From a2cb24af99e03c0e3303865c1ddb0400c41d247a Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Wed, 15 Feb 2023 02:46:42 +0100
Subject: [PATCH] Migrate from old repository
---
defaults/main.yml | 20 ++++++++++++
meta/main.yml | 18 ++++++++++
tasks/main.yml | 57 ++++++++++++++++++++++++++++++++
templates/config.yaml.j2 | 60 ++++++++++++++++++++++++++++++++++
templates/email.yaml.j2 | 37 +++++++++++++++++++++
templates/mywhitelists.yaml.j2 | 8 +++++
templates/profiles.yaml.j2 | 15 +++++++++
7 files changed, 215 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 meta/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/config.yaml.j2
create mode 100644 templates/email.yaml.j2
create mode 100644 templates/mywhitelists.yaml.j2
create mode 100644 templates/profiles.yaml.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..508588c
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,20 @@
+---
+cs_collections_list: []
+cs_scenarios_list: []
+cs_parsers_list: []
+cs_postoverflows_list: []
+
+cs_ban_duration: "4h"
+
+cs_prometheus_enabled: false
+
+cs_parsers_mywhitelists_ip: []
+cs_parsers_mywhitelists_cidr: []
+
+cs_trusted_ips:
+ - 127.0.0.1
+ - ::1
+
+cs_receiver_emails: []
+
+version: latest
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..e725329
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,18 @@
+---
+
+dependencies: []
+
+galaxy_info:
+ role_name: crowdsec
+ author: 'Pierre-Olivier Mercier '
+ description: Installs and configure crowdsec through Docker
+ license: GPL-3.0-or-later
+ min_ansible_version: 2.9
+ platforms:
+ - name: Alpine
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ galaxy_tags: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..81ce4a5
--- /dev/null
+++ b/tasks/main.yml
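Review bot: `version: latest` is the only pin on the container image, and tasks/main.yml pulls it with `pull: true` on every run, so each play may silently deploy a different crowdsec build; default it to an explicit release tag or digest, e.g. `version: "<pinned-tag>"`, and let callers override. `version` is also an unprefixed name for a role default — Ansible does not namespace defaults per role, so an inventory or another role setting `version` for something else changes which image is pulled; the `cs_` prefix every other variable here uses (`cs_version`) avoids that collision. `instance_name`, `endpoint` and `prometheus_endpoint` are referenced unconditionally in tasks/main.yml but have no default in this file, so the role's required inputs are not visible to a caller; listing them here (commented out where no sane default exists) would document the contract.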
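Review bot: `min_ansible_version: 2.9` is an unquoted float, which happens to round-trip but breaks for the very next minor (`2.10` reads as `2.1`); quote it as `min_ansible_version: "2.9"`. `dependencies: []` with no `collections:` key leaves the `docker_container` module used by tasks/main.yml unresolved on ansible-core 2.10 and later, where it ships in `community.docker`; declaring `collections: [community.docker]` here (or in a requirements.yml) and using the FQCN `community.docker.docker_container` in the tasks makes that dependency explicit. `author: 'Pierre-Olivier Mercier '` carries a trailing space that looks like a stripped e-mail address, and `Installs and configure crowdsec` should read `Installs and configures crowdsec`.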
@@ -0,0 +1,57 @@
+---
+- name: Ensure crowdsec directory exists
+ file:
+ path: "{{ item }}"
+ state: directory
+ loop:
+ - /etc/crowdsec/notifications
+ - /etc/crowdsec/parsers/s02-enrich
+
+- name: configure crowdsec
+ template:
+ src: "{{ item.src }}"
+ dest: "/etc/crowdsec/{{ item.dest }}"
+ register: crowdsecconfig
+ loop:
+ - {src: "config.yaml.j2", dest: "config.yaml" }
+ - {src: "profiles.yaml.j2", dest: "profiles.yaml" }
+ - {src: "email.yaml.j2", dest: "notifications/email.yaml" }
+ - {src: "mywhitelists.yaml.j2", dest: "parsers/s02-enrich/mywhitelists.yaml" }
+
+- name: "stop crowdsec container to reload config"
+ docker_container:
+ name: "{{ instance_name }}"
+ state: stopped
+ when: crowdsecconfig is changed
+ ignore_errors: yes
+
+- name: "launch {{ instance_name }} container"
+ docker_container:
+ name: "{{ instance_name }}"
+ image: "crowdsecurity/crowdsec:{{ version }}"
+ pull: true
+ state: started
+ restart_policy: unless-stopped
+ memory: 2G
+ volumes:
+ - /etc/crowdsec:/etc/crowdsec
+ - /var/lib/crowdsec:/var/lib/crowdsec/data
+ - /var/log/:/logs:ro
+ mounts:
+ - target: /tmp
+ type: tmpfs
+ tmpfs_mode: 1777
+ tmpfs_size: 512M
+ env:
+ COLLECTIONS: "{{ cs_collections_list | join(' ') }}"
+ SCENARIOS: "{% if cs_scenarios_list is defined %}{{ cs_scenarios_list | join(' ') }}{% endif %}"
+ PARSERS: "{% if cs_parsers_list is defined %}{{ cs_parsers_list | join(' ') }}{% endif %}"
+ POSTOVERFLOWS: "{% if cs_postoverflows_list is defined %}{{ cs_postoverflows_list | join(' ') }}{% endif %}"
+ published_ports:
+ - "{{ prometheus_endpoint }}:6060"
+ - "{{ endpoint }}:8080"
+ log_driver: syslog
+ log_options:
+ syslog-address: unixgram:///dev/log
+ syslog-facility: daemon
+ tag: "{{ instance_name }}"
diff --git a/templates/config.yaml.j2 b/templates/config.yaml.j2
new file mode 100644
index 0000000..f81ef9c
--- /dev/null
+++ b/templates/config.yaml.j2
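Review bot: The `configure crowdsec` template task sets no `mode:`, so `config.yaml` (which carries `database.password`) and `notifications/email.yaml` (`email.password`) land under /etc/crowdsec with umask-derived permissions, typically world-readable; add `mode: "0600"` to the task (or per item via `item.mode`) together with `owner`/`group` for whatever account reads them inside the container — confirm that account before tightening, since config.yaml.j2 runs plugins as `nobody`. `published_ports` publishes `{{ prometheus_endpoint }}:6060` unconditionally, while config.yaml.j2 only enables the metrics listener when `cs_prometheus_enabled` is true, so in the default configuration the port is opened on the host for nothing; build the list conditionally, e.g. `published_ports: "{{ [endpoint ~ ':8080'] + ([prometheus_endpoint ~ ':6060'] if cs_prometheus_enabled else []) }}"`. `ignore_errors: yes` should be the canonical `ignore_errors: true`, and the `is defined` guards around SCENARIOS, PARSERS and POSTOVERFLOWS are dead since defaults/main.yml always defines those lists (COLLECTIONS already does without one). The directory task would benefit from the same `mode:` treatment, e.g. `mode: "0750"`, for the reason above.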
@@ -0,0 +1,60 @@
+common:
+ daemonize: false
+ pid_dir: /var/run/
+ log_media: stdout
+ log_level: info
+ log_dir: /logs/
+ working_dir: .
+config_paths:
+ config_dir: /etc/crowdsec/
+ data_dir: /var/lib/crowdsec/data/
+ simulation_path: /etc/crowdsec/simulation.yaml
+ hub_dir: /etc/crowdsec/hub/
+ index_path: /etc/crowdsec/hub/.index.json
+ notification_dir: /etc/crowdsec/notifications/
+ plugin_dir: /usr/local/lib/crowdsec/plugins/
+crowdsec_service:
+ acquisition_path: /etc/crowdsec/acquis.yaml
+ parser_routines: 1
+plugin_config:
+ user: nobody
+ group: nobody
+cscli:
+ output: human
+db_config:
+ log_level: info
+{% if database is defined %}
+ type: mysql
+ user: "{{ database.username }}"
+ password: "{{ database.password }}"
+ db_name: "{{ database.database }}"
+ host: "{{ database.host }}"
+ port: {{ database.port }}
+{% else %}
+ type: sqlite
+ db_path: /var/lib/crowdsec/data/crowdsec.db
+{% endif %}
+ flush:
+ max_items: 5000
+ max_age: 7d
+api:
+ client:
+ insecure_skip_verify: false
+ credentials_path: /etc/crowdsec/local_api_credentials.yaml
+ server:
+ log_level: info
+ listen_uri: 0.0.0.0:8080
+ profiles_path: /etc/crowdsec/profiles.yaml
+ use_forwarded_for_headers: true
+ trusted_ips: {{ cs_trusted_ips | to_json() }}# IP ranges, or IPs which can have admin API access
+ online_client: # Central API credentials (to push signals and receive bad IPs)
+ credentials_path: /etc/crowdsec/online_api_credentials.yaml
+ #credentials_path: /etc/crowdsec/online_api_credentials.yaml
+# tls:
+# cert_file: /etc/crowdsec/ssl/cert.pem
+# key_file: /etc/crowdsec/ssl/key.pem
+prometheus:
+ enabled: {{ cs_prometheus_enabled }}
+ level: full
+ listen_addr: 0.0.0.0
+ listen_port: 6060
diff --git a/templates/email.yaml.j2 b/templates/email.yaml.j2
new file mode 100644
index 0000000..b35aaf2
--- /dev/null
+++ b/templates/email.yaml.j2
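Review bot: `trusted_ips: {{ cs_trusted_ips | to_json() }}# IP ranges, …` glues the comment onto the rendered flow sequence (`["127.0.0.1", "::1"]# IP ranges…`); YAML only treats `#` as a comment start after whitespace, and although lenient parsers accept this form, a space keeps the file spec-valid: `trusted_ips: {{ cs_trusted_ips | to_json() }}  # IP ranges, or IPs which can have admin API access`. `enabled: {{ cs_prometheus_enabled }}` renders Python's `True`/`False` rather than canonical YAML booleans, and a caller who sets the variable to a string such as `"no"` gets that string emitted verbatim; `enabled: {{ cs_prometheus_enabled | bool | to_json }}` always yields `true`/`false`. `use_forwarded_for_headers: true` makes the LAPI take the client address from the `X-Forwarded-For` header, and since the comment on `trusted_ips` says that address decides admin API access, this is only safe when a reverse proxy in front strips the header from clients; the deployment should confirm that, or leave it `false` while the published port is reached directly.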
@@ -0,0 +1,37 @@
+type: email # Don't change
+name: email_default # Must match the registered plugin in the profile
+
+# One of "trace", "debug", "info", "warn", "error", "off"
+log_level: info
+
+# group_wait: # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
+# group_threshold: # Amount of alerts that triggers a message before has expired, eg "10"
+# max_retry: # Number of attempts to relay messages to plugins in case of error
+timeout: 20s # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"
+
+#-------------------------
+# plugin-specific options
+
+# The following template receives a list of models.Alert objects
+# The output goes in the email message body
+format: | {{ "
+ {{range . -}}
+ {{$alert := . -}}
+ {{range .Decisions -}}
+

{{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}} on machine {{$alert.MachineID}}.

Shodan

+ {{end -}}
+ {{end -}}" }}
+
+smtp_host: "{{ email.host }}"
+smtp_username: "{{ email.username }}"
+smtp_password: "{{ email.password }}"
+smtp_port: {{ email.port }}
+auth_type: "{{ email.auth }}" # Valid choices are "none", "crammd5", "login", "plain"
+sender_name: "CrowdSec"
+sender_email: "{{ email.from }}"
+email_subject: "CrowdSec Notification"
+receiver_emails: {{ cs_receiver_emails | to_json() }}
+# - email1@gmail.com
+# - email2@gmail.com
+
+encryption_type: "{{ email.starttls }}" # One of "ssltls", "none"
diff --git a/templates/mywhitelists.yaml.j2 b/templates/mywhitelists.yaml.j2
new file mode 100644
index 0000000..cabd06b
--- /dev/null
+++ b/templates/mywhitelists.yaml.j2
@@ -0,0 +1,8 @@
+name: crowdsecurity/whitelists
+description: "Whitelist events from my ip addresses"
+whitelist:
+ reason: "my ip ranges"
+ ip:
+ {{ cs_parsers_mywhitelists_ip }}
+ cidr:
+ {{ cs_parsers_mywhitelists_cidr }}
\ No newline at end of file
diff --git a/templates/profiles.yaml.j2 b/templates/profiles.yaml.j2
new file mode 100644
index 0000000..961c075
--- /dev/null
+++ b/templates/profiles.yaml.j2
@@ -0,0 +1,15 @@
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+ duration: {{ cs_ban_duration }}
+notifications:
+# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+{% if len(cs_receiver_emails) > 0 %}
+ - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+{% endif %}
+on_success: break
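Review bot: `encryption_type: "{{ email.starttls }}"` must render one of `"ssltls"` or `"none"` per the trailing comment, but a variable named `starttls` reads as a boolean, and a caller passing `true` renders `"True"`, which matches neither; either rename the input (`email.encryption`) or map it explicitly, e.g. `encryption_type: "{{ 'ssltls' if email.starttls | bool else 'none' }}"`. Unlike `database` in config.yaml.j2, `email` is dereferenced here with no `is defined` guard while tasks/main.yml renders this template unconditionally, so the role fails when no mail notification is configured even though profiles.yaml.j2 only enables `email_default` when `cs_receiver_emails` is non-empty; skip the loop item when `cs_receiver_emails` is empty, or wrap the `email.*` fields in `{% if email is defined %}`. The Go template inside `format:` is emitted through a Jinja string literal (`{{ "…" }}`), so it cannot contain an unescaped double quote; the lines between `{{range .Decisions -}}` and `{{end -}}` are garbled in this rendering of the patch and could not be checked for that.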
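Review bot: `{{ cs_parsers_mywhitelists_ip }}` and `{{ cs_parsers_mywhitelists_cidr }}` are rendered with Python's list repr (a constructed example: `['10.0.0.1']`), which parses only because single-quoted scalars happen to be valid YAML and is inconsistent with the `to_json()` the other templates use; write `{{ cs_parsers_mywhitelists_ip | to_json }}` and `{{ cs_parsers_mywhitelists_cidr | to_json }}` for a guaranteed-valid flow sequence. The file is also committed without a trailing newline, which the `\ No newline at end of file` marker shows.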
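Review bot: `{% if len(cs_receiver_emails) > 0 %}` calls `len`, which is not a Jinja2 builtin and, as far as I can tell, is not among the globals Ansible exposes to templates, so rendering this file is likely to fail with an undefined-name error; the idiomatic test is `{% if cs_receiver_emails | length > 0 %}`. `duration: {{ cs_ban_duration }}` is emitted unquoted, which is fine for the default `4h`; quoting it as `duration: "{{ cs_ban_duration }}"` keeps the value a string whatever a caller passes.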