Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/pip/ansible-9.4.0
dependabot/github_actions/actions/setup-python-5.1.0
fix/14704
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '13f11514b7'
${ noResults }
algo/common.yml

85 lines
2.2 KiB
YAML
Raw Blame History

---
- name: Common tools
hosts: vpn-host
remote_user: root
vars_files:
- config.cfg
tasks:
- name: Wait for port 22 to become available
local_action: "wait_for port=22 host={{ inventory_hostname }}"
- name: Updating apt-get
raw: apt-get update -qq
- name: Install python2.7 for Ansible
raw: apt-get install -qq -y python2.7
- name: Install tools
apt: name="{{ item }}" state=latest
with_items:
- git
- screen
- apparmor-utils
- uuid-runtime
- coreutils
- auditd
- rsyslog
- sendmail
- libpam-google-authenticator
- name: Enable packet forwarding for IPv4
sysctl: name=net.ipv4.ip_forward value=1
- name: Do not accept ICMP redirects (prevent MITM attacks)
sysctl: name=net.ipv4.conf.all.accept_redirects value=0
- name: Do not send ICMP redirects (we are not a router)
sysctl: name=net.ipv4.conf.all.send_redirects value=0
# auditd
- name: Collect Use of Privileged Commands
shell: >
/usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
args:
executable: /bin/bash
register: privileged_programs
- name: Auditd rules configured
template: src=audit.rules.j2 dest=/etc/audit/audit.rules
notify:
- restart auditd
- name: Auditd configured
template: src=auditd.conf.j2 dest=/etc/audit/auditd.conf
notify:
- restart auditd
- name: Rsyslog configured
template: src=rsyslog.conf.j2 dest=/etc/rsyslog.conf
notify:
- restart rsyslog
- name: Rsyslog CIS configured
template: src=CIS.conf.j2 dest=/etc/rsyslog.d/CIS.conf owner=root group=root mode=0644
notify:
- restart rsyslog
- name: Enable services
service: name={{ item }} enabled=yes
with_items:
- auditd
- rsyslog
handlers:
- name: restart auditd
service: name=auditd state=restarted
- name: restart rsyslog
service: name=rsyslog state=restarted
Reference in New Issue View Git Blame Copy Permalink