From d4366fef2a593547dd02803341b79e295dc2f99b Mon Sep 17 00:00:00 2001 From: Aaron Guise Date: Tue, 20 Aug 2024 11:11:35 +1200 Subject: [PATCH] =?UTF-8?q?feat:=20Initial=20Project=20=20=F0=9F=8E=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/CI.yml | 106 ++++++++++++++++++++++++++++ .travis.yml | 66 ++++++++++++++++++ LICENSE | 21 ++++++ README.md | 77 +++++++++++++++++++++ defaults/main.yml | 96 ++++++++++++++++++++++++++ handlers/main.yml | 22 ++++++ meta/main.yml | 33 +++++++++ tasks/configure.yml | 117 +++++++++++++++++++++++++++++++ tasks/disable_firewall.yml | 25 +++++++ tasks/install.yml | 44 ++++++++++++ tasks/main.yml | 37 ++++++++++ templates/csf.allow.j2 | 34 +++++++++ templates/csf.dyndns.j2 | 32 +++++++++ templates/csf.fignore.j2 | 37 ++++++++++ templates/csf.ignore.j2 | 25 +++++++ templates/csf.pignore.j2 | 138 +++++++++++++++++++++++++++++++++++++ tests/docker_playbook.yml | 58 ++++++++++++++++ tests/test.yml | 5 ++ vars/Debian.yml | 7 ++ vars/RedHat-6.yml | 7 ++ vars/RedHat-7.yml | 7 ++ vars/main.yml | 4 ++ 22 files changed, 998 insertions(+) create mode 100644 .github/workflows/CI.yml create mode 100644 .travis.yml create mode 100644 LICENSE create mode 100644 README.md create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/configure.yml create mode 100644 tasks/disable_firewall.yml create mode 100644 tasks/install.yml create mode 100644 tasks/main.yml create mode 100644 templates/csf.allow.j2 create mode 100644 templates/csf.dyndns.j2 create mode 100644 templates/csf.fignore.j2 create mode 100644 templates/csf.ignore.j2 create mode 100644 templates/csf.pignore.j2 create mode 100644 tests/docker_playbook.yml create mode 100644 tests/test.yml create mode 100644 vars/Debian.yml create mode 100644 vars/RedHat-6.yml create mode 100644 vars/RedHat-7.yml create mode 100644 vars/main.yml 
diff --git a/.github/workflows/CI.yml b/.github/workflows/CI.yml
new file mode 100644
index 0000000..8f4dcd6
--- /dev/null
+++ b/.github/workflows/CI.yml
@@ -0,0 +1,106 @@
+name: CI
+on:
+ push:
+ branches:
+ - "**"
+ tags:
+ - "!**"
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
+ with:
+ python-version: '3.10'
+ cache: 'pip' # caching pip dependencies
+
+ - name: Ensure requirements are installed
+ run: pip install -r requirements.txt
+
+ - name: Lint with ansible-lint
+ run: ansible-lint --exclude ./tests -c ".ansible-lint"
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ - name: Lint with yamllint
+ run: yamllint .
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ # molecule:
+ # name: Molecule Test
+ # runs-on: ubuntu-latest
+ # needs: lint
+ # strategy:
+ # fail-fast: true
+ # matrix:
+ # os: [almalinux8, almalinux9]
+ # steps:
+ # - name: Checkout code
+ # uses: actions/checkout@v4
+
+ # - name: Setup Python
+ # uses: actions/setup-python@v5
+ # with:
+ # python-version: '3.10'
+ # cache: 'pip' # caching pip dependencies
+
+ # - name: Ensure requirements are installed
+ # run: pip install -r requirements.txt
+
+ # - name: Run Molecule tests.
+ # run: molecule test
+ # env:
+ # PY_COLORS: '1'
+ # ANSIBLE_FORCE_COLOR: '1'
+ # MOLECULE_DISTRO: ${{ matrix.os }}
+ release:
+ runs-on: ubuntu-latest
+ needs:
+ - lint
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version: '1.22'
+ - run: |
+ echo "github repo: ${GITHUB_REPOSITORY}"
+ echo "env vars: $(env)"
+ - uses: go-semantic-release/action@v1
+ with:
+ custom-arguments: --provider=gitea
+ env:
+ GITEA_TOKEN: ${{ secrets.G_TOKEN }}
+ GITEA_HOST: ${{ secrets.G_SERVER_URL}}
+ notify:
+ runs-on: ubuntu-latest
+ needs:
+ - lint
+ - release
+ steps:
+ - name: ntfy-success-notifications
+ uses: niniyas/ntfy-action@master
+ if: success()
+ with:
+ url: '${{ vars.NTFY_URL }}'
+ title: Workflow success - ansible-role-repo-epel
+ topic: 'ci-status'
+ priority: 4
+ tags: +1,partying_face,action,successfully,completed
+ details: Workflow has been successfully completed!
+ icon: 'https://styles.redditmedia.com/t5_32uhe/styles/communityIcon_xnt6chtnr2j21.png'
+ image: true
+
+ - name: ntfy-failed-notifications
+ uses: niniyas/ntfy-action@master
+ if: failure()
+ with:
+ url: '${{ vars.NTFY_URL }}'
+ title: Workflow failed - ansible-role-repo-epel
+ topic: 'ci-status'
+ priority: 5
+ tags: -1,skull,action,failed
+ details: Workflow has failed!
+ actions: 'default'
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..843a620
--- /dev/null
+++ b/.travis.yml
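Review bot: The `- run: |` step in the `release` job echoes `"env vars: $(env)"`, which writes the whole runner environment into the build log for anyone who can read the workflow run; remove that line and keep only the `GITHUB_REPOSITORY` echo, or put it behind an explicit debug input. Both `notify` steps use `niniyas/ntfy-action@master`, a mutable branch of a third-party action that receives `vars.NTFY_URL`; pin it to a full commit SHA (`uses: niniyas/ntfy-action@<commit-sha>`) and consider the same for `go-semantic-release/action@v1`. The lint job runs `pip install -r requirements.txt` and `ansible-lint ... -c ".ansible-lint"`, but neither file is among the 22 files this commit creates, so the job cannot pass until they are added. Both ntfy `title:` values read `Workflow success - ansible-role-repo-epel` / `Workflow failed - ansible-role-repo-epel`, which looks carried over from another role — this repository is the CSF role.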
@@ -0,0 +1,66 @@
+---
+dist: bionic
+sudo: false
+language: python
+services: docker
+cache: pip
+addons:
+ apt:
+ packages:
+ - python-pip
+
+env:
+ global:
+ - _ANSIBLE_CONNECTION=local
+ - _ANSIBLE_PLAYBOOK=tests/docker_playbook.yml
+ matrix:
+ - _ANSIBLE_CONNECTION=ssh _ANSIBLE_PLAYBOOK=tests/test.yml
+ _DOCKER_NAME=alpine _DOCKER_IMAGE=alpine
+# - _DOCKER_NAME=centos6 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:centos-6 _DOCKER_IMAGE_INIT=/sbin/init
+ - _DOCKER_NAME=centos7 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:centos-7 _DOCKER_IMAGE_INIT=/usr/lib/systemd/systemd
+ - _DOCKER_NAME=debian8 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:debian-8 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
+ - _DOCKER_NAME=debian9 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:debian-9 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
+ - _DOCKER_NAME=ubuntu16 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:ubuntu-16.04 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
+ - _DOCKER_NAME=ubuntu18 _DOCKER_IMAGE=ansiblecheck/ansiblecheck:ubuntu-18.04 _DOCKER_IMAGE_INIT=/lib/systemd/systemd
+
+matrix:
+ fast_finish: true
+
+before_install:
+ - >
+ ssh-keygen -t rsa -C travis@localhost -q -P '' -f ~/.ssh/id_rsa ;
+ cat /home/travis/.ssh/id_rsa.pub >> /home/travis/.ssh/authorized_keys ;
+ printf 'Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile=/dev/null\n' > /home/travis/.ssh/config;
+
+install:
+# - travis_retry pip install git+git://github.com/ansible/ansible.git@devel
+ - travis_retry pip install --upgrade --upgrade-strategy=eager ansible ansible-lint
+ - travis_retry docker pull ${_DOCKER_IMAGE}
+
+before_script:
+ - printf '[defaults]\nroles_path=../\nhost_key_checking = False\nretry_files_enabled = False\n\n[ssh_connection]\npipelining = True\n' > ansible.cfg
+ - printf 'localhost' > inventory
+ - sudo ln -s /bin/true /usr/sbin/sendmail
+ - ansible --version
+
+script:
+ - ansible-lint -v ${_ANSIBLE_PLAYBOOK}
+ - >
+ ansible-playbook -i inventory ${_ANSIBLE_PLAYBOOK}
+ --connection=${_ANSIBLE_CONNECTION}
+ --extra-vars 
"DOCKER_NAME=${_DOCKER_NAME} DOCKER_IMAGE=${_DOCKER_IMAGE} DOCKER_IMAGE_INIT=${_DOCKER_IMAGE_INIT}"
+ --skip-tags "destroy"
+ -vv
+ - >
+ ANSIBLE_LOG_PATH=/tmp/idempotence.log
+ ansible-playbook -i inventory ${_ANSIBLE_PLAYBOOK}
+ --connection=${_ANSIBLE_CONNECTION}
+ --extra-vars "DOCKER_NAME=${_DOCKER_NAME} DOCKER_IMAGE=${_DOCKER_IMAGE} DOCKER_IMAGE_INIT=${_DOCKER_IMAGE_INIT}"
+ - >
+ awk '/PLAY RECAP/,/EOF/
+ {if (NF && $7 !~ "PLAY" && $10$11$12 !~ "changed=0unreachable=0failed=0" ) status=1 } END
+ { print (status)? "Idempotence test: FAIL" : "Idempotence test: PASS"; exit status }'
+ /tmp/idempotence.log
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..701d6b1
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Lik
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..23cdebd
--- /dev/null
+++ b/README.md 
@@ -0,0 +1,77 @@
+[![Ansible Galaxy](https://img.shields.io/badge/role-likg.csf-blue.svg?style=flat)](https://galaxy.ansible.com/likg/csf/)
+[![Build Status](https://travis-ci.org/likg/ansible-role-csf.svg?branch=master)](https://travis-ci.org/likg/ansible-role-csf)
+
+# Ansible Role: CSF/LFD
+
+Install and configure [CSF/LFD](https://configserver.com/cp/csf.html)
+
+## Requirements
+
+CSF/LFD is a set of perl scripts, thus perl interpreter is required. Many popular distros comes with perl installed by default, nevertheless, this role will install perl if it is missing.
+
+Full list of required packages (will be installed by this role) defined in [`csf_required_packages`](defaults/main.yml#L6-L11) and [`csf_required_packages_dist`](vars/) variables.
+
+## Role Variables
+
+Available variables with their default values can be found in [defaults/main.yml](defaults/main.yml).
+
+## Dependencies
+
+None.
+
+## Example Playbook
+```yaml
+- hosts: servers
+ become: yes
+ roles:
+ - { role: likg.csf }
+ vars_files:
+ - path_to_vars.yml
+```
+
+File `path_to_vars.yml`:
+```yaml
+csf_global_ini:
+ - option: RESTRICT_SYSLOG
+ value: "2"
+ - option: URLGET
+ value: "2"
+ - option: TCP_IN
+ value: "80,443,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
+ - option: TCP_OUT
+ value: "20,21,22,25,37,43,53,80,123,443,873,953,8080,9418,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
+ - option: UDP_IN
+ value: "53"
+ - option: UDP_OUT
+ value: "20,21,43,53,113,123,58745,30000:65535"
+
+csf_allow:
+ - 10.10.10.10
+ - 172.16.1.1/29
+
+csf_ignore:
+ - 10.10.10.10
+ - 172.16.1.1/29
+
+csf_pignore:
+ - 'exe:/usr/sbin/nginx'
+ - 'user:mysql'
+
+csf_fignore:
+ - '/tmp/\.horde'
+ - '/tmp/\.horde/.*'
+
+csf_blocklists:
+ - "SPAMDROP"
+
+csf_csfpre_sh: |
+ #!/bin/bash
+ /sbin/iptables -t nat -F POSTROUTING
+```
+## License
+
+MIT
+
+## Author Information
+
+This role was created by Lik. Extended by Cybercinch Team
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..509b49d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,96 @@
+---
+# csf/defaults/main.yml
+
+csf_tmp_dir: "/usr/src"
+
+csf_required_packages:
+ - iptables
+ - perl
+ - unzip
+ - tar
+ - net-tools
+
+csf_global_ini_core:
+ - option: TESTING
+ value: "0"
+ - option: AUTO_UPDATES
+ value: "1"
+ - option: PORTS_sshd
+ value: "{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }}"
+
+csf_global_ini:
+ - option: RESTRICT_UI
+ value: "2"
+ - option: RESTRICT_SYSLOG
+ value: "2"
+ - option: URLGET
+ value: "2"
+ - option: USE_CONNTRACK
+ value: "1"
+ - option: TCP_IN
+ value: "80,443,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
+ - option: TCP_OUT
+ value: "20,21,22,25,37,43,53,80,123,443,873,953,8080,9418,{{ hostvars[inventory_hostname]['ansible_port'] | default('22') }},30000:65535"
+ - option: UDP_IN
+ value: "53"
+ - option: UDP_OUT
+ value: "20,21,43,53,113,123,58745,30000:65535"
+
+#csf_allow:
+# - 10.10.10.10
+# - 172.16.1.1/29
+
+#csf_ignore:
+# - 10.10.10.10
+# - 172.16.1.1/29
+
+#csf_pignore:
+# - 'exe:/usr/sbin/nginx'
+# - 'user:mysql'
+
+#csf_fignore:
+# - '/tmp/\.horde'
+# - '/tmp/\.horde/.*'
+
+#csf_blocklists:
+# - "SPAMDROP"
+
+#csf_dyndns:
+# - "no-ip.com"
+
+#csf_csfpre_sh: |
+# #!/bin/bash
+# /sbin/iptables -t nat -F POSTROUTING
+
+#csf_csfpost_sh: |
+# #!/bin/bash
+# /sbin/iptables -t nat -F POSTROUTING
+
+# Host based custom allow rules
+#csf_allow_host:
+# - 'tcp|in|d=22|s=1.1.1.1'
+
+#csf_ignore_host:
+# - '1.1.1.1'
+
+#csf_pignore_host:
+# - 'exe:/usr/sbin/nginx'
+# - 'user:mysql'
+
+#csf_fignore_host:
+# - '/tmp/\.horde'
+# - '/tmp/\.horde/.*'
+
+#csf_blocklists_host:
+# - "SPAMDROP"
+
+#csf_dyndns_host:
+# - "no-ip.com"
+
+#csf_csfpre_sh_host: |
+# #!/bin/bash
+# /sbin/iptables -t nat -F POSTROUTING
+
+#csf_csfpost_sh_host: |
+# #!/bin/bash
+# /sbin/iptables -t nat -F POSTROUTING
\ No newline at end of file
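Review bot: `csf_global_ini_core` pins `AUTO_UPDATES` to `"1"`, so every managed host will fetch and apply CSF releases from the vendor on its own schedule, outside the checksum-verified download in tasks/install.yml and outside any change control; the entry deserves a comment, e.g. `# AUTO_UPDATES "1" lets csf self-update from configserver.com; set "0" to keep upgrades under role control`. The same block sets `TESTING` to `"0"`, which turns off CSF's testing mode (the periodic rule flush that protects against locking yourself out) on the very first run, before the `TCP_IN`/`PORTS_sshd` values have proven to admit the management session; a one-line comment noting that `ansible_port` (default `22`) plus the controller-IP entry in templates/csf.allow.j2 are what keep the host reachable would help operators on non-standard ports or jump hosts. The `csf_allow`, `csf_ignore`, `csf_pignore`, `csf_fignore`, `csf_blocklists` and `csf_dyndns` variables appear only commented out, so the README is the sole place their shape is documented; a short description above each commented block would keep this file self-contained. The file also ends without a trailing newline (`\ No newline at end of file`), which the `yamllint .` step in CI.yml reports by default.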
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b09ccdc
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,22 @@
+---
+# csf/handlers/main.yml
+
+- name: run csftest.pl
+ command: /etc/csf/csftest.pl
+ register: csf_check_contents
+ changed_when: false
+ failed_when: csf_check_contents.stdout.find('csf should function on this server') == -1
+ when: ansible_facts.virtualization_type != 'docker'
+# toremove when: statement ^
+
+- name: check csf conf
+ command: csf -c
+ register: csf_conf_check
+ changed_when: false
+ failed_when: "'error' in csf_conf_check.stdout.lower()"
+
+- name: restart csf
+ command: csf -ra
+
+- name: enable csf
+ command: csf -e
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..a009ad9
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,33 @@
+---
+dependencies: []
+
+galaxy_info:
+ author: cybercinch
+ description: Install and configure CSF/LFD (https://configserver.com/cp/csf.html)
+ min_ansible_version: 2.9
+ license: MIT
+ platforms:
+ - name: EL
+ versions:
+ - 6
+ - 7
+ - 8
+ - 9
+ - name: Debian
+ versions:
+ - wheezy
+ - jessie
+ - stretch
+ - name: Ubuntu
+ versions:
+ - precise
+ - trusty
+ - xenial
+ - bionic
+ galaxy_tags:
+ - csf
+ - lfd
+ - firewall
+ - iptables
+ - networking
+ - system
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..241bf7e
--- /dev/null
+++ b/tasks/configure.yml
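Review bot: The `enable csf` handler (`command: csf -e`) is not notified by any task in this commit, so it is unreachable; either drop it or have `run CSF installer` in tasks/install.yml notify it alongside `run csftest.pl`. `check csf conf` fails on the substring `'error'` anywhere in the lowercased output of `csf -c`, which will also trip on an option name, a comment or a path that happens to contain that word; matching a more specific phrase, or the command's return code if csf sets one, would be less fragile. The `# toremove when: statement ^` note on `run csftest.pl` should either be resolved or say why the guard exists (presumably csftest.pl cannot exercise iptables inside a docker container). With `ansible-lint` running in CI and no `.ansible-lint` in this commit, expect `name[casing]` on these lowercase handler names and `fqcn[action-core]` on the bare `command:` module across the role.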
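Review bot: `galaxy_info.platforms` advertises EL 8 and 9, but `vars/` ships only `RedHat-6.yml` and `RedHat-7.yml` and no `RedHat.yml`, so on those releases the `with_first_found` lookup in tasks/main.yml falls through to `vars/main.yml`, where `csf_required_packages_dist` is `[]` and `bind-utils`/`perl-libwww-perl`/`perl-LWP-Protocol-https` are never installed. Adding `vars/RedHat.yml` (or `RedHat-8.yml`/`RedHat-9.yml`) with the EL7 package names, or trimming the platform list to what is tested, would close that gap; nothing in CI exercises EL 8/9 either, since the Molecule job in CI.yml is commented out and the Travis matrix stops at centos7. `min_ansible_version: 2.9` is parsed as a YAML float rather than a version string; quote it as `'2.9'`.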
@@ -0,0 +1,117 @@
+---
+# csf/tasks/configure.yml
+
+- name: edit csf.conf
+ lineinfile:
+ dest: /etc/csf/csf.conf
+ regexp: '^#? ?{{ item.option }} ='
+ line: '{{ item.option }} = "{{ item.value }}"'
+ state: present
+ with_flattened:
+ - '{{ csf_global_ini_core }}'
+ - '{{ csf_global_ini }}'
+ notify:
+ - check csf conf
+ - restart csf
+ tags:
+ - csf
+ - csf_conf
+ - configuration
+
+- name: edit csf.{allow,ignore,pignore,fignore,dyndns}
+ template:
+ src: '{{ item }}.j2'
+ dest: '/etc/csf/{{ item }}'
+ owner: root
+ group: root
+ mode: 0600
+ loop:
+ - 'csf.allow'
+ - 'csf.ignore'
+ - 'csf.pignore'
+ - 'csf.fignore'
+ - 'csf.dyndns'
+ notify:
+ - check csf conf
+ - restart csf
+ tags:
+ - csf
+ - csf_conf
+ - configuration
+
+- name: disable csf.blocklists
+ replace:
+ dest: /etc/csf/csf.blocklists
+ regexp: '^(\w+\|.*)$'
+ replace: '#\1'
+ when: csf_blocklists is undefined
+ notify:
+ - check csf conf
+ - restart csf
+ tags:
+ - csf
+ - csf_conf
+ - configuration
+
+- name: enable csf.blocklists
+ lineinfile:
+ dest: /etc/csf/csf.blocklists
+ regexp: '^#{{ item }}\|(.*)$'
+ line: '{{ item }}|\1'
+ state: present
+ backrefs: yes
+ loop: '{{ csf_blocklists }}'
+ when: csf_blocklists is defined
+ notify:
+ - check csf conf
+ - restart csf
+ tags:
+ - csf
+ - csf_conf
+ - configuration
+
+- name: remove csfpre.sh hook
+ file:
+ path: '/etc/csf/csfpre.sh'
+ state: absent
+ when: csf_csfpre_sh is undefined
+ tags:
+ - csf
+ - csf_conf
+ - configuration
+
+- name: remove csfpost.sh hook
+ file:
+ path: '/etc/csf/csfpost.sh'
+ state: absent
+ when: csf_csfpost_sh is undefined
+ tags:
+ - csf
+ - csf_conf
+ - configuration
+
+- name: create csfpre.sh hook
+ copy:
+ content: "{{ vars['csf_csfpre_sh'] }}"
+ dest: '/etc/csf/csfpre.sh'
+ mode: 0700
+ when: csf_csfpre_sh is defined
+ notify:
+ - restart csf
+ tags:
+ - csf
+ - csf_conf
+ - configuration
+
+- name: create csfpost.sh hook
+ copy:
+ content: "{{ vars['csf_csfpost_sh'] }}"
+ dest: '/etc/csf/csfpost.sh'
+ mode: 
0700
+ when: csf_csfpost_sh is defined
+ notify:
+ - restart csf
+ tags:
+ - csf
+ - csf_conf
+ - configuration
diff --git a/tasks/disable_firewall.yml b/tasks/disable_firewall.yml
new file mode 100644
index 0000000..f73f19b
--- /dev/null
+++ b/tasks/disable_firewall.yml
@@ -0,0 +1,25 @@
+---
+# csf/tasks/disable_firewall.yml
+
+- name: disable firewalld (RedHat case)
+ service:
+ name: firewalld
+ state: stopped
+ enabled: no
+ when:
+ - ansible_facts.os_family == 'RedHat'
+ - ansible_facts.service_mgr == 'systemd'
+ ignore_errors: true
+ tags:
+ - services
+
+- name: disable ufw (Ubuntu case)
+ service:
+ name: ufw
+ state: stopped
+ enabled: no
+ when:
+ - ansible_facts.distribution == 'Ubuntu'
+ ignore_errors: true
+ tags:
+ - services
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..69dc429
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,44 @@
+---
+# csf/tasks/install.yml
+
+- name: install required packages
+ package:
+ name: '{{ item }}'
+ state: present
+ update_cache: yes
+ with_flattened:
+ - '{{ csf_required_packages }}'
+ - '{{ csf_required_packages_dist }}'
+ tags:
+ - packages
+
+- name: check /usr/sbin/csf file
+ stat:
+ path: /usr/sbin/csf
+ register: csf_sbin_file
+
+- name: download csf.tgz
+ get_url:
+ url: 'https://download.configserver.com/csf.tgz'
+ dest: '{{ csf_tmp_dir }}/csf.tgz'
+ checksum: 'sha256:https://www.configserver.com/checksums.txt'
+ when: not csf_sbin_file.stat.exists
+ tags:
+ - download
+
+- name: unpack csf.tgz
+ unarchive: # noqa 208
+ src: '{{ csf_tmp_dir }}/csf.tgz'
+ dest: '{{ csf_tmp_dir }}'
+ remote_src: yes
+ creates: '{{ csf_tmp_dir }}/csf/install.sh'
+ when: not csf_sbin_file.stat.exists
+
+- name: run CSF installer
+ command: sh install.sh
+ args:
+ chdir: '{{ csf_tmp_dir }}/csf'
+ creates: /etc/csf/csf.conf
+ when: not csf_sbin_file.stat.exists
+ notify:
+ - run csftest.pl
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..9626374
--- /dev/null
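Review bot: `enable csf.blocklists` only uncomments the names currently in `csf_blocklists`, and `disable csf.blocklists` is skipped whenever that variable is defined, so a blocklist removed from the variable after an earlier run stays enabled and /etc/csf/csf.blocklists never converges on the configured set. Running the `replace` task unconditionally while excluding the wanted names keeps it idempotent — e.g. drop its `when:` and use `regexp: '^(?!(?:{{ csf_blocklists | default([]) | join("|") }})\|)(\w+\|.*)$'` — though the lookahead should be tried against the stock file before relying on it. `create csfpre.sh hook` and `create csfpost.sh hook` write root-executed scripts with `mode: 0700` and no `owner:`/`group:`, unlike the `template` task above; add `owner: root` and `group: root`, and `"{{ vars['csf_csfpre_sh'] }}"` can simply be `"{{ csf_csfpre_sh }}"`. The `edit csf.conf` task wraps `item.value` in double quotes on its `line:`, so a value containing `"` produces an invalid csf.conf line that only the `check csf conf` handler will catch; a comment stating that values must not contain double quotes would save a debugging round.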
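Review bot: Both tasks carry `ignore_errors: true`, which hides the failure that matters most — firewalld or ufw installed but refusing to stop — and lets csf be started later on top of a second firewall driving the same iptables tables. A narrower guard keeps real failures visible: gather `service_facts` and run each task only when the unit appears in `ansible_facts.services`, or register the result and use a `failed_when` that tolerates only the "service not found" case. The firewalld task is also limited to `service_mgr == 'systemd'` while the ufw task has no equivalent guard, and `enabled: no` should be `enabled: false` to match the `ignore_errors: true` two lines below.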
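Review bot: `download csf.tgz` validates the archive against `checksum: 'sha256:https://www.configserver.com/checksums.txt'`, a file served by the same vendor as `csf.tgz`, so it catches a corrupted or truncated download but not a compromised or spoofed vendor host; a comment should say so, e.g. `# checksums.txt comes from the vendor too: this is an integrity check, not an authenticity check`, and a variable for a pinned known-good digest would suit change-controlled environments. Every task after `check /usr/sbin/csf file` is skipped once `/usr/sbin/csf` exists, so the role has no upgrade path of its own and relies on `AUTO_UPDATES` in csf.conf; that is worth stating in the README. `install required packages` calls `package` once per item with `update_cache: yes`, refreshing the package index on every iteration; passing the combined list in one call, `name: '{{ csf_required_packages + csf_required_packages_dist }}'`, is faster and is the form the package modules expect. The `# noqa 208` on `unarchive` uses a numeric rule id that current ansible-lint no longer recognises; the named form is `# noqa: risky-file-permissions`.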
+++ b/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+# csf/tasks/main.yml
+
+- name: include OS-specific variables
+ include_vars: '{{ item }}'
+ with_first_found:
+ - '{{ ansible_facts.os_family }}-{{ ansible_facts.distribution_major_version }}.yml'
+ - '{{ ansible_facts.os_family }}.yml'
+ - 'main.yml'
+ tags:
+ - csf
+ - vars
+ - packages
+
+- import_tasks: disable_firewall.yml
+ tags:
+ - csf
+
+- import_tasks: install.yml
+ tags:
+ - csf
+
+- import_tasks: configure.yml
+ tags:
+ - csf
+
+- name: ensure csf/lfd started/enabled
+ service:
+ name: '{{ item }}'
+ state: started
+ enabled: yes
+ loop:
+ - csf
+ - lfd
+ tags:
+ - csf
+ - services
diff --git a/templates/csf.allow.j2 b/templates/csf.allow.j2
new file mode 100644
index 0000000..a6b6807
--- /dev/null
+++ b/templates/csf.allow.j2
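Review bot: `disable_firewall.yml` is imported before `install.yml` and `configure.yml`, and csf/lfd are only started by the final `ensure csf/lfd started/enabled` task, so from the moment firewalld or ufw is stopped until that last task the host has no active firewall — and a failed download, installer or configuration handler leaves it in that state. If csf's installer tolerates a running firewalld/ufw, moving the `- import_tasks: disable_firewall.yml` entry to just before the final `service` task narrows that window to a single task; otherwise the README should document the exposure so the role is run inside a maintenance window. A one-line comment above the import stating the reason for the chosen order would stop the next maintainer from "fixing" it either way.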
@@ -0,0 +1,34 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following IP addresses will be allowed through iptables.
+# One IP address per line.
+# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
+# Only list IP addresses, not domain names (they will be ignored)
+#
+# Advanced port+ip filtering allowed with the following format
+# tcp/udp|in/out|s/d=port,port,...|s/d=ip
+# See readme.txt for more information
+#
+# Note: IP addressess listed in this file will NOT be ignored by lfd, so they
+# can still be blocked. If you do not want lfd to block an IP address you must
+# add it to csf.ignore
+
+# BEGIN GENERAL ALLOW LIST
+{% if ansible_env['SSH_CONNECTION'] is defined %}
+{{ ansible_env['SSH_CONNECTION'].split()[0] }} # csf SSH installation/upgrade IP address
+{% endif %}
+{% for ip in csf_allow | default([]) %}
+{{ ip }}
+{% endfor %}
+# END GENERAL ALLOW LIST
+{% if csf_allow_host is defined %}
+
+# BEGIN HOST SPECIFIC ALLOW LIST
+{% for ip in csf_allow_host | default([]) %}
+{{ ip }}
+{% endfor %}
+# END HOST SPECIFIC ALLOW LIST
+{% endif %}
diff --git a/templates/csf.dyndns.j2 b/templates/csf.dyndns.j2
new file mode 100644
index 0000000..ece6df2
--- /dev/null
+++ b/templates/csf.dyndns.j2
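Review bot: The template unconditionally allows `ansible_env['SSH_CONNECTION'].split()[0]` — the source address of the controller's SSH session — on every port and protocol, so whichever machine runs the playbook (a shared CI runner, a bastion's NAT address, an operator's home connection) receives a permanent all-ports entry on each managed server, and because the file is re-templated on every run the entry silently follows the controller. Scoping it to the SSH port with the advanced syntax the header already documents, `tcp|in|d={{ hostvars[inventory_hostname]['ansible_port'] | default('22') }}|s={{ ansible_env['SSH_CONNECTION'].split()[0] }}`, keeps the lockout protection without a blanket allow. A template comment should state the intent, e.g. `{# the controller's SSH source IP is kept allowed so a bad TCP_IN cannot lock the operator out; override via csf_allow if the controller sits behind shared NAT #}`. Note that `ansible_env` is only available when fact gathering is enabled for the play.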
@@ -0,0 +1,32 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following FQDN's will be allowed through the firewall. This is controlled
+# by lfd which checks the DNS resolution of the FQDN and adds the ip address
+# into the ALLOWDYNIN and ALLOWDYNOUT iptables chains. lfd will check for IP
+# updates every DYNDNS seconds if set.
+#
+# If the FQDN has multiple A records then all of the IP addresses will be
+# processed. If IPV6 is enabled and the perl module Socket6 from cpan.org is
+# installed, then all IPv6 AAAA IP address records will also be allowed.
+#
+# Only list fully qualified domain names (FQDN's) in this file, either on their
+# own to allow full access, or using Advanced Allow/Deny Filters (see
+# readme.txt)
+#
+
+# BEGIN GENERAL DYNDNS ALLOW LIST
+{% for fqdn in csf_dyndns | default([]) %}
+{{ fqdn }}
+{% endfor %}
+# END GENERAL DYNDNS ALLOW LIST
+{% if csf_dyndns_host is defined %}
+
+# BEGIN HOST SPECIFIC DYNDNS ALLOW LIST
+{% for fqdn in csf_dyndns_host %}
+{{ fqdn }}
+{% endfor %}
+# END HOST SPECIFIC DYNDNS ALLOW LIST
+{% endif %}
diff --git a/templates/csf.fignore.j2 b/templates/csf.fignore.j2
new file mode 100644
index 0000000..fecf97b
--- /dev/null
+++ b/templates/csf.fignore.j2
@@ -0,0 +1,37 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of files that lfd directory watching will ignore. You
+# must specify the full path to the file
+#
+# You can also use perl regular expression pattern matching, for example:
+# /tmp/clamav.*
+# /tmp/.*\.wrk
+#
+# Remember that you will need to escape special characters (precede them with a
+# backslash) such as \. \?
+#
+# Pattern matching will only occur with strings containing an asterix (*),
+# otherwise full file path matching will be applied
+#
+# You can also add entries to ignore files owner by a particular user by
+# preceding it with user:, for example:
+# user:bob
+#
+# Note: files owned by root are ignored
+
+# BEGIN GENERAL FILE IGNORE LIST
+{% for file in csf_fignore | default([]) %}
+{{ file }}
+{% endfor %}
+# END GENERAL FILE IGNORE LIST
+{% if csf_fignore_host is defined %}
+
+# BEGIN HOST SPECIFIC FILE IGNORE LIST
+{% for file in csf_fignore_host %}
+{{ file }}
+{% endfor %}
+# END HOST SPECIFIC FILE IGNORE LIST
+{% endif %}
diff --git a/templates/csf.ignore.j2 b/templates/csf.ignore.j2
new file mode 100644
index 0000000..21f3455
--- /dev/null
+++ b/templates/csf.ignore.j2
@@ -0,0 +1,25 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following IP addresses will be ignored by all lfd checks
+# One IP address per line
+# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
+# Only list IP addresses, not domain names (they will be ignored)
+#
+
+127.0.0.1
+# BEGIN GENERAL IGNORE LIST
+{% for ip in csf_ignore | default([]) %}
+{{ ip }}
+{% endfor %}
+# END GENERAL IGNORE LIST
+{% if csf_ignore_host is defined %}
+
+# BEGIN HOST SPECIFIC IGNORE LIST
+{% for ip in csf_ignore_host %}
+{{ ip }}
+{% endfor %}
+# END HOST SPECIFIC IGNORE LIST
+{% endif %}
\ No newline at end of file
diff --git a/templates/csf.pignore.j2 b/templates/csf.pignore.j2
new file mode 100644
index 0000000..11f7d3d
--- /dev/null
+++ b/templates/csf.pignore.j2
@@ -0,0 +1,138 @@
+###############################################################################
+# Copyright 2006-2018, Way to the Web Limited
+# URL: http://www.configserver.com
+# Email: sales@waytotheweb.com
+###############################################################################
+# The following is a list of executables (exe) command lines (cmd) and
+# usernames (user) that lfd process tracking will ignore.
+#
+# You must use the following format:
+#
+# exe:/full/path/to/file
+# user:username
+# cmd:command line
+#
+# Or, perl regular expression matching (regex):
+#
+# pexe:/full/path/to/file as a perl regex[*]
+# puser:username as a perl regex[*]
+# pcmd:command line as a perl regex[*]
+#
+# [*]You must remember to escape characters correctly when using regex's, e.g.:
+# pexe:/home/.*/public_html/cgi-bin/script\.cgi
+# puser:bob\d.*
+# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
+#
+# It is strongly recommended that you use command line ignores very carefully
+# as any process can change what is reported to the OS. 
+#
+# For more information see readme.txt
+
+exe:/bin/dbus-daemon
+exe:/sbin/ntpd
+exe:/usr/bin/dbus-daemon
+exe:/usr/bin/dbus-daemon-1
+exe:/usr/bin/lsmd
+exe:/usr/bin/postgres
+exe:/usr/bin/spamc
+exe:/usr/lib/courier-imap/bin/imapd
+exe:/usr/lib/courier-imap/bin/pop3d
+exe:/usr/lib/polkit-1/polkitd
+exe:/usr/libexec/dovecot/anvil
+exe:/usr/libexec/dovecot/auth
+exe:/usr/libexec/dovecot/dict
+exe:/usr/libexec/dovecot/imap
+exe:/usr/libexec/dovecot/imap-login
+exe:/usr/libexec/dovecot/lmtp
+exe:/usr/libexec/dovecot/pop3
+exe:/usr/libexec/dovecot/pop3-login
+exe:/usr/libexec/dovecot/quota-status
+exe:/usr/libexec/dovecot/stats
+exe:/usr/libexec/dovecot/imap-hibernate
+exe:/usr/libexec/gam_server
+exe:/usr/libexec/hald-addon-acpi
+exe:/usr/libexec/hald-addon-keyboard
+exe:/usr/libexec/mysqld
+exe:/usr/local/apache/bin/httpd
+exe:/usr/local/cpanel/3rdparty/bin/analog
+exe:/usr/local/cpanel/3rdparty/bin/english/webalizer
+exe:/usr/local/cpanel/3rdparty/bin/imapd
+exe:/usr/local/cpanel/3rdparty/bin/php
+exe:/usr/local/cpanel/3rdparty/bin/webalizer_lang/english
+exe:/usr/local/cpanel/3rdparty/php/54/bin/php-cgi
+exe:/usr/local/cpanel/3rdparty/php/56/bin/php-cgi
+exe:/usr/local/cpanel/3rdparty/php/56/sbin/php-fpm
+exe:/usr/local/cpanel/3rdparty/php/54/sbin/php-fpm
+exe:/usr/local/cpanel/3rdparty/sbin/mydns
+exe:/usr/local/cpanel/3rdparty/sbin/p0f
+exe:/usr/local/cpanel/bin/cppop
+exe:/usr/local/cpanel/bin/cppop-ssl
+exe:/usr/local/cpanel/bin/cpuwatch
+exe:/usr/local/cpanel/bin/cpwrap
+exe:/usr/local/cpanel/bin/logrunner
+exe:/usr/local/cpanel/bin/pkgacct
+exe:/usr/local/cpanel/cpanel
+exe:/usr/local/cpanel/cpdavd
+exe:/usr/local/cpanel/cpsrvd
+exe:/usr/local/cpanel/cpsrvd-ssl
+exe:/usr/local/libexec/dovecot/imap
+exe:/usr/local/libexec/dovecot/imap-login
+exe:/usr/local/libexec/dovecot/pop3
+exe:/usr/local/libexec/dovecot/pop3-login
+exe:/usr/local/urchin/bin/urchinwebd
+exe:/usr/sbin/chronyd
+exe:/usr/sbin/exim
+exe:/usr/sbin/exim
+exe:/usr/sbin/hald
+exe:/usr/sbin/httpd
+exe:/usr/sbin/mysqld
+exe:/usr/sbin/mysqld_safe
+exe:/usr/sbin/named
+exe:/usr/sbin/nscd
+exe:/usr/sbin/nsd
+exe:/usr/sbin/ntpd
+exe:/usr/sbin/proftpd
+exe:/usr/sbin/pure-ftpd
+ex:/usr/sbin/sshd
+exe:/var/cpanel/3rdparty/bin/php
+exe:/usr/sbin/pdns_server
+exe:/usr/local/cpanel/bin/autossl_check
+exe:/usr/local/cpanel/bin/whm_xfer_download-ssl
+pexe:^/usr/lib/jvm/java-.*/jre/bin/java$
+exe:/usr/libexec/dovecot/indexer-worker
+exe:/usr/libexec/dovecot/indexer
+pexe:/usr/local/cpanel/3rdparty/bin/git.*
+pexe:/usr/local/cpanel/3rdparty/libexec/git-core/git.*
+
+# Some additional entries that you might want to ignore on cPanel servers.
+# However, be aware of the security implications under "Process Tracking" in
+# the csf readme.txt when using these:
+#
+#cmd:/bin/sh /usr/bin/mysqld_safe
+#cmd:/bin/sh /usr/bin/mysqld_safe --basedir=/usr
+#cmd:spamd child
+#pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
+#pcmd:/usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
+#pcmd:/usr/bin/python.? /usr/local/cpanel/3rdparty/mailman/bin/qrunner.*
+#pcmd:/usr/bin/python.? /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl.*
+#pcmd:/usr/bin/perl /usr/local/cpanel/3rdparty/bin/awstats\.pl.*
+#pcmd:/usr/bin/perl /usr/local/cpanel/base/awstats\.pl.*
+#pcmd:cpanellogd - (http|ftp) logs for .*
+#pcmd:ubic-guardian ubic-periodic.*
+#pcmd:perl /usr/local/cpanel/3rdparty/perl/\d+/bin/ubic-periodic.*
+#pcmd:MailScanner:.*
+
+# BEGIN GENERAL PROCESS IGNORE LIST
+{% for process in csf_pignore | default([]) %}
+{{ process }}
+{% endfor %}
+# END GENERAL PROCESS IGNORE LIST
+{% if csf_pignore_host is defined %}
+
+# BEGIN HOST SPECIFIC PROCESS IGNORE LIST
+{% for process in csf_pignore_host %}
+{{ process }}
+{% endfor %}
+# END HOST SPECIFIC PROCESS IGNORE LIST
+
+{% endif %}
\ No newline at end of file
diff --git a/tests/docker_playbook.yml b/tests/docker_playbook.yml
new file mode 100644
index 0000000..b144435
--- /dev/null
+++ b/tests/docker_playbook.yml
@@ -0,0 +1,58 @@
+---
+# docker_playbook.yml
+
+- hosts: localhost
+ become: yes
+
+ pre_tasks:
+ - name: define containers facts
+ set_fact:
+ containers:
+ - name: '{{ DOCKER_NAME }}'
+ image: '{{ DOCKER_IMAGE }}'
+ init: '{{ DOCKER_IMAGE_INIT | d("/sbin/init") }}'
+ tags:
+ - always
+
+ tasks:
+ - name: install docker on localhost
+ pip:
+ name: docker
+ extra_args: "--upgrade"
+
+ - name: create docker containers
+ docker_container:
+ name: '{{ item.name }}'
+ image: '{{ item.image }}'
+ command: '{{ item.init }}'
+ state: started
+ privileged: true
+ volumes:
+ - '/sys/fs/cgroup:/sys/fs/cgroup:ro'
+ loop: '{{ containers }}'
+
+ - name: add containers to inventory
+ add_host:
+ name: '{{ item.name }}'
+ groups: docker_containers
+ ansible_connection: docker
+ changed_when: false
+ loop: '{{ containers }}'
+
+- name: run tasks in containers
+ hosts: docker_containers
+ strategy: free
+ become: yes
+ roles:
+ - { role: ../.. }
+
+- hosts: localhost
+ tasks:
+ - name: remove docker containers
+ docker_container:
+ name: '{{ item.name }}'
+ state: absent
+ loop: '{{ containers }}'
+ changed_when: false
+ tags:
+ - destroy
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..b3cc2b1
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: all
+ become: yes
+ roles:
+ - ../..
diff --git a/vars/Debian.yml b/vars/Debian.yml
new file mode 100644
index 0000000..74b0721
--- /dev/null
+++ b/vars/Debian.yml
@@ -0,0 +1,7 @@
+---
+# csf/vars/Debian.yml
+
+csf_required_packages_dist:
+ - bind9-host
+ - libwww-perl
+ - liblwp-protocol-https-perl
diff --git a/vars/RedHat-6.yml b/vars/RedHat-6.yml
new file mode 100644
index 0000000..50cb233
--- /dev/null
+++ b/vars/RedHat-6.yml
@@ -0,0 +1,7 @@
+---
+# csf/vars/RedHat-6.yml
+
+csf_required_packages_dist:
+ - bind-utils
+ - perl-libwww-perl
+ - perl-Crypt-SSLeay
diff --git a/vars/RedHat-7.yml b/vars/RedHat-7.yml
new file mode 100644
index 0000000..43278d5
--- /dev/null
+++ b/vars/RedHat-7.yml
@@ -0,0 +1,7 @@
+---
+# csf/vars/RedHat-7.yml
+
+csf_required_packages_dist:
+ - bind-utils
+ - perl-libwww-perl
+ - perl-LWP-Protocol-https
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..41257fe
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,4 @@
+---
+# csf/vars/main.yml
+
+csf_required_packages_dist: []