From 83353a87b71b5a4b58433fab71b9ce60be7eb50f Mon Sep 17 00:00:00 2001
From: alex
Date: Sun, 1 Mar 2026 19:20:55 +0300
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20ansible.yml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
ansible.yml | 137 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 137 insertions(+)
create mode 100644 ansible.yml
diff --git a/ansible.yml b/ansible.yml
new file mode 100644
index 0000000..f168c3f
--- /dev/null
+++ b/ansible.yml
@@ -0,0 +1,137 @@
+- hosts: log-server
+ become: true
+ tasks:
+
+ - name: enable UDP remote suslog
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^#module\(load="imudp"\)'
+ line: 'module(load="imudp")'
+ notify: restart syslog
+
+ - name: enable UDP remote suslog port
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^#input\(type="imudp" port="514"\)'
+ line: 'input(type="imudp" port="514")'
+ notify: restart syslog
+
+ - name: enable TCP remote suslog
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^#module\(load="imtcp"\)'
+ line: 'module(load="imtcp")'
+ notify: restart syslog
+
+ - name: enable TCP remote suslog port
+ lineinfile:
+ path: /etc/rsyslog.conf
+ regexp: '^#input\(type="imtcp" port="514"\)'
+ line: 'input(type="imtcp" port="514")'
+ notify: restart syslog
+
+ - name: conf remote suslog
+ blockinfile:
+ path: /etc/rsyslog.conf
+ block: |
+ if ($fromhost-ip != '127.0.0.1' and $msg contains 'msg=audit') then {
+ set $.progname_change = "audit";
+ } else {
+ set $.progname_change = $programname;
+ }
+
+ $template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%$.progname_change%.log"
+ *.* ?RemoteLogs
+ & ~
+ notify: restart syslog
+
+ handlers:
+ - name: restart syslog
+ systemd:
+ name: syslog
+ state: restarted
+
+
+- hosts: nginx
+ become: true
+ tasks:
+
+ - name: update
+ apt:
+ update_cache: yes
+
+ - name: install nginx
+ apt:
+ name: nginx
+
+ - name: install auditd & audispd-plugins
+ apt:
+ name:
+ - auditd
+ - audispd-plugins
+ state: present
+
+ - name: enable UDP remote suslog
+ lineinfile:
+ path: /etc/nginx/nginx.conf
+ regexp: '^(\s*)access_log /var/log/nginx/access.log;'
+ line: '\1access_log syslog:server=192.168.80.30:514,tag=nginx_access;'
+ backrefs: yes
+ notify: restart nginx
+
+ - name: enable UDP remote suslog
+ lineinfile:
+ path: /etc/nginx/nginx.conf
+ regexp: '(^(\s*)error_log /var/log/nginx/error.log;)'
+ line: '\1\n\2error_log syslog:server=192.168.80.30:514,tag=nginx_error;'
+ backrefs: yes
+ notify: restart nginx
+
+ - name: Create audit rule for nginx config
+ blockinfile:
+ path: /etc/audit/rules.d/audit.rules
+ block: |
+ -w /etc/nginx/nginx.conf -p wa -k nginx_config
+ -w /etc/nginx/sites-available/ -p wa -k nginx_config
+ -w /etc/nginx/sites-enabled/ -p wa -k nginx_config
+ notify: restart auditd
+
+ - name: change audisp-remote conf ip
+ lineinfile:
+ path: /etc/audit/audisp-remote.conf
+ regexp: '^remote_server ='
+ line: 'remote_server = 192.168.80.30'
+ notify: restart auditd
+
+ - name: change audisp-remote conf port
+ lineinfile:
+ path: /etc/audit/audisp-remote.conf
+ regexp: '^port = 60'
+ line: 'port = 514'
+ notify: restart auditd
+
+ - name: change audisp-remote conf format
+ lineinfile:
+ path: /etc/audit/audisp-remote.conf
+ regexp: '^format = managed'
+ line: 'format = ascii'
+ notify: restart auditd
+
+ - name: change au-remote conf
+ lineinfile:
+ path: /etc/audit/plugins.d/au-remote.conf
+ regexp: '^active = no'
+ line: 'active = yes'
+ notify: restart auditd
+
+ handlers:
+ - name: restart nginx
+ systemd:
+ name: nginx
+ state: restarted
+
+ - name: restart auditd
+ systemd:
+ name: auditd
+ state: restarted
+
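Review bot: The second nginx `lineinfile` task (`regexp: '(^(\s*)error_log /var/log/nginx/error.log;)'` with `line: '\1\n\2error_log syslog:...'`) is not idempotent: the expanded replacement keeps the original `error_log` directive, so on every subsequent run the regexp matches that line again and a further `error_log syslog:server=...` line is inserted below it. A plain `lineinfile` keyed on the syslog directive itself, using `insertafter` to place it under the existing `error_log` line, adds it once and is stable across runs (sketch below). Both nginx tasks also carry the same name `enable UDP remote suslog` (the `suslog` typo recurs in the log-server play), which makes run output and `--start-at-task` ambiguous; give each task a distinct name such as `send nginx error log to remote syslog`. On the log-server play, the `imudp`/`imtcp` inputs on port 514 accept unauthenticated plaintext from any source address, so restrict them (`address=` on the `input(...)` line or host firewall rules), and because `$programname` in the `RemoteLogs` dynamic file path comes from the client-supplied TAG, it should be treated as untrusted — if rsyslog's programname extraction does not already strip path separators on this version, apply `secpath-replace` in the template; the `restart auditd` handler may also fail on distributions whose auditd unit sets `RefuseManualStop=yes`, in which case `service auditd restart` (or `augenrules --load`) is needed instead of a systemd restart.

```yaml
# … unchanged: access_log task …
  - name: send nginx error log to remote syslog
    lineinfile:
      path: /etc/nginx/nginx.conf
      regexp: '^\s*error_log syslog:server='
      line: 'error_log syslog:server=192.168.80.30:514,tag=nginx_error;'
      insertafter: '^\s*error_log /var/log/nginx/error.log;'
    notify: restart nginx
# … unchanged: audit rule and audisp-remote tasks …
```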