Добавить ansible.yml

ansible.yml

@@ -0,0 +1,137 @@
+- hosts: log-server
+  become: true
+  tasks:
+
+    - name: enable UDP remote suslog
+      lineinfile:
+        path: /etc/rsyslog.conf
+        regexp: '^#module\(load="imudp"\)'
+        line: 'module(load="imudp")'
+      notify: restart syslog
+
+    - name: enable UDP remote suslog port
+      lineinfile:
+        path: /etc/rsyslog.conf
+        regexp: '^#input\(type="imudp" port="514"\)'
+        line: 'input(type="imudp" port="514")'
+      notify: restart syslog
+
+    - name: enable TCP remote suslog
+      lineinfile:
+        path: /etc/rsyslog.conf
+        regexp: '^#module\(load="imtcp"\)'
+        line: 'module(load="imtcp")'
+      notify: restart syslog
+
+    - name: enable TCP remote suslog port
+      lineinfile:
+        path: /etc/rsyslog.conf
+        regexp: '^#input\(type="imtcp" port="514"\)'
+        line: 'input(type="imtcp" port="514")'
+      notify: restart syslog
+
+    - name: conf remote suslog
+      blockinfile:
+        path: /etc/rsyslog.conf
+        block: |
+          if ($fromhost-ip != '127.0.0.1' and $msg contains 'msg=audit') then {
+            set $.progname_change = "audit";
+          } else {
+            set $.progname_change = $programname;
+          }
+
+          $template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%$.progname_change%.log"
+          *.* ?RemoteLogs
+          & ~
+      notify: restart syslog
+
+  handlers:
+    - name: restart syslog
+      systemd:
+        name: syslog
+        state: restarted
+
+
+- hosts: nginx
+  become: true
+  tasks:
+
+    - name: update 
+      apt:
+        update_cache: yes 
+
+    - name: install nginx 
+      apt:
+        name: nginx
+
+    - name: install auditd & audispd-plugins
+      apt:
+        name: 
+          - auditd
+          - audispd-plugins
+        state: present
+
+    - name: enable UDP remote suslog
+      lineinfile:
+        path: /etc/nginx/nginx.conf
+        regexp: '^(\s*)access_log /var/log/nginx/access.log;'
+        line: '\1access_log syslog:server=192.168.80.30:514,tag=nginx_access;'
+        backrefs: yes
+      notify: restart nginx
+
+    - name: enable UDP remote suslog
+      lineinfile:
+        path: /etc/nginx/nginx.conf
+        regexp: '(^(\s*)error_log /var/log/nginx/error.log;)'
+        line: '\1\n\2error_log syslog:server=192.168.80.30:514,tag=nginx_error;'
+        backrefs: yes
+      notify: restart nginx
+
+    - name: Create audit rule for nginx config
+      blockinfile:
+        path: /etc/audit/rules.d/audit.rules
+        block: |
+          -w /etc/nginx/nginx.conf -p wa -k nginx_config
+          -w /etc/nginx/sites-available/ -p wa -k nginx_config
+          -w /etc/nginx/sites-enabled/ -p wa -k nginx_config
+      notify: restart auditd
+
+    - name: change audisp-remote conf ip
+      lineinfile:
+        path: /etc/audit/audisp-remote.conf
+        regexp: '^remote_server ='
+        line: 'remote_server = 192.168.80.30'
+      notify: restart auditd
+
+    - name: change audisp-remote conf port
+      lineinfile:
+        path: /etc/audit/audisp-remote.conf
+        regexp: '^port = 60'
+        line: 'port = 514'
+      notify: restart auditd
+
+    - name: change audisp-remote conf format
+      lineinfile:
+        path: /etc/audit/audisp-remote.conf
+        regexp: '^format = managed'
+        line: 'format = ascii'
+      notify: restart auditd
+
+    - name: change au-remote conf
+      lineinfile:
+        path: /etc/audit/plugins.d/au-remote.conf
+        regexp: '^active = no'
+        line: 'active = yes'
+      notify: restart auditd
+
+  handlers:
+    - name: restart nginx
+      systemd:
+        name: nginx
+        state: restarted
+
+    - name: restart auditd
+      systemd:
+        name: auditd
+        state: restarted
+