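# Play 1: central log server. Enables rsyslog's UDP and TCP listeners on
# port 514 and files every received message under
# /var/log/rsyslog/<sender-ip>/<program>.log.
- hosts: log-server
  become: true

  tasks:
    # Debian/Ubuntu ship these directives commented out in /etc/rsyslog.conf.
    # `^#?` matches both the commented and the already-enabled form, so the
    # task converges on the same line whatever state the file is in.
    - name: enable UDP remote syslog module
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?module\(load="imudp"\)'
        line: 'module(load="imudp")'
      notify: restart syslog

    - name: enable UDP remote syslog port
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?input\(type="imudp" port="514"\)'
        line: 'input(type="imudp" port="514")'
      notify: restart syslog

    - name: enable TCP remote syslog module
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?module\(load="imtcp"\)'
        line: 'module(load="imtcp")'
      notify: restart syslog

    - name: enable TCP remote syslog port
      lineinfile:
        path: /etc/rsyslog.conf
        regexp: '^#?input\(type="imtcp" port="514"\)'
        line: 'input(type="imtcp" port="514")'
      notify: restart syslog

    # NOTE(review): the listeners above accept from any source address, and
    # both %fromhost-ip% and %$.progname_change% in the template below are
    # taken from the received message, so they become path components under
    # /var/log/rsyslog. Restrict senders (host firewall or rsyslog's
    # AllowedSender) and confirm the secpath-* property-replacer options
    # cover the programname part before exposing this to untrusted networks.
    - name: route remote messages into per-sender log files
      blockinfile:
        path: /etc/rsyslog.conf
        # Explicit marker so a second blockinfile on this file cannot
        # collide with the default one.
        marker: "# {mark} ANSIBLE MANAGED BLOCK: remote log routing"
        block: |
          if ($fromhost-ip != '127.0.0.1' and $msg contains 'msg=audit') then {
              set $.progname_change = "audit";
          } else {
              set $.progname_change = $programname;
          }

          $template RemoteLogs,"/var/log/rsyslog/%fromhost-ip%/%$.progname_change%.log"
          *.* ?RemoteLogs
          & stop
      notify: restart syslog

  handlers:
    # Restart the rsyslog unit itself; the package's `syslog` alias points
    # at the same unit but the real name is unambiguous.
    - name: restart syslog
      systemd:
        name: rsyslog
        state: restarted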
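# Play 2: web servers. Installs nginx and auditd, forwards nginx access and
# error logs to the central syslog host, watches the nginx configuration
# with audit rules, and ships audit events to the same host via audisp-remote.
- hosts: nginx
  become: true

  vars:
    # Central rsyslog host and port, referenced by every forwarding task
    # below; change here rather than in each task.
    log_server_ip: "192.168.80.30"
    log_server_port: 514

  tasks:
    - name: update apt cache
      apt:
        update_cache: true

    - name: install nginx
      apt:
        name: nginx
        state: present

    - name: install auditd & audispd-plugins
      apt:
        name:
          - auditd
          - audispd-plugins
        state: present

    # Replaces the file-based access_log with a syslog target, keeping the
    # original indentation via the captured group. With backrefs, a rerun
    # that no longer matches leaves the file unchanged.
    - name: send nginx access log to remote syslog
      lineinfile:
        path: /etc/nginx/nginx.conf
        regexp: '^(\s*)access_log /var/log/nginx/access\.log;'
        line: '\1access_log syslog:server={{ log_server_ip }}:{{ log_server_port }},tag=nginx_access;'
        backrefs: true
      notify: restart nginx

    # Adds a syslog error_log alongside the file one. regexp targets the
    # managed syslog line so reruns update it in place; the previous
    # backrefs-with-\n approach re-matched the file error_log on every run
    # and appended a duplicate syslog line each time.
    - name: send nginx error log to remote syslog
      lineinfile:
        path: /etc/nginx/nginx.conf
        regexp: '^\s*error_log syslog:server='
        line: 'error_log syslog:server={{ log_server_ip }}:{{ log_server_port }},tag=nginx_error;'
        insertafter: '^\s*error_log /var/log/nginx/error\.log;'
      notify: restart nginx

    # Watch the nginx configuration for writes and attribute changes.
    - name: create audit rules for nginx config
      blockinfile:
        path: /etc/audit/rules.d/audit.rules
        marker: "# {mark} ANSIBLE MANAGED BLOCK: nginx config watches"
        block: |
          -w /etc/nginx/nginx.conf -p wa -k nginx_config
          -w /etc/nginx/sites-available/ -p wa -k nginx_config
          -w /etc/nginx/sites-enabled/ -p wa -k nginx_config
      notify: restart auditd

    # audisp-remote settings. Each regexp anchors on the key only, so the
    # task converges regardless of the value currently in the file.
    - name: set audisp-remote server address
      lineinfile:
        path: /etc/audit/audisp-remote.conf
        regexp: '^remote_server ='
        line: 'remote_server = {{ log_server_ip }}'
      notify: restart auditd

    - name: set audisp-remote server port
      lineinfile:
        path: /etc/audit/audisp-remote.conf
        regexp: '^port ='
        line: 'port = {{ log_server_port }}'
      notify: restart auditd

    # NOTE(review): ascii format over the default transport is unencrypted;
    # confirm the path to the log server is a trusted segment.
    - name: set audisp-remote format
      lineinfile:
        path: /etc/audit/audisp-remote.conf
        regexp: '^format ='
        line: 'format = ascii'
      notify: restart auditd

    - name: activate au-remote plugin
      lineinfile:
        path: /etc/audit/plugins.d/au-remote.conf
        regexp: '^active ='
        line: 'active = yes'
      notify: restart auditd

  handlers:
    - name: restart nginx
      systemd:
        name: nginx
        state: restarted

    # NOTE(review): upstream auditd.service refuses manual stop/restart via
    # systemctl on some distributions; if this handler fails, fall back to
    # `service auditd restart` or `augenrules --load`.
    - name: restart auditd
      systemd:
        name: auditd
        state: restarted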