authorMatthieu Saulnier <fantom@fedoraproject.org>2018-10-21 12:06:09 +0200
committerMatthieu Saulnier <fantom@fedoraproject.org>2018-10-21 12:06:09 +0200
commit70a98118cefc95c3fc131a9a9029c61153d9766e (patch)
tree9b099781694301ca3df52f1ef8e8327aa019b542 /roles/diagnostics/tasks
parentb79f383bc5d82302ee4e292c284e2482ae8fd24f (diff)
Split diagnostic tasks into a new role
Diffstat (limited to 'roles/diagnostics/tasks')
-rw-r--r--roles/diagnostics/tasks/aide.yml16
-rw-r--r--roles/diagnostics/tasks/cron.yml34
-rw-r--r--roles/diagnostics/tasks/main.yml18
-rw-r--r--roles/diagnostics/tasks/pkgs.yml16
-rw-r--r--roles/diagnostics/tasks/rkhunter.yml24
-rw-r--r--roles/diagnostics/tasks/selinux.yml6
-rw-r--r--roles/diagnostics/tasks/services.yml9
7 files changed, 123 insertions, 0 deletions
diff --git a/roles/diagnostics/tasks/aide.yml b/roles/diagnostics/tasks/aide.yml
new file mode 100644
index 0000000..a8640fd
--- /dev/null
+++ b/roles/diagnostics/tasks/aide.yml
@@ -0,0 +1,16 @@
+- name: Installation du HIDS AIDE
+ yum: name=aide state=present
+ when: ansible_pkg_mgr == "yum"
+
+- name: Installation du HIDS AIDE
+ dnf: name=aide state=present
+ when: ansible_pkg_mgr == "dnf"
+
+- name: Activation Cron du HIDS AIDE
+ copy:
+ src: aidereport.sh
+ dest: /etc/cron.daily/z-aidereport.sh
+ mode: 0755
+ when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 28 and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+ notify: initialize aide
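Review bot: The `when` on the "Activation Cron du HIDS AIDE" task mixes `and` and `or` without parentheses. Because `and` binds tighter in Jinja2, it evaluates as `(Fedora and version >= 28 and role == "NA") or role == "host"`, so any host with virtualization role "host" gets the AIDE cron script and triggers the handler, whatever its distribution or version. If the intent is Fedora 28+ on bare metal or hypervisors, group the alternatives: `when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 28 and ansible_virtualization_role in ["NA", "host"]`. The same unparenthesised pattern appears in pkgs.yml (memtest86+ and lm_sensors tasks) and services.yml (lm_sensors service), where the x86_64 test is bypassed for role "host".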
diff --git a/roles/diagnostics/tasks/cron.yml b/roles/diagnostics/tasks/cron.yml
new file mode 100644
index 0000000..7646287
--- /dev/null
+++ b/roles/diagnostics/tasks/cron.yml
@@ -0,0 +1,34 @@
+- name: Installation démon Cron
+ yum: name=crontabs state=present
+ when: ansible_pkg_mgr == "yum"
+
+- name: Installation démon Cron
+ dnf: name=crontabs state=present
+ when: ansible_pkg_mgr == "dnf"
+
+- name: Rapport disques durs
+ template: src=diskreport.sh.j2 dest=/etc/cron.daily/diskreport.sh mode=755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Rapport RPM Verify daily
+ file:
+ path: /etc/cron.daily/rpmreport.sh
+ state: absent
+
+- name: Rapport RPM Verify monthly
+ copy:
+ src: rpmreport.sh
+ dest: /etc/cron.monthly/rpmreport.sh
+ mode: 0755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Tests disques durs
+ template: src=diskcheck.sh.j2 dest=/etc/cron.weekly/diskcheck.sh mode=755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Rapport d'uptime des machines physiques
+ copy:
+ src: uptimereport.sh
+ dest: /etc/cron.weekly/a-uptimereport.sh
+ mode: 0755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
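Review bot: None of the `copy`/`template` tasks that drop scripts into /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly pins ownership, although cron runs those scripts as root. A file that already exists keeps its current owner, and a new one is owned by whichever user the play runs as. Adding `owner: root` and `group: root` to each of these tasks makes the result independent of how the play is invoked. The copy tasks in aide.yml and selinux.yml have the same gap.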
diff --git a/roles/diagnostics/tasks/main.yml b/roles/diagnostics/tasks/main.yml
new file mode 100644
index 0000000..613a3b5
--- /dev/null
+++ b/roles/diagnostics/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Configuration démon Cron
+ import_tasks: cron.yml
+
+- name: Installation des logiciels de base
+ import_tasks: pkgs.yml
+
+- name: État des services
+ import_tasks: services.yml
+
+- name: Installation du HIDS AIDE
+ import_tasks: aide.yml
+
+- name: Installation de rkhunter
+ import_tasks: rkhunter.yml
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Crontasks pour SELinux
+ import_tasks: selinux.yml
diff --git a/roles/diagnostics/tasks/pkgs.yml b/roles/diagnostics/tasks/pkgs.yml
new file mode 100644
index 0000000..2861700
--- /dev/null
+++ b/roles/diagnostics/tasks/pkgs.yml
@@ -0,0 +1,16 @@
+- name: Installation des paquets disgnostic matériel
+ dnf: name={{ item }} state=present
+ with_items:
+ - hddtemp
+ - smartmontools
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Installation du paquet memtest pour archi x86_64
+ dnf: name=memtest86+ state=present
+ when: ansible_architecture == "x86_64" and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Installation du paquet lm_sensors pour archi x86_64
+ dnf: name=lm_sensors state=present
+ when: ansible_architecture == "x86_64" and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
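Review bot: All three tasks call `dnf` unconditionally, whereas aide.yml and cron.yml branch on `ansible_pkg_mgr` to support yum hosts as well; on a yum-only host these tasks would presumably fail. The generic module avoids both the failure and the duplicated yum/dnf pairs, e.g. `package: name=memtest86+ state=present`. The first task can also pass the list directly instead of looping: `name: [hddtemp, smartmontools]`. rkhunter.yml has the same hard-coded `dnf` on its install task.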
diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml
new file mode 100644
index 0000000..460073a
--- /dev/null
+++ b/roles/diagnostics/tasks/rkhunter.yml
@@ -0,0 +1,24 @@
+- name: Installation du HIDS rkhunter
+ dnf: name=rkhunter state=present
+ notify: initialize rkhunter
+
+- name: Activation de tests rkhunter
+ lineinfile: dest=/etc/rkhunter.conf state=present backrefs=yes
+ regexp="^DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps"
+ line="DISABLE_TESTS=deleted_files"
+
+- name: Ajout de process en liste blanche
+ lineinfile:
+ path: /etc/rkhunter.conf
+ line: 'ALLOWPROCLISTEN=/usr/sbin/wpa_supplicant'
+
+- name: Ajout de process en liste blanche
+ lineinfile:
+ path: /etc/rkhunter.conf
+ line: 'ALLOWPROCLISTEN=/usr/sbin/arpwatch'
+
+- name: Ajout de fichier en liste blanche
+ lineinfile:
+ path: /etc/rkhunter.conf
+ insertafter: '^ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm'
+ line: 'ALLOWDEVFILE=/dev/shm/squid-tls_session_cache.shm'
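Review bot: The "Activation de tests rkhunter" task only rewrites `DISABLE_TESTS` when the file contains the exact packaged default string. With `backrefs=yes`, a non-matching regexp leaves the file untouched and the task reports success. If a package update changes that default, suspscan, hidden_ports and the other checks stay disabled with no signal. Matching on the key alone and dropping `backrefs` makes the setting deterministic: `regexp="^DISABLE_TESTS=" line="DISABLE_TESTS=deleted_files"`. It would also help to give the two "Ajout de process en liste blanche" tasks distinct names so run output shows which whitelist entry changed.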
diff --git a/roles/diagnostics/tasks/selinux.yml b/roles/diagnostics/tasks/selinux.yml
new file mode 100644
index 0000000..0acf948
--- /dev/null
+++ b/roles/diagnostics/tasks/selinux.yml
@@ -0,0 +1,6 @@
+- name: Rapport SELinux
+ copy:
+ src: eaureport.sh
+ dest: /etc/cron.daily/eaureport.sh
+ mode: 0755
+ when: ansible_selinux.status != "disabled"
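Review bot: The condition `ansible_selinux.status != "disabled"` deploys the report on every host whose fact is anything other than the literal "disabled". That presumably includes hosts where the SELinux state could not be determined, for instance when the SELinux Python bindings are missing; this is worth confirming for the Ansible version in use. A positive match states the intent directly and skips those hosts: `when: ansible_selinux.status == "enabled"`.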
diff --git a/roles/diagnostics/tasks/services.yml b/roles/diagnostics/tasks/services.yml
new file mode 100644
index 0000000..1baee1f
--- /dev/null
+++ b/roles/diagnostics/tasks/services.yml
@@ -0,0 +1,9 @@
+- name: Activation et démarrage du service lm_sensors
+ service: name=lm_sensors state=started enabled=yes
+ when: ansible_architecture == "x86_64" and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Activation et démarrage du service Smartd
+ service: name=smartd state=started enabled=yes
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+