authorMatthieu Saulnier <fantom@fedoraproject.org>2018-10-21 12:06:09 +0200
committerMatthieu Saulnier <fantom@fedoraproject.org>2018-10-21 12:06:09 +0200
commit70a98118cefc95c3fc131a9a9029c61153d9766e (patch)
tree9b099781694301ca3df52f1ef8e8327aa019b542 /roles/diagnostics
parentb79f383bc5d82302ee4e292c284e2482ae8fd24f (diff)
Split diagnostic tasks into a new role
Diffstat (limited to 'roles/diagnostics')
-rwxr-xr-xroles/diagnostics/files/aideinit.sh5
-rwxr-xr-xroles/diagnostics/files/aidereport.sh4
-rwxr-xr-xroles/diagnostics/files/eaureport.sh8
-rwxr-xr-xroles/diagnostics/files/rpmreport.sh3
-rwxr-xr-xroles/diagnostics/files/uptimereport.sh3
-rw-r--r--roles/diagnostics/handlers/aide.yml2
-rw-r--r--roles/diagnostics/handlers/main.yml2
-rw-r--r--roles/diagnostics/handlers/rkhunter.yml2
-rw-r--r--roles/diagnostics/tasks/aide.yml16
-rw-r--r--roles/diagnostics/tasks/cron.yml34
-rw-r--r--roles/diagnostics/tasks/main.yml18
-rw-r--r--roles/diagnostics/tasks/pkgs.yml16
-rw-r--r--roles/diagnostics/tasks/rkhunter.yml24
-rw-r--r--roles/diagnostics/tasks/selinux.yml6
-rw-r--r--roles/diagnostics/tasks/services.yml9
-rw-r--r--roles/diagnostics/templates/diskcheck.sh.j215
-rw-r--r--roles/diagnostics/templates/diskreport.sh.j215
17 files changed, 182 insertions, 0 deletions
diff --git a/roles/diagnostics/files/aideinit.sh b/roles/diagnostics/files/aideinit.sh
new file mode 100755
index 0000000..ae9eda7
--- /dev/null
+++ b/roles/diagnostics/files/aideinit.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+/usr/sbin/aide -i
+/bin/cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
+/sbin/restorecon -R /var/lib/aide/
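Review bot: The copy on the fourth line runs regardless of whether `aide -i` succeeded, so a failed or interrupted initialisation can still promote whatever `aide.db.new.gz` happens to be present (possibly one left over from an earlier run) to the trusted baseline. The sibling aidereport.sh already chains its copy with `&&`; this script should be at least as strict, either with `set -euo pipefail` right after the shebang or by writing the body as `/usr/sbin/aide -i && /bin/cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && /sbin/restorecon -R /var/lib/aide/`. Since this runs as an Ansible handler, a non-zero exit would then surface in the play instead of being hidden.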
diff --git a/roles/diagnostics/files/aidereport.sh b/roles/diagnostics/files/aidereport.sh
new file mode 100755
index 0000000..fa56fe4
--- /dev/null
+++ b/roles/diagnostics/files/aidereport.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/bash
+
+aide --update --verbose=20
+cp -f /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && echo "Updated database file: aide.db.gz"
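Review bot: The baseline is rotated unconditionally on the last line, so any change AIDE flags today is silently accepted into tomorrow's baseline; each detection is reported exactly once and then disappears, which is the opposite of what an integrity checker is for. If I recall correctly `aide --update` exits non-zero when the tree differs from the database, so the copy can be gated on the update's status, e.g. `aide --update --verbose=20 || { echo "aide reported changes (exit $?); baseline not rotated"; exit 0; }` before the existing `cp` line. That leaves the operator to accept the changes deliberately (re-running the initialize handler) after reviewing the cron mail, which is the usual AIDE workflow; a comment stating that policy at the top of the script would help the next maintainer.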
diff --git a/roles/diagnostics/files/eaureport.sh b/roles/diagnostics/files/eaureport.sh
new file mode 100755
index 0000000..119fc41
--- /dev/null
+++ b/roles/diagnostics/files/eaureport.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/bash
+
+aureport -a -ts yesterday -te today
+aureport -n -ts yesterday -te today
+aureport -r -ts yesterday -te today
+aureport -ma -i -ts yesterday -te today
+aureport -l --success -i -ts yesterday -te today
+aureport -l --failed -i -ts yesterday -te today
diff --git a/roles/diagnostics/files/rpmreport.sh b/roles/diagnostics/files/rpmreport.sh
new file mode 100755
index 0000000..25ca420
--- /dev/null
+++ b/roles/diagnostics/files/rpmreport.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+
+rpm -Va | grep -v /lib/modules/
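Review bot: The `grep -v /lib/modules/` filter drops every verification failure under /lib/modules, including modified or unexpected `.ko` files, which is precisely the class of change a monthly `rpm -Va` report should surface. If the intent is only to hide the depmod-generated `modules.*` index files (which legitimately differ from the package payload), narrow the exclusion to them, e.g. `rpm -Va | grep -v '/lib/modules/[^/]*/modules\.'`, and add a one-line comment explaining why those are excluded. Note also that the pipe discards rpm's own exit status, so a failing `rpm -Va` is indistinguishable from a clean one in the cron mail; `set -o pipefail` after the shebang makes that visible.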
diff --git a/roles/diagnostics/files/uptimereport.sh b/roles/diagnostics/files/uptimereport.sh
new file mode 100755
index 0000000..65a07ed
--- /dev/null
+++ b/roles/diagnostics/files/uptimereport.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+
+/usr/bin/uptime
diff --git a/roles/diagnostics/handlers/aide.yml b/roles/diagnostics/handlers/aide.yml
new file mode 100644
index 0000000..4d5cdfc
--- /dev/null
+++ b/roles/diagnostics/handlers/aide.yml
@@ -0,0 +1,2 @@
+- name: initialize aide
+ script: files/aideinit.sh
diff --git a/roles/diagnostics/handlers/main.yml b/roles/diagnostics/handlers/main.yml
new file mode 100644
index 0000000..037a724
--- /dev/null
+++ b/roles/diagnostics/handlers/main.yml
@@ -0,0 +1,2 @@
+- import_tasks: aide.yml
+- import_tasks: rkhunter.yml
diff --git a/roles/diagnostics/handlers/rkhunter.yml b/roles/diagnostics/handlers/rkhunter.yml
new file mode 100644
index 0000000..d332d08
--- /dev/null
+++ b/roles/diagnostics/handlers/rkhunter.yml
@@ -0,0 +1,2 @@
+- name: initialize rkhunter
+ command: /usr/bin/rkhunter --propupd
diff --git a/roles/diagnostics/tasks/aide.yml b/roles/diagnostics/tasks/aide.yml
new file mode 100644
index 0000000..a8640fd
--- /dev/null
+++ b/roles/diagnostics/tasks/aide.yml
@@ -0,0 +1,16 @@
+- name: Installation du HIDS AIDE
+ yum: name=aide state=present
+ when: ansible_pkg_mgr == "yum"
+
+- name: Installation du HIDS AIDE
+ dnf: name=aide state=present
+ when: ansible_pkg_mgr == "dnf"
+
+- name: Activation Cron du HIDS AIDE
+ copy:
+ src: aidereport.sh
+ dest: /etc/cron.daily/z-aidereport.sh
+ mode: 0755
+ when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 28 and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+ notify: initialize aide
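Review bot: The `when:` expression on the two lines above parses as `(Fedora and version >= 28 and role == "NA") or role == "host"`, because Jinja's `and` binds tighter than `or`, so every host reporting `ansible_virtualization_role == "host"` gets the AIDE cron job regardless of distribution or version. The intended condition needs parentheses around the virtualization alternatives: `when: ansible_distribution == "Fedora" and ansible_distribution_version|int >= 28 and (ansible_virtualization_role == "NA" or ansible_virtualization_role == "host")`. The same precedence mistake appears in tasks/pkgs.yml (both `ansible_architecture` conditions) and tasks/services.yml (the lm_sensors task), where it makes the x86_64 check ineffective on hosts with role "host".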
diff --git a/roles/diagnostics/tasks/cron.yml b/roles/diagnostics/tasks/cron.yml
new file mode 100644
index 0000000..7646287
--- /dev/null
+++ b/roles/diagnostics/tasks/cron.yml
@@ -0,0 +1,34 @@
+- name: Installation démon Cron
+ yum: name=crontabs state=present
+ when: ansible_pkg_mgr == "yum"
+
+- name: Installation démon Cron
+ dnf: name=crontabs state=present
+ when: ansible_pkg_mgr == "dnf"
+
+- name: Rapport disques durs
+ template: src=diskreport.sh.j2 dest=/etc/cron.daily/diskreport.sh mode=755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Rapport RPM Verify daily
+ file:
+ path: /etc/cron.daily/rpmreport.sh
+ state: absent
+
+- name: Rapport RPM Verify monthly
+ copy:
+ src: rpmreport.sh
+ dest: /etc/cron.monthly/rpmreport.sh
+ mode: 0755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Tests disques durs
+ template: src=diskcheck.sh.j2 dest=/etc/cron.weekly/diskcheck.sh mode=755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Rapport d'uptime des machines physiques
+ copy:
+ src: uptimereport.sh
+ dest: /etc/cron.weekly/a-uptimereport.sh
+ mode: 0755
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
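Review bot: The two `template:` tasks pass `mode=755` as a bare key=value while the `copy:` tasks in the same file use `mode: 0755`; the bare form happens to work because key=value parsing yields the string "755", but it relies on that detail and reads like the classic decimal-mode mistake. For consistency and to survive a later conversion to YAML-style arguments, write the mode the same way everywhere, e.g. `template: src=diskreport.sh.j2 dest=/etc/cron.daily/diskreport.sh mode=0755` (and likewise for diskcheck.sh). A short comment above the `state: absent` task saying that it removes the pre-split daily location of rpmreport.sh would also explain why a removal sits between the installs.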
diff --git a/roles/diagnostics/tasks/main.yml b/roles/diagnostics/tasks/main.yml
new file mode 100644
index 0000000..613a3b5
--- /dev/null
+++ b/roles/diagnostics/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Configuration démon Cron
+ import_tasks: cron.yml
+
+- name: Installation des logiciels de base
+ import_tasks: pkgs.yml
+
+- name: État des services
+ import_tasks: services.yml
+
+- name: Installation du HIDS AIDE
+ import_tasks: aide.yml
+
+- name: Installation de rkhunter
+ import_tasks: rkhunter.yml
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Crontasks pour SELinux
+ import_tasks: selinux.yml
diff --git a/roles/diagnostics/tasks/pkgs.yml b/roles/diagnostics/tasks/pkgs.yml
new file mode 100644
index 0000000..2861700
--- /dev/null
+++ b/roles/diagnostics/tasks/pkgs.yml
@@ -0,0 +1,16 @@
+- name: Installation des paquets disgnostic matériel
+ dnf: name={{ item }} state=present
+ with_items:
+ - hddtemp
+ - smartmontools
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Installation du paquet memtest pour archi x86_64
+ dnf: name=memtest86+ state=present
+ when: ansible_architecture == "x86_64" and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Installation du paquet lm_sensors pour archi x86_64
+ dnf: name=lm_sensors state=present
+ when: ansible_architecture == "x86_64" and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
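Review bot: This file uses the `dnf` module unconditionally, whereas tasks/aide.yml and tasks/cron.yml in the same commit branch on `ansible_pkg_mgr` and provide a `yum` variant; on a host where that branch matters (yum-only), these tasks will fail instead of being skipped. Either add the matching `yum:` tasks here, or, if the role is in practice only applied to Fedora hosts, state that in a comment at the top of the file so the yum branches elsewhere are understood as legacy. Independently of that, the `when:` lines in the two x86_64 tasks have the and/or precedence problem noted on tasks/aide.yml and need parentheses around the virtualization alternatives.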
diff --git a/roles/diagnostics/tasks/rkhunter.yml b/roles/diagnostics/tasks/rkhunter.yml
new file mode 100644
index 0000000..460073a
--- /dev/null
+++ b/roles/diagnostics/tasks/rkhunter.yml
@@ -0,0 +1,24 @@
+- name: Installation du HIDS rkhunter
+ dnf: name=rkhunter state=present
+ notify: initialize rkhunter
+
+- name: Activation de tests rkhunter
+ lineinfile: dest=/etc/rkhunter.conf state=present backrefs=yes
+ regexp="^DISABLE_TESTS=suspscan hidden_ports deleted_files packet_cap_apps apps"
+ line="DISABLE_TESTS=deleted_files"
+
+- name: Ajout de process en liste blanche
+ lineinfile:
+ path: /etc/rkhunter.conf
+ line: 'ALLOWPROCLISTEN=/usr/sbin/wpa_supplicant'
+
+- name: Ajout de process en liste blanche
+ lineinfile:
+ path: /etc/rkhunter.conf
+ line: 'ALLOWPROCLISTEN=/usr/sbin/arpwatch'
+
+- name: Ajout de fichier en liste blanche
+ lineinfile:
+ path: /etc/rkhunter.conf
+ insertafter: '^ALLOWDEVFILE=/dev/shm/squid-ssl_session_cache.shm'
+ line: 'ALLOWDEVFILE=/dev/shm/squid-tls_session_cache.shm'
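Review bot: The two `ALLOWPROCLISTEN` tasks carry the identical name "Ajout de process en liste blanche", which makes play output ambiguous and breaks `--start-at-task`; give each a distinct name such as `- name: Whitelist wpa_supplicant listener in rkhunter`. More importantly, each of these lines (the listener whitelist, the `/dev/shm` squid file, and the re-enabled tests on `DISABLE_TESTS`) weakens or tunes a detection, and nothing in the file records why, so a later reader cannot tell a deliberate exception from a leftover. A one-line comment per task naming the service that justifies the exception would make the exceptions reviewable; the `DISABLE_TESTS` task is also silently a no-op when the distribution default line changes, since `backrefs=yes` only rewrites an exact match, which is worth a comment too.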
diff --git a/roles/diagnostics/tasks/selinux.yml b/roles/diagnostics/tasks/selinux.yml
new file mode 100644
index 0000000..0acf948
--- /dev/null
+++ b/roles/diagnostics/tasks/selinux.yml
@@ -0,0 +1,6 @@
+- name: Rapport SELinux
+ copy:
+ src: eaureport.sh
+ dest: /etc/cron.daily/eaureport.sh
+ mode: 0755
+ when: ansible_selinux.status != "disabled"
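Review bot: The condition gates the audit report on SELinux status, but eaureport.sh only calls `aureport`, which depends on auditd and its logs rather than on SELinux; a host with SELinux disabled but auditd running gets no report, and a host in enforcing mode without audit installed gets a daily cron failure. Consider gating instead (or additionally) on the audit service being present, for instance by collecting `ansible_facts.services` or checking the package in a preceding task, and noting in a comment that the AVC section of the report is the only SELinux-specific part. If the SELinux condition is intentional because audit is assumed everywhere SELinux is on, a comment stating that assumption would prevent the next reader from treating this as a bug.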
diff --git a/roles/diagnostics/tasks/services.yml b/roles/diagnostics/tasks/services.yml
new file mode 100644
index 0000000..1baee1f
--- /dev/null
+++ b/roles/diagnostics/tasks/services.yml
@@ -0,0 +1,9 @@
+- name: Activation et démarrage du service lm_sensors
+ service: name=lm_sensors state=started enabled=yes
+ when: ansible_architecture == "x86_64" and
+ ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
+- name: Activation et démarrage du service Smartd
+ service: name=smartd state=started enabled=yes
+ when: ansible_virtualization_role == "NA" or ansible_virtualization_role == "host"
+
diff --git a/roles/diagnostics/templates/diskcheck.sh.j2 b/roles/diagnostics/templates/diskcheck.sh.j2
new file mode 100644
index 0000000..137dfdc
--- /dev/null
+++ b/roles/diagnostics/templates/diskcheck.sh.j2
@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+
+{% if ansible_devices.sda is defined and ansible_devices.sda.removable == "0" %}
+smartctl -t long /dev/sda
+{% endif %}
+{% if ansible_devices.sdb is defined and ansible_devices.sdb.removable == "0" %}
+smartctl -t long /dev/sdb
+{% endif %}
+{% if ansible_devices.sdc is defined and ansible_devices.sdc.removable == "0" %}
+smartctl -t long /dev/sdc
+{% endif %}
+{% if ansible_devices.sdd is defined and ansible_devices.sdd.removable == "0" %}
+smartctl -t long /dev/sdd
+{% endif %}
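Review bot: The template hard-codes `sda` through `sdd`, so a host with a fifth SATA disk, or with NVMe (`nvme0n1`) or virtio devices, silently gets no self-test scheduled, and the four near-identical blocks have to be kept in sync by hand. Iterating over the facts already used here covers all non-removable `sd*` devices in three lines: `{% for name, dev in ansible_devices.items() if name.startswith('sd') and dev.removable == "0" %}`, `smartctl -t long /dev/{{ name }}`, `{% endfor %}`; NVMe devices would still need their own branch because `smartctl` addresses them differently, which the comment above the loop should say. templates/diskreport.sh.j2 has the same structure and the same gap.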
diff --git a/roles/diagnostics/templates/diskreport.sh.j2 b/roles/diagnostics/templates/diskreport.sh.j2
new file mode 100644
index 0000000..e27f70e
--- /dev/null
+++ b/roles/diagnostics/templates/diskreport.sh.j2
@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+
+{% if ansible_devices.sda is defined and ansible_devices.sda.removable == "0" %}
+smartctl -HAl error /dev/sda
+{% endif %}
+{% if ansible_devices.sdb is defined and ansible_devices.sdb.removable == "0" %}
+smartctl -HAl error /dev/sdb
+{% endif %}
+{% if ansible_devices.sdc is defined and ansible_devices.sdc.removable == "0" %}
+smartctl -HAl error /dev/sdc
+{% endif %}
+{% if ansible_devices.sdd is defined and ansible_devices.sdd.removable == "0" %}
+smartctl -HAl error /dev/sdd
+{% endif %}