Commit e2a969fd authored by Alexander Withers

Initial commit

playbook.log
sites.retry
site.retry
SDAIA Project
=============
CICI: Secure Data Architecture: Shared Intelligence Platform for Protecting our National Cyberinfrastructure
ACI Award Number:1547249
[defaults]
sudo=yes
host_key_checking=False
hostfile=hosts
log_path=./playbook.log
retry_files_enabled=False
[privilege_escalation]
become_method = sudo
become_user = root
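Review bot: `host_key_checking=False` on line 15 disables SSH host-key verification for every inventory host, so a re-keyed or impersonated host is accepted silently; the second ansible.cfg in this commit repeats it as `host_key_checking = False`. If the only target is localhost via `-c local`, as ansible.sh suggests, the check never fires and the line can simply be dropped; for remote hosts, pre-seed known_hosts and keep the default. Separately, `sudo=yes` and `hostfile=hosts` are the older spellings that the `ansible>=2.2.1.0` installed by this commit reports as deprecated, as far as I recall — the current forms are `become=yes` under `[privilege_escalation]` (next to the existing `become_method = sudo`) and `inventory=hosts`. The file also mixes `key=value` and `key = value` spacing between its two sections; pick one.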
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# IPython Notebook
.ipynb_checkpoints
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# dotenv
.env
# virtualenv
venv/
ENV/
# Spyder project settings
.spyderproject
# Rope project settings
.ropeproject
***Release: https://github.com/csirtgadgets/bearded-avenger-deploymentkit/archive/3.0.0a5.tar.gz***
#e -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"
VAGRANTFILE_LOCAL = 'Vagrantfile.local'
sdist=ENV['CIF_ANSIBLE_SDIST']
es=ENV['CIF_ANSIBLE_ES']
es_nodes=ENV['CIF_ANSIBLE_ES_NODES']
hunter_threads=ENV['CIF_HUNTER_THREADS']
geo_fqdn=ENV['CIF_GATHERER_GEO_FQDN']
$script = <<SCRIPT
export CIF_ANSIBLE_SDIST=#{sdist}
export CIF_ANSIBLE_ES=#{es}
export CIF_ANSIBLE_ES_NODES=#{es_nodes}
export CIF_HUNTER_THREADS=#{hunter_threads}
export CIF_GATHERER_GEO_FQDN=#{geo_fqdn}
export CIF_BOOTSTRAP_TEST=1
cd /vagrant
bash easybutton.sh
SCRIPT
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.provision "shell", inline: $script
config.vm.box = 'ubuntu/xenial64'
config.vm.network :forwarded_port, guest: 443, host: 8443
config.vm.network :forwarded_port, guest: 5000, host: 5000
config.vm.network :forwarded_port, guest: 9200, host: 9200
config.vm.provider :virtualbox do |vb|
vb.customize ["modifyvm", :id, "--cpus", "2", "--ioapic", "on", "--memory", "2048" ]
if #{es} == '1'
vb.customize ["modifyvm", :id, "--cpus", "2", "--ioapic", "on", "--memory", "4096" ]
end
end
if File.file?(VAGRANTFILE_LOCAL)
external = File.read VAGRANTFILE_LOCAL
eval external
end
end
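Review bot: `if #{es} == '1'` on line 123 does not test the variable: outside a string literal `#` begins a Ruby comment, so the line reduces to a bare `if`, and the `vb.customize [... "--memory", "4096"]` call on the following line appears to be parsed as the condition — it runs on every box, and the ES-only 4096 MB override becomes unconditional. The fix is `if es == '1'`. The heredoc also splices host environment values into the shell script unquoted (`export CIF_ANSIBLE_SDIST=#{sdist}`); an unset variable yields an empty export, but a value containing whitespace or shell metacharacters breaks the script, so `require 'shellwords'` with `#{Shellwords.escape(sdist.to_s)}` would be safer, and the same applies to the centos7 and trusty64 Vagrantfiles that follow. `#e -*- mode: ruby -*-` on the first line of all three files looks like a typo for `# -*- mode: ruby -*-`.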
#e -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"
VAGRANTFILE_LOCAL = 'Vagrantfile.local'
sdist=ENV['CIF_ANSIBLE_SDIST']
es=ENV['CIF_ANSIBLE_ES']
$script = <<SCRIPT
export CIF_ANSIBLE_SDIST=#{sdist}
export CIF_ANSIBLE_ES=#{es}
export CIF_BOOTSTRAP_TEST=1
cd /vagrant
bash easybutton.sh
SCRIPT
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.box = 'geerlingguy/centos7'
config.vm.provision "shell", inline: $script
config.vm.network :forwarded_port, guest: 443, host: 8443
config.vm.provider :virtualbox do |vb|
vb.customize ["modifyvm", :id, "--cpus", "2", "--ioapic", "on", "--memory", "2048" ]
end
if File.file?(VAGRANTFILE_LOCAL)
external = File.read VAGRANTFILE_LOCAL
eval external
end
end
#e -*- mode: ruby -*-
# vi: set ft=ruby :
# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"
VAGRANTFILE_LOCAL = 'Vagrantfile.local'
sdist=ENV['CIF_ANSIBLE_SDIST']
es=ENV['CIF_ANSIBLE_ES']
$script = <<SCRIPT
export CIF_ANSIBLE_SDIST=#{sdist}
export CIF_ANSIBLE_ES=#{es}
export CIF_BOOTSTRAP_TEST=1
cd /vagrant
bash easybutton.sh
SCRIPT
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.provision "shell", inline: $script
config.vm.box = 'ubuntu/trusty64'
config.vm.network :forwarded_port, guest: 443, host: 8443
config.vm.provider :virtualbox do |vb|
vb.customize ["modifyvm", :id, "--cpus", "2", "--ioapic", "on", "--memory", "2048" ]
end
if File.file?(VAGRANTFILE_LOCAL)
external = File.read VAGRANTFILE_LOCAL
eval external
end
end
#!/bin/bash
set -e
echo 'installing ansible...'
sudo pip install 'setuptools>=18.3,<34.0' 'ansible>=2.2.1.0'
echo 'running ansible...'
ansible-playbook -i "localhost," -c local site.yml -vv
\ No newline at end of file
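Review bot: `sudo pip install 'setuptools>=18.3,<34.0' 'ansible>=2.2.1.0'` on line 187 installs an open-ended version range as root with no hash pinning, so the tool that then provisions the host with root privileges is whatever PyPI serves on the day of the build. Pin exact versions (`'ansible==2.2.1.0'`-style, or a requirements file installed with `--require-hashes`) so bootstrap runs are reproducible and a replaced release cannot silently change the provisioning. The `-vv` on the ansible-playbook line, combined with `log_path=./playbook.log` in ansible.cfg, writes task output to disk; if any vars carry credentials, a comment noting that playbook.log may contain them would help whoever later reads or ships the log.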
# Ansible config file
[defaults]
hostfile = hosts
private_key_file = ~/.ssh/id_rsa
host_key_checking = False
roles_path = ../roles
[privilege_escalation]
become_method = sudo
become_user = root
\ No newline at end of file
#!/bin/bash
export CIF_ELASTICSEARCH=$CIF_ELASTICSEARCH
export CIF_ANSIBLE_SDIST=$CIF_ANSIBLE_SDIST
export CIF_HUNTER_THREADS=$CIF_HUNTER_THREADS
export CIF_GATHERER_GEO_FQDN=$CIF_GATHERER_GEO_FQDN
export CIF_HUNTER_ADVANCED=$CIF_HUNTER_ADVANCED
set -e
yum -y install epel-release
yum -y update
echo 'updating apt-get tree and installing python-pip'
sudo yum install -y gcc python-pip python-devel git libffi-devel openssl-devel
bash ../ansible.sh
if [[ "$CIF_BOOTSTRAP_TEST" -eq '1' ]]; then
bash ../test.sh
fi
\ No newline at end of file
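Review bot: `yum -y install epel-release` and `yum -y update` run without sudo while the next step is `sudo yum install ...`; with `set -e` already in effect on line 207, the script aborts at line 208 unless it is already root, and if it is root the `sudo` on line 211 is redundant. Pick one model — drop `sudo` and state in a header comment that the script expects root, or prefix all three. The message `echo 'updating apt-get tree and installing python-pip'` is carried over from a Debian script and misdescribes a yum step; `echo 'installing build deps and python-pip via yum'` would match. The five `export VAR=$VAR` lines at the top re-export values that are already in the environment and, unless this file is meant to be sourced, can be replaced by a comment listing the CIF_* variables that ../ansible.sh is expected to inherit.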
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
---
# defaults file for centos71-check
firewall_allowed_tcp_ports:
- "22"
- "443"
- '5000'
firewall_allowed_udp_ports: []
firewall_forwarded_tcp_ports: []
firewall_forwarded_udp_ports: []
firewall_additional_rules: []
firewall_log_dropped_packets: true
python_tmp: '/tmp/tmp_install_python'
python_version: '2.7.10'
app_user: cif
app_group: "{{ app_user }}"
app_user_home: "/home/{{ app_user }}"
cif_runtime_path: '/var/lib/cif'
cif_router_config_path: '/etc/cif/cif-router.yml'
cif_store_store: 'sqlite'
cif_hunter_exclude: 'osint.bambenekconsulting.com:dga'
cif_hunter_threads: 0
cif_gatherer_geo_fqdn: 0
cif_hunter_advanced: 0
csirtg_smrt_runtime_path: "{{ cif_runtime_path }}"
csirtg_smrt_cache_path: "{{ cif_runtime_path }}/smrt"
csirtg_smrt_config_path: '/etc/cif/csirtg-smrt.yml'
csirtg_smrt_rules_path: '/etc/cif/rules'
csirtg_smrt_cif_remote: 'http://localhost:5000'
csirtg_smrt_fireball_size: 500
csirtg_smrt_goback_days: 3
geoip_userid: 999999
geoip_key: "000000000000"
geoip_products: GeoLite2-City GeoLite2-Country GeoLite-Legacy-IPv6-City GeoLite-Legacy-IPv6-Country 506 517 533
pyversion: 2
nginx_key_file: /etc/nginx/ssl/nginx.key
nginx_cert_file: /etc/nginx/ssl/nginx.crt
nginx_conf_file: /etc/nginx/conf.d/cif.conf
nginx_server_name: localhost
\ No newline at end of file
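Review bot: `firewall_allowed_tcp_ports` opens 5000 externally alongside 22 and 443, yet the only consumer of that port visible in this commit is local (`csirtg_smrt_cif_remote: 'http://localhost:5000'`) and nginx, with its own key and cert, presumably fronts the API on 443; exposing the plain-HTTP API port outside the host looks unnecessary and bypasses TLS. Drop `- '5000'` from the list, or put a comment above it stating why external plaintext access is required. The list mixes `"22"`, `"443"` and `'5000'` quoting; use one form. `geoip_userid: 999999` and `geoip_key: "000000000000"` are placeholders that the consuming template will treat as real credentials — `# placeholder; override per host` above them makes that explicit.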
# Configuration file for NetworkManager.
#
# See "man 5 NetworkManager.conf" for details.
#
# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
# snippets. Those snippets override the settings from this main file.
#
# The files within conf.d/ directory are read in asciibetical order.
#
# If two files define the same key, the one that is read afterwards will overwrite
# the previous one.
[main]
plugins=ifcfg-rh
dns=none
[logging]
#level=DEBUG
#domains=ALL
\ No newline at end of file
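Review bot: `dns=none` is the setting that makes this file worth shipping, but nothing says why; with it NetworkManager stops rewriting /etc/resolv.conf, presumably so the local named bound to 127.0.0.1 elsewhere in this commit can act as the resolver. Add `# dns=none: leave /etc/resolv.conf alone; the local named (see named.conf) is the resolver` above line 293 so the next maintainer does not revert it. The commented `#level=DEBUG` and `#domains=ALL` lines are fine as documentation of the available knobs.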
// {{ ansible_managed }}
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
forward only;
forwarders {
8.8.8.8;
8.8.4.4;
};
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "cymru.com" {
forward only;
type forward;
forwarders { };
};
zone "zen.spamhaus.org" {
forward only;
type forward;
forwarders { };
};
zone "dbl.spamhaus.org" {
forward only;
type forward;
forwarders { };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
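Review bot: `dnssec-enable no;` and `dnssec-validation no;` on lines 326–327 switch off validation on a resolver whose answers feed reputation lookups (the cymru.com and spamhaus.org zones), so a forged response anywhere on the forwarding path is accepted as-is; `dnssec-validation auto;` lets BIND validate answers relayed through the 8.8.8.8/8.8.4.4 forwarders, which do return signatures. Exposure is limited because `listen-on port 53 { 127.0.0.1; }` and `allow-query { localhost; }` keep the resolver local, but the three `forwarders { };` overrides deserve a comment — presumably they exist because Spamhaus and Team Cymru refuse or rate-limit queries arriving via large public resolvers, so those zones must be resolved directly — placed above the first of the three zone blocks. `bindkeys-file "/etc/named.iscdlv.key"` refers to the ISC DLV registry, which has been retired; it is inert while validation is off but should be removed if validation is enabled.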
[Unit]
Description=cif-httpd service
[Service]
Type=simple
User=cif
Group=cif
PIDFile=/run/cif-httpd.pid
ExecStart=/usr/bin/cif-httpd
KillMode=process
Restart=on-failure
KillSignal=SIGINT
TimeoutStopSec=5
PrivateTmp=true
#WorkingDirectory=/home/node/Node/
# https://coreos.com/os/docs/latest/using-environment-variables-in-systemd-units.html
EnvironmentFile=/etc/cif.env
[Install]
WantedBy=multi-user.target
\ No newline at end of file
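Review bot: the `[Unit]` section holds only `Description=`; without `After=network.target` the service can be started before networking is up, and since cif-httpd presumably talks to cif-router (both load `/etc/cif.env`), `After=network.target cif-router.service` with `Wants=cif-router.service` would order the two. `PIDFile=/run/cif-httpd.pid` is unnecessary with `Type=simple`, where systemd tracks the main PID itself, and on a stock system `/run` is not writable by `User=cif`, so the file would never appear anyway. `EnvironmentFile=/etc/cif.env` is shared by all three units in this commit; if it carries tokens, the task that writes it (not visible here) should set a restrictive mode, and a comment on the line saying so would help.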
[Unit]
Description=cif-router service
[Service]
Type=simple
User=cif
Group=cif
PIDFile=/run/cif-router.pid
ExecStart=/usr/bin/cif-router -d
KillMode=process
Restart=on-failure
KillSignal=SIGINT
TimeoutStopSec=15
LimitAS=infinity
LimitRSS=infinity
LimitCORE=infinity
LimitNOFILE=65536
Nice=-1
# https://coreos.com/os/docs/latest/using-environment-variables-in-systemd-units.html
EnvironmentFile=/etc/cif.env
[Install]
WantedBy=multi-user.target
\ No newline at end of file
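Review bot: `LimitCORE=infinity` allows a crash of cif-router to dump its full address space, and that process has `/etc/cif.env` loaded into its environment, so any token there ends up in a core file whose location and readers depend on the host's core_pattern; unless dumps are needed for debugging, drop the line or add a comment stating where they go and who can read them. `PrivateTmp=true` is set in cif-httpd.service but not here or in csirtg-smrt.service; apply it to all three. As with cif-httpd, `PIDFile=` is unneeded with `Type=simple`, and `Nice=-1` deserves a one-line comment on why the router is prioritised.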
[Unit]
Description=csirtg-smrt service
[Service]
Type=simple
User=cif
Group=cif
PIDFile=/run/csirtg-smrt.pid
ExecStart=/usr/bin/csirtg-smrt --remember --service --client cif --fireball --delay 5
KillMode=process
Restart=on-failure
KillSignal=SIGINT
TimeoutStopSec=15
EnvironmentFile=/etc/cif.env
[Install]
WantedBy=multi-user.target
---
# handlers file for centos71-check
- name: restart firewall
command: service firewall restart
- name: reload systemd
command: systemctl daemon-reload
- name: restart named
command: systemctl reload named
\ No newline at end of file
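Review bot: the handler named `restart named` runs `systemctl reload named`, so a task that notifies it expecting a full restart gets only a reload, and some option changes may not take effect until named is actually restarted; rename it to `reload named` or change the command to `systemctl restart named` so the name and the action agree. The handlers also mix `service firewall restart` with `systemctl ...`; on a systemd host `systemctl restart firewall` keeps them uniform, or better, use the `service:`/`systemd:` modules instead of `command:` so Ansible reports state changes properly.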
---
galaxy_info:
author: your name
description:
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 1.2
#
# Below are all platforms currently available. Just uncomment
# the ones that apply to your role. If you don't see your
# platform on this list, let us know and we'll get it added!
#
#platforms:
#- name: EL
# versions:
# - all
# - 5
# - 6
# - 7
#- name: GenericUNIX
# versions:
# - all
# - any
#- name: Solaris
# versions:
# - all
# - 10
# - 11.0
# - 11.1
# - 11.2
# - 11.3
#- name: Fedora
# versions:
# - all
# - 16
# - 17
# - 18
# - 19
# - 20