-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #747 from liquidat/security/tower
Add populated Tower to security
- Loading branch information
Showing
8 changed files
with
464 additions
and
197 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,366 @@ | ||
| --- | ||
| # Inventory | ||
| - name: Create inventory | ||
| tower_inventory: | ||
| name: "Workshop Inventory" | ||
| organization: "Default" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Import existing inventory into Tower | ||
| command: "awx-manage inventory_import --source=/home/{{ username }}/lab_inventory/hosts --inventory-id=2" | ||
|
|
||
| # Teams | ||
| - name: Create analyst team | ||
| tower_team: | ||
| name: "TeamSIEM" | ||
| description: "Analysts Team" | ||
| organization: "Default" | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Create IDS team | ||
| tower_team: | ||
| name: "TeamIDS" | ||
| description: "IDS Team" | ||
| organization: "Default" | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Create Firewall team | ||
| tower_team: | ||
| name: "TeamFIREWALL" | ||
| description: "Firewall Team" | ||
| organization: "Default" | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| # Users | ||
| - name: Add user analyst | ||
| tower_user: | ||
| username: analyst | ||
| password: "{{ admin_password }}" | ||
| email: analyst@redhat.com | ||
| first_name: Mary | ||
| last_name: Analyst | ||
| state: present | ||
| superuser: false | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Add user opsids | ||
| tower_user: | ||
| username: opsids | ||
| password: "{{ admin_password }}" | ||
| email: opsids@redhat.com | ||
| first_name: Carter | ||
| last_name: Ops | ||
| state: present | ||
| superuser: false | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Add user opsfirewall | ||
| tower_user: | ||
| username: opsfirewall | ||
| password: "{{ admin_password }}" | ||
| email: opsfirewall@redhat.com | ||
| first_name: Kim | ||
| last_name: Ops | ||
| state: present | ||
| superuser: false | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| # Assign users to default org | ||
| - name: Ensure that user analyst belongs to the Default org | ||
| tower_role: | ||
| user: analyst | ||
| organization: "Default" | ||
| role: member | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Ensure that user opsids belongs to the Default org | ||
| tower_role: | ||
| user: opsids | ||
| organization: "Default" | ||
| role: member | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Ensure that user opsfirewall belongs to the Default org | ||
| tower_role: | ||
| user: opsfirewall | ||
| organization: "Default" | ||
| role: member | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| # Teams assignment | ||
| - name: Assign analyst to group TeamSIEM | ||
| tower_role: | ||
| user: analyst | ||
| target_team: "TeamSIEM" | ||
| role: member | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Assign opsids to group TeamIDS | ||
| tower_role: | ||
| user: opsids | ||
| target_team: "TeamIDS" | ||
| role: member | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Assign opsfirewall to group TeamFirewall | ||
| tower_role: | ||
| user: opsfirewall | ||
| target_team: "TeamFIREWALL" | ||
| role: member | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| # Credentials | ||
| - name: Add ec2-user credential to Tower | ||
| tower_credential: | ||
| username: ec2-user | ||
| name: "ec2-user credential" | ||
| ssh_key_data: "{{ lookup('file', playbook_dir +'/' + ec2_name_prefix + '/' + ec2_name_prefix + '-private.pem') }}" | ||
| kind: ssh | ||
| organization: "Default" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| # Add repository as project | ||
| - name: Add git repository as Tower project | ||
| tower_project: | ||
| name: "Workshop Project" | ||
| scm_type: git | ||
| scm_url: "https://github.com/ansible-security/workshop-examples" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Wait for update to finish | ||
| pause: | ||
| minutes: 1 | ||
|
|
||
| # Job templates | ||
| - name: Job template sending firewall logs to QRadar | ||
| tower_job_template: | ||
| name: "Send firewall logs to QRadar" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "cp_log.yml" | ||
| state: "present" | ||
| limit: "checkpoint" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template sending IDPS logs to QRadar | ||
| tower_job_template: | ||
| name: "Send IDPS logs to QRadar" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "idps_log.yml" | ||
| state: "present" | ||
| limit: "snort" | ||
| credential: "ec2-user credential" | ||
| become_enabled: true | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template accepting firewall logs in QRadar | ||
| tower_job_template: | ||
| name: "Accept firewall logs in QRadar" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "qradar_cp_log.yml" | ||
| state: "present" | ||
| limit: "qradar" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template accepting IDPS logs in QRadar | ||
| tower_job_template: | ||
| name: "Accept IDPS logs in QRadar" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "qradar_snort_log.yml" | ||
| state: "present" | ||
| limit: "qradar" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template rolling back everything | ||
| tower_job_template: | ||
| name: "Roll back all changes" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "rollback.yml" | ||
| state: "present" | ||
| credential: "ec2-user credential" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template adding DDOS IDPS rule | ||
| tower_job_template: | ||
| name: "Add IDPS rule" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "snort_rule.yml" | ||
| state: "present" | ||
| limit: "snort" | ||
| credential: "ec2-user credential" | ||
| become_enabled: true | ||
| survey_enabled: true | ||
| survey_spec: "{{ lookup('template', 'security_survey_ids_rule.json') }}" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template adding ddos attack simulation | ||
| tower_job_template: | ||
| name: "Start DDOS attack simulation" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "ddos_attack_simulation.yml" | ||
| state: "present" | ||
| limit: "attacker" | ||
| credential: "ec2-user credential" | ||
| become_enabled: true | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template stopping ddos attack simulation | ||
| tower_job_template: | ||
| name: "Stop DDOS attack simulation" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "ddos_stop_simulation.yml" | ||
| state: "present" | ||
| limit: "attacker" | ||
| credential: "ec2-user credential" | ||
| become_enabled: true | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template adding whitelist entry for attacker | ||
| tower_job_template: | ||
| name: "Whitelist attacker" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "whitelist_attacker.yml" | ||
| state: "present" | ||
| limit: "checkpoint" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| - name: Job template adding blacklist entry for attacker | ||
| tower_job_template: | ||
| name: "Blacklist attacker" | ||
| job_type: "run" | ||
| inventory: "Workshop Inventory" | ||
| project: "Workshop Project" | ||
| playbook: "blacklist_attacker.yml" | ||
| state: "present" | ||
| limit: "checkpoint" | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
|
|
||
| # Permissions on Job Templates | ||
| - name: Ensure that opsfirewall has admin rights for own jobs | ||
| tower_role: | ||
| user: opsfirewall | ||
| role: admin | ||
| job_template: "{{ item }}" | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
| loop: | ||
| - "Send firewall logs to QRadar" | ||
| - "Whitelist attacker" | ||
| - "Blacklist attacker" | ||
|
|
||
| - name: Ensure that opsfirewall has admin rights for own jobs | ||
| tower_role: | ||
| user: opsids | ||
| role: admin | ||
| job_template: "{{ item }}" | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
| loop: | ||
| - "Send IDPS logs to QRadar" | ||
| - "Add IDPS rule" | ||
|
|
||
| - name: Ensure that analyst has admin rights for own jobs | ||
| tower_role: | ||
| user: analyst | ||
| role: admin | ||
| job_template: "{{ item }}" | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
| loop: | ||
| - "Accept firewall logs in QRadar" | ||
| - "Accept IDPS logs in QRadar" | ||
|
|
||
| - name: Ensure that analyst can execute IDPS job | ||
| tower_role: | ||
| user: analyst | ||
| role: execute | ||
| job_template: "{{ item }}" | ||
| state: present | ||
| tower_username: admin | ||
| tower_password: "{{ admin_password }}" | ||
| tower_host: "{{ username }}.{{ ec2_name_prefix }}.{{ workshop_dns_zone }}" | ||
| loop: | ||
| - "Roll back all changes" | ||
| - "Send IDPS logs to QRadar" |
13 changes: 13 additions & 0 deletions
13
provisioner/roles/populate_tower/templates/security_survey_ids_rule.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| { | ||
| "name": "IDS rule", | ||
| "description": "Provide Snort rule to be deployed", | ||
| "spec": [ | ||
| { | ||
| "type": "text", | ||
| "question_name": "Snort rule", | ||
| "question_description": "Input a Snort compatible rule", | ||
| "variable": "tower_snort_rule", | ||
| "required": true | ||
| } | ||
| ] | ||
| } |
Oops, something went wrong.