From c740fd5a50feb3653fe5b8224c80f71fefee3f85 Mon Sep 17 00:00:00 2001
From: areeqakbr
Date: Thu, 14 Aug 2025 09:19:37 +0700
Subject: [PATCH] init projects
---
inventory/production.yaml | 16 ++++
inventory/staging.yaml | 12 +++
playbooks/monitoring.yaml | 150 ++++++++++++++++++++++++++++++++
playbooks/site.yaml | 33 +++++++
playbooks/vault_install.yaml | 0
playbooks/vuln-scanner.yaml | 0
playbooks/wazuh_server.yaml | 0
roles/promotheus/task/main.yaml | 46 ++++++++++
roles/vault/task/main.yaml | 58 ++++++++++++
roles/wazuh/task/main.yaml | 42 +++++++++
10 files changed, 357 insertions(+)
create mode 100644 inventory/production.yaml
create mode 100644 inventory/staging.yaml
create mode 100644 playbooks/monitoring.yaml
create mode 100644 playbooks/site.yaml
create mode 100644 playbooks/vault_install.yaml
create mode 100644 playbooks/vuln-scanner.yaml
create mode 100644 playbooks/wazuh_server.yaml
create mode 100644 roles/promotheus/task/main.yaml
create mode 100644 roles/vault/task/main.yaml
create mode 100644 roles/wazuh/task/main.yaml
diff --git a/inventory/production.yaml b/inventory/production.yaml
new file mode 100644
index 0000000..602871d
--- /dev/null
+++ b/inventory/production.yaml
@@ -0,0 +1,16 @@
+all:
+ children:
+ security_servers:
+ hosts:
+ security-server-01:
+ ansible_host: 10.0.1.10
+ ansible_user: ubuntu
+ ansible_ssh_private_key_file: ~/.ssh/security-key.pem
+ security-server-02:
+ ansible_host: 10.0.1.11
+ ansible_user: ubuntu
+ ansible_ssh_private_key_file: ~/.ssh/security-key.pem
+ vars:
+ environment: production
+ vault_version: "1.15.2"
+ prometheus_version: "2.47.0"
\ No newline at end of file
diff --git a/inventory/staging.yaml b/inventory/staging.yaml
new file mode 100644
index 0000000..7586518
--- /dev/null
+++ b/inventory/staging.yaml
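Review bot: `environment` under `vars:` collides with the Ansible play/task keyword of the same name; Ansible emits a reserved-name warning for such a variable and it is easy to confuse with the keyword, so rename it (e.g. `deploy_environment: production`). The same key is used in `inventory/staging.yaml`. Note also that `vault_version` and `prometheus_version` set here are overridden by the play-level `vars:` in `playbooks/site.yaml` and `playbooks/monitoring.yaml` (play vars outrank inventory group vars), so editing these inventory values has no effect until those play vars are removed.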
@@ -0,0 +1,12 @@
+all:
+ children:
+ security_servers:
+ hosts:
+ security-staging-01:
+ ansible_host: 10.0.2.10
+ ansible_user: ubuntu
+ ansible_ssh_private_key_file: ~/.ssh/staging-key.pem
+ vars:
+ environment: staging
+ vault_version: "1.15.2"
+ prometheus_version: "2.47.0"
\ No newline at end of file
diff --git a/playbooks/monitoring.yaml b/playbooks/monitoring.yaml
new file mode 100644
index 0000000..12392cf
--- /dev/null
+++ b/playbooks/monitoring.yaml
@@ -0,0 +1,150 @@
+- name: Deploy Security Monitoring Infrastructure
+ hosts: security_servers
+ become: true
+ vars:
+ prometheus_version: "2.47.0"
+ grafana_version: "10.1.0"
+ node_exporter_version: "1.6.1"
+ alertmanager_version: "0.25.0"
+ monitoring_retention_days: 30
+
+ roles:
+ - prometheus
+ - vault
+ - wazuh
+
+ tasks:
+ - name: Install Node Exporter
+ block:
+ - name: Download Node Exporter
+ get_url:
+ url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
+ dest: /tmp/node_exporter.tar.gz
+
+ - name: Extract Node Exporter
+ unarchive:
+ src: /tmp/node_exporter.tar.gz
+ dest: /opt/
+ remote_src: yes
+ owner: prometheus
+ group: prometheus
+
+ - name: Create Node Exporter symlink
+ file:
+ src: "/opt/node_exporter-{{ node_exporter_version }}.linux-amd64/node_exporter"
+ dest: /usr/local/bin/node_exporter
+ state: link
+
+ - name: Create Node Exporter systemd service
+ copy:
+ content: |
+ [Unit]
+ Description=Node Exporter
+ Wants=network-online.target
+ After=network-online.target
+
+ [Service]
+ User=prometheus
+ Group=prometheus
+ Type=simple
+ ExecStart=/usr/local/bin/node_exporter
+
+ [Install]
+ WantedBy=multi-user.target
+ dest: /etc/systemd/system/node_exporter.service
+ notify:
+ - reload systemd
+ - restart node_exporter
+
+ - name: Install Grafana
+ block:
+ - name: Add Grafana GPG key
+ apt_key:
+ url: https://packages.grafana.com/gpg.key
+ state: present
+
+ - name: Add Grafana repository
+ apt_repository:
+ repo: "deb https://packages.grafana.com/oss/deb stable main"
+ state: present
+
+ - name: Install Grafana
+ apt:
+ name: grafana
+ state: present
+ update_cache: yes
+
+ - name: Start and enable Grafana
+ service:
+ name: grafana-server
+ state: started
+ enabled: yes
+
+ - name: Configure security monitoring alerts
+ copy:
+ content: |
+ groups:
+ - name: security_alerts
+ rules:
+ - alert: WazuhManagerDown
+ expr: up{job="wazuh"} ==
0
+ for: 2m
+ labels:
+ severity: critical
+ annotations:
+ summary: "Wazuh Manager is down"
+
+ - alert: VaultSealed
+ expr: vault_core_unsealed == 0
+ for: 1m
+ labels:
+ severity: critical
+ annotations:
+ summary: "Vault is sealed"
+
+ - alert: HighCPUUsage
+ expr: 100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "High CPU usage on {{ $labels.instance }}"
+ dest: /etc/prometheus/security_rules.yml
+ owner: prometheus
+ group: prometheus
+ notify: restart prometheus
+
+ handlers:
+ - name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+ - name: restart prometheus
+ service:
+ name: prometheus
+ state: restarted
+
+ - name: restart node_exporter
+ service:
+ name: node_exporter
+ state: restarted
+ enabled: yes
+
+ post_tasks:
+ - name: Verify monitoring services
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ loop:
+ - prometheus
+ - node_exporter
+ - grafana-server
+
+ - name: Display monitoring URLs
+ debug:
+ msg: |
+ Monitoring services available at:
+ - Prometheus: http://{{ ansible_default_ipv4.address }}:9090
+ - Grafana: http://{{ ansible_default_ipv4.address }}:3000
+ - Node Exporter: http://{{ ansible_default_ipv4.address }}:9100
\ No newline at end of file
diff --git a/playbooks/site.yaml b/playbooks/site.yaml
new file mode 100644
index 0000000..75db6df
--- /dev/null
+++ b/playbooks/site.yaml
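Review bot: The rules file written by `Configure security monitoring alerts` contains `summary: "High CPU usage on {{ $labels.instance }}"`, and because `copy: content:` is rendered through Jinja2 before it is written, the `$` makes the task fail with a template syntax error instead of producing a Prometheus template. Wrap the rules text in `{% raw %}` … `{% endraw %}` (or ship it as a file via `copy: src:`) so Prometheus receives `{{ $labels.instance }}` literally. `Download Node Exporter` fetches the release tarball with no `checksum:`; add `checksum: "sha256:<EXPECTED_SHA256>"` from the release's sha256sums so a corrupted or substituted archive is rejected before it is unpacked and symlinked into `/usr/local/bin`. The play-level `prometheus_version` also overrides the inventory group var of the same name, so the per-environment inventory value is never used. `apt_key` is deprecated in current Ansible and Debian; prefer storing the Grafana key under `/etc/apt/keyrings` and referencing it with `signed-by=` in the `repo:` line.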
@@ -0,0 +1,33 @@
+---
+- name: Deploy Centralized Security Server
+ hosts: security_servers
+ become: true
+ vars:
+ server_environment: production
+ vault_version: "1.15.2"
+ wazuh_version: "4.7.0"
+
+ roles:
+ - common # Base system hardening
+ - docker # Container runtime
+ - nginx-proxy # Reverse proxy with SSL
+ - vault # HashiCorp Vault
+ - wazuh-server # OSSEC/Wazuh server
+ - elasticsearch # Log storage
+ - prometheus # Metrics collection
+ - grafana # Dashboards
+ - vulnerability-scanner # Security scanning
+ - backup-setup # Backup configuration
+
+ post_tasks:
+ - name: Verify all services are running
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ loop:
+ - vault
+ - wazuh-manager
+ - elasticsearch
+ - prometheus
+ - grafana
\ No newline at end of file
diff --git a/playbooks/vault_install.yaml b/playbooks/vault_install.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/playbooks/vuln-scanner.yaml b/playbooks/vuln-scanner.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/playbooks/wazuh_server.yaml b/playbooks/wazuh_server.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/promotheus/task/main.yaml b/roles/promotheus/task/main.yaml
new file mode 100644
index 0000000..6934213
--- /dev/null
+++ b/roles/promotheus/task/main.yaml
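Review bot: The play's `vars:` hard-code `server_environment: production` and `vault_version: "1.15.2"`; play vars outrank inventory group vars, so running this playbook against `inventory/staging.yaml` still deploys the production values and the per-environment inventory is ineffective. Drop those keys from the play and let the inventory supply them (or load them through `vars_files` keyed on the inventory group). Of the ten roles listed, only `vault` has a directory of that name in this commit: `prometheus` is committed as `roles/promotheus`, the Wazuh role as `roles/wazuh` (referenced here as `wazuh-server`), and `common`, `docker`, `nginx-proxy`, `elasticsearch`, `grafana`, `vulnerability-scanner` and `backup-setup` are absent, so role resolution will fail unless they exist outside this commit. `wazuh_version: "4.7.0"` is not consumed by anything in the diff; the Wazuh role installs from the unpinned `4.x` apt repository.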
@@ -0,0 +1,46 @@
+# roles/prometheus/tasks/main.yml
+---
+- name: Create prometheus user
+ user:
+ name: prometheus
+ system: yes
+ shell: /bin/false
+
+- name: Create prometheus directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: prometheus
+ group: prometheus
+ loop:
+ - /etc/prometheus
+ - /var/lib/prometheus
+
+- name: Download Prometheus
+ get_url:
+ url: "https://github.com/prometheus/prometheus/releases/download/v{{ prometheus_version }}/prometheus-{{ prometheus_version }}.linux-amd64.tar.gz"
+ dest: /tmp/prometheus.tar.gz
+
+- name: Extract Prometheus
+ unarchive:
+ src: /tmp/prometheus.tar.gz
+ dest: /opt/
+ remote_src: yes
+ owner: prometheus
+ group: prometheus
+
+- name: Configure Prometheus
+ template:
+ src: prometheus.yml.j2
+ dest: /etc/prometheus/prometheus.yml
+ owner: prometheus
+ group: prometheus
+ notify: restart prometheus
+
+- name: Create Prometheus systemd service
+ template:
+ src: prometheus.service.j2
+ dest: /etc/systemd/system/prometheus.service
+ notify:
+ - reload systemd
+ - restart prometheus
diff --git a/roles/vault/task/main.yaml b/roles/vault/task/main.yaml
new file mode 100644
index 0000000..55b8eb6
--- /dev/null
+++ b/roles/vault/task/main.yaml
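Review bot: The file is committed as `roles/promotheus/task/main.yaml`, but Ansible loads role tasks from `roles/<name>/tasks/main.yml`; both the `promotheus` spelling (the plays reference `prometheus`) and the singular `task/` directory mean nothing in this file is executed, and the same `task/` directory is used for `roles/vault` and `roles/wazuh`. Rename it to `roles/prometheus/tasks/main.yml`, as the header comment already states. `Download Prometheus` has no `checksum:`; add `checksum: "sha256:<EXPECTED_SHA256>"` from the release's sha256sums file so the archive is verified before its binary is unpacked and run as a service. `Extract Prometheus` chowns the whole tree under `/opt/` to `prometheus`, the account the service runs as, which lets that user modify its own executables; keep the binaries root-owned and limit `prometheus` ownership to `/etc/prometheus` and `/var/lib/prometheus`. `prometheus.yml.j2`, `prometheus.service.j2` and a `handlers/main.yml` defining `restart prometheus` and `reload systemd` are referenced but not in this commit, and `playbooks/site.yaml` declares no handlers, so notifying them from that play would fail.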
@@ -0,0 +1,58 @@
+# roles/vault/tasks/main.yml
+---
+- name: Create vault user
+ user:
+ name: vault
+ system: yes
+ shell: /bin/false
+ home: /opt/vault
+
+- name: Download Vault binary
+ get_url:
+ url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+ dest: /tmp/vault.zip
+ mode: '0644'
+
+- name: Extract Vault binary
+ unarchive:
+ src: /tmp/vault.zip
+ dest: /usr/local/bin/
+ remote_src: yes
+ owner: root
+ group: root
+ mode: '0755'
+
+- name: Create Vault directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: vault
+ group: vault
+ mode: '0750'
+ loop:
+ - /etc/vault.d
+ - /opt/vault/data
+ - /opt/vault/logs
+
+- name: Generate Vault configuration
+ template:
+ src: vault.hcl.j2
+ dest: /etc/vault.d/vault.hcl
+ owner: vault
+ group: vault
+ mode: '0640'
+ notify: restart vault
+
+- name: Create Vault systemd service
+ template:
+ src: vault.service.j2
+ dest: /etc/systemd/system/vault.service
+ notify:
+ - reload systemd
+ - restart vault
+
+- name: Start and enable Vault service
+ service:
+ name: vault
+ state: started
+ enabled: yes
\ No newline at end of file
diff --git a/roles/wazuh/task/main.yaml b/roles/wazuh/task/main.yaml
new file mode 100644
index 0000000..de6be48
--- /dev/null
+++ b/roles/wazuh/task/main.yaml
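Review bot: `Download Vault binary` fetches the zip with no `checksum:`; HashiCorp publishes a SHA256SUMS file per release, so add `checksum: "sha256:<EXPECTED_SHA256>"` (derived from `vault_version`) so a corrupted or substituted archive is rejected before it is unpacked into `/usr/local/bin` and run as the secrets service. `notify: restart vault` has no matching handler anywhere in this commit (no `roles/vault/handlers/main.yml`, and neither play defines it), and Ansible errors on a notify to an unknown handler, so add that handler next to `reload systemd`. `Start and enable Vault service` runs before the notified `reload systemd` handler fires (handlers run at the end of the play), so on a first run systemd may not yet have loaded the freshly written unit; insert `- meta: flush_handlers` before that task, or call `systemd: daemon_reload: true` there explicitly. The directory is `task/` here too, which Ansible does not load as role tasks.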
@@ -0,0 +1,42 @@
+# roles/wazuh-server/tasks/main.yml
+---
+- name: Add Wazuh repository
+ get_url:
+ url: https://packages.wazuh.com/key/GPG-KEY-WAZUH
+ dest: /tmp/GPG-KEY-WAZUH
+
+- name: Add Wazuh GPG key
+ apt_key:
+ file: /tmp/GPG-KEY-WAZUH
+ state: present
+
+- name: Add Wazuh repository
+ apt_repository:
+ repo: "deb https://packages.wazuh.com/4.x/apt/ stable main"
+ state: present
+
+- name: Install Wazuh manager
+ apt:
+ name:
+ - wazuh-manager
+ - wazuh-indexer
+ - wazuh-dashboard
+ state: present
+ update_cache: yes
+
+- name: Configure Wazuh manager
+ template:
+ src: ossec.conf.j2
+ dest: /var/ossec/etc/ossec.conf
+ backup: yes
+ notify: restart wazuh-manager
+
+- name: Start Wazuh services
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: yes
+ loop:
+ - wazuh-manager
+ - wazuh-indexer
+ - wazuh-dashboard
\ No newline at end of file
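Review bot: Two tasks are named `Add Wazuh repository`, but the first only downloads the signing key, which makes run output misleading and breaks `--start-at-task`; rename it `Download Wazuh GPG key`. The key fetched from `https://packages.wazuh.com/key/GPG-KEY-WAZUH` is imported without pinning: pass the expected fingerprint to `apt_key` via `id: <WAZUH_KEY_FINGERPRINT>` (or, since `apt_key` is deprecated, store the key under `/etc/apt/keyrings` and use `signed-by=` in the `repo:` line) so the trust root for every later package install is verified rather than taken from whatever the download returns. The header comment says `roles/wazuh-server/tasks/main.yml` and `site.yaml` calls `wazuh-server`, while `monitoring.yaml` calls `wazuh` and the file is committed as `roles/wazuh/task/main.yaml`; settle on one role name and the `tasks/` directory. `notify: restart wazuh-manager` and `ossec.conf.j2` are referenced but not added in this commit, and `wazuh_version` from `site.yaml` is unused because the repo line tracks `4.x` unpinned.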