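---
# Deploys host-level monitoring (Node Exporter, Grafana) on top of the
# prometheus / vault / wazuh roles and installs the security alerting rules.
# Assumes the roles create the "prometheus" user/group and /etc/prometheus.
- name: Deploy Security Monitoring Infrastructure
  hosts: security_servers
  become: true

  vars:
    prometheus_version: "2.47.0"
    grafana_version: "10.1.0"
    node_exporter_version: "1.6.1"
    alertmanager_version: "0.25.0"
    monitoring_retention_days: 30
    # Expected digest of the Node Exporter tarball in get_url's
    # "<algorithm>:<hex>" form, taken from the sha256sums.txt published with
    # the upstream release. Left empty, the download is NOT verified; set it
    # to pin the artefact, e.g. "sha256:<hex digest from upstream release>".
    node_exporter_checksum: ""

  roles:
    - prometheus
    - vault
    - wazuh

  tasks:
    - name: Install Node Exporter
      block:
        - name: Download Node Exporter
          get_url:
            url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
            # Root-owned, version-suffixed path instead of a fixed name in the
            # world-writable /tmp: an unprivileged local user cannot pre-create
            # the file, and a version bump never reuses a stale archive.
            dest: "/usr/local/src/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
            mode: "0644"
            # Integrity check only when node_exporter_checksum is set (see vars).
            checksum: "{{ node_exporter_checksum if node_exporter_checksum else omit }}"

        - name: Extract Node Exporter
          unarchive:
            src: "/usr/local/src/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz"
            dest: /opt/
            remote_src: true
            owner: prometheus
            group: prometheus
            # Skip re-extraction once the binary for this version is in place.
            creates: "/opt/node_exporter-{{ node_exporter_version }}.linux-amd64/node_exporter"

        - name: Create Node Exporter symlink
          file:
            src: "/opt/node_exporter-{{ node_exporter_version }}.linux-amd64/node_exporter"
            dest: /usr/local/bin/node_exporter
            state: link

        - name: Create Node Exporter systemd service
          copy:
            content: |
              [Unit]
              Description=Node Exporter
              Wants=network-online.target
              After=network-online.target

              [Service]
              User=prometheus
              Group=prometheus
              Type=simple
              ExecStart=/usr/local/bin/node_exporter
              Restart=on-failure
              # Sandboxing: the exporter only reads /proc and /sys, so it needs
              # neither privilege escalation, writable system paths nor /home.
              NoNewPrivileges=true
              ProtectSystem=full
              ProtectHome=true
              PrivateTmp=true

              [Install]
              WantedBy=multi-user.target
            dest: /etc/systemd/system/node_exporter.service
            owner: root
            group: root
            mode: "0644"
          notify:
            - reload systemd
            - restart node_exporter

    - name: Install Grafana
      block:
        - name: Ensure apt keyrings directory exists
          file:
            path: /etc/apt/keyrings
            state: directory
            owner: root
            group: root
            mode: "0755"

        # apt-key (and therefore the apt_key module) is deprecated and trusts
        # the key for every repository. A per-repository keyring referenced via
        # signed-by limits the Grafana key to the Grafana repository only.
        - name: Add Grafana signing key
          get_url:
            url: https://packages.grafana.com/gpg.key
            dest: /etc/apt/keyrings/grafana.asc
            owner: root
            group: root
            mode: "0644"

        - name: Add Grafana repository
          apt_repository:
            repo: "deb [signed-by=/etc/apt/keyrings/grafana.asc] https://packages.grafana.com/oss/deb stable main"
            filename: grafana
            state: present

        - name: Install Grafana
          apt:
            # Pin to the version declared in vars so runs are reproducible.
            name: "grafana={{ grafana_version }}"
            state: present
            update_cache: true

        - name: Start and enable Grafana
          service:
            name: grafana-server
            state: started
            enabled: true

    - name: Configure security monitoring alerts
      copy:
        # The rule file is wrapped in {% raw %} so Ansible does not try to
        # template the Prometheus "{{ $labels.instance }}" placeholder, which
        # is not valid Jinja2 and aborts the task with a template error.
        content: |
          {% raw %}
          groups:
            - name: security_alerts
              rules:
                - alert: WazuhManagerDown
                  expr: up{job="wazuh"} == 0
                  for: 2m
                  labels:
                    severity: critical
                  annotations:
                    summary: "Wazuh Manager is down"

                - alert: VaultSealed
                  expr: vault_core_unsealed == 0
                  for: 1m
                  labels:
                    severity: critical
                  annotations:
                    summary: "Vault is sealed"

                - alert: HighCPUUsage
                  expr: 100 - (avg by(instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) > 80
                  for: 5m
                  labels:
                    severity: warning
                  annotations:
                    summary: "High CPU usage on {{ $labels.instance }}"
          {% endraw %}
        dest: /etc/prometheus/security_rules.yml
        owner: prometheus
        group: prometheus
        mode: "0644"
      notify: restart prometheus

  handlers:
    - name: reload systemd
      systemd:
        daemon_reload: true

    - name: restart prometheus
      service:
        name: prometheus
        state: restarted

    - name: restart node_exporter
      service:
        name: node_exporter
        state: restarted
        enabled: true

  post_tasks:
    # Handlers have already run, so every unit must be up and enabled here.
    - name: Verify monitoring services
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - prometheus
        - node_exporter
        - grafana-server

    - name: Display monitoring URLs
      debug:
        msg: |
          Monitoring services available at:
          - Prometheus: http://{{ ansible_default_ipv4.address }}:9090
          - Grafana: http://{{ ansible_default_ipv4.address }}:3000
          - Node Exporter: http://{{ ansible_default_ipv4.address }}:9100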