From 9faf12dbbf6c696dcaeacb433ac4c14ab28cb984 Mon Sep 17 00:00:00 2001 From: Johnathon Date: Fri, 14 May 2021 13:07:30 -0600 Subject: [PATCH] Update roles with new vars (#580) * Update Spec file With python2 purged, most packages were renamed or removed from repos. This addresses those name changes. * Delete rockctl.j2 Remove old control script that is no longer maintained * Update local services var The data structure of the rock_services var was changed to allow additional configuration options. This should now populate this task correctly * Update rock.spec * Update local_services based on new data structure * Update Roles with new installed, enabled, and rock_services vars --- roles/common/files/etc-issue.in | 2 +- roles/common/tasks/gather-facts.yml | 4 +++- roles/docket/handlers/main.yml | 8 ++++---- roles/docket/tasks/docket_config.yml | 6 +++--- roles/docket/tasks/lighttpd.yml | 2 +- roles/elasticsearch/tasks/after.yml | 2 +- roles/elasticsearch/tasks/before.yml | 2 +- roles/filebeat/tasks/main.yml | 4 ++-- roles/fsf/tasks/main.yml | 4 ++-- roles/kafka/tasks/main.yml | 4 ++-- roles/kibana/tasks/main.yml | 10 ++++------ roles/lighttpd/handlers/main.yml | 6 ++---- roles/lighttpd/tasks/main.yml | 15 ++++++++------- roles/logstash/handlers/main.yml | 2 +- roles/logstash/tasks/main.yml | 2 +- roles/stenographer/handlers/main.yml | 6 +++--- roles/stenographer/tasks/config.yml | 4 ++-- roles/suricata/tasks/main.yml | 16 ++++++++-------- roles/zeek/handlers/main.yml | 2 +- roles/zeek/tasks/main.yml | 6 +++--- roles/zookeeper/handlers/main.yml | 2 +- roles/zookeeper/tasks/main.yml | 2 +- 22 files changed, 55 insertions(+), 56 deletions(-) diff --git a/roles/common/files/etc-issue.in b/roles/common/files/etc-issue.in index 4e282d08a..2f5da959e 100644 --- a/roles/common/files/etc-issue.in +++ b/roles/common/files/etc-issue.in
@@ -4,7 +4,7 @@ | / \\ | Kernel: \s | \\ / \\ | Build: \v | / \\ X \\ \\ | IP Addr: {{IP_ADDR}} - | / \\ / \\ / \\ ^_v___ ____ _____ _ __ | Release: ROCK {{ROCK_VERSION}} + | / \\ / \\ / \\ ^_v___ ____ _____ _ __ | Release: ROCK {{ROCK_VERSION}} | / v/ / /| __ \\ / __ \\ / ____| |/ / | | / / | |__) | | | | | | ' / | | / / | _ /| | | | | | < | Date: \d
diff --git a/roles/common/tasks/gather-facts.yml b/roles/common/tasks/gather-facts.yml
index e73883802..7fed472c1 100644
--- a/roles/common/tasks/gather-facts.yml
+++ b/roles/common/tasks/gather-facts.yml
@@ -2,5 +2,7 @@
 # Set local system-specific facts
 - name: Gather local service facts specific to each host
 set_fact:
- local_services: "{{ rock_services |map(attribute='name') | list | intersect(group_names) }}"
+ local_services: "{{ rock_services | map(attribute='name') | list | intersect(group_names) }}"
+ enabled_services: "{{ rock_services | rejectattr('enabled', 'equalto', False) | map(attribute='name') | list | intersect(group_names) }}"
+ installed_services: "{{ rock_services | rejectattr('installed', 'equalto', False) | map(attribute='name') | list | intersect(group_names) }}"
 ...
diff --git a/roles/docket/handlers/main.yml b/roles/docket/handlers/main.yml
index bbbd6935c..3b5b193b4 100644
--- a/roles/docket/handlers/main.yml
+++ b/roles/docket/handlers/main.yml
@@ -17,7 +17,7 @@
 service:
 name: redis
 state: restarted
- when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
+ when: "'docket' in enabled_services"
 - name: Seed random key
 lineinfile:
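Review bot: `rejectattr('enabled', 'equalto', False)` on the new `enabled_services` line (and `rejectattr('installed', 'equalto', False)` on the next) only drops entries whose flag is literally the boolean `false`; a string value such as `"false"` or `"no"` is kept, and an entry with the key missing is not handled deliberately at all (what happens depends on how the undefined attribute compares), so the default direction is toward treating a service as enabled or installed. If the intent is that a service must opt in explicitly, `selectattr('enabled', 'defined') | selectattr('enabled')` makes a missing key mean disabled; otherwise a comment above `set_fact:` stating that `enabled` and `installed` are required booleans in every `rock_services` entry would document the fail-open default. Both new facts are also intersected with `group_names`, so they describe this host only; a one-line comment saying so would help readers of the roles that used to consult `rock_services` directly.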
@@ -33,16 +33,16 @@
 loop:
 - docket-celery-io
 - docket-celery-query
- when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
+ when: "'docket' in enabled_services"
 - name: Restart docket uwsgi
 service:
 name: docket
 state: restarted
- when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
+ when: "'docket' in enabled_services"
 - name: Restart lighttpd
 service:
 name: lighttpd
 state: restarted
- when: local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool
+ when: "'docket' in enabled_services"
diff --git a/roles/docket/tasks/docket_config.yml b/roles/docket/tasks/docket_config.yml
index 642669c67..207c10e47 100644
--- a/roles/docket/tasks/docket_config.yml
+++ b/roles/docket/tasks/docket_config.yml
@@ -30,12 +30,12 @@
 name: redis
 enabled: true
 notify: Restart redis
- when: "local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool"
+ when: "'docket' in enabled_services"
 - name: Enable docket celery services
 service:
 name: "{{ item }}"
- enabled: "{{ local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool }}"
+ enabled: "{{ 'docket' in enabled_services }}"
 notify: Restart docket celery services
 loop:
 - docket-celery-io
@@ -44,5 +44,5 @@
 - name: Enable docket uwsgi service
 service:
 name: docket
- enabled: "{{ local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool }}"
+ enabled: "{{ 'docket' in enabled_services }}"
 notify: Restart docket uwsgi
diff --git a/roles/docket/tasks/lighttpd.yml b/roles/docket/tasks/lighttpd.yml
index 1859acca6..d51dda40d 100644
--- a/roles/docket/tasks/lighttpd.yml
+++ b/roles/docket/tasks/lighttpd.yml
@@ -41,5 +41,5 @@
 - name: Enable lighttpd service
 service:
 name: lighttpd
- enabled: "{{ local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool }}"
+ enabled: "{{ 'docket' in enabled_services }}"
 notify: Restart lighttpd
diff --git a/roles/elasticsearch/tasks/after.yml b/roles/elasticsearch/tasks/after.yml
index 6532c20db..784d580bd 100644
--- a/roles/elasticsearch/tasks/after.yml
+++ b/roles/elasticsearch/tasks/after.yml
@@ -32,7 +32,7 @@
 url: "{{ es_url }}/_template/default"
 body: "{{ lookup('file', 'default-mapping.json') }}"
 body_format: json
- when: (rock_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='installed')) and default_index_template.status != 200
+ when: "'elasticsearch' in installed_services and default_index_template.status != 200"
 run_once: true
 - name: Blanket install/update elasticsearch mappings
diff --git a/roles/elasticsearch/tasks/before.yml b/roles/elasticsearch/tasks/before.yml
index 709f5c264..74f7194b8 100644
--- a/roles/elasticsearch/tasks/before.yml
+++ b/roles/elasticsearch/tasks/before.yml
@@ -126,7 +126,7 @@
 service:
 name: elasticsearch
 state: started
- enabled: "{{ local_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='enabled') | first | bool }}"
+ enabled: "{{ 'elasticsearch' in enabled_services }}"
 - name: Create internal firewall zone
 firewalld:
diff --git a/roles/filebeat/tasks/main.yml b/roles/filebeat/tasks/main.yml
index 49a2964fb..8d6720470 100644
--- a/roles/filebeat/tasks/main.yml
+++ b/roles/filebeat/tasks/main.yml
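Review bot: The new condition `'elasticsearch' in installed_services` in after.yml changes scope: `installed_services` is intersected with this host's `group_names` in gather-facts, whereas the removed expression looked at `rock_services` for the whole deployment. With `run_once: true` on the same task, Ansible evaluates `when` with the first host's variables only, so if that host is not in the elasticsearch group the default template is installed nowhere — worth a comment on the `run_once:` line, or a `delegate_to` of a known elasticsearch host, if the play can target mixed hosts. The same cluster-wide-to-local shift appears in the two kibana hunks that test `'elasticsearch' in installed_services or 'logstash' in installed_services` and in the zeek hunk `when: "'kafka' in enabled_services"` gating `@load scripts/rock/plugins/kafka`, where a sensor that is not itself in the kafka group would no longer load the plugin even though kafka is enabled elsewhere. If the deployment-wide meaning is intended there, keep a `rock_services`-based test, e.g. `when: "'kafka' in (rock_services | rejectattr('enabled', 'equalto', False) | map(attribute='name') | list)"`.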
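Review bot: In before.yml `state: started` stays unconditional while `enabled` now follows `'elasticsearch' in enabled_services`, so a host with elasticsearch disabled in `rock_services` still gets the service started; every other service task in this commit (filebeat, fsf, kafka, suricata, zeek) pairs the two as `state: "{{ 'started' if '<svc>' in enabled_services else 'stopped' }}"`. If starting a disabled instance is deliberate — the tasks in after.yml appear to need `es_url` reachable — a comment on the `state:` line saying so would stop someone "fixing" it later; otherwise use the same form here: `state: "{{ 'started' if 'elasticsearch' in enabled_services else 'stopped' }}"`.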
@@ -30,5 +30,5 @@
 - name: Enable and start filebeat
 service:
 name: filebeat
- state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'filebeat') | map(attribute='enabled') | first | bool else 'stopped' }}"
- enabled: "{{ local_services | selectattr('name', 'equalto', 'filebeat') | map(attribute='enabled') | first | bool }}"
+ state: "{{ 'started' if 'filebeat' in enabled_services else 'stopped' }}"
+ enabled: "{{ 'filebeat' in enabled_services }}"
diff --git a/roles/fsf/tasks/main.yml b/roles/fsf/tasks/main.yml
index 0ce7df250..8c24831d1 100644
--- a/roles/fsf/tasks/main.yml
+++ b/roles/fsf/tasks/main.yml
@@ -111,8 +111,8 @@
 - name: Enable and start FSF
 service:
 name: fsf
- state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'fsf') | map(attribute='enabled') | first | bool else 'stopped' }}"
- enabled: "{{ local_services | selectattr('name', 'equalto', 'fsf') | map(attribute='enabled') | first | bool }}"
+ state: "{{ 'started' if 'fsf' in enabled_services else 'stopped' }}"
+ enabled: "{{ 'fsf' in enabled_services }}"
 - name: Apply Logstash role
 include_role:
diff --git a/roles/kafka/tasks/main.yml b/roles/kafka/tasks/main.yml
index 29e6cc4d4..4ec63c897 100644
--- a/roles/kafka/tasks/main.yml
+++ b/roles/kafka/tasks/main.yml
@@ -153,8 +153,8 @@
 service:
 name: "{{ item }}"
 daemon-reload: "{{ kafka_override_created.changed or wait_for_zk_created.changed }}"
- state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'kafka') | map(attribute='enabled') | bool else 'stopped' }}"
- enabled: "{{ local_services | selectattr('name', 'equalto', 'kafka') | map(attribute='enabled') | bool }}"
+ state: "{{ 'started' if 'kafka' in enabled_services else 'stopped' }}"
+ enabled: "{{ 'kafka' in enabled_services }}"
 with_items:
 - wait-for-zookeeper
 - kafka
diff --git a/roles/kibana/tasks/main.yml b/roles/kibana/tasks/main.yml
index ca0d0e21e..5a2bf43aa 100644
--- a/roles/kibana/tasks/main.yml
+++ b/roles/kibana/tasks/main.yml
@@ -14,7 +14,7 @@
 - name: Enable and start kibana
 service:
 name: kibana
- enabled: "{{ local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='enabled') | list | bool }}"
+ enabled: "{{ 'kibana' in enabled_services }}"
 - name: Flush handlers
 meta: flush_handlers
@@ -119,8 +119,8 @@
 mode: 0644
 when: rock_online_install and (
- rock_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='installed') | list | first | bool or
- rock_services | selectattr('name', 'equalto', 'logstash') | map(attribute='installed') | list | first | bool
+ 'elasticsearch' in installed_services or
+ 'logstash' in installed_services
 )
 - name: Extract RockNSM elastic configs
@@ -131,6 +131,4 @@
 group: root
 creates: "{{ rock_module_dir }}"
 remote_src: true
- when:
- rock_services | selectattr('name', 'equalto', 'elasticsearch') | map(attribute='installed') | list | first | bool or
- rock_services | selectattr('name', 'equalto', 'logstash') | map(attribute='installed') | list | first | bool
+ when: "'elasticsearch' in installed_services or 'logstash' in installed_services"
diff --git a/roles/lighttpd/handlers/main.yml b/roles/lighttpd/handlers/main.yml
index cb2a65880..ad4e6c574 100644
--- a/roles/lighttpd/handlers/main.yml
+++ b/roles/lighttpd/handlers/main.yml
@@ -3,15 +3,13 @@
 systemd:
 name: lighttpd
 state: >-
- {%- if local_services | selectattr('name', 'equalto', 'lighttpd') | map(attribute='enabled') | first | bool or
- local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool -%}
+ {%- if 'lighttpd' in enabled_services or 'docket' in enabled_services -%}
 restarted
 {%- else -%}
 stopped
 {%- endif -%}
 enabled: >-
- {%- if local_services | selectattr('name', 'equalto', 'lighttpd') | map(attribute='enabled') | first | bool or
- local_services | selectattr('name', 'equalto', 'docket') | map(attribute='enabled') | first | bool -%}
+ {%- if 'lighttpd' in enabled_services or 'docket' in enabled_services -%}
 True
 {%- else -%}
 False
diff --git a/roles/lighttpd/tasks/main.yml b/roles/lighttpd/tasks/main.yml
index 214ef4ec8..278220f68 100644
--- a/roles/lighttpd/tasks/main.yml
+++ b/roles/lighttpd/tasks/main.yml
@@ -14,7 +14,7 @@
 mode: 0644
 owner: root
 group: root
- when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
+ when: "'kibana' in installed_services"
 loop:
 - 10-rock-auth.conf
 - 10-tls.conf
@@ -41,19 +41,19 @@
 name: httpd_can_network_connect
 state: true
 persistent: true
- when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
+ when: "'kibana' in installed_services"
 - name: Generate sensor private key
 openssl_privatekey:
 path: "{{ http_tls_key }}"
- when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
+ when: "'kibana' in installed_services"
 notify: Enable and restart lighttpd
 - name: Generate sensor public key
 openssl_publickey:
 path: "{{ http_tls_pub }}"
 privatekey_path: "{{ http_tls_key }}"
- when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
+ when: "'kibana' in installed_services"
 notify: Enable and restart lighttpd
 - name: Generate sensor CSR
@@ -67,7 +67,7 @@
 organizational_unit_name: NSM Ninjas
 email_address: info@rocknsm.io
 common_name: "{{ ansible_hostname }}"
- when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
+ when: "'kibana' in installed_services"
 notify: Enable and restart lighttpd
 - name: Generate sensor certificate
@@ -76,7 +76,7 @@
 privatekey_path: "{{ http_tls_key }}"
 csr_path: "{{ http_tls_pub }}.csr"
 provider: selfsigned
- when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | bool"
+ when: "'kibana' in installed_services"
 notify: Enable and restart lighttpd
 - name: Combine sensor cert and key
@@ -84,6 +84,7 @@
 cat {{ http_tls_key }} {{ http_tls_crt }} > {{ http_tls_combined }}
 args:
 creates: "{{ http_tls_combined }}"
+ when: "'kibana' in installed_services"
 notify: Enable and restart lighttpd
 - name: Generate DH parameters
@@ -91,7 +92,7 @@
 openssl dhparam -out {{ http_tls_dhparams }} 2048
 args:
 creates: "{{ http_tls_dhparams }}"
- when: "local_services | selectattr('name', 'equalto', 'kibana') | map(attribute='installed') | list | bool"
+ when: "'kibana' in installed_services"
 notify: Enable and restart lighttpd
 - name: Configure firewall ports
diff --git a/roles/logstash/handlers/main.yml b/roles/logstash/handlers/main.yml
index c7e6c7952..1c3c62c25 100644
--- a/roles/logstash/handlers/main.yml
+++ b/roles/logstash/handlers/main.yml
@@ -3,4 +3,4 @@
 - name: Restart logstash
 systemd:
 name: logstash
- state: "{{ 'restarted' if local_services | selectattr('name', 'equalto', 'logstash') | map(attribute='enabled') | first | bool else 'stopped' }}"
+ state: "{{ 'restarted' if 'logstash' in enabled_services else 'stopped' }}"
diff --git a/roles/logstash/tasks/main.yml b/roles/logstash/tasks/main.yml
index b2e82ac06..482189a3d 100644
--- a/roles/logstash/tasks/main.yml
+++ b/roles/logstash/tasks/main.yml
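Review bot: The `when: "'kibana' in installed_services"` added to "Combine sensor cert and key" brings that task in line with the key, CSR and certificate tasks above it, but the task still writes the private key into `{{ http_tls_combined }}` through a shell redirection, so the resulting file's mode comes from the remote umask rather than from the key file's permissions. Unless the mode is set elsewhere in the role, make it explicit — for example `umask 077 && cat {{ http_tls_key }} {{ http_tls_crt }} > {{ http_tls_combined }}`, or a following `file:` task with `mode: '0600'` — and say in a comment that the combined file contains the private key. Note that the `creates:` guard means a file created earlier with a loose mode is never rewritten by this task, so a one-off `file:` task is the more reliable of the two.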
@@ -89,7 +89,7 @@
 - name: Enable and start Logstash
 service:
 name: logstash
- enabled: "{{ local_services | selectattr('name', 'equalto', 'logstash') | map(attribute='enabled') | bool }}"
+ enabled: "{{ 'logstash' in enabled_services }}"
 # notify: Restart logstash
 tags:
 - molecule-idempotencie-notest
diff --git a/roles/stenographer/handlers/main.yml b/roles/stenographer/handlers/main.yml
index c68cb0dc3..d45e4a1e5 100644
--- a/roles/stenographer/handlers/main.yml
+++ b/roles/stenographer/handlers/main.yml
@@ -4,16 +4,16 @@
 - name: Start stenographer service
 service:
 name: stenographer
- state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | bool else 'stopped' }}"
+ state: "{{ 'started' if 'stenographer' in enabled_services else 'stopped' }}"
 - name: Start stenographer per interface
 service:
 name: "stenographer@{{ item }}"
- state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | bool else 'stopped' }}"
+ state: "{{ 'started' if 'stenographer' in enabled_services else 'stopped' }}"
 loop: "{{ stenographer_monitor_interfaces }}"
 - name: Restart stenographer per interface
 service:
 name: "stenographer@{{ item }}"
- state: "{{ 'restarted' if local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | bool else 'stopped' }}"
+ state: "{{ 'started' if 'stenographer' in enabled_services else 'stopped' }}"
 loop: "{{ stenographer_monitor_interfaces }}"
diff --git a/roles/stenographer/tasks/config.yml b/roles/stenographer/tasks/config.yml
index 4cc48118c..3083cb47f 100644
--- a/roles/stenographer/tasks/config.yml
+++ b/roles/stenographer/tasks/config.yml
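Review bot: In the `Restart stenographer per interface` handler the new line `state: "{{ 'started' if 'stenographer' in enabled_services else 'stopped' }}"` replaces the removed line's `'restarted'` with `'started'`, so notifying this handler no longer restarts a running `stenographer@<iface>` unit and a changed configuration is not picked up until a manual restart. The two `Start stenographer ...` handlers above it are start handlers, so only this one is affected; it should read `state: "{{ 'restarted' if 'stenographer' in enabled_services else 'stopped' }}"`. Which tasks notify it is outside this hunk.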
@@ -104,13 +104,13 @@
 - name: Configure stenographer service
 service:
 name: stenographer
- enabled: "{{ local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | list | bool }}"
+ enabled: "{{ 'stenographer' in enabled_services }}"
 notify: Start stenographer service
 - name: Configure stenographer per interface
 service:
 name: "stenographer@{{ item }}"
- enabled: "{{ local_services | selectattr('name', 'equalto', 'stenographer') | map(attribute='enabled') | list | bool }}"
+ enabled: "{{ 'stenographer' in enabled_services }}"
 loop: "{{ stenographer_monitor_interfaces }}"
 notify: Start stenographer per interface
diff --git a/roles/suricata/tasks/main.yml b/roles/suricata/tasks/main.yml
index 261e24c0e..93340ac93 100644
--- a/roles/suricata/tasks/main.yml
+++ b/roles/suricata/tasks/main.yml
@@ -175,7 +175,7 @@
 command: /usr/bin/suricata-update add-source "emerging-threats-offline" "file:///srv/rocknsm/support/emerging.rules-suricata.tar.gz"
 args:
 creates: /var/lib/suricata/update/sources/emerging-threats-offline.yaml
- when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='installed') | list | bool and not rock_online_install"
+ when: "'suricata' in installed_services and not rock_online_install"
 become: true
 become_user: "{{ suricata_user }}"
@@ -183,7 +183,7 @@
 command: /usr/bin/suricata-update update --reload-command "/usr/bin/systemctl kill -s USR2 suricata"
 args:
 creates: /var/lib/suricata/rules/suricata.rules
- when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and not rock_online_install"
+ when: "'suricata' in enabled_services and not rock_online_install"
 become: true
 become_user: "{{ suricata_user }}"
@@ -192,7 +192,7 @@
 args:
 creates: /var/lib/suricata/update/cache/index.yaml
 chdir: /var/lib/suricata
- when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and rock_online_install"
+ when: "'suricata' in enabled_services and rock_online_install"
 become: true
 become_user: "{{ suricata_user }}"
@@ -201,7 +201,7 @@
 args:
 creates: /var/lib/suricata/update/sources/et-open.yaml
 chdir: /var/lib/suricata
- when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and rock_online_install"
+ when: "'suricata' in enabled_services and rock_online_install"
 become: true
 become_user: "{{ suricata_user }}"
@@ -210,7 +210,7 @@
 args:
 creates: /var/lib/suricata/rules/suricata.rules
 chdir: /var/lib/suricata
- when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool and rock_online_install"
+ when: "'suricata' in enabled_services and rock_online_install"
 become: true
 become_user: "{{ suricata_user }}"
@@ -223,13 +223,13 @@
 minute: "0"
 job: /usr/bin/suricata-update update --reload-command "/usr/bin/systemctl kill -s USR2 suricata" > /var/log/suricata-update.log 2>&1
- when: "local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool"
+ when: "'suricata' in enabled_services"
 - name: Enable and start suricata
 service:
 name: suricata
- state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool else 'stopped' }}"
- enabled: "{{ local_services | selectattr('name', 'equalto', 'suricata') | map(attribute='enabled') | list | bool }}"
+ state: "{{ 'started' if 'suricata' in enabled_services else 'stopped' }}"
+ enabled: "{{ 'suricata' in enabled_services }}"
 - name: Apply Logstash role
 include_role:
diff --git a/roles/zeek/handlers/main.yml b/roles/zeek/handlers/main.yml
index ea9a475d2..daab1892f 100644
--- a/roles/zeek/handlers/main.yml
+++ b/roles/zeek/handlers/main.yml
@@ -11,4 +11,4 @@
 service:
 name: zeek
 state: restarted
- when: local_services | selectattr('name', 'equalto', 'zeek') | map(attribute='enabled') | first | bool
+ when: "'zeek' in enabled_services"
diff --git a/roles/zeek/tasks/main.yml b/roles/zeek/tasks/main.yml
index 2c9b7e595..2b3211027 100644
--- a/roles/zeek/tasks/main.yml
+++ b/roles/zeek/tasks/main.yml
@@ -209,7 +209,7 @@
 dest: "{{ zeek_site_dir }}/local.zeek"
 line: "@load scripts/rock/plugins/kafka"
 state: present
- when: "rock_services | selectattr('name', 'equalto', 'kafka') | map(attribute='enabled') | list | first | bool"
+ when: "'kafka' in enabled_services"
 - name: Add zeek aliases
 copy:
@@ -337,8 +337,8 @@
 - name: Enable and start zeek
 service:
 name: zeek
- state: "{{ 'started' if local_services | selectattr('name', 'equalto', 'zeek') | map(attribute='enabled') | bool else 'stopped' }}"
- enabled: "{{ local_services | selectattr('name', 'equalto', 'zeek') | map(attribute='enabled') | bool }}"
+ state: "{{ 'started' if 'zeek' in enabled_services else 'stopped' }}"
+ enabled: "{{ 'zeek' in enabled_services }}"
 - name: Apply Logstash role
 include_role:
diff --git a/roles/zookeeper/handlers/main.yml b/roles/zookeeper/handlers/main.yml
index caa75e890..2b5acce7c 100644
--- a/roles/zookeeper/handlers/main.yml
+++ b/roles/zookeeper/handlers/main.yml
@@ -3,4 +3,4 @@
 - name: Restart zookeeper
 systemd:
 name: zookeeper
- state: "{{ 'restarted' if local_services | selectattr('name', 'equalto', 'zookeeper') | map(attribute='enabled') | first | bool else 'stopped' }}"
+ state: "{{ 'restarted' if 'zookeeper' in enabled_services else 'stopped' }}"
diff --git a/roles/zookeeper/tasks/main.yml b/roles/zookeeper/tasks/main.yml
index 40606b3f8..a9184c4c7 100644
--- a/roles/zookeeper/tasks/main.yml
+++ b/roles/zookeeper/tasks/main.yml
@@ -9,7 +9,7 @@
 - name: Enable and Start zookeeper
 systemd:
 name: zookeeper
- enabled: "{{ local_services | selectattr('name', 'equalto', 'zookeeper') | map(attribute='enabled') | bool }}"
+ enabled: "{{ 'zookeeper' in enabled_services }}"
 notify: Restart zookeeper
 - name: Configure firewall ports