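---
# deploy-ansipa-policies.yml — deploy the policy enforcement daemon to enrolled clients.
#
# Installs ansipa-enforce-policies.sh and a systemd timer that runs it every 30 minutes.
# Policies are declared by adding hosts to the following FreeIPA host groups:
#
#   policy-block-binary-<name>     Block execution of <name> via a PATH-priority wrapper + AppArmor
#   policy-daemon-enable-<unit>    Ensure <unit> is enabled and running; reverted when host leaves group
#   policy-daemon-disable-<unit>   Ensure <unit> is disabled and stopped; reverted when host leaves group
#   policy-timeshift-backup        Enforce daily Timeshift snapshots (03:00)
#   policy-security-scan           Enforce daily ClamAV + rkhunter + chkrootkit scans + SMB upload (02:00)
#   policy-scan-notify             Fetch alerts from server, notify user every 10 min until acknowledged
#
# Prerequisites:
#   - Host enrolled in FreeIPA (sssd + ipa CLI available)
#   - For security-scan / scan-notify: samba-client installed (handled below)
#   - For security-scan / scan-notify: smb_scan_password set (use ansible-vault in production)
#   - For security-scan tools: also add host to ansipa-module-anti-malware group
#   - For timeshift-backup: also add host to ansipa-module-timeshift group
#
# Usage:
#   ansible-playbook -i inventory deploy-ansipa-policies.yml \
#     -e smb_scan_password=<password>    # or use --vault-password-file
#
# Optional overrides (each defaults to the value that used to be hard-coded below):
#   smb_scan_username      default: scanupload
#   smb_scan_domain        default: WORKGROUP
#   samba_client_package   default: samba-client (the package name differs between distributions)

- name: Deploy FreeIPA policy enforcer
  hosts: all
  become: true

  tasks:
    # A play-level var of the form
    #   smb_scan_password: "{{ smb_scan_password | mandatory(...) }}"
    # references itself: when the extra var is missing Ansible reports a recursive
    # template error instead of the intended message, and when it is present the
    # play var is shadowed anyway. An explicit assert gives the operator the message
    # and stops the play before any file is written.
    - name: Require smb_scan_password
      assert:
        that:
          - smb_scan_password is defined
          - smb_scan_password | length > 0
        fail_msg: "smb_scan_password is required — use -e smb_scan_password=... or ansible-vault"
        quiet: true

    - name: Install samba-client (required for scan upload and alert fetch)
      package:
        name: "{{ samba_client_package | default('samba-client') }}"
        state: present
      # Best-effort, as before: hosts that never upload scans still get the
      # enforcer, and the package name is distribution-specific.
      ignore_errors: true

    - name: Deploy SMB credentials file
      copy:
        dest: /etc/ansipa-smb.creds
        mode: '0600'
        owner: root
        group: root
        content: |
          username = {{ smb_scan_username | default('scanupload') }}
          password = {{ smb_scan_password }}
          domain = {{ smb_scan_domain | default('WORKGROUP') }}
      # The rendered content carries the password; keep it out of -v/--diff output and logs.
      no_log: true

    # All three scripts share the same install location and mode.
    - name: Deploy policy enforcer, alert fetch and user notification scripts
      copy:
        src: "{{ item }}"
        dest: "/usr/local/bin/{{ item }}"
        mode: '0755'
        owner: root
        group: root
      loop:
        - ansipa-enforce-policies.sh
        - ansipa-fetch-alerts.sh
        - ansipa-scan-notify.sh

    - name: Create policy state directory
      file:
        path: /var/lib/ansipa-policies
        state: directory
        mode: '0700'
        owner: root
        group: root

    - name: Install policy enforcer systemd service
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.service
        mode: '0644'
        owner: root
        group: root
        content: |
          [Unit]
          Description=Enforce FreeIPA host-group policies (binary blocks, backups, scans)
          After=network-online.target sssd.service
          Wants=network-online.target

          [Service]
          Type=oneshot
          ExecStart=/usr/local/bin/ansipa-enforce-policies.sh
          StandardOutput=journal
          StandardError=journal

    - name: Install policy enforcer systemd timer
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.timer
        mode: '0644'
        owner: root
        group: root
        content: |
          [Unit]
          Description=Periodic FreeIPA policy enforcement

          [Timer]
          OnBootSec=5min
          OnUnitActiveSec=30min

          [Install]
          WantedBy=timers.target

    - name: Enable and start policy enforcer timer
      systemd:
        name: ansipa-enforce-policies.timer
        # Replaces the separate `command: systemctl daemon-reload` task, which
        # reported "changed" on every run and bypassed the systemd module.
        daemon_reload: true
        enabled: true
        state: started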