From 8905c9cb0229118635cef6d2eaa89c0e76fbf62e Mon Sep 17 00:00:00 2001 
From: Claudio Maradonna
Date: Thu, 24 Nov 2022 10:21:06 +0100
Subject: [PATCH] add samba support; add samba iptables role
---
.gitignore | 1 +
handbook.yml | 37 +++++++-----------
requirements.yml | 3 ++
roles/iptables-samba/.travis.yml | 29 ++++++++++++++
roles/iptables-samba/README.md | 34 +++++++++++++++++
roles/iptables-samba/defaults/main.yml | 4 ++
roles/iptables-samba/handlers/main.yml | 2 +
roles/iptables-samba/meta/main.yml | 52 ++++++++++++++++++++++++++
roles/iptables-samba/tasks/main.yml | 26 +++++++++++++
roles/iptables-samba/tests/inventory | 2 +
roles/iptables-samba/tests/test.yml | 5 +++
roles/iptables-samba/vars/main.yml | 2 +
roles/samba/.travis.yml | 29 ++++++++++++++
roles/samba/README.md | 34 +++++++++++++++++
roles/samba/defaults/main.yml | 4 ++
roles/samba/handlers/main.yml | 2 +
roles/samba/meta/main.yml | 52 ++++++++++++++++++++++++++
roles/samba/tasks/main.yml | 10 +++++
roles/samba/tests/inventory | 2 +
roles/samba/tests/test.yml | 5 +++
roles/samba/vars/main.yml | 2 +
21 files changed, 314 insertions(+), 23 deletions(-)
create mode 100644 requirements.yml
create mode 100644 roles/iptables-samba/.travis.yml
create mode 100644 roles/iptables-samba/README.md
create mode 100644 roles/iptables-samba/defaults/main.yml
create mode 100644 roles/iptables-samba/handlers/main.yml
create mode 100644 roles/iptables-samba/meta/main.yml
create mode 100644 roles/iptables-samba/tasks/main.yml
create mode 100644 roles/iptables-samba/tests/inventory
create mode 100644 roles/iptables-samba/tests/test.yml
create mode 100644 roles/iptables-samba/vars/main.yml
create mode 100644 roles/samba/.travis.yml
create mode 100644 roles/samba/README.md
create mode 100644 roles/samba/defaults/main.yml
create mode 100644 roles/samba/handlers/main.yml
create mode 100644 roles/samba/meta/main.yml
create mode 100644 roles/samba/tasks/main.yml
create mode 100644 roles/samba/tests/inventory
create mode 100644 roles/samba/tests/test.yml
create mode 100644 
roles/samba/vars/main.yml diff --git a/.gitignore b/.gitignore index 6ed4276..368e4ed 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ inventory/* host_vars/* group_vars/* +vaults/* !group_vars/all.yml Dockerfile docker-compose.yml diff --git a/handbook.yml b/handbook.yml index 735bc03..069b60a 100644 --- a/handbook.yml +++ b/handbook.yml @@ -4,28 +4,19 @@ hosts: "{{ target if target is defined else 'planets' }}" roles: - # Hardening - # - role: iptables-persistent - # tags: [firewall, ips, ids] + # --- Hardening --- + # Basic rules or good practises to apply - - role: hardening-basic - tags: [hardening, ips, ids] - - role: iptables-basic - tags: [firewall, ips, ids] - - role: fail2ban-basic - tags: [fail2ban, ips, ids] - - role: auditd - tags: [auditd] + - { role: hardening-basic, tags: [hardening, ips, ids] } + - { role: iptables-basic, tags: [firewall, ips, ids] } + - { role: fail2ban-basic, tags: [fail2ban, ips, ids] } + - { role: auditd, tags: [auditd] } + - { role: iptables-webserver, tags: [firewall, webserver] } - - role: iptables-webserver - tags: [firewall, webserver] - - # Services - - role: ipfs - tags: [ipfs] - - role: yggdrasil - tags: [yggdrasil] - - role: snort-community - tags: [snort, ips, ids] - - role: dns-filter - tags: [dns_filter] + # --- Services --- + # Role relative to services, applications and so on + - { role: ipfs, tags: [ipfs] } + - { role: yggdrasil, tags: [yggdrasil] } + - { role: snort-community, tags: [snort, ips, ids] } + - { role: dns-filter, tags: [dns_filter] } + - { role: samba, tags: [samba, smb] } diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..4149222 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,3 @@ +--- +collections: + - name: vladgh.samba diff --git a/roles/iptables-samba/.travis.yml b/roles/iptables-samba/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/iptables-samba/.travis.yml 
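Review bot: The new section comments in handbook.yml carry wording slips: `# Basic rules or good practises to apply` should read `# Basic rules or good practices to apply`, and `# Role relative to services, applications and so on` reads better as `# Roles related to services, applications and so on`. The samba entry joins the role list that every targeted host runs, so its effect rests entirely on the `samba_enabled: false` default introduced in roles/samba/defaults/main.yml; a short comment beside that entry, e.g. `# no-op unless samba_enabled is set per host/group`, would spare the next reader the lookup.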
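Review bot: `vladgh.samba` is declared in requirements.yml without a version, so each `ansible-galaxy collection install -r requirements.yml` resolves to whatever Galaxy serves as newest at that moment and the server configuration this playbook applies can change with no commit here. Pin it and bump deliberately: `- name: vladgh.samba` followed by `  version: "X.Y.Z"  # placeholder: the release you tested against`. The roles/samba README even recommends `--upgrade`, which widens that drift further.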
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/roles/iptables-samba/README.md b/roles/iptables-samba/README.md
new file mode 100644
index 0000000..8924193
--- /dev/null
+++ b/roles/iptables-samba/README.md
@@ -0,0 +1,34 @@
+iptables-samba
+=========
+
+This role setup iptables for Samba (SMB)
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+- **samba_ports** (array): List of ports to enable for TCP/UDP
+
+Dependencies
+------------
+
+.
+
+Example Playbook
+----------------
+
+This roles aims to be used by another role
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)
diff --git a/roles/iptables-samba/defaults/main.yml b/roles/iptables-samba/defaults/main.yml
new file mode 100644
index 0000000..565c6ec
--- /dev/null
+++ b/roles/iptables-samba/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for iptables-samba
+
+samba_ports: [137,138,139,445]
diff --git a/roles/iptables-samba/handlers/main.yml b/roles/iptables-samba/handlers/main.yml
new file mode 100644
index 0000000..e75c847
--- /dev/null
+++ b/roles/iptables-samba/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for iptables-samba
diff --git a/roles/iptables-samba/meta/main.yml b/roles/iptables-samba/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/roles/iptables-samba/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/iptables-samba/tasks/main.yml b/roles/iptables-samba/tasks/main.yml
new file mode 100644
index 0000000..a7274cc
--- /dev/null
+++ b/roles/iptables-samba/tasks/main.yml
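Review bot: roles/iptables-samba/meta/main.yml is the untouched `ansible-galaxy init` skeleton — `author: your name`, `description: your role description` and `license: license (GPL-2.0-or-later, MIT, etc)` are placeholders, while the README of the same role states GPLv3. At minimum set `author: Claudio Maradonna`, `description: iptables rules for Samba (SMB)` and `license: GPL-3.0-only` (or whichever SPDX id matches the intended GPLv3 variant) so the role metadata does not contradict the README. The same applies to roles/samba/meta/main.yml, which is the identical blob (index c572acc in both file headers).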
@@ -0,0 +1,26 @@
+---
+# tasks file for iptables-samba
+- name: Setup iptables for Samba
+ when: 'samba_enabled is true'
+ block:
+ - name: Allow new, established packets on TCP Samba ports
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: "{{ item }}"
+ ctstate: NEW,ESTABLISHED
+ jump: ACCEPT
+ with_items: '{{ samba_ports }}'
+
+ - name: Allow new, established packets on UDP Samba ports
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: udp
+ destination_port: "{{ item }}"
+ ctstate: NEW,ESTABLISHED
+ jump: ACCEPT
+ with_items: '{{ samba_ports }}'
+
+ - name: iptables-persistent
+ ansible.builtin.include_role:
+ name: iptables-persistent
diff --git a/roles/iptables-samba/tests/inventory b/roles/iptables-samba/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/roles/iptables-samba/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/roles/iptables-samba/tests/test.yml b/roles/iptables-samba/tests/test.yml
new file mode 100644
index 0000000..7a8608f
--- /dev/null
+++ b/roles/iptables-samba/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - iptables-samba
diff --git a/roles/iptables-samba/vars/main.yml b/roles/iptables-samba/vars/main.yml
new file mode 100644
index 0000000..1d99e9c
--- /dev/null
+++ b/roles/iptables-samba/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for iptables-samba
diff --git a/roles/samba/.travis.yml b/roles/samba/.travis.yml
new file mode 100644
index 0000000..36bbf62
--- /dev/null
+++ b/roles/samba/.travis.yml
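Review bot: The two iptables tasks in roles/iptables-samba/tasks/main.yml accept every entry of `samba_ports` on both TCP and UDP from any source, so the `[137,138,139,445]` default from roles/iptables-samba/defaults/main.yml produces eight INPUT ACCEPT rules where Samba listens on four: 137/udp and 138/udp for NetBIOS name and datagram service, 139/tcp and 445/tcp for SMB. Splitting the default into `samba_tcp_ports: [139, 445]` and `samba_udp_ports: [137, 138]`, and adding a `samba_allowed_sources` list (the LAN prefix in practice, a placeholder in defaults) passed as `source:`, limits the opened surface to what the server actually serves and to the networks that need it; the rewritten TCP task below shows the shape, the UDP task mirrors it, and the README's variable list needs the same update. Separately, `when: 'samba_enabled is true'` matches only a real boolean — a value supplied as `-e samba_enabled=true` arrives as a string and the whole block is skipped silently — so `when: samba_enabled | bool` is the safer guard; roles/samba/tasks/main.yml uses the same expression and should change with it. Because this role is also applied on its own in tests/test.yml, where `samba_enabled` is never defined, the conditional likely errors there rather than skipping; a `default(false)` in the guard would settle that.
```yaml
- name: Setup iptables for Samba
  when: samba_enabled | default(false) | bool
  block:
    - name: Allow new, established packets on TCP Samba ports
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        source: "{{ item.1 }}"
        destination_port: "{{ item.0 }}"
        ctstate: NEW,ESTABLISHED
        jump: ACCEPT
      loop: "{{ samba_tcp_ports | product(samba_allowed_sources) | list }}"
    # … unchanged: UDP task, same shape over samba_udp_ports …
    # … unchanged: iptables-persistent include …
```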
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+ apt:
+ packages:
+ - python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
\ No newline at end of file
diff --git a/roles/samba/README.md b/roles/samba/README.md
new file mode 100644
index 0000000..51ffd72
--- /dev/null
+++ b/roles/samba/README.md
@@ -0,0 +1,34 @@
+samba
+=========
+
+This role depends to an external playbook.
+
+Requirements
+------------
+
+.
+
+Role Variables
+--------------
+
+- **samba_enabled** (boolean): Enable or disable samba support
+
+Dependencies
+------------
+
+- `ansible-galaxy collection install vladgh.samba --upgrade`
+
+Example Playbook
+----------------
+
+`ansible-playbook -i inventory/example.yml handbook.yml --tags samba`
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- [Claudio Maradonna](https://social.unitoo.it/claudio)
diff --git a/roles/samba/defaults/main.yml b/roles/samba/defaults/main.yml
new file mode 100644
index 0000000..f3797ab
--- /dev/null
+++ b/roles/samba/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# defaults file for samba
+
+samba_enabled: false
diff --git a/roles/samba/handlers/main.yml b/roles/samba/handlers/main.yml
new file mode 100644
index 0000000..6b8efe4
--- /dev/null
+++ b/roles/samba/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for samba
diff --git a/roles/samba/meta/main.yml b/roles/samba/meta/main.yml
new file mode 100644
index 0000000..c572acc
--- /dev/null
+++ b/roles/samba/meta/main.yml
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml
new file mode 100644
index 0000000..05419ac
--- /dev/null
+++ b/roles/samba/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Setup target as a Samba server
+ when: 'samba_enabled is true'
+ include_role:
+ name: vladgh.samba.server
+
+- name: Setup iptables samba
+ include_role:
+ name: iptables-samba
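Review bot: Both tasks in roles/samba/tasks/main.yml use the short `include_role:` while the sibling role added in the same commit uses the fully qualified `ansible.builtin.include_role:`; use the FQCN here as well so the two roles read the same and the lint rule on fully qualified action names stays quiet. The second task includes iptables-samba unconditionally and relies on that role's own `samba_enabled` guard, which works but is invisible from this file — a comment such as `# iptables-samba evaluates samba_enabled itself` on the task would record the contract. Nothing is passed to `vladgh.samba.server`, so the shares and access settings the host ends up with are whatever that collection's defaults are; the role README or a comment here should say where those variables are expected to come from (presumably group_vars or the now-ignored vaults/ directory — confirm).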
diff --git a/roles/samba/tests/inventory b/roles/samba/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/roles/samba/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/roles/samba/tests/test.yml b/roles/samba/tests/test.yml
new file mode 100644
index 0000000..2da65c6
--- /dev/null
+++ b/roles/samba/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - samba
diff --git a/roles/samba/vars/main.yml b/roles/samba/vars/main.yml
new file mode 100644
index 0000000..aa367cb
--- /dev/null
+++ b/roles/samba/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for samba