mirror of https://github.com/MISP/MISP-maltego
chg: [doc] updated ansible TDS install scripts
parent
a4c2de36ce
commit
4ba072958c
|
@ -10,3 +10,5 @@
|
||||||
# Locally genenerated mtz
|
# Locally genenerated mtz
|
||||||
/*.mtz
|
/*.mtz
|
||||||
|
|
||||||
|
|
||||||
|
ansible/inventory.txt
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
server {
|
||||||
|
# dummy server for let's encrypt
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
root /var/www/html;
|
||||||
|
server_name _;
|
||||||
|
try_files $uri @redirect;
|
||||||
|
|
||||||
|
location @redirect {
|
||||||
|
return 302 https://github.com/MISP/MISP-maltego;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
# true reverse proxy for plume
|
||||||
|
listen 443 ssl default_server;
|
||||||
|
listen [::]:443 ssl default_server;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/misp-maltego.misp-project.org/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/misp-maltego.misp-project.org/privkey.pem;
|
||||||
|
|
||||||
|
root /var/www/html;
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_pass http://127.0.0.1:8080;
|
||||||
|
proxy_intercept_errors on;
|
||||||
|
error_page 404 = @redirect; # redirect to the github when page not found
|
||||||
|
}
|
||||||
|
location @redirect {
|
||||||
|
return 302 https://github.com/MISP/MISP-maltego;
|
||||||
|
}
|
||||||
|
}
|
|
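Review bot: The TLS server block (`listen 443 ssl default_server;`) sets only `ssl_certificate` and `ssl_certificate_key`, so the accepted protocol versions and ciphers are whatever the packaged nginx defaults to. On older distribution builds those defaults can still include TLS 1.0/1.1. Adding `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines (or `TLSv1.2` alone if the installed nginx/OpenSSL predates 1.3) would make the policy explicit and reviewable. Separately, the port-80 server sends every request that is not a file under `/var/www/html` to GitHub rather than to the HTTPS listener; if that is intended, a short comment such as `# plain HTTP is only kept for the ACME webroot; everything else goes to the project page` would record it.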
@ -3,7 +3,7 @@
|
||||||
#
|
#
|
||||||
# DO NOT USE THIS UNLESS YOU REALLY KNOW YOU NEED THIS
|
# DO NOT USE THIS UNLESS YOU REALLY KNOW YOU NEED THIS
|
||||||
# - Most people usually probably want to use the local transforms
|
# - Most people usually probably want to use the local transforms
|
||||||
# - Others the 'ATT&CK - MISP' form the Transform Hub
|
# - Others the 'ATT&CK - MISP' from the Transform Hub
|
||||||
#
|
#
|
||||||
# First install your ubuntu system,
|
# First install your ubuntu system,
|
||||||
# Then run ansible-playbook -i inventory.txt plume.yaml
|
# Then run ansible-playbook -i inventory.txt plume.yaml
|
||||||
|
@ -19,51 +19,81 @@
|
||||||
# Save as "paired_config.mtz", upload on TDS
|
# Save as "paired_config.mtz", upload on TDS
|
||||||
|
|
||||||
- hosts: all
|
- hosts: all
|
||||||
remote_user: ubuntu
|
|
||||||
become: yes
|
become: yes
|
||||||
vars:
|
vars:
|
||||||
misp_maltego_version: 1.4.1 # FIXME change this !!!
|
misp_maltego_version: 1.4.4 # TODO change this !!!
|
||||||
|
host_locale: en_US.UTF-8
|
||||||
|
host_locale_dict: {
|
||||||
|
LANG: "{{ host_locale }}",
|
||||||
|
LC_COLLATE: "{{ host_locale }}",
|
||||||
|
LC_CTYPE: "{{ host_locale }}",
|
||||||
|
LC_MESSAGES: "{{ host_locale }}",
|
||||||
|
LC_MONETARY: "{{ host_locale }}",
|
||||||
|
LC_NUMERIC: "{{ host_locale }}",
|
||||||
|
LC_TIME: "{{ host_locale }}",
|
||||||
|
LC_ALL: "{{ host_locale }}",
|
||||||
|
}
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: install python3-pip
|
- name: install python3-pip
|
||||||
apt:
|
package:
|
||||||
name: python3-pip
|
name: python3-pip
|
||||||
state: present
|
state: present
|
||||||
- name: install python libs
|
- name: install python libs
|
||||||
pip:
|
pip:
|
||||||
executable: pip3
|
executable: /usr/bin/pip3
|
||||||
name: ['canari', 'PyMISP']
|
name: ['canari', 'pymisp']
|
||||||
state: latest
|
state: latest
|
||||||
|
|
||||||
# use the public pip package
|
# NGINX reverse proxy
|
||||||
- name: install MISP-maltego
|
# ######
|
||||||
pip:
|
- name: install nginx
|
||||||
executable: pip3
|
package:
|
||||||
name: ['MISP-maltego']
|
name: nginx
|
||||||
state: latest
|
state: present
|
||||||
|
|
||||||
# use local git repo instead, useful for development
|
|
||||||
# - name: bundle MISP-maltego
|
|
||||||
# delegate_to: 127.0.0.1
|
|
||||||
# command:
|
|
||||||
# cmd: python setup.py sdist
|
|
||||||
# chdir: ../
|
|
||||||
# become: no
|
|
||||||
# - name: copy MISP-maltego
|
|
||||||
# copy:
|
|
||||||
# src: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
|
|
||||||
# dest: /usr/local/src/
|
|
||||||
# - name: install MISP-maltego
|
|
||||||
# pip:
|
|
||||||
# executable: pip3
|
|
||||||
# name: file:///usr/local/src/MISP_maltego-{{misp_maltego_version}}.tar.gz
|
|
||||||
# state: forcereinstall
|
|
||||||
# - name: remove local MISP-maltego bundle
|
|
||||||
# delegate_to: 127.0.0.1
|
|
||||||
# file:
|
|
||||||
# path: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
|
|
||||||
# state: absent
|
|
||||||
# become: no
|
|
||||||
|
|
||||||
|
- name: letsencrypt certbot ppa
|
||||||
|
apt_repository:
|
||||||
|
repo: ppa:certbot/certbot
|
||||||
|
|
||||||
|
- name: letsencrypt certbot install
|
||||||
|
package:
|
||||||
|
name: ['certbot', 'python-certbot-nginx']
|
||||||
|
state: present
|
||||||
|
|
||||||
|
# FIXME generate the cert automagically, while answering the questions
|
||||||
|
# creates: /etc/letsencrypt/live/misp-maltego.misp-project.org/privkey.pem
|
||||||
|
# Requires input:
|
||||||
|
# - email address
|
||||||
|
# - agree terms
|
||||||
|
# - no sharing email with EFF
|
||||||
|
|
||||||
|
- name: nginx disable default config
|
||||||
|
file:
|
||||||
|
path: /etc/nginx/sites-enabled/default
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: nginx copy config
|
||||||
|
copy:
|
||||||
|
src: nginx.conf
|
||||||
|
dest: /etc/nginx/sites-available/plume
|
||||||
|
notify: restart nginx
|
||||||
|
|
||||||
|
- name: nginx enable plume config
|
||||||
|
file:
|
||||||
|
src: /etc/nginx/sites-available/plume
|
||||||
|
dest: /etc/nginx/sites-enabled/plume
|
||||||
|
state: link
|
||||||
|
notify: restart nginx
|
||||||
|
|
||||||
|
- name: letsencrypt auto-renew
|
||||||
|
cron:
|
||||||
|
name: "letsencrypt auto-renew SSL certificate"
|
||||||
|
special_time: daily
|
||||||
|
job: "/usr/sbin/certbot -q renew"
|
||||||
|
|
||||||
|
# PLUME
|
||||||
|
#######
|
||||||
- name: create nobody group - needed by plume
|
- name: create nobody group - needed by plume
|
||||||
group:
|
group:
|
||||||
name: nobody
|
name: nobody
|
||||||
|
@ -76,7 +106,51 @@
|
||||||
environment:
|
environment:
|
||||||
LC_ALL: 'C.UTF-8'
|
LC_ALL: 'C.UTF-8'
|
||||||
LANG: 'C.UTF-8'
|
LANG: 'C.UTF-8'
|
||||||
# LATER maybe we want to run plume with TLS?
|
|
||||||
|
- name: Start service plume at boot
|
||||||
|
file:
|
||||||
|
src: /etc/init.d/plume
|
||||||
|
dest: /etc/rc{{item}}.d/S20plume
|
||||||
|
state: link
|
||||||
|
with_items:
|
||||||
|
- 3
|
||||||
|
- 4
|
||||||
|
- 5
|
||||||
|
# LATER migrate to systemd service
|
||||||
|
|
||||||
|
|
||||||
|
# use the public pip package
|
||||||
|
- name: install MISP-maltego
|
||||||
|
pip:
|
||||||
|
executable: pip3
|
||||||
|
name: ['MISP-maltego']
|
||||||
|
state: latest
|
||||||
|
notify: restart plume
|
||||||
|
|
||||||
|
# use local git repo instead, useful for development
|
||||||
|
# - name: bundle MISP-maltego
|
||||||
|
# delegate_to: 127.0.0.1
|
||||||
|
# command:
|
||||||
|
# cmd: python3 setup.py sdist
|
||||||
|
# chdir: ../
|
||||||
|
# become: no
|
||||||
|
# - name: copy MISP-maltego
|
||||||
|
# copy:
|
||||||
|
# src: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
|
||||||
|
# dest: /usr/local/src/
|
||||||
|
# - name: install MISP-maltego
|
||||||
|
# pip:
|
||||||
|
# executable: /usr/bin/pip3
|
||||||
|
# name: file:///usr/local/src/MISP_maltego-{{misp_maltego_version}}.tar.gz
|
||||||
|
# state: forcereinstall
|
||||||
|
# environment: "{{host_locale_dict}}"
|
||||||
|
# notify: restart plume
|
||||||
|
# - name: remove local MISP-maltego bundle
|
||||||
|
# delegate_to: 127.0.0.1
|
||||||
|
# file:
|
||||||
|
# path: ../dist/MISP_maltego-{{misp_maltego_version}}.tar.gz
|
||||||
|
# state: absent
|
||||||
|
# become: no
|
||||||
|
|
||||||
- name: load plume package
|
- name: load plume package
|
||||||
command:
|
command:
|
||||||
|
@ -89,10 +163,65 @@
|
||||||
PLUME_ROOT: '/var/plume'
|
PLUME_ROOT: '/var/plume'
|
||||||
notify: restart plume
|
notify: restart plume
|
||||||
|
|
||||||
# FIXME /etc/init.d/plume start at boot
|
- name: Start service plume, if not started
|
||||||
|
service:
|
||||||
|
name: plume
|
||||||
|
state: started
|
||||||
|
|
||||||
|
# FIREWALLING
|
||||||
|
#############
|
||||||
|
- name: firewall logging
|
||||||
|
ufw:
|
||||||
|
logging: 'low'
|
||||||
|
|
||||||
|
- name: firewall inbound rate limited
|
||||||
|
ufw:
|
||||||
|
rule: limit
|
||||||
|
port: '2245' # ssh
|
||||||
|
proto: tcp
|
||||||
|
direction: in
|
||||||
|
|
||||||
|
- name: firewall inbound
|
||||||
|
ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{item}}"
|
||||||
|
proto: tcp
|
||||||
|
direction: in
|
||||||
|
loop:
|
||||||
|
- '80' # nginx
|
||||||
|
- '443' # nginx plume
|
||||||
|
- '25324' # monitoring
|
||||||
|
|
||||||
|
- name: firewall outbound
|
||||||
|
ufw:
|
||||||
|
rule: allow
|
||||||
|
port: "{{ item.port }}"
|
||||||
|
proto: "{{ item.proto }}"
|
||||||
|
direction: out
|
||||||
|
loop:
|
||||||
|
- { port: '53', proto: 'udp'}
|
||||||
|
- { port: '123', proto: 'udp'}
|
||||||
|
- { port: '53', proto: 'tcp'}
|
||||||
|
- { port: '80', proto: 'tcp'}
|
||||||
|
- { port: '443', proto: 'tcp'}
|
||||||
|
- { port: '32526', proto: 'tcp'} # waagent
|
||||||
|
|
||||||
|
- name: firewall default rule
|
||||||
|
ufw:
|
||||||
|
state: enabled
|
||||||
|
default: deny
|
||||||
|
direction: '{{ item }}'
|
||||||
|
loop:
|
||||||
|
- incoming
|
||||||
|
- outgoing
|
||||||
|
|
||||||
handlers:
|
handlers:
|
||||||
- name: restart plume
|
- name: restart plume
|
||||||
service:
|
service:
|
||||||
name: plume
|
name: plume
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: restarted
|
||||||
|
|
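Review bot: The pip tasks install `canari`, `pymisp` and `MISP-maltego` with `state: latest` while the play runs with `become: yes`, so every playbook run pulls whatever is newest on PyPI and installs it as root on the transform server. `misp_maltego_version` is declared in `vars` but is only referenced in the commented-out local-bundle tasks, so it does not constrain the public install. Pinning the package, for example `name: ['MISP-maltego=={{ misp_maltego_version }}']` with `state: present`, would make deployments reproducible and turn an upstream release into a deliberate, reviewed change. The same applies to the `install python libs` task in the earlier hunk. The `ppa:certbot/certbot` repository added here is a further third-party package source worth noting in the header comment.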