crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[logall-cachan] flemme de pepcrans

certbot_on_virtu
_shirenn 2021-05-24 17:06:26 +02:00 committed by Yohann D'ANELLO
parent 9e5d931b06
commit 24fdf21bb4
Signed by: _ynerant
GPG Key ID: 3A75C55819C8CF85
4 changed files with 89 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
plays/firewall.yml
View File

@ -1,9 +1,13 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
- hosts: routeurs_vms - hosts: routeurs_vms !routeur-gulp.cachan-adm.crans.org
roles: roles:
- logall - logall
- hosts: routeur-gulp.cachan-adm.crans.org
roles:
- logall-cachan
- hosts: firewall - hosts: firewall
vars: vars:
service: "{{ glob_service_firewall | default({}) | combine(loc_service_firewall | default({})) }}" service: "{{ glob_service_firewall | default({}) | combine(loc_service_firewall | default({})) }}"

24
roles/logall-cachan/tasks/main.yml 100644
View File

@ -0,0 +1,24 @@
---
- name: Deploy firewall rsyslog
template:
src: rsyslog.d/10-firewall.conf.j2
dest: /etc/rsyslog.d/10-firewall.conf
mode: 0644
owner: root
group: root
- name: Create firewall log directory
file:
path: /var/log/firewall
mode: 0755
owner: root
group: root
state: directory
- name: Deploy firewall logrotate
template:
src: logrotate.d/firewall.j2
dest: /etc/logrotate.d/firewall
mode: 0644
owner: root
group: root

28
roles/logall-cachan/templates/logrotate.d/firewall.j2 100644
View File

@ -0,0 +1,28 @@
{{ ansible_header | comment }}
/var/log/firewall/trace.log
/var/log/firewall/filtre.log
/var/log/firewall/iptables.err
/var/log/firewall/iptables.log {
rotate 1
weekly
missingok
notifempty
compress
postrotate
/usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
endscript
}
/var/log/firewall/logall.log {
daily
compress
compresscmd /bin/bzip2
uncompresscmd /bin/bunzip2
compressext .bz2
rotate 365
notifempty
sharedscripts
postrotate
/usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
endscript
}

32
roles/logall-cachan/templates/rsyslog.d/10-firewall.conf.j2 100644
View File

@ -0,0 +1,32 @@
{{ ansible_header | comment }}
#$ModLoad imklog #Déjà présent dans rsyslog.conf
# Messages du firewall (ie de sa génération)
if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
if $programname == 'firewall' then /var/log/firewall/iptables.log
# kernel (facility = 0):
# Discard broadcast (sinon trop de spam)
# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
# pas essayer)
if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
# LOG_ALL pour … je sais plus à quoi ça sert …
if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
& ~
# LOG_MAC_IP pour l'association mac_ip en ipv6
if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
# TRACE
if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
& ~
# filtre.log était parsé par un script pour gérer les déconnexions
#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
#& ~
if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~