From 7b4e4cf1e0661d3c4353245cbbb95f5c0f24bc52 Mon Sep 17 00:00:00 2001
From: shirenn
Date: Sat, 15 Jan 2022 17:43:41 +0100
Subject: [PATCH] [firewall] Handle logs locally
---
roles/logall/handlers/main.yml | 10 ++++
roles/logall/tasks/main.yml | 21 -------
.../logall/templates/logrotate.d/firewall.j2 | 43 ++++++--------
.../templates/rsyslog.d/10-firewall.conf.j2 | 58 +++++++++++--------
.../templates/systemd/system/logs.mount.j2 | 14 -----
roles/nfs-common/tasks/main.yml | 5 +-
roles/nfs-common/templates/nfs-common.j2 | 2 +-
7 files changed, 66 insertions(+), 87 deletions(-)
create mode 100644 roles/logall/handlers/main.yml
delete mode 100644 roles/logall/templates/systemd/system/logs.mount.j2
diff --git a/roles/logall/handlers/main.yml b/roles/logall/handlers/main.yml
new file mode 100644
index 00000000..ae4936a5
--- /dev/null
+++ b/roles/logall/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: systemctl restart rsyslog.service
+ systemd:
+ name: rsyslog
+ state: restarted
+
+- name: systemctl restart logrotate.service
+ systemd:
+ name: logrotate
+ state: restarted
diff --git a/roles/logall/tasks/main.yml b/roles/logall/tasks/main.yml
index f63159b0..8a4b031d 100644
--- a/roles/logall/tasks/main.yml
+++ b/roles/logall/tasks/main.yml
@@ -22,24 +22,3 @@
mode: 0644
owner: root
group: root
-
-- name: Create logs directory
- file:
- path: /logs
- mode: 0755
- owner: root
- group: root
- state: directory
-
-- name: Deploy nfs systemd mount
- template:
- src: systemd/system/logs.mount.j2
- dest: /etc/systemd/system/logs.mount
- mode: 0644
-
-- name: Load and activate nfs systemd mount
- systemd:
- name: logs.mount
- daemon_reload: true
- enabled: true
- state: started
diff --git a/roles/logall/templates/logrotate.d/firewall.j2 b/roles/logall/templates/logrotate.d/firewall.j2
index 6d733471..644404ac 100644
--- a/roles/logall/templates/logrotate.d/firewall.j2
+++ b/roles/logall/templates/logrotate.d/firewall.j2
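Review bot: Nothing in this commit notifies the two new handlers: the only other change to roles/logall/tasks/main.yml is the removal of the NFS mount tasks, and the template tasks that deploy the rsyslog and logrotate files sit above that hunk, outside the diff, so confirm they carry `notify: systemctl restart rsyslog.service`; otherwise the new 10-firewall.conf rules only take effect at the next unrelated rsyslog restart. The logrotate handler deserves a second look too: on Debian-style hosts logrotate.service is a oneshot unit driven by logrotate.timer, so `state: restarted` runs a rotation immediately rather than reloading configuration, and logrotate re-reads /etc/logrotate.d on every run anyway, so the handler is only needed if an immediate rotation is the intent. If it is kept, a comment above the second handler such as `# oneshot unit: 'restarted' runs a rotation now; the config is re-read on every run` would save the next reader the same question.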
@@ -1,29 +1,24 @@
{{ ansible_header | comment }}
-/var/log/firewall/trace.log
-/var/log/firewall/filtre.log
-/var/log/firewall/iptables.err
-/var/log/firewall/iptables.log {
- rotate 1
- weekly
- missingok
- notifempty
- compress
- postrotate
- /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
- endscript
-}
-/var/log/firewall/logall.log {
+/var/log/firewall/logall.prerouting.log
+/var/log/firewall/logall.prerouting.json.log
+/var/log/firewall/logall.srv.log
+/var/log/firewall/logall.srv.json.log
+/var/log/firewall/logall.adh.log
+/var/log/firewall/logall.adh.json.log {
daily
- compress
- compresscmd /bin/bzip2
- uncompresscmd /bin/bunzip2
- compressext .bz2
- rotate 10
- notifempty
- sharedscripts
- postrotate
- /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
- QUIET=y /logs/firewall-logrotate-script.sh;
+ compress
+ compresscmd /bin/bzip2
+ uncompresscmd /bin/bunzip2
+ compressext .bz2
+ create 0640 root root
+ rotate 365
+ notifempty
+ sharedscripts
+ dateext
+ dateformat %Y-%m-%d.
+ extension log
+ postrotate
+ usr/lib/rsyslog/rsyslog-rotate
endscript
}
diff --git a/roles/logall/templates/rsyslog.d/10-firewall.conf.j2 b/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
index 99055901..649dada6 100644
--- a/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
+++ b/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
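Review bot: The new postrotate command `usr/lib/rsyslog/rsyslog-rotate` is missing its leading slash, so it is a relative path that only resolves if logrotate happens to run with `/` as its working directory; when it fails, rsyslog keeps writing to the renamed files until its next restart and the freshly created 0640 files stay empty. The line should read `/usr/lib/rsyslog/rsyslog-rotate`. The old stanza also had `missingok` and the new one drops it, yet rsyslog only creates each of the six files when a matching message arrives, so until all three LOG_ALL_* families have fired logrotate will report the absent files as errors on every run. Finally, `/var/log/firewall/logall.log` is removed from this file but the rsyslog template in the next hunk still writes it for the legacy LOG_ALL rule, so that file is now never rotated and will grow unbounded; either keep a stanza for it here or drop the legacy rule.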
@@ -1,32 +1,42 @@
{{ ansible_header | comment }}
-#$ModLoad imklog #Déjà présent dans rsyslog.conf
+template(name="logall" type="list" option.jsonf="on"){
+ property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
+ property(outname="host" name="hostname" format="jsonf")
+ property(outname="message" name="msg" format="jsonf")
+}
-# Messages du firewall (ie de sa génération)
-if $programname == 'firewall' and $syslogseverity <= '3' then /var/log/firewall/iptables.err
+module(load="omprog")
-if $programname == 'firewall' then /var/log/firewall/iptables.log
+if ($syslogfacility == '0' and $msg contains 'LOG_ALL_PREROUTING')
+then {
+ action(type="omprog"
+ binary="/usr/bin/python3 /usr/local/src/scripts/firewall/logs_to_json.py"
+ template="logall"
+ output="/var/log/firewall/logall.prerouting.json.log")
+ action(type="omfile" file="/var/log/firewall/logall.prerouting.log" template="logall")
+ stop
+}
+if ($syslogfacility == '0' and $msg contains 'LOG_ALL_ADH')
+then {
+ action(type="omprog"
+ binary="/usr/bin/python3 /usr/local/src/scripts/firewall/logs_to_json.py"
+ template="logall"
+ output="/var/log/firewall/logall.adh.json.log")
+ action(type="omfile" file="/var/log/firewall/logall.adh.log" template="logall")
+ stop
+}
-# kernel (facility = 0):
-# Discard broadcast (sinon trop de spam)
-# Note: on discard tout au final, sinon, on risquerait d'envoyer du contenu
-# (LOG_ALL est dans PREROUTING donc je sais pas si ça compte, mais je veux
-# pas essayer)
-if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
+if ($syslogfacility == '0' and $msg contains 'LOG_ALL_SRV')
+then {
+ action(type="omprog"
+ binary="/usr/bin/python3 /usr/local/src/scripts/firewall/logs_to_json.py"
+ template="logall"
+ output="/var/log/firewall/logall.srv.json.log")
+ action(type="omfile" file="/var/log/firewall/logall.srv.log" template="logall")
+ stop
+}
-# LOG_ALL pour … je sais plus à quoi ça sert …
+# Legacy LOG_ALL
if $syslogfacility == '0' and $msg contains 'LOG_ALL' then /var/log/firewall/logall.log
& ~
-
-# LOG_MAC_IP pour l'association mac_ip en ipv6
-if $syslogfacility == '0' and $msg contains 'LOG_MAC_IP' then ~
-
-# TRACE
-if $syslogfacility == '0' and $msg contains 'TRACE:' then /var/log/firewall/trace.log
-& ~
-
-# filtre.log était parsé par un script pour gérer les déconnexions
-#if $syslogfacility == '0' and $msg contains 'DST=' then /var/log/firewall/filtre.log
-#& ~
-
-if $syslogfacility == '0' and $msg contains 'LOG_ALL' then ~
diff --git a/roles/logall/templates/systemd/system/logs.mount.j2 b/roles/logall/templates/systemd/system/logs.mount.j2
deleted file mode 100644
index cc726e5a..00000000
--- a/roles/logall/templates/systemd/system/logs.mount.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-{{ ansible_header | comment }}
-[Unit]
-Description=Mount home
-Wants=network-online.target
-After=network-online.target
-
-[Mount]
-What=172.16.10.1:/pool/logs
-Where=/logs
-Type=nfs
-Options=rw,nosuid
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/nfs-common/tasks/main.yml b/roles/nfs-common/tasks/main.yml
index ded88525..c0f9d083 100644
--- a/roles/nfs-common/tasks/main.yml
+++ b/roles/nfs-common/tasks/main.yml
@@ -16,10 +16,9 @@
- name: Disable and mask rpcbind.service
systemd:
name: rpcbind.service
- enabled: false
- masked: true
+ masked: false
- name:
systemd:
name: rpcbind.socket
- masked: true
+ masked: false
diff --git a/roles/nfs-common/templates/nfs-common.j2 b/roles/nfs-common/templates/nfs-common.j2
index ef51d4e7..b860909d 100644
--- a/roles/nfs-common/templates/nfs-common.j2
+++ b/roles/nfs-common/templates/nfs-common.j2
@@ -14,7 +14,7 @@ NEED_STATD=
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
-NEED_IDMAPD=no
+NEED_IDMAPD=
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=
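Review bot: The three omprog actions execute `/usr/local/src/scripts/firewall/logs_to_json.py` with rsyslog's own privileges (root on Debian unless privilege dropping is configured), and neither the script nor a task that deploys it is part of this commit, so the role should own it: deploy it with `owner: root` and `mode: 0755`, and keep `/usr/local/src/scripts/firewall` root-owned and not group- or world-writable, because any write access to that path becomes code execution at rsyslog's privilege level. The omfile targets and the omprog `output=` files are created by rsyslog with its default file mode, not with the `create 0640 root root` in the logrotate template, so add `fileCreateMode="0640"` to the omfile actions (and check the mode of the .json.log files after first start) if these logs are meant to stay unreadable to ordinary users. The three `if … then { … stop }` blocks differ only in the tag and the file names; a Jinja loop over `['prerouting', 'adh', 'srv']` would keep them from drifting apart. A comment above `# Legacy LOG_ALL` noting that this rule only sees LOG_ALL messages none of the three tags above matched, since 'LOG_ALL_PREROUTING' and friends also contain 'LOG_ALL' and are stopped first, would make the ordering dependency explicit.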
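Review bot: The task is still named `Disable and mask rpcbind.service` but after this change it unmasks the unit (`masked: false`) and no longer passes `enabled: false`, so the name states the opposite of what the task does; the same applies to the unnamed rpcbind.socket task below it. Unmasking matters because rpcbind listens on port 111 tcp and udp once the socket is activated, and this commit otherwise removes the only NFS consumer (the /logs mount), so if rpcbind is genuinely no longer needed the masks should stay; if it is needed, rename the task, give the second one a `name:`, and state `enabled:` explicitly so the intended end state is visible rather than inherited from whatever the unit was before. The `NEED_IDMAPD=no` → `NEED_IDMAPD=` change in roles/nfs-common/templates/nfs-common.j2 reads the same way — with an empty value the Debian nfs-common scripts decide for themselves whether to start idmapd — so a comment explaining why NFS plumbing is being re-enabled while NFS use is dropped would help the next reader.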