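---
# Installs Suricata from the OISF launchpad PPA on Debian/Ubuntu hosts.
# The PPA only ships Ubuntu builds, so Debian releases are mapped to the
# Ubuntu codename whose packages are known to install (bookworm -> jammy).
- name: install suricata
  gather_facts: false
  hosts: "{{target}}"
  become: "{{become}}"
  tasks:
    # todo - for redhat systems also
    - name: install dependencies
      ansible.builtin.apt:
        pkg:
          - alpine  # cron job output
          - dma  # cron job output
          - gnupg1  # needed by the fingerprint check below
          - lsb-release
        update_cache: true
        autoremove: true
        purge: true
      diff: true

    # launchpad oisf pgp pubkey https://keyserver.ubuntu.com/
    # gpg1 --with-fingerprint < /usr/share/keyrings/suricata.gpg
    # Key fingerprint = 1215 04AD E276 E141 AD70 4A75 AC10 378C F205 C960
    - name: deploy launchpad oisf pgp pubkey
      ansible.builtin.copy:
        src: suricata.gpg
        dest: /usr/share/keyrings/suricata.gpg
      diff: false  # that's a binary

    # Pin the repository signing key: the keyring referenced by signed-by
    # below must carry exactly the fingerprint documented above, otherwise
    # apt would trust packages signed by whatever key the file contains.
    # Skipped in check mode (shell tasks are), so it only runs once the
    # keyring has really been deployed.
    - name: verify launchpad oisf pgp pubkey fingerprint
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |
          set -e
          # capture first, then grep, so a closed pipe can not mask a gpg error
          listing=$(gpg1 --with-fingerprint < /usr/share/keyrings/suricata.gpg)
          grep -qF 'Key fingerprint = 1215 04AD E276 E141 AD70 4A75 AC10 378C F205 C960' <<< "$listing"
      changed_when: false

    # suricata binary packages only available for ubuntu
    # reverse-translate codename from debian to ubuntu
    # https://askubuntu.com/questions/445487/what-debian-version-are-the-different-ubuntu-versions-based-on
    # stdout is the ubuntu codename; any unknown flavor/release fails the task
    - name: convert debian to ubuntu release codenames
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |
          set -e
          flavor=$(lsb_release -is 2>/dev/null)
          if [[ $flavor = Debian ]]; then
            # debian distro flavor: explicit mapping, extend when a new release is validated
            codename=$(lsb_release -cs 2>/dev/null)
            if [[ $codename = bookworm ]]; then
              echo jammy
            else
              echo unknown debian release codename $codename -- fix playbook
              exit 1
            fi
          elif [[ $flavor = Ubuntu ]]; then
            # ubuntu distro flavor: codename is used as-is
            lsb_release -cs 2>/dev/null
          else
            echo unknown debian system flavor $flavor -- not Debian nor Ubuntu
            exit 1
          fi
      register: translated_codename
      changed_when: false
      check_mode: false

    - ansible.builtin.debug:
        var: translated_codename.stdout
      when: translated_codename.stdout != ''

    - ansible.builtin.debug:
        var: translated_codename.stderr
      when: translated_codename.stderr != ''

    # debian bookworm goes ubuntu jammy
    # noble fails with e.g.
    # Depends: libc6 (>= 2.38) but 2.36-9+deb12u13 is to be installed
    - name: deploy oisf repository
      ansible.builtin.copy:
        # the ubuntu codename comes from the translation task above; a new
        # debian release only needs a new mapping there, not a change here.
        # signed-by restricts this source to the pinned keyring only.
        content: |
          deb [signed-by=/usr/share/keyrings/suricata.gpg] https://ppa.launchpadcontent.net/oisf/suricata-stable/ubuntu {{translated_codename.stdout}} main
        dest: /etc/apt/sources.list.d/suricata.list
      diff: true

    # enables and starts the service right away but fails to start since nic doesnt match and no rules are setup
    - name: install suricata
      ansible.builtin.apt:
        pkg:
          - suricata
        update_cache: true
        autoremove: true
        purge: true
      diff: true

    # check-mode only view of what the clean-up task would touch
    - name: clean-up preview
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |
          set -e
          cd /etc/suricata/
          ls -lhF /etc/suricata/suricata.y*
        creates: /etc/suricata/suricata.yaml.clean
      check_mode: false
      changed_when: false
      register: clean_up

    - ansible.builtin.debug:
        var: clean_up.stdout
      when: ansible_check_mode and clean_up.stdout != ''

    - ansible.builtin.debug:
        var: clean_up.stderr
      when: ansible_check_mode and clean_up.stderr != ''

    # keeps the packaged config as suricata.yaml.dist and derives two
    # comment-free copies from it: suricata.yaml (the live config) and
    # suricata.yaml.clean (a pristine reference for later diffs).
    # `mv -n` never overwrites an existing .dist; in that case the live
    # suricata.yaml is left untouched and only the .clean copy is (re)made.
    - name: clean-up
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |
          set -e
          cd /etc/suricata/
          mv -nv suricata.yaml suricata.yaml.dist
          if [[ ! -f suricata.yaml ]]; then
            sed -r '/^[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml
          fi
          if [[ ! -f suricata.yaml.clean ]]; then
            sed -r '/^[[:space:]]*#/d; /^$/d' suricata.yaml.dist > suricata.yaml.clean
          fi
        creates: /etc/suricata/suricata.yaml.clean
      register: clean_up

    - ansible.builtin.debug:
        var: clean_up.stdout
      when: not ansible_check_mode and clean_up.stdout != ''

    - ansible.builtin.debug:
        var: clean_up.stderr
      when: not ansible_check_mode and clean_up.stderr != ''

    - name: log helper script
      ansible.builtin.copy:
        content: "tail -F /var/log/suricata/suricata*log\n"
        dest: /etc/suricata/logsuricata
        mode: "0755"
      diff: true

    - name: eve log helper script
      ansible.builtin.copy:
        content: "tail -F /var/log/suricata/eve.json\n"
        dest: /etc/suricata/logeve
        mode: "0755"
      diff: true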