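---
# Integration test for the ansibleguy.opnsense.ids_policy module.
#
# Required environment:
#   TEST_FIREWALL  - host the OPNsense API calls are sent to
#   TEST_API_KEY   - path to the API credential file
#
# Each step registers its result and asserts on `changed`/`failed` so that
# idempotency (a repeated call reports no change) and change detection are
# verified, not just "the module did not crash". The steps that depend on a
# real change having happened are skipped in check mode.
- name: Testing IDS Policy
  hosts: localhost
  gather_facts: false
  module_defaults:
    group/ansibleguy.opnsense.all:
      firewall: "{{ lookup('ansible.builtin.env', 'TEST_FIREWALL') }}"
      api_credential_file: "{{ lookup('ansible.builtin.env', 'TEST_API_KEY') }}"
      # NOTE(review): with verification disabled the API key is presented to
      # whatever answers at TEST_FIREWALL without authenticating the peer
      # (MitM on the test network could capture it). Acceptable only for a
      # throwaway test firewall with a self-signed certificate; do not copy
      # this default into non-test playbooks.
      ssl_verify: false
    ansibleguy.opnsense.list:
      target: 'ids_policy'

  tasks:
    # The cleanup lives in `always` so a failing assertion in the middle of
    # the run does not leave ANSIBLE_TEST_1_1 behind on the firewall.
    - name: IDS policy test steps
      block:
        - name: Listing
          ansibleguy.opnsense.list:
          register: opn_pre1
          failed_when: >
            opn_pre1.failed or
            'data' not in opn_pre1

        # Negative test: a ruleset that does not exist, and one that exists
        # but is not enabled, must both be rejected by the module.
        - name: Adding 1 - failing because of non-existing/disabled ruleset
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            rulesets: "{{ item }}"
            enabled: true
          register: opn_fail1
          failed_when: not opn_fail1.failed
          loop:
            - 'DOES-NOT-EXIST'
            - 'abuse.ch/SSL IP Blacklist'

        - name: Adding 1
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            priority: 1
            rulesets: 'ET open/drop'
            action: ['drop']
            new_action: 'alert'
            rules:
              classtype: ['misc-attack', 'bad-unknown']
              signature_severity: ['Minor']

        # Idempotency: identical parameters must not report a change.
        - name: Adding 1 - nothing changed
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            priority: 1
            rulesets: 'ET open/drop'
            action: ['drop']
            new_action: 'alert'
            rules:
              classtype: ['misc-attack', 'bad-unknown']
              signature_severity: ['Minor']
          register: opn6
          failed_when: >
            opn6.failed or
            opn6.changed
          when: not ansible_check_mode

        - name: Changing 1
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            priority: 2
            rulesets: 'ET open/drop'
            action: ['alert', 'drop']
            new_action: 'alert'
            rules:
              signature_severity: ['Minor']
              tag: 'Dshield'
          register: opn1
          failed_when: >
            opn1.failed or
            not opn1.changed
          when: not ansible_check_mode

        # Same policy as above, but signature_severity given as a plain
        # string instead of a one-element list - must still be a no-op.
        - name: Changing 1 - nothing changed
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            priority: 2
            rulesets: 'ET open/drop'
            action: ['alert', 'drop']
            new_action: 'alert'
            rules:
              signature_severity: 'Minor'
              tag: 'Dshield'
          register: opn5
          failed_when: >
            opn5.failed or
            opn5.changed
          when: not ansible_check_mode

        - name: Disabling 1
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            priority: 2
            rulesets: 'ET open/drop'
            action: ['alert', 'drop']
            new_action: 'alert'
            rules:
              signature_severity: ['Minor']
              tag: 'Dshield'
            enabled: false
          register: opn2
          failed_when: >
            opn2.failed or
            not opn2.changed
          when: not ansible_check_mode

        - name: Disabling 1 - nothing changed
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            priority: 2
            rulesets: 'ET open/drop'
            action: ['alert', 'drop']
            new_action: 'alert'
            rules:
              signature_severity: ['Minor']
              tag: 'Dshield'
            enabled: false
          register: opn3
          failed_when: >
            opn3.failed or
            opn3.changed
          when: not ansible_check_mode

        - name: Enabling 1
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            priority: 2
            rulesets: 'ET open/drop'
            action: ['alert', 'drop']
            new_action: 'alert'
            rules:
              signature_severity: ['Minor']
              tag: 'Dshield'
            enabled: true
          register: opn4
          failed_when: >
            opn4.failed or
            not opn4.changed
          when: not ansible_check_mode

      always:
        # Runs even when one of the steps above fails, so the test object is
        # never left on the firewall.
        - name: Cleanup
          ansibleguy.opnsense.ids_policy:
            description: 'ANSIBLE_TEST_1_1'
            state: absent
          when: not ansible_check_mode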