diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 4f69c863..05a849a7 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -49,9 +49,14 @@ jobs: - name: Install Ansible collections run: | - ansible-galaxy collection install -r requirements.yml --force ansible-galaxy collection install -r ansible/requirements.yml --force + - name: Build and install collection locally + working-directory: ansible + run: | + ansible-galaxy collection build --force + ansible-galaxy collection install dreadnode-goad-*.tar.gz -p ~/.ansible/collections --force --pre + - name: Set up Go uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6 with: diff --git a/.github/workflows/syntax-check.yaml b/.github/workflows/syntax-check.yaml new file mode 100644 index 00000000..9f0cf859 --- /dev/null +++ b/.github/workflows/syntax-check.yaml 
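Review bot: The install line of the new "Build and install collection locally" step relies on the shell glob `dreadnode-goad-*.tar.gz` in `ansible/`, so it is coupled to whatever tarballs happen to sit in the checkout rather than to the artifact the preceding `build --force` just produced; if an older tarball with a different version is present (`build --force` only replaces the file for the version currently in galaxy.yml), the glob hands every match to ansible-galaxy and it is not obvious which one ends up installed. On a fresh hosted runner this is unlikely, but it is cheap to make deterministic by building into a scratch directory: `ansible-galaxy collection build --force --output-path "$RUNNER_TEMP/collection-build"` followed by `ansible-galaxy collection install "$RUNNER_TEMP"/collection-build/dreadnode-goad-*.tar.gz -p ~/.ansible/collections --force --pre`. The same pattern is added in `.github/workflows/syntax-check.yaml` (its "Build and install collection locally" step, with the namespace and name taken from `env`) and would benefit from the same treatment.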
@@ -0,0 +1,222 @@ +--- +name: Ansible Syntax Check +on: + merge_group: + pull_request: + branches: + - main + types: + - opened + - synchronize + - reopened + push: + branches: + - main + schedule: + # Runs every Sunday at 4 AM (see https://crontab.guru) + - cron: "0 4 * * 0" + workflow_dispatch: + inputs: + ROLE: + description: 'Role to test (e.g. "elk", "ad", "vulns_acls")' + required: false + default: '' + type: string + +concurrency: + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.event.pull_request.number || github.ref }} + +env: + ANSIBLE_FORCE_COLOR: "1" + COLLECTION_NAMESPACE: dreadnode + COLLECTION_NAME: goad + COLLECTION_PATH: ansible_collections/dreadnode/goad + REQUIREMENTS_FILE: .hooks/requirements.txt + PY_COLORS: "1" + PYTHON_VERSION: "3.14.3" + ROLE: ${{ github.event.inputs.ROLE }} + ANSIBLE_COLLECTIONS_PATH: ~/.ansible/collections + +jobs: + detect-changes: + runs-on: ubuntu-latest + outputs: + roles: ${{ steps.detect.outputs.roles }} + test_all: ${{ steps.check-event.outputs.test_all }} + steps: + - name: Checkout git repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + path: ${{ env.COLLECTION_PATH }} + fetch-depth: 0 + + - name: Check event type + id: check-event + run: | + if [[ "${{ github.event_name }}" == "push" ]] || \ + [[ "${{ github.event_name }}" == "schedule" ]] || \ + [[ "${{ github.event_name }}" == "merge_group" ]] || \ + [[ "${{ github.event_name }}" == "workflow_dispatch" && -z "${{ env.ROLE }}" ]]; then + echo "test_all=true" >> "$GITHUB_OUTPUT" + else + echo "test_all=false" >> "$GITHUB_OUTPUT" + fi + + - name: Detect changed roles + id: detect + if: steps.check-event.outputs.test_all == 'false' + working-directory: ${{ env.COLLECTION_PATH }} + run: | + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + BASE="${{ github.event.pull_request.base.sha }}" + HEAD="${{ 
github.event.pull_request.head.sha }}" + else + BASE="origin/main" + HEAD="HEAD" + fi + + CHANGED_FILES=$(git diff --name-only "$BASE"..."$HEAD") + echo "Changed files:" + echo "$CHANGED_FILES" + + ROLES=$(echo "$CHANGED_FILES" | grep '^ansible/roles/' | cut -d'/' -f3 | sort -u | tr '\n' ' ') + echo "roles=$ROLES" >> "$GITHUB_OUTPUT" + echo "Changed roles: $ROLES" + + validate-inputs: + runs-on: ubuntu-latest + if: ${{ github.event.inputs.ROLE != '' }} + steps: + - name: Checkout git repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + path: ${{ env.COLLECTION_PATH }} + + - name: Validate inputs + run: | + if [[ -n "${{ env.ROLE }}" ]]; then + if [[ ! -d "${{ env.COLLECTION_PATH }}/ansible/roles/${{ env.ROLE }}" ]]; then + echo "::error::Role '${{ env.ROLE }}' not found in ansible/roles/" + exit 1 + fi + if [[ ! -f "${{ env.COLLECTION_PATH }}/ansible/roles/${{ env.ROLE }}/tasks/main.yml" ]]; then + echo "::error::Role '${{ env.ROLE }}' has no tasks/main.yml" + exit 1 + fi + fi + + syntax-check: + needs: detect-changes + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - name: Checkout git repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + path: ${{ env.COLLECTION_PATH }} + + - name: Set up Python + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + with: + python-version: ${{ env.PYTHON_VERSION }} + cache: 'pip' + cache-dependency-path: '${{ env.COLLECTION_PATH }}/${{ env.REQUIREMENTS_FILE }}' + + - name: Cache Ansible collections + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 + with: + path: ~/.ansible/collections + key: ${{ runner.os }}-ansible-${{ hashFiles('**/requirements.yml') }} + + - name: Install dependencies + run: | + python3 -m pip install -r "${{ env.COLLECTION_PATH }}/${{ env.REQUIREMENTS_FILE }}" + + - name: Install galaxy dependencies + working-directory: ${{ env.COLLECTION_PATH }}/ansible + run: | + 
ansible-galaxy collection install -r requirements.yml --force + + - name: Build and install collection locally + working-directory: ${{ env.COLLECTION_PATH }}/ansible + run: | + ansible-galaxy collection build --force + ansible-galaxy collection install ${{ env.COLLECTION_NAMESPACE }}-${{ env.COLLECTION_NAME }}-*.tar.gz -p ~/.ansible/collections --force --pre + + - name: Syntax check roles + env: + ANSIBLE_CONFIG: ${{ env.COLLECTION_PATH }}/ansible/ansible.cfg + ANSIBLE_ROLES_PATH: ${{ env.COLLECTION_PATH }}/ansible/roles + TEST_ALL: ${{ needs.detect-changes.outputs.test_all }} + CHANGED_ROLES: ${{ needs.detect-changes.outputs.roles }} + SINGLE_ROLE: ${{ env.ROLE }} + run: | + set -e + FAILED=0 + PASSED=0 + SKIPPED=0 + ROLES_DIR="${{ env.COLLECTION_PATH }}/ansible/roles" + TMPDIR=$(mktemp -d) + + for role_dir in "$ROLES_DIR"/*/; do + role=$(basename "$role_dir") + + # Skip roles without tasks + if [ ! -f "$role_dir/tasks/main.yml" ]; then + continue + fi + + # If a single role was specified, only test that one + if [ -n "$SINGLE_ROLE" ]; then + if [ "$role" != "$SINGLE_ROLE" ]; then + continue + fi + # If not testing all, filter to changed roles + elif [ "$TEST_ALL" != "true" ] && [ -n "$CHANGED_ROLES" ]; then + if ! 
echo "$CHANGED_ROLES" | grep -qw "$role"; then + SKIPPED=$((SKIPPED + 1)) + continue + fi + fi + + echo "::group::Syntax check: $role" + + # Generate temporary playbook + cat > "$TMPDIR/check_${role}.yml" < Roles[โš™๏ธ Roles]") for i, role in enumerate(structure['roles']): - role_label = role['name'] - if role['has_molecule']: - role_label += " ๐Ÿงช" - lines.append(f" Roles --> R{i}[{role_label}]") + lines.append(f" Roles --> R{i}[{role['name']}]") # Add playbooks if structure['playbooks']: lines.append(" Collection --> Playbooks[๐Ÿ“š Playbooks]") for i, playbook in enumerate(structure['playbooks']): - pb_label = playbook['name'] - if playbook['has_molecule']: - pb_label += " ๐Ÿงช" - lines.append(f" Playbooks --> PB{i}[{pb_label}]") + lines.append(f" Playbooks --> PB{i}[{playbook['name']}]") lines.append("```") return '\n'.join(lines) @@ -127,7 +119,7 @@ def update_readme(mermaid_content): def main(): """Main function for pre-commit hook""" # Analyze collection from current directory - analyzer = AnsibleCollectionAnalyzer('.') + analyzer = AnsibleCollectionAnalyzer('ansible') structure = analyzer.analyze() # Generate Mermaid diagram diff --git a/.hooks/linters/ansible-lint.yaml b/.hooks/linters/ansible-lint.yaml index 01515906..2e3abc84 100644 --- a/.hooks/linters/ansible-lint.yaml +++ b/.hooks/linters/ansible-lint.yaml @@ -11,11 +11,11 @@ exclude_paths: - ad/NHA/files/templates/ - docs/mkdocs/mkdocs.yml - noansible_requirements.yml - - requirements_311.yml + - ansible/requirements_311.yml - template/provider/ludus/ - playbooks.yml - - extensions/exchange/ansible/install.yml - - extensions/ws01/ansible/install.yml + - ansible/extensions/exchange/ansible/install.yml + - ansible/extensions/ws01/ansible/install.yml - ansible/roles/onlyusers/ skip_list: diff --git a/.hooks/linters/markdownlint.json b/.hooks/linters/markdownlint.json index 1ec7abaa..fce036cd 100644 --- a/.hooks/linters/markdownlint.json +++ b/.hooks/linters/markdownlint.json 
@@ -12,6 +12,7 @@ "MD055": false, "MD056": false, "MD057": false, + "MD060": false, "line-length": false, "no-multiple-blanks": false } diff --git a/.hooks/requirements.txt b/.hooks/requirements.txt index baadc1f2..587539ba 100644 --- a/.hooks/requirements.txt +++ b/.hooks/requirements.txt @@ -1,7 +1,3 @@ ansible-core==2.20.4 -docker==7.1.0 docsible==0.8.0 -molecule==26.3.0 -molecule-docker==2.1.0 -molecule-plugins[docker]==25.8.12 pre-commit==4.5.1 diff --git a/.hooks/templates/docsible-template.md.j2 b/.hooks/templates/docsible-template.md.j2 index b8fd21ff..afcfb167 100755 --- a/.hooks/templates/docsible-template.md.j2 +++ b/.hooks/templates/docsible-template.md.j2 @@ -23,7 +23,7 @@ ### Default Variables ({{ defaultfile.file }}) | Variable | Type | Default | Description | -|----------|------|---------|-------------| +| -------- | ---- | ------- | ----------- | {%- for key, details in defaultfile.data.items() %} {%- if not key.endswith('.0') and not key.endswith('.1') and not key.endswith('.2') and not key.endswith('.3') and not key.endswith('.4') and not key.endswith('.5') and not key.endswith('.6') and '.' not in key or key.count('.') == 1 %} | `{{ key }}` | {{ details.type }} | `{{ details.value }}` | {{ details.description or 'No description' }} | @@ -36,7 +36,7 @@ ### Role Variables ({{ varsfile.file }}) | Variable | Type | Value | Description | -|----------|------|-------|-------------| +| -------- | ---- | ----- | ----------- | {%- for key, details in varsfile.data.items() %} | `{{ key }}` | {{ details.type }} | `{{ details.value }}` | {{ details.description or 'No description' }} | {%- endfor %} @@ -63,7 +63,7 @@ ## Author Information - **Author**: {{ role.meta.galaxy_info.author }} -- **Company**: {{ role.meta.galaxy_info.company }} +- **Company**:{% if role.meta.galaxy_info.company %} {{ role.meta.galaxy_info.company }}{% endif %} - **License**: {{ role.meta.galaxy_info.license }} ## Platforms 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 68faf4d5..3bbc758d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -87,5 +87,5 @@ repos: language: python pass_filenames: false always_run: false - files: ^(roles/|plugins/|playbooks/).* + files: ^ansible/(roles/|plugins/|playbooks/).* additional_dependencies: [] diff --git a/Dockerfile b/Dockerfile index f0d14028..75bba12e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,4 +13,4 @@ RUN apt-get update -y && \ COPY ./ansible/requirements.yml . -RUN ansible-galaxy install -r requirements.yml +RUN ansible-galaxy collection install -r requirements.yml diff --git a/README.md b/README.md index 57607bb5..8d824e32 100644 --- a/README.md +++ b/README.md @@ -1,278 +1,340 @@ -
-

GOAD (Game Of Active Directory)

-
-
+# dreadnode.goad -## ๐Ÿš€ Overview +Ansible collection for deploying and configuring vulnerable Active Directory +lab environments for penetration testing and security research. -**DreadGOAD** is a heavily refactored version of -[GOAD (Game of Active Directory)](https://github.com/Orange-Cyberdefense/GOAD), -specifically tailored for efficient Active Directory (AD) pentesting -environments. It simplifies infrastructure provisioning using Terraform and -Ansible under the [DreadOps Project](https://github.com/dreadnode/DreadOps), -specifically within the [alpha-operator-range](https://github.com/dreadnode/DreadOps/tree/main/dread-infra/alpha-operator-range) -deployment. - -๐Ÿ“– **Legacy Documentation:** For historical reference, see [Original GOAD Documentation](./docs/original-readme.md). - ---- - -## ๐Ÿ“‹ Vulnerable Lab - -Currently, DreadGOAD provides the following windows-based lab environment: - -- [GOAD](https://orange-cyberdefense.github.io/GOAD/labs/GOAD/) : 5 VMs, 2 - forests, 3 domains - -
-GOAD -
- -**Please note:** - -- All of the other original GOAD labs are deprecated and unsupported. -- The IP addresses found in the above schema diagram are not accurate for the - DreadGOAD environment. Please refer to the - [AWS console](#-access-via-the-aws-console) for the correct IP addresses. - ---- - -## โš™๏ธ Getting Started - -DreadGOAD provisioning and management utilize Ansible and AWS Systems Manager -(SSM), orchestrated via [Task](https://taskfile.dev). Follow these steps to set -up and deploy the lab environment: - -### โœ… Prerequisites - -Before provisioning, ensure the following are installed and configured: - -- [AWS CLI](https://aws.amazon.com/cli/) -- [jq](https://stedolan.github.io/jq/) -- [Task](https://taskfile.dev) (`brew install go-task/tap/go-task`) - -### ๐Ÿšง Provisioning the Environment - -1. **Set Task environment variable:** - - ```bash - export TASK_X_REMOTE_TASKFILES=1 - ``` - -2. **List available Ansible playbooks:** - - ```bash - task -y list-plays - ``` - -3. **Update the Ansible inventory with AWS instance IDs:** - - ```bash - task -y update-inventory ENV=dev --force - ``` - -4. **Generate instance-to-IP mapping (recommended for faster provisioning):** - - ```bash - task generate-mapping ENV=dev - ``` - - This pre-computes instance ID โ†’ private IP mappings and caches them, skipping - the slow PowerShell network detection on each playbook run. This saves ~30-40 - seconds per playbook execution. - - > **Note:** Re-run this command if infrastructure changes (instances replaced, - > IPs changed, etc.) - -5. **Provision the AD environment:** - - ```bash - task provision ENV=dev - ``` - - > **Note:** Full provisioning of the DreadGOAD environment typically takes - > approximately **2.5 hours** to complete all playbooks. 
- ---- - -### ๐Ÿ› ๏ธ Useful Task Examples - -- **Provision using specific playbooks:** - - ```bash - task provision PLAYS="build.yml ad-servers.yml" ENV=staging - ``` - -- **Limit execution to specific hosts:** - - ```bash - task provision PLAYS=laps.yml LIMIT=srv03 - ``` - -- **Combine specific playbooks with host limits:** - - ```bash - task provision LIMIT="dc01,srv03" PLAYS="ad-members.yml laps.yml" - ``` - -- **Generate instance mapping for staging environment:** - - ```bash - task generate-mapping ENV=staging - ``` - -- **Inspect files related to specific playbooks:** - - ```bash - task get-files PLAYBOOK=security - ``` - -- **Run with verbose output for debugging:** - - ```bash - task provision PLAYS="ad-data.yml" DEBUG=true - ``` +Based on [GOAD (Game of Active Directory)](https://github.com/Orange-Cyberdefense/GOAD) +by Orange Cyberdefense. --- -## ๐Ÿ” Accessing Provisioned DreadGOAD Systems - -You can access the provisioned DreadGOAD systems through several methods -detailed below: - -### ๐Ÿ“Œ Access via the AWS Console - -**Step 1:** Navigate to the [AWS account portal](https://dreadnode.awsapps.com/start/#/?tab=accounts). - -**Step 2:** Click the **Administrator** link under the **Dreadnode - Lab** -account. If you do not have access, please contact Jayson or Nick. - -![AWS Account](docs/img/dreadGOAD/aws-account.png) - -**Step 3:** Click the **EC2** link on the left-hand side and navigate to the -running instances. - -![Running Instances](docs/img/dreadGOAD/running-instances.png) - -> **Note:** Ensure you are viewing the correct region: -> -> - **dev**: `us-west-2` -> - **staging**: `us-west-1` - -**Step 4:** Right-click the instance you want to access and select **Connect**. 
+## Architecture Diagram + +```mermaid +graph TD + Collection[Ansible Collection] + Collection --> Roles[โš™๏ธ Roles] + Roles --> R0[vulns_credentials] + Roles --> R1[sccm_install_wsus] + Roles --> R2[sccm_pxe] + Roles --> R3[sccm_install_iis] + Roles --> R4[vulns_ntlmdowngrade] + Roles --> R5[trusts] + Roles --> R6[mssql_reporting] + Roles --> R7[domain_controller_slave] + Roles --> R8[disable_user] + Roles --> R9[settings_copy_files] + Roles --> R10[vulns_mssql] + Roles --> R11[laps_verify] + Roles --> R12[ad] + Roles --> R13[vulns_enable_credssp_server] + Roles --> R14[sccm_install_mecm] + Roles --> R15[dc_audit_sacl] + Roles --> R16[security_ensure_kb_not_installed] + Roles --> R17[vulns_openshares] + Roles --> R18[sync_domains] + Roles --> R19[sccm_config_client_push] + Roles --> R20[vulns_schedule] + Roles --> R21[sccm_config_pxe] + Roles --> R22[vulns_shares] + Roles --> R23[laps_dc] + Roles --> R24[settings_updates] + Roles --> R25[groups_domains] + Roles --> R26[vulns_anonymous_enum] + Roles --> R27[sccm_config_client_install] + Roles --> R28[mssql_audit] + Roles --> R29[vulns_enable_llmnr] + Roles --> R30[sccm_config_accounts] + Roles --> R31[settings_admin_password] + Roles --> R32[vulns_acls] + Roles --> R33[security_enable_run_as_ppl] + Roles --> R34[gmsa_hosts] + Roles --> R35[onlyusers] + Roles --> R36[child_domain] + Roles --> R37[sccm_install_adk] + Roles --> R38[mssql_link] + Roles --> R39[vulns_files] + Roles --> R40[parent_child_dns] + Roles --> R41[adcs_templates] + Roles --> R42[laps_server] + Roles --> R43[settings_enable_nat_adapter] + Roles --> R44[elk] + Roles --> R45[sccm_install_prerequisites] + Roles --> R46[vulns_permissions] + Roles --> R47[sccm_config_discovery] + Roles --> R48[settings_windows_defender] + Roles --> R49[member_server] + Roles --> R50[dc_dns_conditional_forwarder] + Roles --> R51[common] + Roles --> R52[sccm_config_boundary] + Roles --> R53[ps] + Roles --> R54[adcs] + Roles --> R55[enable_user] + Roles --> 
R56[laps_permissions] + Roles --> R57[dns_conditional_forwarder] + Roles --> R58[sccm_config_users] + Roles --> R59[vulns_smbv1] + Roles --> R60[ldap_diagnostic_logging] + Roles --> R61[vulns_enable_credssp_client] + Roles --> R62[dhcp] + Roles --> R63[localusers] + Roles --> R64[sccm_config_naa] + Roles --> R65[password_policy] + Roles --> R66[security_powershell_restrict] + Roles --> R67[settings_keyboard] + Roles --> R68[vulns_autologon] + Roles --> R69[settings_user_rights] + Roles --> R70[commonwkstn] + Roles --> R71[vulns_enable_nbt_ns] + Roles --> R72[mssql_ssms] + Roles --> R73[webdav] + Roles --> R74[settings_gpo_remove] + Roles --> R75[settings_adjust_rights] + Roles --> R76[vulns_disable_firewall] + Roles --> R77[vulns_adcs_templates] + Roles --> R78[gmsa] + Roles --> R79[settings_gpmc] + Roles --> R80[settings_disable_nat_adapter] + Roles --> R81[security_account_is_sensitive] + Roles --> R82[domain_controller] + Roles --> R83[fix_dns] + Roles --> R84[vulns_administrator_folder] + Roles --> R85[iis] + Roles --> R86[move_to_ou] + Roles --> R87[vulns_directory] + Roles --> R88[mssql] + Roles --> R89[acl] + Roles --> R90[settings_no_updates] + Roles --> R91[logs_windows] + Roles --> R92[security_audit_policy] + Roles --> R93[security_asr] + Roles --> R94[settings_hostname] + Collection --> Playbooks[๐Ÿ“š Playbooks] + Playbooks --> PB0[base] +``` -![Connect Instance](docs/img/dreadGOAD/connect-step-one.png) +## Requirements -**Step 5:** Under the **Session Manager** tab, click **Connect**. +- Ansible >= 2.15 +- Windows target hosts accessible via WinRM or AWS SSM -![Session Manager Connect](docs/img/dreadGOAD/connect-step-two.png) +### Collection Dependencies -You should now have a PowerShell terminal open in your browser. 
+- `ansible.windows` >= 2.5.0 +- `community.general` +- `community.windows` >= 2.3.0 +- `chocolatey.chocolatey` >= 1.5.3 +- `microsoft.ad` --- -### ๐Ÿ“Œ Access via AWS CLI - -**Step 1:** [Install the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html). +## Installation -**Step 2:** Create a new profile in your `~/.aws/config`: +### From source ```bash -################################################################################ -############################### Dreadnode ###################################### -[sso-session organization-sso] -cli_pager= -sso_start_url = https://dreadnode.awsapps.com/start/# -sso_region = us-east-1 -sso_registration_scopes = sso:account:access - -[profile lab] -cli_pager= -sso_session = organization-sso -sso_account_id = 381491903301 -sso_role_name = Administrator -region = us-west-2 -output = json +ansible-galaxy collection build . +ansible-galaxy collection install dreadnode-goad-1.0.0.tar.gz ``` -**Step 3:** Log in via the AWS CLI: +### Install dependencies ```bash -export AWS_PROFILE=lab -export AWS_SDK_LOAD_CONFIG=1 -export AWS_DEFAULT_REGION=us-west-2 -aws sso login --profile lab --region us-west-2 +ansible-galaxy collection install -r ansible/requirements.yml ``` -**Step 4:** Install the Session Manager plugin: - -```bash -brew install cask session-manager-plugin --no-quarantine -``` - -**Step 5:** Start a session with: - -```bash -aws ssm start-session --target $INSTANCE_ID -``` - -> Replace `$INSTANCE_ID` with the ID of your desired instance. - --- -### ๐Ÿ“Œ Access via RDP +## Lab Environment -**Step 1:** Start a port forwarding session: +The GOAD lab provides: -```bash -aws ssm start-session --target $INSTANCE_ID --document-name AWS-StartPortForwardingSession --parameters "portNumber=3389,localPortNumber=13390" -``` - -> Replace `$INSTANCE_ID` with the ID of your desired instance. You can use any -> local port number. 
+- **3 domains**: `sevenkingdoms.local`, `north.sevenkingdoms.local`, + `essos.local` +- **2 forests** with cross-domain trusts +- **5-6 hosts**: Domain controllers + member servers (Windows Server 2016/2019) -**Step 2:** Open **Remote Desktop Connection** and connect to `localhost:13390`. +--- -Log in using either: +## Roles + +### Active Directory + +| Role | Description | +| ---- | ----------- | +| `domain_controller` | Promote server to domain controller | +| `domain_controller_slave` | Add replica domain controller | +| `child_domain` | Create child domain | +| `member_server` | Join server to domain | +| `ad` | Create AD users, groups, and OUs | +| `acl` | Configure AD ACLs and permissions | +| `adcs` | Install Active Directory Certificate Services | +| `adcs_templates` | Deploy ADCS certificate templates | +| `trusts` | Configure cross-domain trusts | +| `gmsa` | Configure group managed service accounts | +| `gmsa_hosts` | Configure gMSA host permissions | +| `password_policy` | Set domain password policies | +| `move_to_ou` | Move objects to organizational units | +| `groups_domains` | Configure cross-domain group membership | +| `dns_conditional_forwarder` | Configure DNS conditional forwarders | +| `dc_dns_conditional_forwarder` | Configure DC-specific DNS forwarders | +| `parent_child_dns` | Configure parent-child domain DNS | +| `sync_domains` | Synchronize domain data | +| `onlyusers` | Create AD users only | +| `disable_user` | Disable AD user accounts | +| `enable_user` | Enable AD user accounts | + +### Server Roles + +| Role | Description | +| ---- | ----------- | +| `common` | Base server configuration (DNS, proxy, modules) | +| `commonwkstn` | Workstation-specific configuration | +| `iis` | Install and configure IIS | +| `mssql` | Install and configure SQL Server | +| `mssql_link` | Configure SQL Server linked servers | +| `mssql_ssms` | Install SQL Server Management Studio | +| `mssql_reporting` | Install SQL Server Reporting Services | +| 
`mssql_audit` | Configure SQL Server audit logging | +| `elk` | Install Elasticsearch, Logstash, Kibana | +| `logs_windows` | Configure Windows event logging | +| `webdav` | Configure WebDAV server | +| `dhcp` | Configure DHCP server | +| `localusers` | Manage local user accounts | +| `fix_dns` | Fix DNS configuration issues | +| `ps` | Execute PowerShell scripts | + +### LAPS + +| Role | Description | +| ---- | ----------- | +| `laps_dc` | Install LAPS on domain controllers | +| `laps_server` | Install LAPS on member servers | +| `laps_verify` | Verify LAPS installation | +| `laps_permissions` | Configure LAPS permissions | + +### Settings + +| Role | Description | +| ---- | ----------- | +| `settings_hostname` | Set Windows hostname | +| `settings_admin_password` | Set local admin password | +| `settings_keyboard` | Configure keyboard layout | +| `settings_no_updates` | Disable Windows updates | +| `settings_updates` | Run Windows updates | +| `settings_windows_defender` | Enable/disable Windows Defender | +| `settings_copy_files` | Copy files to target hosts | +| `settings_adjust_rights` | Adjust local group membership | +| `settings_user_rights` | Configure user rights assignments | +| `settings_disable_nat_adapter` | Disable NAT network adapter | +| `settings_enable_nat_adapter` | Enable NAT network adapter | +| `settings_gpmc` | Install Group Policy Management Console | +| `settings_gpo_remove` | Remove Group Policy Objects | + +### Security + +| Role | Description | +| ---- | ----------- | +| `security_account_is_sensitive` | Mark accounts as sensitive | +| `security_asr` | Configure Attack Surface Reduction | +| `security_audit_policy` | Configure audit policies | +| `security_enable_run_as_ppl` | Enable RunAsPPL for LSASS | +| `security_ensure_kb_not_installed` | Ensure specific KBs not installed | +| `security_powershell_restrict` | Restrict PowerShell execution | +| `dc_audit_sacl` | Configure DC SACL auditing | +| `ldap_diagnostic_logging` | Configure 
LDAP diagnostic logging | + +### Vulnerabilities + +| Role | Description | +| ---- | ----------- | +| `vulns_disable_firewall` | Disable Windows Firewall | +| `vulns_credentials` | Plant credentials in various locations | +| `vulns_autologon` | Configure autologon credentials | +| `vulns_shares` | Create vulnerable file shares | +| `vulns_openshares` | Create open file shares | +| `vulns_directory` | Create vulnerable directories | +| `vulns_files` | Deploy vulnerable files | +| `vulns_enable_llmnr` | Enable LLMNR | +| `vulns_enable_nbt_ns` | Enable NBT-NS | +| `vulns_smbv1` | Enable SMBv1 | +| `vulns_ntlmdowngrade` | Downgrade NTLM settings | +| `vulns_enable_credssp_client` | Enable CredSSP client | +| `vulns_enable_credssp_server` | Enable CredSSP server | +| `vulns_anonymous_enum` | Enable anonymous enumeration | +| `vulns_administrator_folder` | Create vulnerable admin folders | +| `vulns_permissions` | Configure vulnerable permissions | +| `vulns_acls` | Configure vulnerable ACLs | +| `vulns_schedule` | Create vulnerable scheduled tasks | +| `vulns_mssql` | Configure MSSQL vulnerabilities | +| `vulns_adcs_templates` | Deploy vulnerable ADCS templates | + +### SCCM + +| Role | Description | +| ---- | ----------- | +| `sccm_install_prerequisites` | Install SCCM prerequisites | +| `sccm_install_iis` | Install IIS for SCCM | +| `sccm_install_adk` | Install Windows ADK | +| `sccm_install_wsus` | Install WSUS | +| `sccm_install_mecm` | Install MECM/SCCM | +| `sccm_config_discovery` | Configure SCCM discovery | +| `sccm_config_boundary` | Configure SCCM boundaries | +| `sccm_config_accounts` | Configure SCCM accounts | +| `sccm_config_client_push` | Configure client push installation | +| `sccm_config_client_install` | Install SCCM client | +| `sccm_config_naa` | Configure network access account | +| `sccm_config_pxe` | Configure PXE boot | +| `sccm_config_users` | Configure SCCM users | +| `sccm_pxe` | Configure PXE deployment | -- The `Administrator` account with 
the password located in the - environment-specific DreadOPS SOPS file, for example: +--- -> - **Dev (us-west-2):** [https://github.com/dreadnode/DreadOps/tree/main/dread-infra/alpha-operator-range/dev/us-west-2/secrets](https://github.com/dreadnode/DreadOps/tree/main/dread-infra/alpha-operator-range/dev/us-west-2/secrets) -> - **Staging (us-west-1):** [https://github.com/dreadnode/DreadOps/tree/main/dread-infra/alpha-operator-range/staging/us-west-1/secrets](https://github.com/dreadnode/DreadOps/tree/main/dread-infra/alpha-operator-range/staging/us-west-1/secrets) +## Custom Modules -or: +| Module | Description | +| ------ | ----------- | +| `win_ad_dacl` | Manage AD ACL/DACL entries | +| `win_ad_object` | Create/modify AD objects | +| `win_gpo` | Create/modify Group Policy Objects | +| `win_gpo_link` | Link GPOs to OUs | +| `win_gpo_reg` | Manage GPO registry settings | +| `sccm_boundary` | Manage SCCM boundaries | +| `sccm_boundary_group` | Manage SCCM boundary groups | +| `sccm_boundary_to_boundarygroup` | Map boundaries to groups | -- Any domain user/password combination listed in the corresponding - environment-specific configuration file, such as: +--- -> - `ad/GOAD/data/dev-config.json` -> - `ad/GOAD/data/staging-config.json` +## Usage +```yaml --- +- name: Deploy GOAD lab + hosts: all + collections: + - dreadnode.goad + + roles: + - role: dreadnode.goad.common + - role: dreadnode.goad.domain_controller +``` -## ๐Ÿ”— Additional Resources +For full orchestration, use the playbooks in the `ansible/playbooks/` directory with +the Taskfile: -- [GOAD Vulnerabilities & Attack Scenarios](./docs/GOAD-vulnerabilities-comprehensive.md) -- [Taskfile Reference](./docs/taskfile.md) -- [Troubleshooting Guide](./docs/troubleshooting.md) -- [Synchronizing DreadGOAD with Upstream](./docs/sync-upstream.md) +```bash +task provision ENV=dev +``` --- -## ๐Ÿšจ Important Notes +## License -- **AWS CLI configuration** (`aws configure`) is required. 
-- Run `update-inventory` when instance IDs change. -- Run `generate-mapping` after infrastructure changes for optimal performance. -- Provisioning tasks handle retries and error handling automatically. -- The mapping file (`/tmp/aws_instance_mapping.json`) speeds up provisioning by - ~30-40 seconds per playbook run. +GPL-3.0-or-later --- -## ๐Ÿ›ก๏ธ Disclaimer +## Disclaimer -This lab environment is intentionally vulnerable and is strictly intended for -security research. **Do not deploy this environment publicly or use it as a -template for production environments.** +This collection deploys intentionally vulnerable configurations for security +research and penetration testing. **Do not use in production environments.** diff --git a/Taskfile.yaml b/Taskfile.yaml index 1d0b2b11..3173fbcd 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -53,6 +53,29 @@ tasks: echo " Run a single playbook: task provision PLAYS=ad-data.yml" silent: true + check-ansible-version: + desc: Verify ansible-core version is compatible with AWS SSM Windows connections + internal: true + silent: true + cmds: + - | + ANSIBLE_VERSION=$(ansible --version 2>/dev/null | head -1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') + MAJOR=$(echo "$ANSIBLE_VERSION" | cut -d. -f1) + MINOR=$(echo "$ANSIBLE_VERSION" | cut -d. -f2) + if [ "$MAJOR" -gt 2 ] || { [ "$MAJOR" -eq 2 ] && [ "$MINOR" -ge 19 ]; }; then + echo "ERROR: ansible-core $ANSIBLE_VERSION detected. Versions >=2.19 break Windows" + echo " module execution over AWS SSM (pipelining bug in SSM plugin)." + echo "" + echo " Fix: pip install 'ansible-core>=2.17.0,<2.18.0'" + echo "" + echo " See requirements.txt for details." + exit 1 + fi + if [ -z "$ANSIBLE_VERSION" ]; then + echo "ERROR: ansible-core not found. Install it: pip install -r requirements.txt" + exit 1 + fi + provision: desc: Run the DreadGOAD provisioning process with error handling and retries summary: | 
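Review bot: In the new `check-ansible-version` task the `if [ -z "$ANSIBLE_VERSION" ]` guard sits after the numeric comparison, so when ansible is not installed `MAJOR` and `MINOR` are empty and `[ "" -gt 2 ]` emits "integer expression expected" on stderr before the intended "ansible-core not found" message is reached; moving the `if [ -z "$ANSIBLE_VERSION" ]; then … fi` block above the comparison (or adding `[ -n "$ANSIBLE_VERSION" ] &&` to it) makes the empty case clean. The message is also internally inconsistent: the condition rejects `>=2.19` while the suggested fix is `pip install 'ansible-core>=2.17.0,<2.18.0'`, which excludes 2.18 that the check accepts, so one of the two bounds should be aligned with the other. The `See requirements.txt for details` hint is ambiguous given that `.hooks/requirements.txt`, touched in this same commit, pins `ansible-core==2.20.4`; naming the intended file explicitly would avoid the reader landing on the wrong pin. The `provision` task that gains this as a `deps` entry is in a later hunk.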
@@ -82,6 +105,7 @@ tasks:
 # Generate log file name once for this provision run
 PROVISION_LOG_FILE: '$HOME/.ansible/logs/goad/{{.ENV}}-dreadgoad-{{now | date "20060102_150405"}}.log'
 deps:
+ - check-ansible-version
 - ssm:cleanup
 - ensure-log-dir
 - generate-mapping
@@ -136,10 +160,10 @@ tasks:
 internal: true
 cmds:
 - cd ansible/roles/adcs_templates/files && zip -r ADCSTemplate.zip ADCSTemplate/
- - cd ansible/roles/vulns/adcs_templates/files && zip -r ADCSTemplate.zip ADCSTemplate/
+ - cd ansible/roles/vulns_adcs_templates/files && zip -r ADCSTemplate.zip ADCSTemplate/
 status:
 - test -f ansible/roles/adcs_templates/files/ADCSTemplate.zip
- - test -f ansible/roles/vulns/adcs_templates/files/ADCSTemplate.zip
+ - test -f ansible/roles/vulns_adcs_templates/files/ADCSTemplate.zip
 log-provision-header:
 internal: true
@@ -157,7 +181,7 @@ tasks:
 echo ""
 echo "Playbooks to be executed:"
 for playbook in $(echo '{{.PLAYS}}' | tr '\n' ' '); do
- echo " - ansible/$playbook"
+ echo " - ansible/playbooks/$playbook"
 done
 echo "-----------------------------------------------"
 } | tee "{{.LOG_FILE}}"
diff --git a/ad/GOAD-Light/data/config.json b/ad/GOAD-Light/data/config.json
index 0c20da4f..51b04d07 100644
--- a/ad/GOAD-Light/data/config.json
+++ b/ad/GOAD-Light/data/config.json
@@ -67,7 +67,7 @@
 "gpo_abuse.ps1",
 "rdp_scheduler.ps1"
 ],
- "vulns" : ["disable_firewall", "directory", "credentials", "autologon", "files", "ntlmdowngrade", "enable_llmnr", "enable_nbt-ns", "shares"],
+ "vulns" : ["disable_firewall", "directory", "credentials", "autologon", "files", "ntlmdowngrade", "enable_llmnr", "enable_nbt_ns", "shares"],
 "vulns_vars" : {
 "directory": {
 "setup": "C:\\setup"
diff --git a/ad/GOAD-variant-1/data/config.json b/ad/GOAD-variant-1/data/config.json
index 61d95e19..78c4b6a4 100644
--- a/ad/GOAD-variant-1/data/config.json
+++ b/ad/GOAD-variant-1/data/config.json
@@ -68,7 +68,7 @@
 "autologon",
 "files",
 "enable_llmnr",
- "enable_nbt-ns",
+ "enable_nbt_ns",
 "shares"
 ],
 "vulns_vars": {
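Review bot: Adding `check-ansible-version` to the `deps:` list of `provision` does not make it run first: Task executes `deps` entries concurrently, so `ssm:cleanup`, `ensure-log-dir` and `generate-mapping` start whether or not the version check passes. If the check is meant to gate the run, invoke it as the first sequential step instead — begin `cmds:` with `- task: check-ansible-version` — and drop it from `deps:`. The `provision` task's `cmds:` list lies outside this hunk.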
diff --git a/ad/GOAD-variant-1/data/dev-config.json b/ad/GOAD-variant-1/data/dev-config.json
index a6534649..cf02bb17 100644
--- a/ad/GOAD-variant-1/data/dev-config.json
+++ b/ad/GOAD-variant-1/data/dev-config.json
@@ -69,7 +69,7 @@
 "autologon",
 "files",
 "enable_llmnr",
- "enable_nbt-ns",
+ "enable_nbt_ns",
 "shares",
 "anonymous_enum"
 ],
diff --git a/ad/GOAD-variant-1/data/staging-config.json b/ad/GOAD-variant-1/data/staging-config.json
index 600f3b98..dfdf3ba4 100644
--- a/ad/GOAD-variant-1/data/staging-config.json
+++ b/ad/GOAD-variant-1/data/staging-config.json
@@ -69,7 +69,7 @@
 "autologon",
 "files",
 "enable_llmnr",
- "enable_nbt-ns",
+ "enable_nbt_ns",
 "shares",
 "anonymous_enum"
 ],
diff --git a/ad/GOAD/data/config.json b/ad/GOAD/data/config.json
index 520885f0..ed667279 100644
--- a/ad/GOAD/data/config.json
+++ b/ad/GOAD/data/config.json
@@ -50,7 +50,7 @@
 "gpo_abuse.ps1",
 "rdp_scheduler.ps1"
 ],
- "vulns" : ["disable_firewall","directory", "credentials", "autologon", "files", "enable_llmnr", "enable_nbt-ns", "shares"],
+ "vulns" : ["disable_firewall","directory", "credentials", "autologon", "files", "enable_llmnr", "enable_nbt_ns", "shares"],
 "vulns_vars" : {
 "directory": {
 "setup": "C:\\setup"
diff --git a/ad/GOAD/data/dev-config.json b/ad/GOAD/data/dev-config.json
index 64f18fda..773aba24 100644
--- a/ad/GOAD/data/dev-config.json
+++ b/ad/GOAD/data/dev-config.json
@@ -51,7 +51,7 @@
 "rdp_scheduler.ps1",
 "unconstrained_delegation_user.ps1"
 ],
- "vulns" : ["disable_firewall","directory", "credentials", "autologon", "files", "enable_llmnr", "enable_nbt-ns", "shares", "anonymous_enum"],
+ "vulns" : ["disable_firewall","directory", "credentials", "autologon", "files", "enable_llmnr", "enable_nbt_ns", "shares", "anonymous_enum"],
 "vulns_vars" : {
 "directory": {
 "setup": "C:\\setup"
diff --git a/ad/GOAD/data/staging-config.json b/ad/GOAD/data/staging-config.json
index 4aff0e27..8193c49a 100644
--- a/ad/GOAD/data/staging-config.json
+++ b/ad/GOAD/data/staging-config.json
@@ -51,7 +51,7 @@
 "rdp_scheduler.ps1",
 "unconstrained_delegation_user.ps1"
 ],
- "vulns" : ["disable_firewall","directory", "credentials", "autologon", "files", "enable_llmnr", "enable_nbt-ns", "shares", "anonymous_enum"],
+ "vulns" : ["disable_firewall","directory", "credentials", "autologon", "files", "enable_llmnr", "enable_nbt_ns", "shares", "anonymous_enum"],
 "vulns_vars" : {
 "directory": {
 "setup": "C:\\setup"
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 662eb10c..4368ce86 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,11 +1,19 @@
 [defaults]
+# IMPORTANT: This project requires ansible-core <2.19 for AWS SSM Windows support.
+# ansible-core >=2.19 changed pipelining behavior which breaks the SSM connection
+# plugin for Windows hosts. See requirements.txt for details.
+
 # Core settings
 host_key_checking = False
 forks = 3
-retry_files_enabled = True
+retry_files_enabled = False
 deprecation_warnings = False
 no_log = False
+# Collection and role paths
+roles_path = ~/.ansible/roles:./roles
+collections_path = ~/.ansible/collections
+
 # Remote temp directory for Windows SSM connections
 remote_tmp = C:\\Windows\\Temp
diff --git a/ansible/build.yml b/ansible/build.yml
deleted file mode 100644
index d99301cd..00000000
--- a/ansible/build.yml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-# Load data
-- name: Import Data
- ansible.builtin.import_playbook: data.yml
- tags: data
-
-- name: Build all
- hosts: domain
- roles:
- - { role: 'common', tags: 'common', http_proxy: "{{ enable_http_proxy }}"}
- - { role: 'settings/keyboard', tags: 'keyboard', layouts: "{{ keyboard_layouts }}" }
-
-# do not add srv with no update -> generate error on iis install
-- name: Build all no update
- hosts: no_update
- roles:
- - { role: 'settings/no_updates', tags: 'no_updates' }
-
-- name: Launch windows updates before continue
- hosts: update
- roles:
- - { role: 'settings/updates', tags: 'updates'}
diff --git a/ansible/changelogs/changelog.yaml b/ansible/changelogs/changelog.yaml
new file mode 100644
index 00000000..32e01774
--- /dev/null
+++ b/ansible/changelogs/changelog.yaml
@@ -0,0 +1,18 @@
+---
+ancestor: null
+releases:
+ 1.0.0:
+ release_date: "2026-03-30"
+ changes:
+ release_summary: >-
+ Initial release of the dreadnode.goad Ansible collection.
+ Restructured from the DreadGOAD project into a proper
+ Ansible collection format.
+ major_changes:
+ - Restructured repository as a standalone Ansible collection (dreadnode.goad).
+ - Flattened nested roles (settings/*, security/*, vulns/*, laps/*, sccm/*) with prefix naming.
+ - Extracted custom PowerShell modules to plugins/modules/.
+ - All role references updated to use fully qualified collection names (FQCN).
+ - Removed non-Ansible components (Python provisioner, Vagrant, Packer, Terraform).
+ deprecated_features:
+ - Replaced community.windows.win_domain_user with microsoft.ad.user in onlyusers role.
diff --git a/ansible/changelogs/config.yaml b/ansible/changelogs/config.yaml
new file mode 100644
index 00000000..b67d0837
--- /dev/null
+++ b/ansible/changelogs/config.yaml
@@ -0,0 +1,5 @@
+---
+notesdir: fragments
+changes_file: changelog.yaml
+changes_format: combined
+title: dreadnode.goad
diff --git a/ansible/disable_vagrant.yml b/ansible/disable_vagrant.yml
deleted file mode 100644
index 54288156..00000000
--- a/ansible/disable_vagrant.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: "Disable vagrant"
- hosts: domain
- roles:
- - { role: 'disable_user', tags: 'disable_vagrant', username: "vagrant"}
diff --git a/ansible/enable_vagrant.yml b/ansible/enable_vagrant.yml
deleted file mode 100644
index 007f059a..00000000
--- a/ansible/enable_vagrant.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: "Enable vagrant"
- hosts: domain
- roles:
- - { role: 'enable_user', tags: 'enable_vagrant', username: "vagrant"}
diff --git a/extensions/elk/README.md b/ansible/extensions/elk/README.md
similarity index 100%
rename from extensions/elk/README.md
rename to ansible/extensions/elk/README.md
diff --git a/extensions/elk/ansible/install.yml b/ansible/extensions/elk/ansible/install.yml
similarity index 100%
rename from extensions/elk/ansible/install.yml
rename to ansible/extensions/elk/ansible/install.yml
diff --git a/extensions/elk/ansible/roles/elk/defaults/main.yml b/ansible/extensions/elk/ansible/roles/elk/defaults/main.yml
similarity index 100%
rename from extensions/elk/ansible/roles/elk/defaults/main.yml
rename to ansible/extensions/elk/ansible/roles/elk/defaults/main.yml
diff --git a/extensions/elk/ansible/roles/elk/files/elasticsearch.yml b/ansible/extensions/elk/ansible/roles/elk/files/elasticsearch.yml
similarity index 100%
rename from extensions/elk/ansible/roles/elk/files/elasticsearch.yml
rename to ansible/extensions/elk/ansible/roles/elk/files/elasticsearch.yml
diff --git a/extensions/elk/ansible/roles/elk/files/kibana.yml b/ansible/extensions/elk/ansible/roles/elk/files/kibana.yml
similarity index 100%
rename from extensions/elk/ansible/roles/elk/files/kibana.yml
rename to ansible/extensions/elk/ansible/roles/elk/files/kibana.yml
diff --git a/extensions/elk/ansible/roles/elk/tasks/main.yml b/ansible/extensions/elk/ansible/roles/elk/tasks/main.yml
similarity index 100%
rename from extensions/elk/ansible/roles/elk/tasks/main.yml
rename to ansible/extensions/elk/ansible/roles/elk/tasks/main.yml
diff --git a/extensions/elk/ansible/roles/logs_windows/defaults/main.yml b/ansible/extensions/elk/ansible/roles/logs_windows/defaults/main.yml
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/defaults/main.yml
rename to ansible/extensions/elk/ansible/roles/logs_windows/defaults/main.yml
diff --git a/extensions/elk/ansible/roles/logs_windows/files/Sysmon.zip b/ansible/extensions/elk/ansible/roles/logs_windows/files/Sysmon.zip
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/files/Sysmon.zip
rename to ansible/extensions/elk/ansible/roles/logs_windows/files/Sysmon.zip
diff --git a/extensions/elk/ansible/roles/logs_windows/files/sysmonconfig-export.xml b/ansible/extensions/elk/ansible/roles/logs_windows/files/sysmonconfig-export.xml
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/files/sysmonconfig-export.xml
rename to ansible/extensions/elk/ansible/roles/logs_windows/files/sysmonconfig-export.xml
diff --git a/extensions/elk/ansible/roles/logs_windows/files/uninstall-service-winlogbeat.ps1 b/ansible/extensions/elk/ansible/roles/logs_windows/files/uninstall-service-winlogbeat.ps1
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/files/uninstall-service-winlogbeat.ps1
rename to ansible/extensions/elk/ansible/roles/logs_windows/files/uninstall-service-winlogbeat.ps1
diff --git a/extensions/elk/ansible/roles/logs_windows/handlers/main.yml b/ansible/extensions/elk/ansible/roles/logs_windows/handlers/main.yml
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/handlers/main.yml
rename to ansible/extensions/elk/ansible/roles/logs_windows/handlers/main.yml
diff --git a/extensions/elk/ansible/roles/logs_windows/tasks/main.yml b/ansible/extensions/elk/ansible/roles/logs_windows/tasks/main.yml
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/tasks/main.yml
rename to ansible/extensions/elk/ansible/roles/logs_windows/tasks/main.yml
diff --git a/extensions/elk/ansible/roles/logs_windows/tasks/winlogbeat.yml b/ansible/extensions/elk/ansible/roles/logs_windows/tasks/winlogbeat.yml
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/tasks/winlogbeat.yml
rename to ansible/extensions/elk/ansible/roles/logs_windows/tasks/winlogbeat.yml
diff --git a/extensions/elk/ansible/roles/logs_windows/templates/winlogbeat.yml.j2 b/ansible/extensions/elk/ansible/roles/logs_windows/templates/winlogbeat.yml.j2
similarity index 100%
rename from extensions/elk/ansible/roles/logs_windows/templates/winlogbeat.yml.j2
rename to ansible/extensions/elk/ansible/roles/logs_windows/templates/winlogbeat.yml.j2
diff --git a/extensions/elk/extension.json b/ansible/extensions/elk/extension.json
similarity index 100%
rename from extensions/elk/extension.json
rename to ansible/extensions/elk/extension.json
diff --git a/extensions/elk/inventory b/ansible/extensions/elk/inventory
similarity index 100%
rename from extensions/elk/inventory
rename to ansible/extensions/elk/inventory
diff --git a/extensions/elk/providers/aws/linux.tf b/ansible/extensions/elk/providers/aws/linux.tf
similarity index 100%
rename from extensions/elk/providers/aws/linux.tf
rename to ansible/extensions/elk/providers/aws/linux.tf
diff --git a/extensions/elk/providers/azure/linux.tf b/ansible/extensions/elk/providers/azure/linux.tf
similarity index 100%
rename from extensions/elk/providers/azure/linux.tf
rename to ansible/extensions/elk/providers/azure/linux.tf
diff --git a/extensions/elk/providers/ludus/config.yml b/ansible/extensions/elk/providers/ludus/config.yml
similarity index 100%
rename from extensions/elk/providers/ludus/config.yml
rename to ansible/extensions/elk/providers/ludus/config.yml
diff --git a/extensions/elk/providers/virtualbox/Vagrantfile b/ansible/extensions/elk/providers/virtualbox/Vagrantfile
similarity index 100%
rename from extensions/elk/providers/virtualbox/Vagrantfile
rename to ansible/extensions/elk/providers/virtualbox/Vagrantfile
diff --git a/extensions/elk/providers/vmware/Vagrantfile b/ansible/extensions/elk/providers/vmware/Vagrantfile
similarity index 100%
rename from extensions/elk/providers/vmware/Vagrantfile
rename to ansible/extensions/elk/providers/vmware/Vagrantfile
diff --git a/extensions/exchange/README.md b/ansible/extensions/exchange/README.md
similarity index 100%
rename from extensions/exchange/README.md
rename to ansible/extensions/exchange/README.md
diff --git a/extensions/exchange/ansible/ansible.cfg b/ansible/extensions/exchange/ansible/ansible.cfg
similarity index 100%
rename from extensions/exchange/ansible/ansible.cfg
rename to ansible/extensions/exchange/ansible/ansible.cfg
diff --git a/extensions/exchange/ansible/install.yml b/ansible/extensions/exchange/ansible/install.yml
similarity index 96%
rename from extensions/exchange/ansible/install.yml
rename to ansible/extensions/exchange/ansible/install.yml
index 4a32a445..e50e91af 100644
--- a/extensions/exchange/ansible/install.yml
+++ b/ansible/extensions/exchange/ansible/install.yml
@@ -1,8 +1,6 @@
 ---
 # read global configuration file and set up adapters
-- ansible.builtin.import_playbook: "../../../ansible/data.yml"
- vars:
- data_path: "../ad/{{domain_name}}/data/"
+- ansible.builtin.import_playbook: "../../../ansible/playbooks/data.yml"
 tags: 'data'
 - name: Read local config file
diff --git a/extensions/exchange/ansible/iso/.gitkeep b/ansible/extensions/exchange/ansible/iso/.gitkeep
similarity index 100%
rename from extensions/exchange/ansible/iso/.gitkeep
rename to ansible/extensions/exchange/ansible/iso/.gitkeep
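Review bot: After the move to `ansible/extensions/exchange/ansible/install.yml`, the new `import_playbook: "../../../ansible/playbooks/data.yml"` resolves relative to the playbook's own directory to `ansible/ansible/playbooks/data.yml`, a path this commit does not create; the old `../../../` climbed out of `extensions/` to the repository root, but from the new location it only climbs to `ansible/`. Unless a symlink exists that the diff does not show, the line should read `- ansible.builtin.import_playbook: "../../../playbooks/data.yml"`. The ws01 `install.yml` hunk later in this commit has the identical problem, and the elk and wazuh `install.yml` files are moved with 100% similarity, so if they carry the same import they are now broken as well and should be checked. Dropping `vars: data_path:` also changes what `data.yml` receives; the new `ansible/playbooks/data.yml` is not in this diff, so whether it still expects `data_path` cannot be confirmed here.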
diff --git a/extensions/exchange/ansible/roles/exchange_bot/files/botScheduler.ps1 b/ansible/extensions/exchange/ansible/roles/exchange_bot/files/botScheduler.ps1
similarity index 100%
rename from extensions/exchange/ansible/roles/exchange_bot/files/botScheduler.ps1
rename to ansible/extensions/exchange/ansible/roles/exchange_bot/files/botScheduler.ps1
diff --git a/extensions/exchange/ansible/roles/exchange_bot/files/readMail.ps1 b/ansible/extensions/exchange/ansible/roles/exchange_bot/files/readMail.ps1
similarity index 100%
rename from extensions/exchange/ansible/roles/exchange_bot/files/readMail.ps1
rename to ansible/extensions/exchange/ansible/roles/exchange_bot/files/readMail.ps1
diff --git a/extensions/exchange/ansible/roles/exchange_bot/tasks/main.yml b/ansible/extensions/exchange/ansible/roles/exchange_bot/tasks/main.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/exchange_bot/tasks/main.yml
rename to ansible/extensions/exchange/ansible/roles/exchange_bot/tasks/main.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/README.md b/ansible/extensions/exchange/ansible/roles/ludus_exchange/README.md
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/README.md
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/README.md
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/defaults/main.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/defaults/main.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/defaults/main.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/defaults/main.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/meta/main.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/meta/main.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/meta/main.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/meta/main.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-create-mailbox.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-create-mailbox.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-create-mailbox.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-create-mailbox.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2016.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2016.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2016.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2016.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2019.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2019.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2019.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-download-exchange-2019.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2016-install.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2016-install.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2016-install.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2016-install.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2019-install.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2019-install.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2019-install.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-2019-install.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-dns.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-dns.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-dns.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-dns.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-pre.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-pre.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-pre.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus-exchange-pre.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus_sendconnector.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus_sendconnector.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus_sendconnector.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/ludus_sendconnector.yml
diff --git a/extensions/exchange/ansible/roles/ludus_exchange/tasks/main.yml b/ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/main.yml
similarity index 100%
rename from extensions/exchange/ansible/roles/ludus_exchange/tasks/main.yml
rename to ansible/extensions/exchange/ansible/roles/ludus_exchange/tasks/main.yml
diff --git a/extensions/exchange/data/config.json b/ansible/extensions/exchange/data/config.json
similarity index 100%
rename from extensions/exchange/data/config.json
rename to ansible/extensions/exchange/data/config.json
diff --git a/extensions/exchange/extension.json b/ansible/extensions/exchange/extension.json
similarity index 100%
rename from extensions/exchange/extension.json
rename to ansible/extensions/exchange/extension.json
diff --git a/extensions/exchange/inventory b/ansible/extensions/exchange/inventory
similarity index 100%
rename from extensions/exchange/inventory
rename to ansible/extensions/exchange/inventory
diff --git a/extensions/exchange/providers/aws/windows.tf b/ansible/extensions/exchange/providers/aws/windows.tf
similarity index 100%
rename from extensions/exchange/providers/aws/windows.tf
rename to ansible/extensions/exchange/providers/aws/windows.tf
diff --git a/extensions/exchange/providers/azure/windows.tf b/ansible/extensions/exchange/providers/azure/windows.tf
similarity index 100%
rename from extensions/exchange/providers/azure/windows.tf
rename to ansible/extensions/exchange/providers/azure/windows.tf
diff --git a/extensions/exchange/providers/ludus/config.yml b/ansible/extensions/exchange/providers/ludus/config.yml
similarity index 100%
rename from extensions/exchange/providers/ludus/config.yml
rename to ansible/extensions/exchange/providers/ludus/config.yml
diff --git a/extensions/exchange/providers/proxmox/windows.tf b/ansible/extensions/exchange/providers/proxmox/windows.tf
similarity index 100%
rename from extensions/exchange/providers/proxmox/windows.tf
rename to ansible/extensions/exchange/providers/proxmox/windows.tf
diff --git a/extensions/exchange/providers/virtualbox/Vagrantfile b/ansible/extensions/exchange/providers/virtualbox/Vagrantfile
similarity index 100%
rename from extensions/exchange/providers/virtualbox/Vagrantfile
rename to ansible/extensions/exchange/providers/virtualbox/Vagrantfile
diff --git a/extensions/exchange/providers/vmware/Vagrantfile b/ansible/extensions/exchange/providers/vmware/Vagrantfile
similarity index 100%
rename from extensions/exchange/providers/vmware/Vagrantfile
rename to ansible/extensions/exchange/providers/vmware/Vagrantfile
diff --git a/extensions/wazuh/README.md b/ansible/extensions/wazuh/README.md
similarity index 100%
rename from extensions/wazuh/README.md
rename to ansible/extensions/wazuh/README.md
diff --git a/extensions/wazuh/ansible/install.yml b/ansible/extensions/wazuh/ansible/install.yml
similarity index 100%
rename from extensions/wazuh/ansible/install.yml
rename to ansible/extensions/wazuh/ansible/install.yml
diff --git a/extensions/wazuh/ansible/roles/wazuh_agent/defaults/main.yml b/ansible/extensions/wazuh/ansible/roles/wazuh_agent/defaults/main.yml
similarity index 100%
rename from extensions/wazuh/ansible/roles/wazuh_agent/defaults/main.yml
rename to ansible/extensions/wazuh/ansible/roles/wazuh_agent/defaults/main.yml
diff --git a/extensions/wazuh/ansible/roles/wazuh_agent/tasks/main.yml b/ansible/extensions/wazuh/ansible/roles/wazuh_agent/tasks/main.yml
similarity index 100%
rename from extensions/wazuh/ansible/roles/wazuh_agent/tasks/main.yml
rename to ansible/extensions/wazuh/ansible/roles/wazuh_agent/tasks/main.yml
diff --git a/extensions/wazuh/ansible/roles/wazuh_manager/defaults/main.yml b/ansible/extensions/wazuh/ansible/roles/wazuh_manager/defaults/main.yml
similarity index 100%
rename from extensions/wazuh/ansible/roles/wazuh_manager/defaults/main.yml
rename to ansible/extensions/wazuh/ansible/roles/wazuh_manager/defaults/main.yml
diff --git a/extensions/wazuh/ansible/roles/wazuh_manager/files/wazuh_socfortress_rules.sh b/ansible/extensions/wazuh/ansible/roles/wazuh_manager/files/wazuh_socfortress_rules.sh
similarity index 100%
rename from extensions/wazuh/ansible/roles/wazuh_manager/files/wazuh_socfortress_rules.sh
rename to ansible/extensions/wazuh/ansible/roles/wazuh_manager/files/wazuh_socfortress_rules.sh
diff --git a/extensions/wazuh/ansible/roles/wazuh_manager/tasks/main.yml b/ansible/extensions/wazuh/ansible/roles/wazuh_manager/tasks/main.yml
similarity index 100%
rename from extensions/wazuh/ansible/roles/wazuh_manager/tasks/main.yml
rename to ansible/extensions/wazuh/ansible/roles/wazuh_manager/tasks/main.yml
diff --git a/extensions/wazuh/extension.json b/ansible/extensions/wazuh/extension.json
similarity index 100%
rename from extensions/wazuh/extension.json
rename to ansible/extensions/wazuh/extension.json
diff --git a/extensions/wazuh/inventory b/ansible/extensions/wazuh/inventory
similarity index 100%
rename from extensions/wazuh/inventory
rename to ansible/extensions/wazuh/inventory
diff --git a/extensions/wazuh/providers/aws/linux.tf b/ansible/extensions/wazuh/providers/aws/linux.tf
similarity index 100%
rename from extensions/wazuh/providers/aws/linux.tf
rename to ansible/extensions/wazuh/providers/aws/linux.tf
diff --git a/extensions/wazuh/providers/azure/linux.tf b/ansible/extensions/wazuh/providers/azure/linux.tf
similarity index 100%
rename from extensions/wazuh/providers/azure/linux.tf
rename to ansible/extensions/wazuh/providers/azure/linux.tf
diff --git a/extensions/wazuh/providers/ludus/config.yml b/ansible/extensions/wazuh/providers/ludus/config.yml
similarity index 100%
rename from extensions/wazuh/providers/ludus/config.yml
rename to ansible/extensions/wazuh/providers/ludus/config.yml
diff --git a/extensions/wazuh/providers/virtualbox/Vagrantfile b/ansible/extensions/wazuh/providers/virtualbox/Vagrantfile
similarity index 100%
rename from extensions/wazuh/providers/virtualbox/Vagrantfile
rename to ansible/extensions/wazuh/providers/virtualbox/Vagrantfile
diff --git a/extensions/wazuh/providers/vmware/Vagrantfile b/ansible/extensions/wazuh/providers/vmware/Vagrantfile
similarity index 100%
rename from extensions/wazuh/providers/vmware/Vagrantfile
rename to ansible/extensions/wazuh/providers/vmware/Vagrantfile
diff --git a/extensions/ws01/README.md b/ansible/extensions/ws01/README.md
similarity index 100%
rename from extensions/ws01/README.md
rename to ansible/extensions/ws01/README.md
diff --git a/extensions/ws01/ansible/ansible.cfg b/ansible/extensions/ws01/ansible/ansible.cfg
similarity index 100%
rename from extensions/ws01/ansible/ansible.cfg
rename to ansible/extensions/ws01/ansible/ansible.cfg
diff --git a/extensions/ws01/ansible/install.yml b/ansible/extensions/ws01/ansible/install.yml
similarity index 94%
rename from extensions/ws01/ansible/install.yml
rename to ansible/extensions/ws01/ansible/install.yml
index 8c897e72..71c50dde 100644
--- a/extensions/ws01/ansible/install.yml
+++ b/ansible/extensions/ws01/ansible/install.yml
@@ -1,8 +1,6 @@
 ---
 # read global configuration file and set up adapters
-- ansible.builtin.import_playbook: "../../../ansible/data.yml"
- vars:
- data_path: "../ad/{{domain_name}}/data/"
+- ansible.builtin.import_playbook: "../../../ansible/playbooks/data.yml"
 tags: 'data'
 - name: Read local config file
diff --git a/extensions/ws01/data/config.json b/ansible/extensions/ws01/data/config.json
similarity index 100%
rename from extensions/ws01/data/config.json
rename to ansible/extensions/ws01/data/config.json
diff --git a/extensions/ws01/extension.json b/ansible/extensions/ws01/extension.json
similarity index 100%
rename from extensions/ws01/extension.json
rename to ansible/extensions/ws01/extension.json
diff --git a/extensions/ws01/inventory b/ansible/extensions/ws01/inventory
similarity index 100%
rename from extensions/ws01/inventory
rename to ansible/extensions/ws01/inventory
diff --git a/extensions/ws01/providers/aws/windows.tf b/ansible/extensions/ws01/providers/aws/windows.tf
similarity index 100%
rename from extensions/ws01/providers/aws/windows.tf
rename to ansible/extensions/ws01/providers/aws/windows.tf
diff --git a/extensions/ws01/providers/azure/windows.tf b/ansible/extensions/ws01/providers/azure/windows.tf
similarity index 100%
rename from extensions/ws01/providers/azure/windows.tf
rename to ansible/extensions/ws01/providers/azure/windows.tf
diff --git a/extensions/ws01/providers/ludus/config.yml b/ansible/extensions/ws01/providers/ludus/config.yml
similarity index 100%
rename from extensions/ws01/providers/ludus/config.yml
rename to ansible/extensions/ws01/providers/ludus/config.yml
diff --git a/extensions/ws01/providers/proxmox/windows.tf b/ansible/extensions/ws01/providers/proxmox/windows.tf
similarity index 100%
rename from extensions/ws01/providers/proxmox/windows.tf
rename to ansible/extensions/ws01/providers/proxmox/windows.tf
diff --git a/extensions/ws01/providers/proxmox/ws01.tf b/ansible/extensions/ws01/providers/proxmox/ws01.tf
similarity index 100%
rename from extensions/ws01/providers/proxmox/ws01.tf
rename to ansible/extensions/ws01/providers/proxmox/ws01.tf
diff --git a/extensions/ws01/providers/virtualbox/Vagrantfile b/ansible/extensions/ws01/providers/virtualbox/Vagrantfile
similarity index 100%
rename from extensions/ws01/providers/virtualbox/Vagrantfile
rename to ansible/extensions/ws01/providers/virtualbox/Vagrantfile
diff --git a/extensions/ws01/providers/vmware/Vagrantfile b/ansible/extensions/ws01/providers/vmware/Vagrantfile
similarity index 100%
rename from extensions/ws01/providers/vmware/Vagrantfile
rename to ansible/extensions/ws01/providers/vmware/Vagrantfile
diff --git a/ansible/galaxy.yml b/ansible/galaxy.yml
new file mode 100644
index 00000000..984a8d1a
--- /dev/null
+++ b/ansible/galaxy.yml
@@ -0,0 +1,42 @@
+---
+namespace: dreadnode
+name: goad
+version: 1.0.0
+readme: README.md
+authors:
+ - Dreadnode
+description: >-
+ Game of Active Directory (GOAD) - Ansible collection for deploying
+ and configuring vulnerable Active Directory lab environments for
+ penetration testing and security research.
+license_file: LICENSE
+tags:
+ - windows
+ - activedirectory
+ - security
+ - pentest
+ - goad
+dependencies:
+ amazon.aws: ">=9.0.0"
+ ansible.windows: ">=2.5.0"
+ community.general: "*"
+ community.windows: ">=2.3.0"
+ chocolatey.chocolatey: ">=1.5.3"
+repository: https://github.com/dreadnode/ansible-collection-goad
+documentation: https://github.com/dreadnode/ansible-collection-goad
+homepage: https://github.com/dreadnode/ansible-collection-goad
+issues: https://github.com/dreadnode/ansible-collection-goad/issues
+build_ignore:
+ - "*.retry"
+ - "*.log"
+ - "*.tar.gz"
+ - .git
+ - .github
+ - .claude
+ - .task
+ - .hooks
+ - .venv
+ - .ansible
+ - scripts
+ - docs
+ - "roles/*/molecule"
diff --git a/ansible/meta/runtime.yml b/ansible/meta/runtime.yml
new file mode 100644
index 00000000..6f0d27f4
--- /dev/null
+++ b/ansible/meta/runtime.yml
@@ -0,0 +1,4 @@
+---
+# ansible-core >=2.19 breaks Windows module execution over AWS SSM due to
+# pipelining changes. See requirements.txt for full explanation.
+requires_ansible: ">=2.15.0,<2.19.0"
diff --git a/ansible/ad-acl.yml b/ansible/playbooks/ad-acl.yml
similarity index 91%
rename from ansible/ad-acl.yml
rename to ansible/playbooks/ad-acl.yml
index fdce4c77..a82ca555 100644
--- a/ansible/ad-acl.yml
+++ b/ansible/playbooks/ad-acl.yml
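Review bot: The `dependencies` map in galaxy.yml omits `microsoft.ad`, yet the changelog hunk in this same commit states the onlyusers role now uses `microsoft.ad.user`; installing `dreadnode.goad` from the built tarball would therefore not pull that collection in, so add `microsoft.ad: ">=MIN_VERSION"` (placeholder — use the minimum version the role was tested against). `community.general: "*"` is the only unbounded spec in the list and accepts any future major release; give it a lower bound like the neighbouring entries. The `build_ignore` list also does not exclude `extensions/*/providers`, into which this commit moves Terraform files and Vagrantfiles even though the changelog says those components were removed; either drop them or add that glob so they do not ship inside the collection artifact.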
@@ -9,7 +9,7 @@
 - name: ACL inside AD
 hosts: dc
 roles:
- - { role: 'acl', tags: 'acl'}
+ - { role: 'dreadnode.goad.acl', tags: 'acl'}
 vars:
 ad_acls: "{{ lab.domains[lab.hosts[dict_key].domain].acls | default({}) }}"
 domain: "{{ lab.hosts[dict_key].domain }}"
diff --git a/ansible/ad-child_domain.yml b/ansible/playbooks/ad-child_domain.yml
similarity index 86%
rename from ansible/ad-child_domain.yml
rename to ansible/playbooks/ad-child_domain.yml
index b392bc0e..33b6c217 100644
--- a/ansible/ad-child_domain.yml
+++ b/ansible/playbooks/ad-child_domain.yml
@@ -10,8 +10,8 @@
 hosts: child_dc
 gather_facts: false
 roles:
- - { role: 'child_domain', tags: 'child_domain'}
- - { role: 'dns_conditional_forwarder', tags: 'dns_conditional_forwarder' }
+ - { role: 'dreadnode.goad.child_domain', tags: 'child_domain'}
+ - { role: 'dreadnode.goad.dns_conditional_forwarder', tags: 'dns_conditional_forwarder' }
 vars:
 domain: "{{ lab.hosts[dict_key].domain }}"
 domain_password: "{{ lab.domains[domain].domain_password }}"
@@ -30,7 +30,7 @@
 hosts: parent_dc
 gather_facts: false
 roles:
- - { role: 'parent_child_dns', tags: 'parent_child_dns'}
+ - { role: 'dreadnode.goad.parent_child_dns', tags: 'parent_child_dns'}
 vars:
 lab: "{{ lab }}"
 domains: "{{ lab.domains.keys() }}"
diff --git a/ansible/ad-data.yml b/ansible/playbooks/ad-data.yml
similarity index 75%
rename from ansible/ad-data.yml
rename to ansible/playbooks/ad-data.yml
index e30c77ef..d9e48c26 100644
--- a/ansible/ad-data.yml
+++ b/ansible/playbooks/ad-data.yml
@@ -8,8 +8,8 @@ - name: DCs AD data configuration hosts: dc roles: - - { role: 'password_policy', tags: 'policy', try_before_lock: "5", pass_length: "5", lock_duration: "00:05:00", lock_observation: "00:05:00", complexity: false} - - { role: 'ad', tags: 'ad_domain_data' } + - { role: 'dreadnode.goad.password_policy', tags: 'policy', try_before_lock: "5", pass_length: "5", lock_duration: "00:05:00", lock_observation: "00:05:00", complexity: false} + - { role: 'dreadnode.goad.ad', tags: 'ad_domain_data' } vars: hostname: "{{ lab.hosts[dict_key].hostname }}" domain: "{{ lab.hosts[dict_key].domain }}" @@ -23,7 +23,7 @@ - name: Servers AD data configuration hosts: server roles: - - { role: 'settings/copy_files', tags: 'download_files' } + - { role: 'dreadnode.goad.settings_copy_files', tags: 'download_files' } vars: hostname: "{{ lab.hosts[dict_key].hostname }}" domain_ou_path: "{{ lab.hosts[dict_key].path }}" @@ -31,7 +31,7 @@ - name: Move to OU hosts: dc roles: - - { role: 'move_to_ou', tags: 'move_to_ou'} + - { role: 'dreadnode.goad.move_to_ou', tags: 'move_to_ou'} vars: hosts_dict: "{{ lab.hosts }}" member_domain: "{{ lab.hosts[dict_key].domain }}" diff --git a/ansible/ad-gmsa.yml b/ansible/playbooks/ad-gmsa.yml similarity index 89% rename from ansible/ad-gmsa.yml rename to ansible/playbooks/ad-gmsa.yml index 6ae8ff69..816d844f 100644 --- a/ansible/ad-gmsa.yml +++ b/ansible/playbooks/ad-gmsa.yml @@ -9,7 +9,7 @@ - name: GMSA inside AD hosts: dc roles: - - { role: 'gmsa', tags: 'gmsa'} + - { role: 'dreadnode.goad.gmsa', tags: 'gmsa'} vars: ad_gmsa: "{{ lab.domains[lab.hosts[dict_key].domain].gmsa | default({}) }}" domain: "{{ lab.hosts[dict_key].domain }}" @@ -19,7 +19,7 @@ - name: GMSA hosts hosts: server, workstation roles: - - { role: 'gmsa_hosts', tags: 'gmsa'} + - { role: 'dreadnode.goad.gmsa_hosts', tags: 'gmsa'} vars: ad_gmsa: "{{ lab.domains[lab.hosts[dict_key].domain].gmsa | default({}) }}" domain: "{{ lab.hosts[dict_key].domain }}" 
diff --git a/ansible/ad-members.yml b/ansible/playbooks/ad-members.yml similarity index 92% rename from ansible/ad-members.yml rename to ansible/playbooks/ad-members.yml index f86170d2..1bc66c16 100644 --- a/ansible/ad-members.yml +++ b/ansible/playbooks/ad-members.yml @@ -8,7 +8,7 @@ - name: Servers AD configuration hosts: server roles: - - { role: 'member_server', tags: 'server'} + - { role: 'dreadnode.goad.member_server', tags: 'server'} vars: member_domain: "{{ lab.hosts[dict_key].domain }}" domain_username: "{{ admin_user }}@{{ member_domain }}" @@ -21,7 +21,7 @@ - name: Workstations AD configuration hosts: workstation roles: - - { role: 'commonwkstn', tags: 'workstation'} + - { role: 'dreadnode.goad.commonwkstn', tags: 'workstation'} vars: member_domain: "{{ lab.hosts[dict_key].domain }}" domain_username: "{{ admin_user }}@{{ member_domain }}" diff --git a/ansible/ad-parent_domain.yml b/ansible/playbooks/ad-parent_domain.yml similarity index 97% rename from ansible/ad-parent_domain.yml rename to ansible/playbooks/ad-parent_domain.yml index 439ea8ff..134a09b6 100644 --- a/ansible/ad-parent_domain.yml +++ b/ansible/playbooks/ad-parent_domain.yml @@ -63,7 +63,7 @@ when: pending_reboot_check.output[0] | default(false) | bool roles: - - { role: 'domain_controller', tags: 'dc_main_domains' } + - { role: 'dreadnode.goad.domain_controller', tags: 'dc_main_domains' } post_tasks: - name: Final verification of domain controller functionality diff --git a/ansible/ad-relations.yml b/ansible/playbooks/ad-relations.yml similarity index 80% rename from ansible/ad-relations.yml rename to ansible/playbooks/ad-relations.yml index d6e40fee..38decfa0 100644 --- a/ansible/ad-relations.yml +++ b/ansible/playbooks/ad-relations.yml 
@@ -9,8 +9,8 @@ - name: Adjust rights configuration hosts: domain roles: - - { role: "settings/adjust_rights", tags: 'adjust_rights'} - - { role: "settings/user_rights", tags: 'adjust_rights'} + - { role: "dreadnode.goad.settings_adjust_rights", tags: 'adjust_rights'} + - { role: "dreadnode.goad.settings_user_rights", tags: 'adjust_rights'} vars: local_groups: "{{ lab.hosts[dict_key].local_groups | default({}) }}" @@ -19,7 +19,7 @@ - name: Cross domain groups hosts: dc roles: - - { role: 'groups_domains', tags: 'groups_domains'} + - { role: 'dreadnode.goad.groups_domains', tags: 'groups_domains'} vars: domain: "{{ lab.hosts[dict_key].domain }}" domain_server: "{{ lab.hosts[dict_key].hostname }}.{{ domain }}" diff --git a/ansible/ad-servers.yml b/ansible/playbooks/ad-servers.yml similarity index 75% rename from ansible/ad-servers.yml rename to ansible/playbooks/ad-servers.yml index c86f445f..368b91ea 100644 --- a/ansible/ad-servers.yml +++ b/ansible/playbooks/ad-servers.yml @@ -10,8 +10,8 @@ hosts: domain tags: prepare_servers roles: - - { role: 'settings/admin_password', tags: 'admin_password' } - - { role: 'settings/hostname', tags: 'hostname' } + - { role: 'dreadnode.goad.settings_admin_password', tags: 'admin_password' } + - { role: 'dreadnode.goad.settings_hostname', tags: 'hostname' } vars: local_admin_password: "{{ lab.hosts[inventory_hostname].local_admin_password }}" hostname: "{{ lab.hosts[inventory_hostname].hostname }}" diff --git a/ansible/ad-trusts.yml b/ansible/playbooks/ad-trusts.yml similarity index 85% rename from ansible/ad-trusts.yml rename to ansible/playbooks/ad-trusts.yml index fa947981..e5f4f3ef 100644 --- a/ansible/ad-trusts.yml +++ b/ansible/playbooks/ad-trusts.yml 
@@ -8,8 +8,8 @@ - name: Trusts configuration prepare hosts: trust roles: - - { role: 'settings/disable_nat_adapter', tags: 'disable_nat_adapter'} - - { role: 'dns_conditional_forwarder', tags: 'dns_conditional_forwarder' } + - { role: 'dreadnode.goad.settings_disable_nat_adapter', tags: 'disable_nat_adapter'} + - { role: 'dreadnode.goad.dns_conditional_forwarder', tags: 'dns_conditional_forwarder' } vars: domain: "{{ lab.hosts[dict_key].domain }}" remote_forest: "{{ lab.domains[domain].trust }}" @@ -24,7 +24,7 @@ hosts: trust serial: 1 # add one trust at a time to avoid issues roles: - - { role: 'trusts', tags: 'trust' } + - { role: 'dreadnode.goad.trusts', tags: 'trust' } vars: domain: "{{ lab.hosts[dict_key].domain }}" domain_username: "{{ domain }}\\{{ admin_user }}" @@ -41,12 +41,12 @@ - name: Trusts configuration end hosts: trust roles: - - { role: 'settings/enable_nat_adapter', tags: 'enable_nat_adapter'} + - { role: 'dreadnode.goad.settings_enable_nat_adapter', tags: 'enable_nat_adapter'} - name: Adjust DNS conditional forwarded configuration hosts: trust roles: - - { role: 'dc_dns_conditional_forwarder', tags: 'dns_conditional_forwarder' } + - { role: 'dreadnode.goad.dc_dns_conditional_forwarder', tags: 'dns_conditional_forwarder' } vars: domain: "{{ lab.hosts[dict_key].domain }}" domain_username: "{{ domain }}\\{{ admin_user }}" diff --git a/ansible/ad.yml b/ansible/playbooks/ad.yml similarity index 100% rename from ansible/ad.yml rename to ansible/playbooks/ad.yml diff --git a/ansible/adcs.yml b/ansible/playbooks/adcs.yml similarity index 88% rename from ansible/adcs.yml rename to ansible/playbooks/adcs.yml index 89b66a9c..da682ad7 100644 --- a/ansible/adcs.yml +++ b/ansible/playbooks/adcs.yml @@ -8,7 +8,7 @@ - name: ADCS hosts: adcs roles: - - { role: 'adcs', tags: 'adcs'} + - { role: 'dreadnode.goad.adcs', tags: 'adcs'} vars: domain: "{{ lab.hosts[dict_key].domain }}" domain_username: "{{ domain }}\\{{ admin_user }}" 
@@ -19,7 +19,7 @@ - name: ADCS hosts: adcs_customtemplates roles: - - { role: 'adcs_templates', tags: 'adcs_templates'} + - { role: 'dreadnode.goad.adcs_templates', tags: 'adcs_templates'} vars: domain: "{{ lab.hosts[dict_key].domain }}" domain_username: "{{ domain }}\\{{ admin_user }}" diff --git a/ansible/playbooks/build.yml b/ansible/playbooks/build.yml new file mode 100644 index 00000000..df3f5c69 --- /dev/null +++ b/ansible/playbooks/build.yml @@ -0,0 +1,22 @@ +--- +# Load data +- name: Import Data + ansible.builtin.import_playbook: data.yml + tags: data + +- name: Build all + hosts: domain + roles: + - { role: 'dreadnode.goad.common', tags: 'common', http_proxy: "{{ enable_http_proxy }}"} + - { role: 'dreadnode.goad.settings_keyboard', tags: 'keyboard', layouts: "{{ keyboard_layouts }}" } + +# do not add srv with no update -> generate error on iis install +- name: Build all no update + hosts: no_update + roles: + - { role: 'dreadnode.goad.settings_no_updates', tags: 'no_updates' } + +- name: Launch windows updates before continue + hosts: update + roles: + - { role: 'dreadnode.goad.settings_updates', tags: 'updates'} diff --git a/ansible/data.yml b/ansible/playbooks/data.yml similarity index 97% rename from ansible/data.yml rename to ansible/playbooks/data.yml index f9ae539f..51c7fd7c 100644 --- a/ansible/data.yml +++ b/ansible/playbooks/data.yml @@ -20,7 +20,7 @@ file: "/tmp/aws_instance_mapping_{{ env }}.json" name: aws_mapping run_once: true - when: ansible_connection == 'aws_ssm' + when: ansible_connection is search('aws_ssm') ignore_errors: true - name: Display AWS instance to IP mappings @@ -29,7 +29,7 @@ loop: "{{ aws_mapping.instance_to_ip | dict2items }}" run_once: true when: - - ansible_connection == 'aws_ssm' + - ansible_connection is search('aws_ssm') - aws_mapping is defined - name: Set instance_to_ip mapping for all hosts 
@@ -43,7 +43,7 @@ loop_control: label: "{{ item }} ({{ hostvars[item].ansible_host | default('no instance_id') }})" when: - - ansible_connection == 'aws_ssm' + - ansible_connection is search('aws_ssm') - aws_mapping is defined - name: Set host_ipv4 from AWS instance mapping for SSM connections @@ -51,7 +51,7 @@ host_ipv4: "{{ instance_to_ip[ansible_host] | default('') }}" cacheable: true when: - - ansible_connection == 'aws_ssm' + - ansible_connection is search('aws_ssm') - instance_to_ip is defined - ansible_host in instance_to_ip @@ -59,7 +59,7 @@ ansible.builtin.debug: msg: "Host {{ inventory_hostname }} ({{ ansible_host }}) assigned IP: {{ host_ipv4 }}" when: - - ansible_connection == 'aws_ssm' + - ansible_connection is search('aws_ssm') - host_ipv4 is defined - host_ipv4 != '' diff --git a/ansible/dhcp.yml b/ansible/playbooks/dhcp.yml similarity index 90% rename from ansible/dhcp.yml rename to ansible/playbooks/dhcp.yml index aa53a1f1..7d7d9074 100644 --- a/ansible/dhcp.yml +++ b/ansible/playbooks/dhcp.yml @@ -1,14 +1,12 @@ --- - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' - name: Setup Prerequisites hosts: dc roles: - - { role: 'dhcp', tags: 'dhcp_install'} + - { role: 'dreadnode.goad.dhcp', tags: 'dhcp_install'} vars: domain: "{{lab.hosts[dict_key].domain}}" domain_username: "{{domain}}\\{{admin_user}}" diff --git a/ansible/diagnose-dc01.yml b/ansible/playbooks/diagnose-dc01.yml similarity index 100% rename from ansible/diagnose-dc01.yml rename to ansible/playbooks/diagnose-dc01.yml diff --git a/ansible/playbooks/disable_vagrant.yml b/ansible/playbooks/disable_vagrant.yml new file mode 100644 index 00000000..ccfb00cb --- /dev/null +++ b/ansible/playbooks/disable_vagrant.yml @@ -0,0 +1,5 @@ +--- +- name: "Disable vagrant" + hosts: domain + roles: + - { role: 'dreadnode.goad.disable_user', tags: 'disable_vagrant', username: "vagrant"} 
diff --git a/ansible/elk.yml b/ansible/playbooks/elk.yml similarity index 68% rename from ansible/elk.yml rename to ansible/playbooks/elk.yml index 73b8a4ac..637ad370 100644 --- a/ansible/elk.yml +++ b/ansible/playbooks/elk.yml @@ -3,9 +3,9 @@ hosts: elk_server become: yes roles: - - { role: 'elk', tags: 'elk' } + - { role: 'dreadnode.goad.elk', tags: 'elk' } - name: Install log agent on windows vms hosts: elk_log roles: - - { role: 'logs_windows', tags: 'agent' } + - { role: 'dreadnode.goad.logs_windows', tags: 'agent' } diff --git a/ansible/playbooks/enable_vagrant.yml b/ansible/playbooks/enable_vagrant.yml new file mode 100644 index 00000000..8aef7523 --- /dev/null +++ b/ansible/playbooks/enable_vagrant.yml @@ -0,0 +1,5 @@ +--- +- name: "Enable vagrant" + hosts: domain + roles: + - { role: 'dreadnode.goad.enable_user', tags: 'enable_vagrant', username: "vagrant"} diff --git a/ansible/fix_dns.yml b/ansible/playbooks/fix_dns.yml similarity index 63% rename from ansible/fix_dns.yml rename to ansible/playbooks/fix_dns.yml index 1d688b75..d4f12396 100644 --- a/ansible/fix_dns.yml +++ b/ansible/playbooks/fix_dns.yml @@ -2,11 +2,9 @@ # Load data - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' - name: Setup dns again on all domain computers hosts: domain roles: - - { role: 'fix_dns', tags: 'fix_dns' } + - { role: 'dreadnode.goad.fix_dns', tags: 'fix_dns' } diff --git a/ansible/fix_trust.yml b/ansible/playbooks/fix_trust.yml similarity index 95% rename from ansible/fix_trust.yml rename to ansible/playbooks/fix_trust.yml index 2b72bc70..a62c0fac 100644 --- a/ansible/fix_trust.yml +++ b/ansible/playbooks/fix_trust.yml 
@@ -1,8 +1,6 @@ --- - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{ domain_name }}/data/" # use this to change machine password if the trust between the dc and the computer is broken - name: Fix trust relationship between this workstation and the primary domain failed diff --git a/ansible/interfaces.yml b/ansible/playbooks/interfaces.yml similarity index 96% rename from ansible/interfaces.yml rename to ansible/playbooks/interfaces.yml index 0ff623c8..355e869b 100644 --- a/ansible/interfaces.yml +++ b/ansible/playbooks/interfaces.yml @@ -1,8 +1,6 @@ --- - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{ domain_name }}/data/" tags: 'data' #- name: show variables diff --git a/ansible/laps.yml b/ansible/playbooks/laps.yml similarity index 82% rename from ansible/laps.yml rename to ansible/playbooks/laps.yml index 65972043..2faed72d 100644 --- a/ansible/laps.yml +++ b/ansible/playbooks/laps.yml @@ -7,7 +7,7 @@ - name: Configure laps on DCs hosts: laps_dc roles: - - { role: 'laps/dc', tags: 'laps-dc'} + - { role: 'dreadnode.goad.laps_dc', tags: 'laps-dc'} vars: domain: "{{ lab.hosts[dict_key].domain }}" laps_path: "{{ lab.domains[domain].laps_path if lab.domains[domain].laps_path is defined else false }}" @@ -16,7 +16,7 @@ - name: Configure laps on servers hosts: laps_server, laps_workstation roles: - - { role: 'laps/server', tags: 'laps-server'} + - { role: 'dreadnode.goad.laps_server', tags: 'laps-server'} vars: domain: "{{ lab.hosts[dict_key].domain }}" laps_path: "{{ lab.domains[domain].laps_path if lab.domains[domain].laps_path is defined else false }}" 
@@ -25,7 +25,7 @@ - name: Verify and show laps passwords hosts: laps_dc roles: - - { role: 'laps/verify', tags: 'laps-verify'} + - { role: 'dreadnode.goad.laps_verify', tags: 'laps-verify'} vars: domain: "{{ lab.hosts[dict_key].domain }}" laps_path: "{{ lab.domains[domain].laps_path if lab.domains[domain].laps_path is defined else false }}" @@ -34,7 +34,7 @@ - name: Set laps users and groups permission hosts: laps_dc roles: - - { role: 'laps/permissions', tags: 'laps-permissions'} + - { role: 'dreadnode.goad.laps_permissions', tags: 'laps-permissions'} vars: domain: "{{ lab.hosts[dict_key].domain }}" laps_path: "{{ lab.domains[domain].laps_path if lab.domains[domain].laps_path is defined else false }}" diff --git a/ansible/localusers.yml b/ansible/playbooks/localusers.yml similarity index 76% rename from ansible/localusers.yml rename to ansible/playbooks/localusers.yml index 87b3028b..ac1d9dbc 100644 --- a/ansible/localusers.yml +++ b/ansible/playbooks/localusers.yml @@ -2,14 +2,12 @@ # Load data - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' # set local users ================================================================================================== - name: Local Users hosts: domain roles: - - { role: 'localusers', tags: 'localusers' } + - { role: 'dreadnode.goad.localusers', tags: 'localusers' } vars: local_users: "{{ lab.hosts[dict_key].local_users | default({}) }}" diff --git a/ansible/main.yml b/ansible/playbooks/main.yml similarity index 97% rename from ansible/main.yml rename to ansible/playbooks/main.yml index 97b67c75..4a82d45f 100644 --- a/ansible/main.yml +++ b/ansible/playbooks/main.yml @@ -3,8 +3,6 @@ # Load data - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{ domain_name }}/data/" tags: 'data' # Prepare servers 
diff --git a/ansible/onlyusers.yml b/ansible/playbooks/onlyusers.yml similarity index 88% rename from ansible/onlyusers.yml rename to ansible/playbooks/onlyusers.yml index 81ed6f3b..ba091bbc 100644 --- a/ansible/onlyusers.yml +++ b/ansible/playbooks/onlyusers.yml @@ -2,15 +2,13 @@ # Load data - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' # set AD data ================================================================================================== - name: DCs AD data configuration hosts: dc01,dc02 roles: - - { role: 'onlyusers', tags: 'onlyusers' } + - { role: 'dreadnode.goad.onlyusers', tags: 'onlyusers' } vars: hostname: "{{lab.hosts[dict_key].hostname}}" domain: "{{lab.hosts[dict_key].domain}}" diff --git a/ansible/reboot.yml b/ansible/playbooks/reboot.yml similarity index 100% rename from ansible/reboot.yml rename to ansible/playbooks/reboot.yml diff --git a/ansible/sccm-client.yml b/ansible/playbooks/sccm-client.yml similarity index 79% rename from ansible/sccm-client.yml rename to ansible/playbooks/sccm-client.yml index 3bb94924..ce447104 100644 --- a/ansible/sccm-client.yml +++ b/ansible/playbooks/sccm-client.yml @@ -1,14 +1,12 @@ --- - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' - name: Client install hosts: sccm roles: - - { role: 'sccm/config/client_install', tags: 'sccm_client_install' } + - { role: 'dreadnode.goad.sccm_config_client_install', tags: 'sccm_client_install' } vars: domain: "{{lab.hosts[dict_key].domain}}" domain_username: "{{domain}}\\{{admin_user}}" diff --git a/ansible/sccm-config.yml b/ansible/playbooks/sccm-config.yml similarity index 75% rename from ansible/sccm-config.yml rename to ansible/playbooks/sccm-config.yml index 2bb2c285..cd1317b5 100644 --- a/ansible/sccm-config.yml +++ b/ansible/playbooks/sccm-config.yml 
@@ -1,20 +1,18 @@ --- - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' - name: Config SCCM hosts: sccm roles: - - { role: 'sccm/config/discovery', tags: 'sccm_discovery'} - - { role: 'sccm/config/boundary', tags: 'sccm_boundary'} - - { role: 'sccm/config/accounts', tags: 'sccm_accounts'} - - { role: 'sccm/config/client_push', tags: 'sccm_client_push'} - - { role: 'sccm/config/naa', tags: 'sccm_naa'} - - { role: 'sccm/config/client_install', tags: 'sccm_client_install'} - - { role: 'sccm/config/users', tags: 'sccm_users'} + - { role: 'dreadnode.goad.sccm_config_discovery', tags: 'sccm_discovery'} + - { role: 'dreadnode.goad.sccm_config_boundary', tags: 'sccm_boundary'} + - { role: 'dreadnode.goad.sccm_config_accounts', tags: 'sccm_accounts'} + - { role: 'dreadnode.goad.sccm_config_client_push', tags: 'sccm_client_push'} + - { role: 'dreadnode.goad.sccm_config_naa', tags: 'sccm_naa'} + - { role: 'dreadnode.goad.sccm_config_client_install', tags: 'sccm_client_install'} + - { role: 'dreadnode.goad.sccm_config_users', tags: 'sccm_users'} vars: domain: "{{lab.hosts[dict_key].domain}}" domain_username: "{{domain}}\\{{admin_user}}" diff --git a/ansible/sccm-install.yml b/ansible/playbooks/sccm-install.yml similarity index 73% rename from ansible/sccm-install.yml rename to ansible/playbooks/sccm-install.yml index 1f1f037a..5d79643a 100644 --- a/ansible/sccm-install.yml +++ b/ansible/playbooks/sccm-install.yml @@ -1,14 +1,12 @@ --- - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' - name: "Setup Prerequisites" hosts: dc roles: - - { role: 'sccm/install/prerequisites', tags: 'sccm_prerequisites', when: sccm_server != ''} + - { role: 'dreadnode.goad.sccm_install_prerequisites', tags: 'sccm_prerequisites', when: sccm_server != ''} vars: domain: "{{lab.hosts[dict_key].domain}}" domain_username: "{{domain}}\\{{admin_user}}" 
@@ -20,11 +18,11 @@ - name: "Install SCCM" hosts: sccm roles: - - { role: 'sccm/install/iis', tags: 'sccm_iis'} - - { role: 'sccm/install/adk', tags: 'sccm_adk'} + - { role: 'dreadnode.goad.sccm_install_iis', tags: 'sccm_iis'} + - { role: 'dreadnode.goad.sccm_install_adk', tags: 'sccm_adk'} # - { role: 'sccm/mssql', tags: 'sccm_wsus', when: sccm_server != ''} # done by the server playbook - - { role: 'sccm/install/wsus', tags: 'sccm_wsus'} - - { role: 'sccm/install/mecm', tags: 'sccm_mecm'} + - { role: 'dreadnode.goad.sccm_install_wsus', tags: 'sccm_wsus'} + - { role: 'dreadnode.goad.sccm_install_mecm', tags: 'sccm_mecm'} vars: domain: "{{lab.hosts[dict_key].domain}}" domain_username: "{{domain}}\\{{admin_user}}" diff --git a/ansible/sccm-pxe.yml b/ansible/playbooks/sccm-pxe.yml similarity index 84% rename from ansible/sccm-pxe.yml rename to ansible/playbooks/sccm-pxe.yml index ec01757c..c2fa304c 100644 --- a/ansible/sccm-pxe.yml +++ b/ansible/playbooks/sccm-pxe.yml @@ -1,15 +1,13 @@ --- - name: Import Data ansible.builtin.import_playbook: data.yml - vars: - data_path: "../ad/{{domain_name}}/data/" tags: 'data' - name: Setup SCCM PXE hosts: sccm roles: - - { role: 'sccm/config/pxe', tags: 'sccm_pxe'} - - { role: 'sccm/pxe', tags: 'sccm_pxe' } + - { role: 'dreadnode.goad.sccm_config_pxe', tags: 'sccm_pxe'} + - { role: 'dreadnode.goad.sccm_pxe', tags: 'sccm_pxe' } vars: domain: "{{lab.hosts[dict_key].domain}}" domain_username: "{{domain}}\\{{admin_user}}" diff --git a/ansible/security.yml b/ansible/playbooks/security.yml similarity index 64% rename from ansible/security.yml rename to ansible/playbooks/security.yml index 0f5357ec..55ecebb8 100644 --- a/ansible/security.yml +++ b/ansible/playbooks/security.yml 
@@ -7,23 +7,23 @@ - name: Setup enable defender hosts: defender_on roles: - - { role: 'settings/windows_defender', tags: 'windows_defender', windows_defender_status: 'on' } + - { role: 'dreadnode.goad.settings_windows_defender', tags: 'windows_defender', windows_defender_status: 'on' } vars: - script_path: "../ad/{{ domain_name }}/scripts" + script_path: "{{ playbook_dir }}/../../ad/{{ domain_name }}/scripts" - name: Setup disable defender hosts: defender_off roles: - - { role: 'settings/windows_defender', tags: 'windows_defender', windows_defender_status: 'off' } + - { role: 'dreadnode.goad.settings_windows_defender', tags: 'windows_defender', windows_defender_status: 'off' } vars: - script_path: "../ad/{{ domain_name }}/scripts" + script_path: "{{ playbook_dir }}/../../ad/{{ domain_name }}/scripts" - name: Setup security with tasks hosts: domain tasks: - name: "Include security role {{ secu }}" ansible.builtin.include_role: - name: "security/{{ secu }}" + name: "dreadnode.goad.security_{{ secu }}" vars: security_vars: "{{ lab.hosts[dict_key].security_vars[secu] | default({}) }}" domain: "{{ lab.hosts[dict_key].domain }}" @@ -37,4 +37,4 @@ - name: Configure DC SACL auditing for attack detection hosts: dc roles: - - { role: 'dc_audit_sacl', tags: 'dc_audit_sacl' } + - { role: 'dreadnode.goad.dc_audit_sacl', tags: 'dc_audit_sacl' } diff --git a/ansible/security_logging.yml b/ansible/playbooks/security_logging.yml similarity index 92% rename from ansible/security_logging.yml rename to ansible/playbooks/security_logging.yml index 76531d70..55af1dad 100644 --- a/ansible/security_logging.yml +++ b/ansible/playbooks/security_logging.yml @@ -20,7 +20,7 @@ hosts: dc gather_facts: true roles: - - role: ldap_diagnostic_logging + - role: dreadnode.goad.ldap_diagnostic_logging tags: - ldap - dc 
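Review bot: `script_path: "{{ playbook_dir }}/../../ad/{{ domain_name }}/scripts"` bakes the source-tree layout (ansible/playbooks next to ad/) into the play, so as far as I can tell it resolves only when the playbooks run from a checkout; once the collection is built and installed, `playbook_dir` points inside the installed collection tree and `../../ad` lands in a sibling directory under the namespace that does not exist. The same expression is introduced in the vulnerabilities.yml hunk of this diff. Making the location overridable, e.g. a new variable with this path as its default such as `script_path: "{{ goad_scripts_path | default(playbook_dir ~ '/../../ad/' ~ domain_name ~ '/scripts') }}"`, lets inventory or extra-vars point at the lab data wherever it lives.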
@@ -34,7 +34,7 @@ SQLSVCACCOUNT: "{{ sql_service_account | default('NT AUTHORITY\\NETWORK SERVICE') }}" SQLSVCPASSWORD: "{{ sql_service_password | default('') }}" roles: - - role: mssql_audit + - role: dreadnode.goad.mssql_audit tags: - mssql - sql diff --git a/ansible/servers.yml b/ansible/playbooks/servers.yml similarity index 86% rename from ansible/servers.yml rename to ansible/playbooks/servers.yml index f1335d95..75811ddd 100644 --- a/ansible/servers.yml +++ b/ansible/playbooks/servers.yml @@ -7,7 +7,7 @@ - name: Install IIS hosts: iis roles: - - { role: 'iis', tags: 'iis'} + - { role: 'dreadnode.goad.iis', tags: 'iis'} - name: Install MSSQL Express hosts: mssql @@ -35,8 +35,8 @@ roles: # mssql role now handles install/config split internally # Installation is skipped if already installed, but config ALWAYS runs - - { role: 'mssql', tags: 'mssql' } - - { role: 'mssql_link', tags: 'mssql, mssql_link'} + - { role: 'dreadnode.goad.mssql', tags: 'mssql' } + - { role: 'dreadnode.goad.mssql_link', tags: 'mssql, mssql_link'} vars: domain: "{{ lab.hosts[dict_key].domain }}" SQLSVCACCOUNT: "NT AUTHORITY\\NETWORK SERVICE" @@ -53,12 +53,12 @@ - name: Install SQL Server Management Studio hosts: mssql_ssms roles: - - { role: 'mssql_ssms', tags: 'mssql_ssms'} + - { role: 'dreadnode.goad.mssql_ssms', tags: 'mssql_ssms'} - name: Install SQL Server reporting hosts: mssql_reporting roles: - - { role: 'mssql_reporting', tags: 'mssql_reporting'} + - { role: 'dreadnode.goad.mssql_reporting', tags: 'mssql_reporting'} vars: domain: "{{ lab.hosts[dict_key].domain }}" domain_admin: "{{ domain }}\\{{ admin_user }}" @@ -67,4 +67,4 @@ - name: Install Webdav hosts: webdav roles: - - { role: 'webdav', tags: 'webdav'} + - { role: 'dreadnode.goad.webdav', tags: 'webdav'} diff --git a/ansible/vulnerabilities.yml b/ansible/playbooks/vulnerabilities.yml similarity index 83% rename from ansible/vulnerabilities.yml rename to ansible/playbooks/vulnerabilities.yml index 25d6e17b..3f858ca9 100644 
--- a/ansible/vulnerabilities.yml +++ b/ansible/playbooks/vulnerabilities.yml @@ -9,7 +9,7 @@ tasks: - name: "Include vulnerability role {{ vuln }}" ansible.builtin.include_role: - name: "vulns/{{ vuln }}" + name: "dreadnode.goad.vulns_{{ vuln }}" vars: vulns_vars: "{{ lab.hosts[dict_key].vulns_vars[vuln] | default({}) }}" domain: "{{ lab.hosts[dict_key].domain }}" @@ -21,8 +21,8 @@ - name: "Include PowerShell script role" ansible.builtin.include_role: - name: "ps" + name: "dreadnode.goad.ps" vars: - script_path: "../ad/{{ domain_name }}/scripts" + script_path: "{{ playbook_dir }}/../../ad/{{ domain_name }}/scripts" ps_script: "{{ script_path }}/{{ item }}" loop: "{{ lab.hosts[dict_key].scripts | default([]) }}" diff --git a/ansible/wait5m.yml b/ansible/playbooks/wait5m.yml similarity index 100% rename from ansible/wait5m.yml rename to ansible/playbooks/wait5m.yml diff --git a/ansible/roles/sccm/config/boundary/library/sccm_boundary.ps1 b/ansible/plugins/modules/sccm_boundary.ps1 similarity index 100% rename from ansible/roles/sccm/config/boundary/library/sccm_boundary.ps1 rename to ansible/plugins/modules/sccm_boundary.ps1 diff --git a/ansible/roles/sccm/config/boundary/library/sccm_boundary_group.ps1 b/ansible/plugins/modules/sccm_boundary_group.ps1 similarity index 100% rename from ansible/roles/sccm/config/boundary/library/sccm_boundary_group.ps1 rename to ansible/plugins/modules/sccm_boundary_group.ps1 diff --git a/ansible/roles/sccm/config/boundary/library/sccm_boundary_to_boundarygroup.ps1 b/ansible/plugins/modules/sccm_boundary_to_boundarygroup.ps1 similarity index 100% rename from ansible/roles/sccm/config/boundary/library/sccm_boundary_to_boundarygroup.ps1 rename to ansible/plugins/modules/sccm_boundary_to_boundarygroup.ps1 diff --git a/ansible/roles/laps/dc/library/win_ad_dacl.ps1 b/ansible/plugins/modules/win_ad_dacl.ps1 similarity index 100% rename from ansible/roles/laps/dc/library/win_ad_dacl.ps1 rename to ansible/plugins/modules/win_ad_dacl.ps1 
diff --git a/ansible/roles/laps/dc/library/win_ad_object.ps1 b/ansible/plugins/modules/win_ad_object.ps1 similarity index 100% rename from ansible/roles/laps/dc/library/win_ad_object.ps1 rename to ansible/plugins/modules/win_ad_object.ps1 diff --git a/ansible/roles/laps/dc/library/win_gpo.ps1 b/ansible/plugins/modules/win_gpo.ps1 similarity index 100% rename from ansible/roles/laps/dc/library/win_gpo.ps1 rename to ansible/plugins/modules/win_gpo.ps1 diff --git a/ansible/roles/laps/dc/library/win_gpo_link.ps1 b/ansible/plugins/modules/win_gpo_link.ps1 similarity index 100% rename from ansible/roles/laps/dc/library/win_gpo_link.ps1 rename to ansible/plugins/modules/win_gpo_link.ps1 diff --git a/ansible/roles/laps/dc/library/win_gpo_reg.ps1 b/ansible/plugins/modules/win_gpo_reg.ps1 similarity index 100% rename from ansible/roles/laps/dc/library/win_gpo_reg.ps1 rename to ansible/plugins/modules/win_gpo_reg.ps1 diff --git a/ansible/requirements.yml b/ansible/requirements.yml index 8d58bee7..81131957 100644 --- a/ansible/requirements.yml +++ b/ansible/requirements.yml @@ -1,12 +1,13 @@ --- collections: - # Install a collection from Ansible Galaxy. - name: ansible.windows - version: 3.5.0 + version: ">=2.5.0" - name: community.general - name: community.windows - version: 3.1.0 + version: ">=2.3.0" - name: chocolatey.chocolatey -# - name: goad.windows -# type: dir -# source: ./collections/goad/windows + version: ">=1.5.3" + - name: microsoft.ad + version: 1.10.0 + - name: amazon.aws + version: 11.2.0 diff --git a/ansible/requirements_311.yml b/ansible/requirements_311.yml index 2f247892..ea3d8fcb 100644 --- a/ansible/requirements_311.yml +++ b/ansible/requirements_311.yml 
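Review bot: The pinning strategy in the requirements.yml hunk is mixed: `ansible.windows` and `community.windows` move from exact pins (3.5.0 and 3.1.0) to open-ended `>=` ranges, `community.general` has no constraint at all, while `microsoft.ad` and `amazon.aws` are pinned exactly. For a file that is presumably what CI and developers install from, floating ranges mean two runs can resolve different collection versions and a new upstream release can change or break the build with no change in this repository. If galaxy.yml is meant to carry the compatibility range (it already does), keep exact pins here, e.g. `version: 3.5.0` for ansible.windows, and bump them deliberately.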
@@ -1,13 +1,22 @@ ---- -collections: - # Install a collection from Ansible Galaxy. - # ansible.windows 2.5.0 and community.windows 2.3.0 need ansible-core >= 2.16 - - name: ansible.windows - version: 2.5.0 - - name: community.general - - name: community.windows - version: 2.3.0 - - name: chocolatey.chocolatey -# - name: goad.windows -# type: dir -# source: ./collections/goad/windows +rich +psutil +Jinja2 +pyyaml +# Ansible +# setuptools for python >= 3.12 +setuptools +ansible_runner +# IMPORTANT: ansible-core >=2.19 breaks Windows module execution over AWS SSM. +# See requirements.txt for full explanation. +# ansible-core 2.17.x is the latest series compatible with the SSM plugin. +ansible-core>=2.17.0,<2.18.0 +pywinrm +# AZURE +azure-identity +azure-mgmt-compute +azure-mgmt-network +# AWS +boto3 +# Proxmox +proxmoxer +requests diff --git a/ansible/roles/acl/README.md b/ansible/roles/acl/README.md new file mode 100644 index 00000000..797e9b4f --- /dev/null +++ b/ansible/roles/acl/README.md @@ -0,0 +1,38 @@ + +# acl + +## Description + +Configure Active Directory ACL permissions on objects + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Set ACL for AD objects** (ansible.windows.win_powershell) +- **Wait for ACL operations to complete** (ansible.builtin.async_status) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - acl +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/acl/meta/main.yml b/ansible/roles/acl/meta/main.yml new file mode 100644 index 00000000..695ff260 --- /dev/null +++ b/ansible/roles/acl/meta/main.yml 
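Review bot: This hunk replaces the YAML collections list in requirements_311.yml with pip requirements content while keeping the `.yml` name, so the file is no longer valid input for `ansible-galaxy collection install -r`, anything still pointing at it as a collections list will break, and editors and linters will parse pip syntax as YAML. Either rename it (a `.txt` name is the pip convention) or, if the per-Python-version collections list is being retired, delete the file rather than repurposing it. Only `ansible-core` carries a version constraint here; everything else (`boto3`, `pywinrm`, `proxmoxer`, and the rest) floats, so the environment this describes is not reproducible and the SSM compatibility claim in the comment cannot be tied to a known set of packages.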
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: acl + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure Active Directory ACL permissions on objects + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - acl + - permissions + - security + +dependencies: [] diff --git a/ansible/roles/ad/README.md b/ansible/roles/ad/README.md new file mode 100644 index 00000000..e4adf4ec --- /dev/null +++ b/ansible/roles/ad/README.md 
@@ -0,0 +1,68 @@
+
+# ad
+
+## Description
+
+Configure Active Directory domain administrator membership and settings
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### groups.yml
+
+- **Create Universal Groups** (ansible.windows.win_powershell) - Conditional
+- **Wait for Universal group creation to complete** (ansible.builtin.async_status) - Conditional
+- **Create Global Groups** (ansible.windows.win_powershell) - Conditional
+- **Wait for Global group creation to complete** (ansible.builtin.async_status) - Conditional
+- **Create DomainLocal Groups** (ansible.windows.win_powershell) - Conditional
+- **Wait for DomainLocal group creation to complete** (ansible.builtin.async_status) - Conditional
+
+### main.yml
+
+- **Ensure Administrator is part of Domain Admins** (ansible.windows.win_powershell)
+- **Organisation units** (ansible.builtin.import_tasks)
+- **Groups** (ansible.builtin.import_tasks)
+- **Users** (ansible.builtin.import_tasks)
+- **Add members to the Domainlocal group, preserving existing membership** (microsoft.ad.group) - Conditional
+- **Add members to the Universal group, preserving existing membership** (microsoft.ad.group) - Conditional
+- **Add members to the Global group, preserving existing membership** (microsoft.ad.group) - Conditional
+- **Assign managed_by domainlocal groups** (ansible.windows.win_powershell) - Conditional
+- **Assign managed_by universal groups** (ansible.windows.win_powershell) - Conditional
+- **Assign managed_by global groups** (ansible.windows.win_powershell) - Conditional
+
+### ou.yml
+
+- **Create OU** (ansible.windows.win_powershell)
+- **Wait for OU creation to complete** (ansible.builtin.async_status) - Conditional
+
+### users.yml
+
+- **Sync the contents of one directory to another - hack to get Requires -Module Ansible.ModuleUtils.Legacy loaded** (community.windows.win_robocopy)
+- **Create users** (ansible.windows.win_powershell)
+- **Wait for user creation to complete** (ansible.builtin.async_status) - Conditional
+- **Set users SPN lists** (ansible.windows.win_powershell) - Conditional
+- **Wait for SPN configuration to complete** (ansible.builtin.async_status) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - ad
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/ad/meta/main.yml b/ansible/roles/ad/meta/main.yml
new file mode 100644
index 00000000..7494811a
--- /dev/null
+++ b/ansible/roles/ad/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: ad
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Configure Active Directory domain administrator membership and settings
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - domain
+ - administration
+
+dependencies: []
diff --git a/ansible/roles/adcs/README.md b/ansible/roles/adcs/README.md
new file mode 100644
index 00000000..612fae88
--- /dev/null
+++ b/ansible/roles/adcs/README.md
@@ -0,0 +1,42 @@
+
+# adcs
+
+## Description
+
+Install and configure Active Directory Certificate Services
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Install ADCS** (ansible.windows.win_feature)
+- **Install-WindowsFeature ADCS-Cert-Authority** (ansible.windows.win_feature)
+- **Install-WindowsFeature ADCS-Web-Enrollment** (ansible.windows.win_feature) - Conditional
+- **Install-ADCSCertificationAuthority-PS** (ansible.windows.win_powershell)
+- **Enable Web enrollement** (ansible.windows.win_powershell) - Conditional
+- **Refresh Group Policy** (ansible.windows.win_shell)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - adcs
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/adcs/meta/main.yml b/ansible/roles/adcs/meta/main.yml
new file mode 100644
index 00000000..79abb643
--- /dev/null
+++ b/ansible/roles/adcs/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ role_name: adcs
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Install and configure Active Directory Certificate Services
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - adcs
+ - certificate
+ - pki
+
+dependencies: []
diff --git a/ansible/roles/adcs_templates/README.md b/ansible/roles/adcs_templates/README.md
new file mode 100644
index 00000000..2cb55266
--- /dev/null
+++ b/ansible/roles/adcs_templates/README.md
@@ -0,0 +1,42 @@
+
+# adcs_templates
+
+## Description
+
+Deploy and configure ADCS certificate templates
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Refresh** (ansible.windows.win_command)
+- **Copy ADCSTemplate zip to remote** (ansible.windows.win_copy)
+- **Extract ADCSTemplate module** (ansible.windows.win_shell)
+- **Create a template directory** (ansible.windows.win_file)
+- **Copy templates json** (ansible.windows.win_copy)
+- **Install templates** (ansible.windows.win_shell)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - adcs_templates
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/adcs_templates/meta/main.yml b/ansible/roles/adcs_templates/meta/main.yml
new file mode 100644
index 00000000..2f142032
--- /dev/null
+++ b/ansible/roles/adcs_templates/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ role_name: adcs_templates
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Deploy and configure ADCS certificate templates
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - adcs
+ - certificate
+ - templates
+
+dependencies: []
diff --git a/ansible/roles/child_domain/README.md b/ansible/roles/child_domain/README.md
new file mode 100644
index 00000000..92486f12
--- /dev/null
+++ b/ansible/roles/child_domain/README.md
@@ -0,0 +1,49 @@
+
+# child_domain
+
+## Description
+
+Promote a Windows server as a child domain controller
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Disable the registration of the NAT interface in DNS** (ansible.windows.win_shell) - Conditional
+- **Set configure DNS to parent domain** (ansible.windows.win_dns_client)
+- **Install windows features - AD Domain Services** (ansible.windows.win_feature)
+- **Install windows features - RSAT-ADDS** (ansible.windows.win_feature)
+- **Add child domain to parent domain** (microsoft.ad.domain_child)
+- **Configure DNS listener addresses** (ansible.windows.win_powershell) - Conditional
+- **Enable TLS 1.2 permanently via registry** (ansible.windows.win_regedit)
+- **Check if xDnsServer exists** (ansible.windows.win_shell)
+- **Install xDnsServer only if needed** (community.windows.win_psmodule) - Conditional
+- **Configure DNS Forwarders** (ansible.windows.win_dsc)
+- **Check if ActiveDirectoryDSC exists** (ansible.windows.win_shell)
+- **Install ActiveDirectoryDSC only if needed** (community.windows.win_psmodule) - Conditional
+- **Enable the Active Directory Web Services** (ansible.windows.win_service)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - child_domain
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/child_domain/meta/main.yml b/ansible/roles/child_domain/meta/main.yml
new file mode 100644
index 00000000..df1ccc9f
--- /dev/null
+++ b/ansible/roles/child_domain/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: child_domain
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Promote a Windows server as a child domain controller
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - domain
+ - child_domain
+
+dependencies: []
diff --git a/ansible/roles/common/README.md b/ansible/roles/common/README.md
new file mode 100644
index 00000000..4aaeba3b
--- /dev/null
+++ b/ansible/roles/common/README.md
@@ -0,0 +1,53 @@
+
+# common
+
+## Description
+
+Apply common Windows configuration settings for domain-joined hosts
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### chocolatey.yml
+
+- **Ensure chocolatey is installed** (chocolatey.chocolatey.win_chocolatey)
+- **Disable enhanced exit codes** (chocolatey.chocolatey.win_chocolatey_feature)
+- **Install multiple packages sequentially** (chocolatey.chocolatey.win_chocolatey)
+
+### main.yml
+
+- **Force a DNS on the adapter {{ nat_adapter }}** (ansible.windows.win_dns_client) - Conditional
+- **Set a proxy for specific protocols** (ansible.windows.win_inet_proxy) - Conditional
+- **Configure IE to use a specific proxy per protocol** (ansible.windows.win_inet_proxy) - Conditional
+- **Upgrade module PowerShellGet to fix accept license issue** (ansible.windows.win_shell)
+- **Check all required modules** (ansible.windows.win_shell)
+- **Install all missing modules in parallel** (community.windows.win_psmodule) - Conditional
+- **Wait for module installations to complete** (ansible.builtin.async_status) - Conditional
+- **Verify DSC LCM is ready** (ansible.windows.win_powershell)
+- **Windows ยฆ Enable Remote Desktop** (ansible.windows.win_dsc)
+- **Firewall ยฆ Allow RDP through Firewall** (ansible.windows.win_dsc)
+- **Add a network static route** (ansible.windows.win_route) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - common
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/common/meta/main.yml b/ansible/roles/common/meta/main.yml
new file mode 100644
index 00000000..02646eb9
--- /dev/null
+++ b/ansible/roles/common/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: common
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Apply common Windows configuration settings for domain-joined hosts
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - configuration
+ - dns
+ - common
+
+dependencies: []
diff --git a/ansible/roles/commonwkstn/README.md b/ansible/roles/commonwkstn/README.md
new file mode 100644
index 00000000..798855fa
--- /dev/null
+++ b/ansible/roles/commonwkstn/README.md
@@ -0,0 +1,41 @@
+
+# commonwkstn
+
+## Description
+
+Apply common configuration for Windows workstations
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Prioritize the domain interface as the default for routing** (ansible.windows.win_shell) - Conditional
+- **Debug the DNS server IP** (ansible.builtin.debug)
+- **Set configure dns to {{ dns_domain }}** (ansible.windows.win_dns_client)
+- **Add workstation to {{ member_domain }}** (microsoft.ad.membership)
+- **Reboot if needed** (ansible.windows.win_reboot) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - commonwkstn
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/commonwkstn/meta/main.yml b/ansible/roles/commonwkstn/meta/main.yml
new file mode 100644
index 00000000..3800d190
--- /dev/null
+++ b/ansible/roles/commonwkstn/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: commonwkstn
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Apply common configuration for Windows workstations
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - workstation
+ - configuration
+ - common
+
+dependencies: []
diff --git a/ansible/roles/dc_audit_sacl/README.md b/ansible/roles/dc_audit_sacl/README.md
new file mode 100644
index 00000000..1e9b3b64
--- /dev/null
+++ b/ansible/roles/dc_audit_sacl/README.md
@@ -0,0 +1,56 @@
+
+# dc_audit_sacl
+
+## Description
+
+Configure SACL auditing on Domain Controllers for attack detection
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+### Default Variables (main.yml)
+
+| Variable | Type | Default | Description |
+| -------- | ---- | ------- | ----------- |
+| `dc_audit_sacl_replication_guids` | list | `[]` | No description |
+| `dc_audit_sacl_replication_guids.0` | dict | `{}` | No description |
+| `dc_audit_sacl_replication_guids.1` | dict | `{}` | No description |
+| `dc_audit_sacl_replication_guids.2` | dict | `{}` | No description |
+| `dc_audit_sacl_principal` | str | `S-1-1-0` | No description |
+| `dc_audit_sacl_flags` | str | `Success` | No description |
+| `dc_audit_sacl_ensure_auditpol` | bool | `True` | No description |
+| `dc_audit_sacl_subcategories` | list | `[]` | No description |
+| `dc_audit_sacl_subcategories.0` | str | `Directory Service Access` | No description |
+| `dc_audit_sacl_subcategories.1` | str | `Directory Service Changes` | No description |
+
+## Tasks
+
+### main.yml
+
+- **Configure auditpol for Directory Service Access** (ansible.windows.win_shell) - Conditional
+- **Get current domain DN** (ansible.windows.win_shell)
+- **Configure SACL for replication GUIDs (DCSync detection)** (ansible.windows.win_shell)
+- **Verify SACL configuration** (ansible.windows.win_shell)
+- **Display verification result** (ansible.builtin.debug)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - dc_audit_sacl
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/dc_audit_sacl/meta/main.yml b/ansible/roles/dc_audit_sacl/meta/main.yml
index ed9ae244..08b1730e 100644
--- a/ansible/roles/dc_audit_sacl/meta/main.yml
+++ b/ansible/roles/dc_audit_sacl/meta/main.yml
@@ -1,18 +1,19 @@
 ---
 galaxy_info:
+ role_name: dc_audit_sacl
+ namespace: dreadnode
 author: Dreadnode
 company: Dreadnode
 description: Configure SACL auditing on Domain Controllers for attack detection
- license: proprietary
- min_ansible_version: "2.14"
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
 platforms:
 - name: Windows
 versions:
- - "2019"
- - "2022"
+ - all
 galaxy_tags:
 - windows
- - activedirectory
+ - active_directory
 - security
 - auditing
 - dcsync
diff --git a/ansible/roles/dc_dns_conditional_forwarder/README.md b/ansible/roles/dc_dns_conditional_forwarder/README.md
new file mode 100644
index 00000000..3ca4752d
--- /dev/null
+++ b/ansible/roles/dc_dns_conditional_forwarder/README.md
@@ -0,0 +1,37 @@
+
+# dc_dns_conditional_forwarder
+
+## Description
+
+Configure DNS conditional forwarders on Domain Controllers
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Add DNS server zone** (ansible.windows.win_dns_zone) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - dc_dns_conditional_forwarder
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/dc_dns_conditional_forwarder/meta/main.yml b/ansible/roles/dc_dns_conditional_forwarder/meta/main.yml
new file mode 100644
index 00000000..c690f76d
--- /dev/null
+++ b/ansible/roles/dc_dns_conditional_forwarder/meta/main.yml
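Review bot: Replacing the explicit `"2019"` and `"2022"` entries under `platforms` with `all` widens the declared support to every Windows release, while nothing in the change indicates the role was validated beyond the two server versions previously listed; the generated README ("Windows: all") then repeats that claim. Keep the tested entries (`- "2019"` / `- "2022"`) or add a comment on `versions:` stating which releases were actually exercised. The same `all` value appears in every new meta/main.yml in this commit, so the choice is presumably deliberate, but the loss of the only tested-platform record in the repository is worth recording.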
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: dc_dns_conditional_forwarder
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Configure DNS conditional forwarders on Domain Controllers
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - dns
+ - domain_controller
+ - forwarder
+
+dependencies: []
diff --git a/ansible/roles/dhcp/README.md b/ansible/roles/dhcp/README.md
new file mode 100644
index 00000000..979deabc
--- /dev/null
+++ b/ansible/roles/dhcp/README.md
@@ -0,0 +1,44 @@
+
+# dhcp
+
+## Description
+
+Install and configure DHCP server on Windows
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Install DHCP** (ansible.windows.win_feature)
+- **Reboot if installing windows feature requires it** (ansible.windows.win_reboot) - Conditional
+- **Allow dhcp in dc** (ansible.windows.win_shell)
+- **Set dhcp scope** (ansible.windows.win_shell)
+- **Get default gateway** (ansible.windows.win_shell)
+- **Set ip_gateway** (ansible.builtin.set_fact)
+- **Add DNS Server and Default Gateway Options in DHCP** (ansible.windows.win_shell)
+- **Restart service DHCP** (ansible.windows.win_service)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - dhcp
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/dhcp/meta/main.yml b/ansible/roles/dhcp/meta/main.yml
new file mode 100644
index 00000000..ad15e9e3
--- /dev/null
+++ b/ansible/roles/dhcp/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ role_name: dhcp
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Install and configure DHCP server on Windows
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - dhcp
+ - networking
+
+dependencies: []
diff --git a/ansible/roles/disable_user/README.md b/ansible/roles/disable_user/README.md
new file mode 100644
index 00000000..135a1492
--- /dev/null
+++ b/ansible/roles/disable_user/README.md
@@ -0,0 +1,37 @@
+
+# disable_user
+
+## Description
+
+Disable an Active Directory user account
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Disable the user {{ username }}** (ansible.windows.win_user)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - disable_user
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/disable_user/meta/main.yml b/ansible/roles/disable_user/meta/main.yml
new file mode 100644
index 00000000..9c11de17
--- /dev/null
+++ b/ansible/roles/disable_user/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ role_name: disable_user
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Disable an Active Directory user account
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - user_management
+
+dependencies: []
diff --git a/ansible/roles/dns_conditional_forwarder/README.md b/ansible/roles/dns_conditional_forwarder/README.md
new file mode 100644
index 00000000..ecd62595
--- /dev/null
+++ b/ansible/roles/dns_conditional_forwarder/README.md
@@ -0,0 +1,37 @@
+
+# dns_conditional_forwarder
+
+## Description
+
+Configure DNS conditional forwarders on member servers
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Add DNS server zone** (ansible.windows.win_dns_zone)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - dns_conditional_forwarder
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/dns_conditional_forwarder/meta/main.yml b/ansible/roles/dns_conditional_forwarder/meta/main.yml
new file mode 100644
index 00000000..677075f8
--- /dev/null
+++ b/ansible/roles/dns_conditional_forwarder/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: dns_conditional_forwarder
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Configure DNS conditional forwarders on member servers
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - dns
+ - forwarder
+ - networking
+
+dependencies: []
diff --git a/ansible/roles/domain_controller/README.md b/ansible/roles/domain_controller/README.md
new file mode 100644
index 00000000..054e2dea
--- /dev/null
+++ b/ansible/roles/domain_controller/README.md
@@ -0,0 +1,60 @@
+
+# domain_controller
+
+## Description
+
+Promote a Windows server as a primary domain controller
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Disable the registration of the NAT interface in DNS** (ansible.windows.win_shell) - Conditional
+- **Ensure that domain exists** (microsoft.ad.domain)
+- **Check if reboot is pending after domain creation** (ansible.windows.win_powershell) - Conditional
+- **Reboot if domain creation requires it** (ansible.windows.win_reboot) - Conditional
+- **Re-attempt domain creation** (microsoft.ad.domain) - Conditional
+- **Reboot after retry if needed** (ansible.windows.win_reboot) - Conditional
+- **Wait for domain to fully initialize** (ansible.windows.win_powershell)
+- **Ensure the server is a domain controller** (microsoft.ad.domain_controller)
+- **Reboot if domain controller promotion requires it** (ansible.windows.win_reboot) - Conditional
+- **Re-attempt domain controller promotion if needed** (microsoft.ad.domain_controller) - Conditional
+- **Reboot after DC promotion retry if needed** (ansible.windows.win_reboot) - Conditional
+- **Check domain controller status** (ansible.windows.win_powershell)
+- **Ensure DNS feature is installed** (ansible.windows.win_feature)
+- **Reboot if DNS feature installation requires it** (ansible.windows.win_reboot) - Conditional
+- **Check if xDnsServer exists** (ansible.windows.win_shell)
+- **Install xDnsServer PowerShell module** (community.windows.win_psmodule) - Conditional
+- **Configure DNS listener addresses** (ansible.windows.win_powershell) - Conditional
+- **Configure DNS Forwarders** (ansible.windows.win_powershell) - Conditional
+- **Check if ActiveDirectoryDSC exists** (ansible.windows.win_shell)
+- **Install ActiveDirectoryDSC only if needed** (community.windows.win_psmodule) - Conditional
+- **Enable the Active Directory Web Services** (ansible.windows.win_service)
+- **Ensure admin groups are properly configured** (block)
+- **Ensure admin user is part of Enterprise Admins** (microsoft.ad.group)
+- **Ensure admin user is part of Domain Admins** (microsoft.ad.group)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - domain_controller
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/domain_controller/meta/main.yml b/ansible/roles/domain_controller/meta/main.yml
new file mode 100644
index 00000000..224900a5
--- /dev/null
+++ b/ansible/roles/domain_controller/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: domain_controller
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Promote a Windows server as a primary domain controller
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - domain_controller
+ - promotion
+
+dependencies: []
diff --git a/ansible/roles/domain_controller_slave/README.md b/ansible/roles/domain_controller_slave/README.md
new file mode 100644
index 00000000..af9c2aaf
--- /dev/null
+++ b/ansible/roles/domain_controller_slave/README.md
@@ -0,0 +1,38 @@
+
+# domain_controller_slave
+
+## Description
+
+Promote a Windows server as a replica domain controller
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Set configure dns** (ansible.windows.win_dns_client)
+- **Promote the server to additional DC** (microsoft.ad.domain_controller)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - domain_controller_slave
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/domain_controller_slave/meta/main.yml b/ansible/roles/domain_controller_slave/meta/main.yml
new file mode 100644
index 00000000..b8a973e1
--- /dev/null
+++ b/ansible/roles/domain_controller_slave/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: domain_controller_slave
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Promote a Windows server as a replica domain controller
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - domain_controller
+ - replication
+
+dependencies: []
diff --git a/ansible/roles/elk/README.md b/ansible/roles/elk/README.md
new file mode 100644
index 00000000..0c9c1fbb
--- /dev/null
+++ b/ansible/roles/elk/README.md
@@ -0,0 +1,61 @@
+
+# elk
+
+## Description
+
+Install and configure the ELK stack for log aggregation
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+### Default Variables (main.yml)
+
+| Variable | Type | Default | Description |
+| -------- | ---- | ------- | ----------- |
+| `elasticsearch_version` | str | `7.x` | No description |
+| `es_cluster_name` | str | `elasticsearch` | No description |
+
+## Tasks
+
+### main.yml
+
+- **Update cache** (ansible.builtin.apt)
+- **Add required dependencies.** (ansible.builtin.apt)
+- **Add Elasticsearch apt key.** (ansible.builtin.apt_key)
+- **Add Elasticsearch repository.** (ansible.builtin.apt_repository)
+- **Install logstash** (ansible.builtin.apt)
+- **Install java** (ansible.builtin.apt)
+- **Install elasticsearch** (ansible.builtin.apt)
+- **Install kibana** (ansible.builtin.apt)
+- **Copy kibana config** (ansible.builtin.copy)
+- **Elasticsearch change start timeout to 3min** (ansible.builtin.lineinfile)
+- **Copy elasticsearch config** (ansible.builtin.copy)
+- **Enable logstash** (ansible.builtin.service)
+- **Enable elasticsearch** (ansible.builtin.service)
+- **Enable kibana** (ansible.builtin.service)
+- **Start logstash** (ansible.builtin.service)
+- **Start elasticsearch** (ansible.builtin.service)
+- **Start kibana** (ansible.builtin.service)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - elk
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Ubuntu: all
+- Debian: all
+
diff --git a/ansible/roles/elk/meta/main.yml b/ansible/roles/elk/meta/main.yml
new file mode 100644
index 00000000..8dc99738
--- /dev/null
+++ b/ansible/roles/elk/meta/main.yml
@@ -0,0 +1,24 @@
+---
+galaxy_info:
+ role_name: elk
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Install and configure the ELK stack for log aggregation
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ galaxy_tags:
+ - linux
+ - elk
+ - elasticsearch
+ - logging
+ - monitoring
+
+dependencies: []
diff --git a/ansible/roles/enable_user/README.md b/ansible/roles/enable_user/README.md
new file mode 100644
index 00000000..72eed867
--- /dev/null
+++ b/ansible/roles/enable_user/README.md
@@ -0,0 +1,37 @@
+
+# enable_user
+
+## Description
+
+Enable a disabled Active Directory user account
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Enable the user {{ username }}** (ansible.windows.win_user)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - enable_user
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/enable_user/meta/main.yml b/ansible/roles/enable_user/meta/main.yml
new file mode 100644
index 00000000..8dd4d206
--- /dev/null
+++ b/ansible/roles/enable_user/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ role_name: enable_user
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Enable a disabled Active Directory user account
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - user_management
+
+dependencies: []
diff --git a/ansible/roles/fix_dns/README.md b/ansible/roles/fix_dns/README.md
new file mode 100644
index 00000000..298f231c
--- /dev/null
+++ b/ansible/roles/fix_dns/README.md
@@ -0,0 +1,41 @@
+
+# fix_dns
+
+## Description
+
+Fix DNS client settings on Windows network adapters
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Change DNS on the adapter {{ nat_adapter }}** (ansible.windows.win_dns_client) - Conditional
+- **Change DNS on the adapter {{ nat_adapter }}** (ansible.windows.win_dns_client) - Conditional
+- **Change DNS on the adapter {{ nat_adapter }}** (ansible.windows.win_dns_client) - Conditional
+- **Change DNS on the adapter {{ nat_adapter }}** (ansible.windows.win_dns_client) - Conditional
+- **Change DNS on the adapter {{ domain_adapter }}** (ansible.windows.win_dns_client) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - fix_dns
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/fix_dns/meta/main.yml b/ansible/roles/fix_dns/meta/main.yml
new file mode 100644
index 00000000..1f979c92
--- /dev/null
+++ b/ansible/roles/fix_dns/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: fix_dns
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Fix DNS client settings on Windows network adapters
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - dns
+ - networking
+ - troubleshooting
+
+dependencies: []
diff --git a/ansible/roles/gmsa/README.md b/ansible/roles/gmsa/README.md
new file mode 100644
index 00000000..0d1adb3c
--- /dev/null
+++ b/ansible/roles/gmsa/README.md
@@ -0,0 +1,37 @@
+
+# gmsa
+
+## Description
+
+Create and configure Group Managed Service Accounts
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Create GMSA Account** (ansible.windows.win_powershell)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - gmsa
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/gmsa/meta/main.yml b/ansible/roles/gmsa/meta/main.yml
new file mode 100644
index 00000000..a1671423
--- /dev/null
+++ b/ansible/roles/gmsa/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: gmsa
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Create and configure Group Managed Service Accounts
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - gmsa
+ - service_accounts
+
+dependencies: []
diff --git a/ansible/roles/gmsa_hosts/README.md b/ansible/roles/gmsa_hosts/README.md
new file mode 100644
index 00000000..92adf1e7
--- /dev/null
+++ b/ansible/roles/gmsa_hosts/README.md
@@ -0,0 +1,38 @@
+
+# gmsa_hosts
+
+## Description
+
+Configure hosts authorized to use Group Managed Service Accounts
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Install-WindowsFeature RSAT-AD-PowerShell** (ansible.windows.win_feature) - Conditional
+- **Install ADServiceAccount** (ansible.windows.win_powershell) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - gmsa_hosts
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/gmsa_hosts/meta/main.yml b/ansible/roles/gmsa_hosts/meta/main.yml
new file mode 100644
index 00000000..a4ab2354
--- /dev/null
+++ b/ansible/roles/gmsa_hosts/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: gmsa_hosts
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Configure hosts authorized to use Group Managed Service Accounts
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - gmsa
+ - service_accounts
+
+dependencies: []
diff --git a/ansible/roles/groups_domains/README.md b/ansible/roles/groups_domains/README.md
new file mode 100644
index 00000000..279ab55d
--- /dev/null
+++ b/ansible/roles/groups_domains/README.md
@@ -0,0 +1,39 @@
+
+# groups_domains
+
+## Description
+
+Create and configure Active Directory groups across domains
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Reboot and wait for the AD system to restart** (ansible.windows.win_reboot)
+- **Synchronize all domains with proper credentials** (ansible.windows.win_powershell)
+- **Add cross-domain users/groups using PowerShell Direct** (ansible.windows.win_powershell) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - groups_domains
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/groups_domains/meta/main.yml b/ansible/roles/groups_domains/meta/main.yml
new file mode 100644
index 00000000..1751e1f9
--- /dev/null
+++ b/ansible/roles/groups_domains/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: groups_domains
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Create and configure Active Directory groups across domains
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - groups
+ - domain
+
+dependencies: []
diff --git a/ansible/roles/iis/README.md b/ansible/roles/iis/README.md
new file mode 100644
index 00000000..6d8afd9b
--- /dev/null
+++ b/ansible/roles/iis/README.md
@@ -0,0 +1,43 @@
+
+# iis
+
+## Description
+
+Install and configure Internet Information Services web server
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Enable update service** (ansible.windows.win_service)
+- **Check if IIS features are already installed** (ansible.windows.win_powershell)
+- **Install all IIS features in single operation** (ansible.windows.win_feature) - Conditional
+- **Add SYSTEM allow rights to machine keys** (ansible.windows.win_acl)
+- **Create IIS directories** (ansible.windows.win_file)
+- **Deploy default website index** (ansible.windows.win_copy)
+- **Reboot if required** (ansible.windows.win_reboot) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - iis
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/iis/meta/main.yml b/ansible/roles/iis/meta/main.yml
new file mode 100644
index 00000000..e3a6ea3e
--- /dev/null
+++ b/ansible/roles/iis/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ role_name: iis
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Install and configure Internet Information Services web server
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - iis
+ - web_server
+
+dependencies: []
diff --git a/ansible/roles/laps_dc/README.md b/ansible/roles/laps_dc/README.md
new file mode 100644
index 00000000..c00ef07c
--- /dev/null
+++ b/ansible/roles/laps_dc/README.md
@@ -0,0 +1,89 @@
+
+# laps_dc
+
+## Description
+
+Install and configure LAPS on Domain Controllers
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+### Default Variables (main.yml)
+
+| Variable | Type | Default | Description |
+| -------- | ---- | ------- | ----------- |
+| `move_computer` | bool | `False` | No description |
+| `prep_servers` | bool | `False` | No description |
+| `apply_dacl` | bool | `False` | No description |
+| `create_gpo` | bool | `False` | No description |
+| `gpo_linked` | bool | `False` | No description |
+| `install_servers` | bool | `False` | No description |
+| `test_deployment` | bool | `False` | No description |
+
+### Role Variables (main.yml)
+
+| Variable | Type | Value | Description |
+| -------- | ---- | ----- | ----------- |
+| `pri_laps_password_policy_complexity` | dict | `{}` | No description |
+| `pri_laps_password_policy_complexity.uppercase` | int | `1` | No description |
+| `pri_laps_password_policy_complexity.uppercase,lowercase` | int | `2` | No description |
+| `pri_laps_password_policy_complexity.uppercase,lowercase,digits` | int | `3` | No description |
+| `pri_laps_password_policy_complexity.uppercase,lowercase,digits,symbols` | int | `4` | No description |
+| `opt_laps_gpo_name` | str | `ansible-laps` | No description |
+| `opt_laps_password_policy_complexity` | str | `uppercase,lowercase,digits,symbols` | No description |
+| `opt_laps_password_policy_length` | int | `14` | No description |
+| `opt_laps_password_policy_age` | int | `30` | No description |
+
+## Tasks
+
+### install.yml
+
+- **Create Laps OU if not exist** (ansible.windows.win_dsc)
+- **Create temp directory for downloads** (ansible.windows.win_file)
+- **Download LAPS installer to domain controller** (ansible.windows.win_get_url)
+- **Install LAPS Package on Servers** (ansible.windows.win_package) - Conditional
+- **Reboot After Installing LAPS on Servers** (ansible.windows.win_reboot) - Conditional
+- **Configure Password
Properties** (dreadnode.goad.win_ad_object)
+- **Configure Password Expiry Time** (dreadnode.goad.win_ad_object)
+- **Add LAPS attributes to the Computer Attribute** (dreadnode.goad.win_ad_object)
+- **Apply DACL to OU Containers** (dreadnode.goad.win_ad_dacl)
+- **Create LAPS GPO** (dreadnode.goad.win_gpo)
+- **Add LAPS extension to GPO** (dreadnode.goad.win_ad_object)
+- **Configure Password Policy Settings on GPO** (dreadnode.goad.win_gpo_reg)
+- **Configure Expiration Protection on GPO** (dreadnode.goad.win_gpo_reg)
+- **Remove Configuration for Expiration Protection on GPO** (dreadnode.goad.win_gpo_reg)
+- **Configure Custom Admin Username Policy on GPO** (dreadnode.goad.win_gpo_reg)
+- **Enable the GPO** (dreadnode.goad.win_gpo_reg)
+- **Create Comment File for GPO** (ansible.windows.win_copy)
+- **Ensure GPO is Linked** (dreadnode.goad.win_gpo_link)
+
+### main.yml
+
+- **Laps dc install** (ansible.builtin.import_tasks) - Conditional
+- **Move to laps ou** (ansible.builtin.import_tasks) - Conditional
+
+### move_server_to_ou.yml
+
+- **Move server to Laps OU** (ansible.windows.win_shell) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - laps_dc
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/laps/dc/defaults/main.yml b/ansible/roles/laps_dc/defaults/main.yml
similarity index 100%
rename from ansible/roles/laps/dc/defaults/main.yml
rename to ansible/roles/laps_dc/defaults/main.yml
diff --git a/ansible/roles/laps/dc/files/comment.cmtx b/ansible/roles/laps_dc/files/comment.cmtx
similarity index 100%
rename from ansible/roles/laps/dc/files/comment.cmtx
rename to ansible/roles/laps_dc/files/comment.cmtx
diff --git a/ansible/roles/laps_dc/meta/main.yml b/ansible/roles/laps_dc/meta/main.yml
new file mode 100644
index 00000000..aa47f507
--- /dev/null
+++ b/ansible/roles/laps_dc/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ role_name: laps_dc
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Install and configure LAPS on Domain Controllers
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - laps
+ - security
+ - passwords
+
+dependencies: []
diff --git a/ansible/roles/laps/dc/tasks/install.yml b/ansible/roles/laps_dc/tasks/install.yml
similarity index 94%
rename from ansible/roles/laps/dc/tasks/install.yml
rename to ansible/roles/laps_dc/tasks/install.yml
index d30de3c6..a430760a 100644
--- a/ansible/roles/laps/dc/tasks/install.yml
+++ b/ansible/roles/laps_dc/tasks/install.yml
@@ -38,7 +38,7 @@ when: pri_laps_install.reboot_required - name: Configure Password Properties - win_ad_object: + dreadnode.goad.win_ad_object: name: ms-Mcs-AdmPwd attributes: adminDescription: LAPS Password Attribute
@@ -70,7 +70,7 @@ - "'already exists' not in passwordprop.msg | default('')" - name: Configure Password Expiry Time - win_ad_object: + dreadnode.goad.win_ad_object: name: ms-Mcs-AdmPwdExpirationTime attributes: adminDescription: LAPS Password Expiration Time Attribute
@@ -100,7 +100,7 @@ - "'already exists' not in password_expire_time.msg | default('')" - name: Add LAPS attributes to the Computer Attribute - win_ad_object: + dreadnode.goad.win_ad_object: name: Computer may_contain: - ms-Mcs-AdmPwd
@@ -117,7 +117,7 @@ ansible_become_user: SYSTEM - name: Apply DACL to OU Containers - win_ad_dacl: + dreadnode.goad.win_ad_dacl: path: "{{ laps_path }}" state: present aces:
@@ -137,14 +137,14 @@ account: S-1-5-10 - name: Create LAPS GPO - win_gpo: + dreadnode.goad.win_gpo: name: "{{ opt_laps_gpo_name }}" description: Setup by Ansible for LAPS state: present register: pri_laps_gpo - name: Add LAPS extension to GPO - win_ad_object: + dreadnode.goad.win_ad_object: name: "{{ pri_laps_gpo.path }}" attributes: # [Registry:Admin Tool][AdmPwd:Admin Tool] @@ -152,7 +152,7 @@ [{D76B9641-3288-4F75-942D-087DE603E3EA}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]" - name: Configure Password Policy Settings on GPO - win_gpo_reg: + dreadnode.goad.win_gpo_reg: gpo: "{{ opt_laps_gpo_name }}" name: "{{ item.name }}" path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' @@ -168,7 +168,7 @@ value: 30 - name: Configure Expiration Protection on GPO - win_gpo_reg: + dreadnode.goad.win_gpo_reg: gpo: "{{ opt_laps_gpo_name }}" name: PwdExpirationProtectionEnabled path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' @@ -177,14 +177,14 @@ value: 1 - name: Remove Configuration for Expiration Protection on GPO - win_gpo_reg: + dreadnode.goad.win_gpo_reg: gpo: "{{ opt_laps_gpo_name }}" name: PwdExpirationProtectionEnabled path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' state: absent - name: Configure Custom Admin Username Policy on GPO - win_gpo_reg: + dreadnode.goad.win_gpo_reg: gpo: "{{ opt_laps_gpo_name }}" name: AdminAccountName path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' @@ -192,7 +192,7 @@ type: string - name: Enable the GPO - win_gpo_reg: + dreadnode.goad.win_gpo_reg: gpo: "{{ opt_laps_gpo_name }}" name: AdmPwdEnabled path: 'HKLM\Software\Policies\Microsoft Services\AdmPwd' @@ -206,7 +206,7 @@ dest: C:\Windows\SYSVOL\domain\Policies\{{ '{' }}{{ pri_laps_gpo.id }}{{ '}' }}\Machine\comment.cmtx - name: Ensure GPO is Linked - win_gpo_link: + dreadnode.goad.win_gpo_link: name: "{{ opt_laps_gpo_name }}" target: "{{ laps_path }}" state: present 
diff --git a/ansible/roles/laps/dc/tasks/main.yml b/ansible/roles/laps_dc/tasks/main.yml
similarity index 100%
rename from ansible/roles/laps/dc/tasks/main.yml
rename to ansible/roles/laps_dc/tasks/main.yml
diff --git a/ansible/roles/laps/dc/tasks/move_server_to_ou.yml b/ansible/roles/laps_dc/tasks/move_server_to_ou.yml
similarity index 100%
rename from ansible/roles/laps/dc/tasks/move_server_to_ou.yml
rename to ansible/roles/laps_dc/tasks/move_server_to_ou.yml
diff --git a/ansible/roles/laps/dc/vars/main.yml b/ansible/roles/laps_dc/vars/main.yml
similarity index 100%
rename from ansible/roles/laps/dc/vars/main.yml
rename to ansible/roles/laps_dc/vars/main.yml
diff --git a/ansible/roles/laps_permissions/README.md b/ansible/roles/laps_permissions/README.md
new file mode 100644
index 00000000..4f532662
--- /dev/null
+++ b/ansible/roles/laps_permissions/README.md
@@ -0,0 +1,41 @@
+
+# laps_permissions
+
+## Description
+
+Configure LAPS permissions for OU-level password access
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Ensure AdmPwd.PS module is imported** (ansible.windows.win_shell)
+- **Verify LAPS schema attributes exist** (ansible.windows.win_shell)
+- **Update LAPS schema if attributes not found** (ansible.windows.win_shell) - Conditional
+- **Verify LAPS OU exists** (ansible.windows.win_shell)
+- **Add user or group permission to read Laps** (ansible.windows.win_powershell) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - laps_permissions
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/laps_permissions/meta/main.yml b/ansible/roles/laps_permissions/meta/main.yml
new file mode 100644
index 00000000..820b4806
--- /dev/null
+++ b/ansible/roles/laps_permissions/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ role_name: laps_permissions
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Configure LAPS permissions for OU-level password access
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - laps
+ - security
+ - permissions
+
+dependencies: []
diff --git a/ansible/roles/laps/permissions/tasks/main.yml b/ansible/roles/laps_permissions/tasks/main.yml
similarity index 100%
rename from ansible/roles/laps/permissions/tasks/main.yml
rename to ansible/roles/laps_permissions/tasks/main.yml
diff --git a/ansible/roles/laps_server/README.md b/ansible/roles/laps_server/README.md
new file mode 100644
index 00000000..37dfbe64
--- /dev/null
+++ b/ansible/roles/laps_server/README.md
@@ -0,0 +1,45 @@
+
+# laps_server
+
+## Description
+
+Install LAPS client on member servers
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### install.yml
+
+- **Create temporary directory for downloads** (ansible.windows.win_file)
+- **Download LAPS Package** (ansible.windows.win_get_url)
+- **Install to Servers** (ansible.windows.win_package)
+- **Reboot after installing LAPS (if required)** (ansible.windows.win_reboot) - Conditional
+- **Refresh GPO on the Clients** (ansible.windows.win_shell)
+
+### main.yml
+
+- **Laps server install** (ansible.builtin.import_tasks) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - laps_server
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/laps_server/meta/main.yml b/ansible/roles/laps_server/meta/main.yml
new file mode 100644
index 00000000..8fc72a11
--- /dev/null
+++ b/ansible/roles/laps_server/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: laps_server
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Install LAPS client on member servers
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - laps
+ - security
+ - passwords
+
+dependencies: []
diff --git a/ansible/roles/laps/server/tasks/install.yml b/ansible/roles/laps_server/tasks/install.yml
similarity index 100%
rename from ansible/roles/laps/server/tasks/install.yml
rename to ansible/roles/laps_server/tasks/install.yml
diff --git a/ansible/roles/laps/server/tasks/main.yml b/ansible/roles/laps_server/tasks/main.yml
similarity index 100%
rename from ansible/roles/laps/server/tasks/main.yml
rename to ansible/roles/laps_server/tasks/main.yml
diff --git a/ansible/roles/laps_verify/README.md b/ansible/roles/laps_verify/README.md
new file mode 100644
index 00000000..6bd424f1
--- /dev/null
+++ b/ansible/roles/laps_verify/README.md
@@ -0,0 +1,38 @@
+
+# laps_verify
+
+## Description
+
+Verify LAPS password retrieval is working correctly
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Retrieve LAPS Password on server** (ansible.windows.win_shell) - Conditional
+- **Show new laps password** (ansible.builtin.debug) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - laps_verify
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/laps_verify/meta/main.yml b/ansible/roles/laps_verify/meta/main.yml
new file mode 100644
index 00000000..75c75465
--- /dev/null
+++ b/ansible/roles/laps_verify/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: laps_verify
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Verify LAPS password retrieval is working correctly
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - laps
+ - security
+ - validation
+
+dependencies: []
diff --git a/ansible/roles/laps/verify/tasks/main.yml b/ansible/roles/laps_verify/tasks/main.yml
similarity index 100%
rename from ansible/roles/laps/verify/tasks/main.yml
rename to ansible/roles/laps_verify/tasks/main.yml
diff --git a/ansible/roles/ldap_diagnostic_logging/README.md b/ansible/roles/ldap_diagnostic_logging/README.md
new file mode 100644
index 00000000..0f67b8e6
--- /dev/null
+++ b/ansible/roles/ldap_diagnostic_logging/README.md
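Review bot: The `description` in this laps_verify meta hunk does not say that the role echoes the retrieved LAPS password into the play output, which is the one thing a consumer of a role tagged `security` needs to know before wiring it into a pipeline whose logs are retained. Going by the laps_verify README added alongside it, main.yml ends with a `Show new laps password` task on `ansible.builtin.debug`; the tasks file itself is a 100% rename in this PR, so I cannot confirm from here whether that task is guarded by `no_log` or a lab-only flag. Suggest `description: Verify LAPS password retrieval is working correctly (prints the retrieved password to the play output; lab use only)` so the warning travels with the galaxy metadata, and a one-line note to the same effect in the README's Description section.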
@@ -0,0 +1,60 @@
+
+# ldap_diagnostic_logging
+
+## Description
+
+Configure LDAP diagnostic logging on Domain Controllers for security monitoring
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+### Default Variables (main.yml)
+
+| Variable | Type | Default | Description |
+| -------- | ---- | ------- | ----------- |
+| `ldap_interface_events_level` | int | `2` | No description |
+| `field_engineering_level` | int | `5` | No description |
+| `ldap_expensive_search_threshold` | int | `1` | No description |
+| `ldap_inefficient_search_threshold` | int | `1` | No description |
+| `ldap_search_time_threshold` | int | `100` | No description |
+| `directory_service_log_max_size_kb` | int | `102400` | No description |
+| `ldap_enable_all_diagnostics` | bool | `True` | No description |
+
+## Tasks
+
+### main.yml
+
+- **Enable LDAP Interface Events logging (16 LDAP Interface Events)** (ansible.windows.win_regedit)
+- **Enable Field Engineering diagnostics (for Event ID 1644)** (ansible.windows.win_regedit)
+- **Set Expensive Search Results Threshold** (ansible.windows.win_regedit)
+- **Set Inefficient Search Results Threshold** (ansible.windows.win_regedit)
+- **Set Search Time Threshold** (ansible.windows.win_regedit)
+- **Enable additional NTDS diagnostics** (ansible.windows.win_regedit) - Conditional
+- **Set Directory Service event log maximum size** (ansible.windows.win_shell)
+- **Enable Directory Service Access auditing via auditpol** (ansible.windows.win_shell)
+- **Create custom event source for LDAP security events** (ansible.windows.win_shell)
+- **Ensure Scripts directory exists** (ansible.windows.win_file)
+- **Create LDAP monitoring script** (ansible.windows.win_copy)
+- **Create scheduled task to monitor LDAP queries** (community.windows.win_scheduled_task)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - ldap_diagnostic_logging
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**:
GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/ldap_diagnostic_logging/meta/main.yml b/ansible/roles/ldap_diagnostic_logging/meta/main.yml
index ff36d8d6..6eaacea1 100644
--- a/ansible/roles/ldap_diagnostic_logging/meta/main.yml
+++ b/ansible/roles/ldap_diagnostic_logging/meta/main.yml
@@ -1,22 +1,22 @@ --- galaxy_info: + role_name: ldap_diagnostic_logging + namespace: dreadnode author: Dreadnode + company: Dreadnode description: Configure LDAP diagnostic logging on Domain Controllers for security monitoring - license: MIT + license: GPL-3.0-or-later min_ansible_version: "2.15" - platforms: - name: Windows versions: - - "2019" - - "2022" - + - all galaxy_tags: + - windows - ldap - active_directory - audit - security - - windows - domain_controller dependencies: []
diff --git a/ansible/roles/localusers/README.md b/ansible/roles/localusers/README.md
new file mode 100644
index 00000000..d94403cd
--- /dev/null
+++ b/ansible/roles/localusers/README.md
@@ -0,0 +1,37 @@
+
+# localusers
+
+## Description
+
+Create and manage local Windows user accounts
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Create local users** (ansible.windows.win_user)
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - localusers
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/localusers/meta/main.yml b/ansible/roles/localusers/meta/main.yml
new file mode 100644
index 00000000..65720e77
--- /dev/null
+++ b/ansible/roles/localusers/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ role_name: localusers
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Create and manage local Windows user accounts
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - user_management
+ - local_accounts
+
+dependencies: []
diff --git a/ansible/roles/logs_windows/README.md b/ansible/roles/logs_windows/README.md
new file mode 100644
index 00000000..3a3ac7e5
--- /dev/null
+++ b/ansible/roles/logs_windows/README.md
@@ -0,0 +1,77 @@
+
+# logs_windows
+
+## Description
+
+Install and configure Winlogbeat for Windows event log shipping
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+### Default Variables (main.yml)
+
+| Variable | Type | Default | Description |
+| -------- | ---- | ------- | ----------- |
+| `sysmon_download_url_base` | str | `https://download.sysinternals.com/files` | No description |
+| `sysmon_install_location` | str | `C:\sysmon` | No description |
+| `sysmon_download_file` | str | `Sysmon` | No description |
+| `file_ext` | str | `.zip` | No description |
+| `sysmon_config_url` | str | `https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml` | No description |
+| `winlogbeat_service` | dict | `{}` | No description |
+| `winlogbeat_service.install_path_64` | str | `C:\Program Files\Elastic\winlogbeat` | No description |
+| `winlogbeat_service.install_path_32` | str | `C:\Program Files (x86)\Elastic\winlogbeat` | No description |
+| `winlogbeat_service.version` | str | `7.17.6` | No description |
+| `winlogbeat_service.download` | bool | `True` | No description |
+
+## Tasks
+
+### main.yml
+
+- **Install winlogbeat** (ansible.builtin.import_tasks)
+- **Set winlogbeat config file** (ansible.windows.win_copy)
+- **Create directory** (ansible.windows.win_file)
+- **Get sysmon zip** (ansible.windows.win_copy)
+- **Unzip sysmon** (community.windows.win_unzip)
+- **Copy sysmon config** (ansible.windows.win_copy)
+- **Check sysmon service** (ansible.windows.win_service)
+- **Run sysmon** (ansible.windows.win_command) - Conditional
+- **Check winlogbeat service** (ansible.windows.win_service)
+- **Reboot before launch setup** (ansible.windows.win_reboot) - Conditional
+- **Run winlogbeat setup** (ansible.windows.win_command) - Conditional
+- **Check winlogbeat service** (ansible.windows.win_service) - Conditional
+
+### winlogbeat.yml
+
+- **Create 64-bit install directory** (ansible.windows.win_file)
+-
**Check if winlogbeat service is installed** (ansible.windows.win_service)
+- **Check if winlogbeat is using current version** (ansible.windows.win_stat)
+- **Copy winlogbeat uninstall script** (ansible.windows.win_copy) - Conditional
+- **Uninstall winlogbeat** (ansible.windows.win_shell) - Conditional
+- **Download winlogbeat** (ansible.windows.win_get_url) - Conditional
+- **Copy winlogbeat** (ansible.windows.win_copy) - Conditional
+- **Unzip winlogbeat** (community.windows.win_unzip) - Conditional
+- **Configure winlogbeat** (ansible.windows.win_template)
+- **Install winlogbeat** (ansible.windows.win_shell) - Conditional
+- **Remove other winlogbeat installations** (ansible.windows.win_shell) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - logs_windows
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/logs_windows/meta/main.yml b/ansible/roles/logs_windows/meta/main.yml
new file mode 100644
index 00000000..5b00c9f6
--- /dev/null
+++ b/ansible/roles/logs_windows/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ role_name: logs_windows
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Install and configure Winlogbeat for Windows event log shipping
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - logging
+ - winlogbeat
+ - monitoring
+ - elk
+
+dependencies: []
diff --git a/ansible/roles/member_server/README.md b/ansible/roles/member_server/README.md
new file mode 100644
index 00000000..d4adcc1a
--- /dev/null
+++ b/ansible/roles/member_server/README.md
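Review bot: The `description` and `galaxy_tags` in the logs_windows meta hunk cover only Winlogbeat, but the README added with it lists tasks that copy, unzip and start Sysmon, with the SwiftOnSecurity ruleset as the default `sysmon_config_url`; installing a kernel-level telemetry driver is a bigger footprint on a host than a log shipper and should be discoverable from the role metadata. Suggest `description: Install and configure Sysmon and Winlogbeat for Windows event log shipping` and an added `- sysmon` tag. defaults/main.yml is not in this diff, so the Sysmon defaults are taken from the README's table rather than verified against the role itself.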
@@ -0,0 +1,41 @@
+
+# member_server
+
+## Description
+
+Join a Windows server to an Active Directory domain
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Prioritize the domain interface as the default for routing** (ansible.windows.win_shell) - Conditional
+- **Set configure DNS to domain controller** (ansible.windows.win_dns_client)
+- **Verify File Server Role is installed** (ansible.windows.win_feature)
+- **Add member server** (microsoft.ad.membership)
+- **Reboot if needed** (ansible.windows.win_reboot) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - member_server
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/member_server/meta/main.yml b/ansible/roles/member_server/meta/main.yml
new file mode 100644
index 00000000..a6cf261e
--- /dev/null
+++ b/ansible/roles/member_server/meta/main.yml
@@ -0,0 +1,20 @@
+---
+galaxy_info:
+ role_name: member_server
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Join a Windows server to an Active Directory domain
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - domain_join
+ - member_server
+
+dependencies: []
diff --git a/ansible/roles/move_to_ou/README.md b/ansible/roles/move_to_ou/README.md
new file mode 100644
index 00000000..217493bb
--- /dev/null
+++ b/ansible/roles/move_to_ou/README.md
@@ -0,0 +1,37 @@
+
+# move_to_ou
+
+## Description
+
+Move computer objects to specified Organizational Units
+
+## Requirements
+
+- Ansible >= 2.15
+
+## Role Variables
+
+## Tasks
+
+### main.yml
+
+- **Move computer to OU** (ansible.windows.win_powershell) - Conditional
+
+## Example Playbook
+
+```yaml
+- hosts: servers
+ roles:
+ - move_to_ou
+```
+
+## Author Information
+
+- **Author**: Dreadnode
+- **Company**: Dreadnode
+- **License**: GPL-3.0-or-later
+
+## Platforms
+
+- Windows: all
+
diff --git a/ansible/roles/move_to_ou/meta/main.yml b/ansible/roles/move_to_ou/meta/main.yml
new file mode 100644
index 00000000..ae8b4270
--- /dev/null
+++ b/ansible/roles/move_to_ou/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+ role_name: move_to_ou
+ namespace: dreadnode
+ author: Dreadnode
+ company: Dreadnode
+ description: Move computer objects to specified Organizational Units
+ license: GPL-3.0-or-later
+ min_ansible_version: "2.15"
+ platforms:
+ - name: Windows
+ versions:
+ - all
+ galaxy_tags:
+ - windows
+ - active_directory
+ - organizational_unit
+
+dependencies: []
diff --git a/ansible/roles/mssql/README.md b/ansible/roles/mssql/README.md
new file mode 100644
index 00000000..a1c1d869
--- /dev/null
+++ b/ansible/roles/mssql/README.md
@@ -0,0 +1,92 @@ + +# mssql + +## Description + +Install and configure Microsoft SQL Server Express + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +### Default Variables (main.yml) + +| Variable | Type | Default | Description | +| -------- | ---- | ------- | ----------- | +| `sql_instance_name` | str | `SQLEXPRESS` | No description | +| `sql_version` | str | `MSSQL_2019` | No description | +| `download_url_2019` | str | `https://download.microsoft.com/download/7/f/8/7f8a9c43-8c8a-4f7c-9f92-83c18d96b681/SQL2019-SSEI-Expr.exe` | No description | +| `download_url_2022` | str | `https://download.microsoft.com/download/5/1/4/5145fe04-4d30-4b85-b0d1-39533663a2f1/SQL2022-SSEI-Expr.exe` | No description | +| `connection_type_2019` | str | `-E` | No description | +| `connection_type_2022` | str | `-S 127.0.0.1,1433` | No description | + +## Tasks + +### config.yml + +- **Add MSSQL admin** (ansible.windows.win_shell) +- **Log MSSQL admin errors** (ansible.builtin.debug) - Conditional +- **Add IMPERSONATE on login** (ansible.windows.win_shell) +- **Log IMPERSONATE login errors** (ansible.builtin.debug) - Conditional +- **Add IMPERSONATE on user** (ansible.windows.win_shell) +- **Log IMPERSONATE user errors** (ansible.builtin.debug) - Conditional +- **Enable sa account** (ansible.windows.win_shell) +- **Log sa account errors** (ansible.builtin.debug) - Conditional +- **Enable MSSQL authentication and windows authent** (ansible.windows.win_shell) +- **Restart service MSSQL** (ansible.windows.win_service) - Conditional + +### install.yml + +- **Check if reboot is pending before install** (ansible.windows.win_shell) +- **Reboot before install if pending (long timeout in case of update)** (ansible.windows.win_reboot) - Conditional +- **Create SQL Server installation directories** (ansible.windows.win_file) +- **Create and load user profile** (ansible.windows.win_shell) +- **Create SQL Server configuration file** (ansible.windows.win_template) +- **Check if 
installation media already exists** (ansible.windows.win_stat) +- **Download SQL Server installation media** (ansible.windows.win_get_url) - Conditional +- **Add service account to Log on as a service** (ansible.windows.win_user_right) - Conditional +- **Check if SQL Express media file exists** (ansible.windows.win_stat) +- **Run the installer to download SQL Express installation files** (ansible.windows.win_command) - Conditional +- **Check if MSSQL is installed via registry** (ansible.windows.win_reg_stat) +- **Extract SQL Server installation files** (ansible.windows.win_command) - Conditional +- **Check for lingering SQL Server setup processes** (ansible.windows.win_powershell) - Conditional +- **Install SQL Server** (ansible.windows.win_command) - Conditional +- **Add or update registry for ip port (2022)** (ansible.windows.win_regedit) - Conditional +- **Add or update registry for ip port (2019)** (ansible.windows.win_regedit) - Conditional +- **Reboot if registry was changed** (ansible.windows.win_reboot) - Conditional +- **Firewall ยฆ Allow MSSQL through Firewall** (ansible.windows.win_dsc) +- **Firewall ยฆ Allow MSSQL discover through Firewall** (ansible.windows.win_dsc) +- **Be sure service is started** (ansible.windows.win_service) +- **Wait for port 1433 to become open on the host, start checking every 5 seconds** (ansible.windows.win_wait_for) + +### main.yml + +- **Set variables** (ansible.builtin.set_fact) +- **Set service name** (ansible.builtin.set_fact) +- **Display mssql variables in use** (ansible.builtin.debug) +- **Check if SQL Server service exists** (ansible.windows.win_service) +- **Run MSSQL installation tasks** (ansible.builtin.include_tasks) - Conditional +- **Ensure MSSQL service is started** (ansible.windows.win_service) - Conditional +- **Wait for port 1433 to become open** (ansible.windows.win_wait_for) +- **Run MSSQL configuration tasks** (ansible.builtin.include_tasks) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - 
mssql +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/mssql/meta/main.yml b/ansible/roles/mssql/meta/main.yml new file mode 100644 index 00000000..bbafaf60 --- /dev/null +++ b/ansible/roles/mssql/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: mssql + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install and configure Microsoft SQL Server Express + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - mssql + - database + - sql_server + +dependencies: [] diff --git a/ansible/roles/mssql_audit/README.md b/ansible/roles/mssql_audit/README.md new file mode 100644 index 00000000..53c11216 --- /dev/null +++ b/ansible/roles/mssql_audit/README.md 
@@ -0,0 +1,60 @@ + +# mssql_audit + +## Description + +Configure SQL Server auditing for security monitoring + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +### Default Variables (main.yml) + +| Variable | Type | Default | Description | +| -------- | ---- | ------- | ----------- | +| `mssql_audit_name` | str | `GOAD_SecurityAudit` | No description | +| `mssql_audit_spec_name` | str | `GOAD_AuditSpec` | No description | +| `mssql_audit_file_path` | str | `C:\SQLAudit` | No description | +| `mssql_audit_max_file_size` | int | `100` | No description | +| `mssql_audit_max_rollover_files` | int | `10` | No description | +| `mssql_audit_destination` | str | `APPLICATION_LOG` | No description | +| `mssql_enable_xevents` | bool | `True` | No description | +| `mssql_xevents_session_name` | str | `GOAD_SecurityMonitoring` | No description | +| `mssql_xevents_file_path` | str | `C:\SQLAudit\xevents` | No description | + +## Tasks + +### main.yml + +- **Set MSSQL connection string** (ansible.builtin.set_fact) +- **Create audit directory** (ansible.windows.win_file) +- **Create XEvents directory** (ansible.windows.win_file) - Conditional +- **Enable SQL Server login auditing (all successful and failed logins)** (ansible.windows.win_shell) +- **Create Extended Events session for security monitoring** (ansible.windows.win_shell) - Conditional +- **Start Extended Events session** (ansible.windows.win_shell) - Conditional +- **Create MSSQL SecurityAudit event source** (ansible.windows.win_shell) +- **Create XEvents export script** (ansible.windows.win_copy) - Conditional +- **Create scheduled task to export XEvents to Event Log** (community.windows.win_scheduled_task) - Conditional +- **Restart MSSQL service to apply login audit setting** (ansible.windows.win_service) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - mssql_audit +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## 
Platforms + +- Windows: all + diff --git a/ansible/roles/mssql_audit/meta/main.yml b/ansible/roles/mssql_audit/meta/main.yml index de6c02d7..5ee36d79 100644 --- a/ansible/roles/mssql_audit/meta/main.yml +++ b/ansible/roles/mssql_audit/meta/main.yml @@ -1,20 +1,20 @@ --- galaxy_info: + role_name: mssql_audit + namespace: dreadnode author: Dreadnode + company: Dreadnode description: Configure SQL Server auditing for security monitoring - license: MIT + license: GPL-3.0-or-later min_ansible_version: "2.15" - platforms: - name: Windows versions: - - "2019" - - "2022" - + - all galaxy_tags: + - windows - mssql - audit - security - - windows dependencies: [] diff --git a/ansible/roles/mssql_link/README.md b/ansible/roles/mssql_link/README.md new file mode 100644 index 00000000..ab57619e --- /dev/null +++ b/ansible/roles/mssql_link/README.md @@ -0,0 +1,45 @@ + +# mssql_link + +## Description + +Configure linked servers between SQL Server instances + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### logins.yml + +- **Ensure SQL Server is in multi-user mode before creating logins** (ansible.windows.win_powershell) +- **Configure logins mapping to specific users** (ansible.windows.win_powershell) + +### main.yml + +- **Set SqlCmd path** (ansible.windows.win_shell) +- **Create SQL Linked server and enable RPC** (ansible.windows.win_powershell) +- **Create logins** (ansible.builtin.include_tasks) +- **Default login impersonation** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - mssql_link +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/mssql_link/meta/main.yml b/ansible/roles/mssql_link/meta/main.yml new file mode 100644 index 00000000..05a67084 --- /dev/null +++ b/ansible/roles/mssql_link/meta/main.yml 
@@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: mssql_link + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure linked servers between SQL Server instances + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - mssql + - linked_server + - database + +dependencies: [] diff --git a/ansible/roles/mssql_reporting/README.md b/ansible/roles/mssql_reporting/README.md new file mode 100644 index 00000000..3848f446 --- /dev/null +++ b/ansible/roles/mssql_reporting/README.md @@ -0,0 +1,41 @@ + +# mssql_reporting + +## Description + +Install SQL Server Reporting Services + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create directory to store the install files** (ansible.windows.win_file) +- **Create directory to store the install files** (ansible.windows.win_file) +- **Reporting Services 2022 exists** (ansible.windows.win_stat) +- **Download SQL Server 2022 Reporting Services** (ansible.windows.win_get_url) - Conditional +- **Install SQL Server 2022 Reporting Services** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - mssql_reporting +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/mssql_reporting/meta/main.yml b/ansible/roles/mssql_reporting/meta/main.yml new file mode 100644 index 00000000..7e841963 --- /dev/null +++ b/ansible/roles/mssql_reporting/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: mssql_reporting + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install SQL Server Reporting Services + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - mssql + - reporting + - ssrs + +dependencies: [] 
diff --git a/ansible/roles/mssql_ssms/README.md b/ansible/roles/mssql_ssms/README.md new file mode 100644 index 00000000..8c9415e9 --- /dev/null +++ b/ansible/roles/mssql_ssms/README.md @@ -0,0 +1,43 @@ + +# mssql_ssms + +## Description + +Install SQL Server Management Studio + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Check if reboot is pending before SSMS install** (ansible.windows.win_powershell) +- **Reboot before SSMS install if pending** (ansible.windows.win_reboot) - Conditional +- **Check SQL Server Manager Studio installer exists** (ansible.windows.win_stat) +- **Get the installer** (ansible.windows.win_get_url) - Conditional +- **Check SSMS installation already done** (ansible.windows.win_powershell) +- **Install SSMS** (ansible.windows.win_command) - Conditional +- **Reboot after install** (ansible.windows.win_reboot) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - mssql_ssms +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/mssql_ssms/meta/main.yml b/ansible/roles/mssql_ssms/meta/main.yml new file mode 100644 index 00000000..1a9486af --- /dev/null +++ b/ansible/roles/mssql_ssms/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: mssql_ssms + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install SQL Server Management Studio + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - mssql + - ssms + - management + +dependencies: [] diff --git a/ansible/roles/onlyusers/README.md b/ansible/roles/onlyusers/README.md new file mode 100644 index 00000000..5a3ae797 --- /dev/null +++ b/ansible/roles/onlyusers/README.md 
@@ -0,0 +1,37 @@ + +# onlyusers + +## Description + +Create Active Directory user accounts with attributes + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create users** (microsoft.ad.user) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - onlyusers +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/onlyusers/meta/main.yml b/ansible/roles/onlyusers/meta/main.yml new file mode 100644 index 00000000..d22b9454 --- /dev/null +++ b/ansible/roles/onlyusers/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: onlyusers + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Create Active Directory user accounts with attributes + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - user_management + +dependencies: [] diff --git a/ansible/roles/onlyusers/tasks/main.yml b/ansible/roles/onlyusers/tasks/main.yml index 212f9137..69558b6c 100644 --- a/ansible/roles/onlyusers/tasks/main.yml +++ b/ansible/roles/onlyusers/tasks/main.yml @@ -1,5 +1,5 @@ - name: "Create users" - community.windows.win_domain_user: + microsoft.ad.user: name: "{{ item.key }}" firstname: "{{item.value.firstname}}" surname: "{{ item.value.surname }}" diff --git a/ansible/roles/parent_child_dns/README.md b/ansible/roles/parent_child_dns/README.md new file mode 100644 index 00000000..bcae262c --- /dev/null +++ b/ansible/roles/parent_child_dns/README.md 
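Review bot: The `firstname:` line kept on the new side of the onlyusers hunk is a `community.windows.win_domain_user` option name; `microsoft.ad.user` calls that attribute `given_name`, so the swapped module will most likely reject the task with an unsupported-parameter error on the first user, and the line should become `given_name: "{{ item.value.firstname }}"`. The rest of the task (password, groups, attributes, path) runs past the end of the hunk and, if present, needs the same mapping pass, since `microsoft.ad.user` also restructures `groups` and `attributes` into `set`/`add`/`remove` sub-keys. A plain `--syntax-check` does not validate module options, so this kind of mismatch will only surface at run time unless CI also runs an argument-validating check (for example ansible-lint's `args` rule with the collection installed).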
@@ -0,0 +1,39 @@ + +# parent_child_dns + +## Description + +Configure DNS delegation between parent and child domains + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Add dns delegation to child domain** (ansible.windows.win_shell) - Conditional +- **Create conditional forwarder to child domain** (ansible.windows.win_dns_zone) - Conditional +- **Debug IP resolution for child domains** (ansible.builtin.debug) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - parent_child_dns +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/parent_child_dns/meta/main.yml b/ansible/roles/parent_child_dns/meta/main.yml new file mode 100644 index 00000000..c45dd2f5 --- /dev/null +++ b/ansible/roles/parent_child_dns/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: parent_child_dns + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure DNS delegation between parent and child domains + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - dns + - domain + - delegation + +dependencies: [] diff --git a/ansible/roles/password_policy/README.md b/ansible/roles/password_policy/README.md new file mode 100644 index 00000000..64c03791 --- /dev/null +++ b/ansible/roles/password_policy/README.md 
@@ -0,0 +1,37 @@ + +# password_policy + +## Description + +Configure Active Directory password policy settings + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Set password policy** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - password_policy +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/password_policy/meta/main.yml b/ansible/roles/password_policy/meta/main.yml new file mode 100644 index 00000000..a49ec570 --- /dev/null +++ b/ansible/roles/password_policy/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: password_policy + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure Active Directory password policy settings + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - security + - password_policy + +dependencies: [] diff --git a/ansible/roles/ps/README.md b/ansible/roles/ps/README.md new file mode 100644 index 00000000..90349ea3 --- /dev/null +++ b/ansible/roles/ps/README.md @@ -0,0 +1,37 @@ + +# ps + +## Description + +Execute arbitrary PowerShell scripts on Windows hosts + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Play task {{ ps_script }}** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - ps +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/ps/meta/main.yml b/ansible/roles/ps/meta/main.yml new file mode 100644 index 00000000..d6cd8cd4 --- /dev/null +++ b/ansible/roles/ps/meta/main.yml 
@@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: ps + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Execute arbitrary PowerShell scripts on Windows hosts + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - powershell + - automation + +dependencies: [] diff --git a/ansible/roles/sccm_config_accounts/README.md b/ansible/roles/sccm_config_accounts/README.md new file mode 100644 index 00000000..82d2ec22 --- /dev/null +++ b/ansible/roles/sccm_config_accounts/README.md @@ -0,0 +1,37 @@ + +# sccm_config_accounts + +## Description + +Configure SCCM service accounts and permissions + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create CMA Accounts** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_accounts +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_accounts/meta/main.yml b/ansible/roles/sccm_config_accounts/meta/main.yml new file mode 100644 index 00000000..3174be39 --- /dev/null +++ b/ansible/roles/sccm_config_accounts/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_accounts + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure SCCM service accounts and permissions + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - accounts + - configuration + +dependencies: [] diff --git a/ansible/roles/sccm/config/accounts/tasks/main.yml b/ansible/roles/sccm_config_accounts/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/config/accounts/tasks/main.yml rename to ansible/roles/sccm_config_accounts/tasks/main.yml 
diff --git a/ansible/roles/sccm_config_boundary/README.md b/ansible/roles/sccm_config_boundary/README.md new file mode 100644 index 00000000..4b34c436 --- /dev/null +++ b/ansible/roles/sccm_config_boundary/README.md @@ -0,0 +1,39 @@ + +# sccm_config_boundary + +## Description + +Configure SCCM site boundaries and boundary groups + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create boundary** (dreadnode.goad.sccm_boundary) +- **Create boundary group** (dreadnode.goad.sccm_boundary_group) +- **Add boundary to boundary group** (dreadnode.goad.sccm_boundary_to_boundarygroup) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_boundary +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_boundary/meta/main.yml b/ansible/roles/sccm_config_boundary/meta/main.yml new file mode 100644 index 00000000..3bf91e50 --- /dev/null +++ b/ansible/roles/sccm_config_boundary/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_boundary + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure SCCM site boundaries and boundary groups + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - boundary + - configuration + +dependencies: [] diff --git a/ansible/roles/sccm/config/boundary/tasks/main.yml b/ansible/roles/sccm_config_boundary/tasks/main.yml similarity index 90% rename from ansible/roles/sccm/config/boundary/tasks/main.yml rename to ansible/roles/sccm_config_boundary/tasks/main.yml index caab2f82..f6af108e 100644 --- a/ansible/roles/sccm/config/boundary/tasks/main.yml +++ b/ansible/roles/sccm_config_boundary/tasks/main.yml 
@@ -1,5 +1,5 @@ - name: Create boundary - sccm_boundary: + dreadnode.goad.sccm_boundary: name: "ADSiteBoundary01" type: "ADSite" value: "Default-First-Site-Name" @@ -13,7 +13,7 @@ ansible_become_flags: logon_flags= - name: Create boundary group - sccm_boundary_group: + dreadnode.goad.sccm_boundary_group: name: "BoundaryGroup01" server: "{{ sccm_server }}.{{ domain }}" site_code: "{{ site_code }}" @@ -25,7 +25,7 @@ ansible_become_flags: logon_flags= - name: Add boundary to boundary group - sccm_boundary_to_boundarygroup: + dreadnode.goad.sccm_boundary_to_boundarygroup: boundary_name: "ADSiteBoundary01" boundary_group: "BoundaryGroup01" site_code: "{{ site_code }}" diff --git a/ansible/roles/sccm_config_client_install/README.md b/ansible/roles/sccm_config_client_install/README.md new file mode 100644 index 00000000..681e0ed4 --- /dev/null +++ b/ansible/roles/sccm_config_client_install/README.md @@ -0,0 +1,37 @@ + +# sccm_config_client_install + +## Description + +Install SCCM client on managed endpoints + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Install client** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_client_install +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_client_install/meta/main.yml b/ansible/roles/sccm_config_client_install/meta/main.yml new file mode 100644 index 00000000..a785de8c --- /dev/null +++ b/ansible/roles/sccm_config_client_install/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_client_install + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install SCCM client on managed endpoints + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - client + - deployment + +dependencies: [] diff --git a/ansible/roles/sccm/config/client_install/tasks/main.yml b/ansible/roles/sccm_config_client_install/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/config/client_install/tasks/main.yml rename to ansible/roles/sccm_config_client_install/tasks/main.yml diff --git a/ansible/roles/sccm_config_client_push/README.md b/ansible/roles/sccm_config_client_push/README.md new file mode 100644 index 00000000..2111ac37 --- /dev/null +++ b/ansible/roles/sccm_config_client_push/README.md @@ -0,0 +1,37 @@ + +# sccm_config_client_push + +## Description + +Configure SCCM client push installation settings + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create Configuration For client push** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_client_push +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_client_push/meta/main.yml b/ansible/roles/sccm_config_client_push/meta/main.yml new file mode 100644 index 00000000..fe83b712 --- /dev/null +++ b/ansible/roles/sccm_config_client_push/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_client_push + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure SCCM client push installation settings + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - client_push + - deployment + +dependencies: [] diff --git a/ansible/roles/sccm/config/client_push/tasks/main.yml b/ansible/roles/sccm_config_client_push/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/config/client_push/tasks/main.yml rename to ansible/roles/sccm_config_client_push/tasks/main.yml diff --git a/ansible/roles/sccm_config_discovery/README.md b/ansible/roles/sccm_config_discovery/README.md new file mode 100644 index 00000000..bb13a3e6 --- /dev/null +++ b/ansible/roles/sccm_config_discovery/README.md @@ -0,0 +1,38 @@ + +# sccm_config_discovery + +## Description + +Configure SCCM Active Directory discovery methods + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Restart service SMS_SITE_COMPONENT_MANAGER** (ansible.windows.win_service) +- **Setup discovery** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_discovery +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_discovery/meta/main.yml b/ansible/roles/sccm_config_discovery/meta/main.yml new file mode 100644 index 00000000..083b806f --- /dev/null +++ b/ansible/roles/sccm_config_discovery/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_discovery + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure SCCM Active Directory discovery methods + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - discovery + - configuration + +dependencies: [] diff --git a/ansible/roles/sccm/config/discovery/tasks/main.yml b/ansible/roles/sccm_config_discovery/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/config/discovery/tasks/main.yml rename to ansible/roles/sccm_config_discovery/tasks/main.yml diff --git a/ansible/roles/sccm_config_naa/README.md b/ansible/roles/sccm_config_naa/README.md new file mode 100644 index 00000000..9bbb5ed5 --- /dev/null +++ b/ansible/roles/sccm_config_naa/README.md @@ -0,0 +1,37 @@ + +# sccm_config_naa + +## Description + +Configure SCCM Network Access Account + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create Configuration Manager user account** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_naa +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_naa/meta/main.yml b/ansible/roles/sccm_config_naa/meta/main.yml new file mode 100644 index 00000000..31e0c67d --- /dev/null +++ b/ansible/roles/sccm_config_naa/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_naa + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure SCCM Network Access Account + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - naa + - configuration + +dependencies: [] 
diff --git a/ansible/roles/sccm/config/naa/tasks/main.yml b/ansible/roles/sccm_config_naa/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/config/naa/tasks/main.yml rename to ansible/roles/sccm_config_naa/tasks/main.yml diff --git a/ansible/roles/sccm_config_pxe/README.md b/ansible/roles/sccm_config_pxe/README.md new file mode 100644 index 00000000..b456288c --- /dev/null +++ b/ansible/roles/sccm_config_pxe/README.md @@ -0,0 +1,37 @@ + +# sccm_config_pxe + +## Description + +Configure SCCM PXE distribution point settings + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create PXE config** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_pxe +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_pxe/meta/main.yml b/ansible/roles/sccm_config_pxe/meta/main.yml new file mode 100644 index 00000000..31471155 --- /dev/null +++ b/ansible/roles/sccm_config_pxe/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_pxe + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure SCCM PXE distribution point settings + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - pxe + - deployment + +dependencies: [] diff --git a/ansible/roles/sccm/config/pxe/tasks/main.yml b/ansible/roles/sccm_config_pxe/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/config/pxe/tasks/main.yml rename to ansible/roles/sccm_config_pxe/tasks/main.yml diff --git a/ansible/roles/sccm_config_users/README.md b/ansible/roles/sccm_config_users/README.md new file mode 100644 index 00000000..2f393fa7 --- /dev/null +++ b/ansible/roles/sccm_config_users/README.md 
@@ -0,0 +1,37 @@ + +# sccm_config_users + +## Description + +Configure SCCM administrative users and permissions + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Add full administrators accounts** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_config_users +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_config_users/meta/main.yml b/ansible/roles/sccm_config_users/meta/main.yml new file mode 100644 index 00000000..3036a3b3 --- /dev/null +++ b/ansible/roles/sccm_config_users/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_config_users + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure SCCM administrative users and permissions + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - administrators + - configuration + +dependencies: [] diff --git a/ansible/roles/sccm/config/users/tasks/main.yml b/ansible/roles/sccm_config_users/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/config/users/tasks/main.yml rename to ansible/roles/sccm_config_users/tasks/main.yml diff --git a/ansible/roles/sccm_install_adk/README.md b/ansible/roles/sccm_install_adk/README.md new file mode 100644 index 00000000..d87695a3 --- /dev/null +++ b/ansible/roles/sccm_install_adk/README.md 
@@ -0,0 +1,44 @@ + +# sccm_install_adk + +## Description + +Install Windows Assessment and Deployment Kit for SCCM + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create directory to store the install files** (ansible.windows.win_file) +- **Create directory to store the install files** (ansible.windows.win_file) +- **Check ADK version 2004 installation exists** (ansible.windows.win_stat) +- **Download ADK version 2004** (ansible.windows.win_get_url) - Conditional +- **Check ADK adkwinpesetup exists** (ansible.windows.win_stat) +- **Download PE add-on** (ansible.windows.win_get_url) - Conditional +- **Installing ADK version 2004** (ansible.windows.win_shell) +- **Installing PE add-on** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_install_adk +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_install_adk/meta/main.yml b/ansible/roles/sccm_install_adk/meta/main.yml new file mode 100644 index 00000000..82a9eedc --- /dev/null +++ b/ansible/roles/sccm_install_adk/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_install_adk + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install Windows Assessment and Deployment Kit for SCCM + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - adk + - installation + +dependencies: [] diff --git a/ansible/roles/sccm/install/adk/tasks/main.yml b/ansible/roles/sccm_install_adk/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/install/adk/tasks/main.yml rename to ansible/roles/sccm_install_adk/tasks/main.yml 
diff --git a/ansible/roles/sccm_install_iis/README.md b/ansible/roles/sccm_install_iis/README.md new file mode 100644 index 00000000..8f931e35 --- /dev/null +++ b/ansible/roles/sccm_install_iis/README.md @@ -0,0 +1,44 @@ + +# sccm_install_iis + +## Description + +Install IIS prerequisites for SCCM site server + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create directory to store the install files** (ansible.windows.win_file) +- **Create directory to store the install files** (ansible.windows.win_file) +- **Install features Remote Differential Compression feature and BITS** (ansible.windows.win_feature) +- **Reboot if installing windows feature requires it** (ansible.windows.win_reboot) - Conditional +- **Enable update service** (ansible.windows.win_service) +- **Install .NET Framework 3.5 with DISM** (ansible.windows.win_shell) +- **Install IIS feature and other components** (ansible.windows.win_feature) +- **Reboot if installing windows feature requires it** (ansible.windows.win_reboot) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_install_iis +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_install_iis/meta/main.yml b/ansible/roles/sccm_install_iis/meta/main.yml new file mode 100644 index 00000000..fbc91c35 --- /dev/null +++ b/ansible/roles/sccm_install_iis/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_install_iis + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install IIS prerequisites for SCCM site server + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - iis + - prerequisites + +dependencies: [] 
diff --git a/ansible/roles/sccm/install/iis/tasks/main.yml b/ansible/roles/sccm_install_iis/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/install/iis/tasks/main.yml rename to ansible/roles/sccm_install_iis/tasks/main.yml diff --git a/ansible/roles/sccm_install_mecm/README.md b/ansible/roles/sccm_install_mecm/README.md new file mode 100644 index 00000000..8b2f5dcb --- /dev/null +++ b/ansible/roles/sccm_install_mecm/README.md 
@@ -0,0 +1,51 @@ + +# sccm_install_mecm + +## Description + +Install Microsoft Endpoint Configuration Manager site server + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create directory to store the downloaded prerequisite files** (ansible.windows.win_file) +- **Download Visual C++ 2017 Redistributable** (ansible.windows.win_get_url) +- **Install Visual C++ 2017 Redistributable** (ansible.windows.win_package) - Conditional +- **Install ODBC Mssql 18 driver** (ansible.windows.win_package) +- **Reboot after installing ODBC if required** (ansible.windows.win_reboot) - Conditional +- **Create directory to store the downloaded prerequisite files** (ansible.windows.win_file) +- **MECM installation media exists** (ansible.windows.win_stat) +- **Download MECM installation media** (ansible.windows.win_get_url) - Conditional +- **Remove directory cd.retail.LN if exist** (ansible.windows.win_file) +- **Extract MECM installation media** (ansible.windows.win_shell) +- **Create directory to store the downloaded prerequisite files** (ansible.windows.win_file) +- **Download prerequisite files** (ansible.windows.win_shell) +- **Copy the configuration file** (ansible.windows.win_template) +- **Fix MSSQL generate certificate issue (change crypto rsa permissions)** (ansible.windows.win_acl) +- **Install MECM (this one take an eternity ~ 1 hour )** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_install_mecm +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm/install/mecm/files/ConfigMgrAutoSave.ini b/ansible/roles/sccm_install_mecm/files/ConfigMgrAutoSave.ini similarity index 100% rename from ansible/roles/sccm/install/mecm/files/ConfigMgrAutoSave.ini rename to ansible/roles/sccm_install_mecm/files/ConfigMgrAutoSave.ini 
diff --git a/ansible/roles/sccm_install_mecm/meta/main.yml b/ansible/roles/sccm_install_mecm/meta/main.yml new file mode 100644 index 00000000..a5c3aa92 --- /dev/null +++ b/ansible/roles/sccm_install_mecm/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: sccm_install_mecm + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install Microsoft Endpoint Configuration Manager site server + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - installation + +dependencies: [] diff --git a/ansible/roles/sccm/install/mecm/tasks/main.yml b/ansible/roles/sccm_install_mecm/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/install/mecm/tasks/main.yml rename to ansible/roles/sccm_install_mecm/tasks/main.yml diff --git a/ansible/roles/sccm_install_prerequisites/README.md b/ansible/roles/sccm_install_prerequisites/README.md new file mode 100644 index 00000000..f0a05f8e --- /dev/null +++ b/ansible/roles/sccm_install_prerequisites/README.md 
@@ -0,0 +1,44 @@ + +# sccm_install_prerequisites + +## Description + +Install SCCM prerequisites including System Management container + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create the System Management Container** (ansible.windows.win_powershell) +- **Create the System Management Container** (ansible.windows.win_powershell) +- **Create directory to store the downloaded prerequisite files** (ansible.windows.win_file) +- **Check MECM installation media exists** (ansible.windows.win_stat) +- **Download MECM installation media** (ansible.windows.win_get_url) - Conditional +- **Remove directory if exist** (ansible.windows.win_file) +- **Extract MECM installation media** (ansible.windows.win_shell) +- **Launching the Active Directory schema extension** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_install_prerequisites +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_install_prerequisites/meta/main.yml b/ansible/roles/sccm_install_prerequisites/meta/main.yml new file mode 100644 index 00000000..be641497 --- /dev/null +++ b/ansible/roles/sccm_install_prerequisites/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_install_prerequisites + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install SCCM prerequisites including System Management container + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - prerequisites + - installation + +dependencies: [] 
diff --git a/ansible/roles/sccm/install/prerequisites/tasks/main.yml b/ansible/roles/sccm_install_prerequisites/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/install/prerequisites/tasks/main.yml rename to ansible/roles/sccm_install_prerequisites/tasks/main.yml diff --git a/ansible/roles/sccm_install_wsus/README.md b/ansible/roles/sccm_install_wsus/README.md new file mode 100644 index 00000000..f85faa60 --- /dev/null +++ b/ansible/roles/sccm_install_wsus/README.md @@ -0,0 +1,40 @@ + +# sccm_install_wsus + +## Description + +Install WSUS role as SCCM software update point + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Install WSUS** (ansible.windows.win_feature) +- **Reboot and wait for the AD system to restart** (ansible.windows.win_reboot) - Conditional +- **Create directory to store updates** (ansible.windows.win_file) +- **WSUS Post-installation (setup the link with the SQL Server database and a directory to store updates)** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_install_wsus +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm_install_wsus/meta/main.yml b/ansible/roles/sccm_install_wsus/meta/main.yml new file mode 100644 index 00000000..4a6391ba --- /dev/null +++ b/ansible/roles/sccm_install_wsus/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_install_wsus + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install WSUS role as SCCM software update point + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - wsus + - installation + +dependencies: [] 
diff --git a/ansible/roles/sccm/install/wsus/tasks/main.yml b/ansible/roles/sccm_install_wsus/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/install/wsus/tasks/main.yml rename to ansible/roles/sccm_install_wsus/tasks/main.yml diff --git a/ansible/roles/sccm_pxe/README.md b/ansible/roles/sccm_pxe/README.md new file mode 100644 index 00000000..4ccd5826 --- /dev/null +++ b/ansible/roles/sccm_pxe/README.md 
@@ -0,0 +1,54 @@ + +# sccm_pxe + +## Description + +Configure PXE boot with Windows 10 image for SCCM OSD + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +### Default Variables (main.yml) + +| Variable | Type | Default | Description | +| -------- | ---- | ------- | ----------- | +| `win10_iso_url` | str | `https://software-static.download.prss.microsoft.com/dbazure/988969d5-f34g-4e03-ac9d-1f9786c66750/19045.2006.220908-0225.22h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso` | No description | + +## Tasks + +### main.yml + +- **Check downloaded iso file exists** (ansible.windows.win_stat) +- **Check wim file exists** (ansible.windows.win_stat) +- **Download win10 iso file (~ 5.4GB )** (ansible.windows.win_get_url) - Conditional +- **Create share folder** (ansible.windows.win_file) +- **Ensure share exists** (ansible.windows.win_share) +- **Check wim file exists** (ansible.windows.win_stat) +- **Open ISO and extract wim file** (ansible.windows.win_powershell) - Conditional +- **Create Operating system image** (ansible.windows.win_powershell) +- **Create Task sequence** (ansible.windows.win_powershell) +- **Start distribute content** (ansible.windows.win_powershell) +- **Update unknown computers collection** (ansible.windows.win_powershell) +- **Deploy Task sequence** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sccm_pxe +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sccm/pxe/defaults/main.yml b/ansible/roles/sccm_pxe/defaults/main.yml similarity index 100% rename from ansible/roles/sccm/pxe/defaults/main.yml rename to ansible/roles/sccm_pxe/defaults/main.yml diff --git a/ansible/roles/sccm_pxe/meta/main.yml b/ansible/roles/sccm_pxe/meta/main.yml new file mode 100644 index 00000000..0f4adc77 --- /dev/null +++ b/ansible/roles/sccm_pxe/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: sccm_pxe + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure PXE boot with Windows 10 image for SCCM OSD + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - sccm + - mecm + - pxe + - osd + +dependencies: [] diff --git a/ansible/roles/sccm/pxe/tasks/main.yml b/ansible/roles/sccm_pxe/tasks/main.yml similarity index 100% rename from ansible/roles/sccm/pxe/tasks/main.yml rename to ansible/roles/sccm_pxe/tasks/main.yml diff --git a/ansible/roles/security_account_is_sensitive/README.md b/ansible/roles/security_account_is_sensitive/README.md new file mode 100644 index 00000000..8137cbc7 --- /dev/null +++ b/ansible/roles/security_account_is_sensitive/README.md @@ -0,0 +1,37 @@ + +# security_account_is_sensitive + +## Description + +Mark Active Directory accounts as sensitive to prevent delegation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Account is sensitive** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - security_account_is_sensitive +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/security_account_is_sensitive/meta/main.yml b/ansible/roles/security_account_is_sensitive/meta/main.yml new file mode 100644 index 00000000..8f3a730d --- /dev/null +++ b/ansible/roles/security_account_is_sensitive/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: security_account_is_sensitive + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Mark Active Directory accounts as sensitive to prevent delegation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - security + - delegation + - hardening + +dependencies: [] diff --git a/ansible/roles/security/account_is_sensitive/tasks/main.yml b/ansible/roles/security_account_is_sensitive/tasks/main.yml similarity index 100% rename from ansible/roles/security/account_is_sensitive/tasks/main.yml rename to ansible/roles/security_account_is_sensitive/tasks/main.yml diff --git a/ansible/roles/security_asr/README.md b/ansible/roles/security_asr/README.md new file mode 100644 index 00000000..bbd729cf --- /dev/null +++ b/ansible/roles/security_asr/README.md @@ -0,0 +1,37 @@ + +# security_asr + +## Description + +Configure Windows Defender Attack Surface Reduction rules + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable ASR rule** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - security_asr +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/security_asr/meta/main.yml b/ansible/roles/security_asr/meta/main.yml new file mode 100644 index 00000000..3a7a48ad --- /dev/null +++ b/ansible/roles/security_asr/meta/main.yml 
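Review bot: The `active_directory` tag under `galaxy_tags` in security_account_is_sensitive/meta/main.yml contains an underscore, which ansible-lint's `meta-no-tags` rule rejects (tags must match `^[a-z0-9]+$`, lowercase letters and digits only); if ansible-lint is run against the collection this file fails lint. Change it to `- activedirectory` or to a plain `- ad` tag. The same `- active_directory` tag is added in settings_gpmc/meta/main.yml and settings_gpo_remove/meta/main.yml and needs the same fix.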
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: security_asr + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure Windows Defender Attack Surface Reduction rules + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - security + - asr + - defender + - hardening + +dependencies: [] diff --git a/ansible/roles/security/asr/tasks/main.yml b/ansible/roles/security_asr/tasks/main.yml similarity index 100% rename from ansible/roles/security/asr/tasks/main.yml rename to ansible/roles/security_asr/tasks/main.yml diff --git a/ansible/roles/security_audit_policy/README.md b/ansible/roles/security_audit_policy/README.md new file mode 100644 index 00000000..d9a4f311 --- /dev/null +++ b/ansible/roles/security_audit_policy/README.md @@ -0,0 +1,44 @@ + +# security_audit_policy + +## Description + +Configure Windows audit policies for file share and object access logging + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable Detailed File Share auditing (Event 5145)** (ansible.windows.win_shell) +- **Enable File System auditing (Event 4663 - Step 1)** (ansible.windows.win_shell) +- **Enable Handle Manipulation auditing (Event 4658, 4690)** (ansible.windows.win_shell) +- **Configure SACL on SYSVOL folder (Event 4663 - Step 2)** (ansible.windows.win_shell) +- **Configure SACL on NETLOGON folder (Event 4663 - Step 2)** (ansible.windows.win_shell) +- **Configure SACL on additional sensitive folders** (ansible.windows.win_shell) - Conditional +- **Verify audit policies are enabled** (ansible.windows.win_shell) +- **Display audit policy verification** (ansible.builtin.debug) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - security_audit_policy +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + 
diff --git a/ansible/roles/security_audit_policy/meta/main.yml b/ansible/roles/security_audit_policy/meta/main.yml new file mode 100644 index 00000000..95587ded --- /dev/null +++ b/ansible/roles/security_audit_policy/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: security_audit_policy + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure Windows audit policies for file share and object access logging + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - security + - audit + - logging + - hardening + +dependencies: [] diff --git a/ansible/roles/security/audit_policy/tasks/main.yml b/ansible/roles/security_audit_policy/tasks/main.yml similarity index 100% rename from ansible/roles/security/audit_policy/tasks/main.yml rename to ansible/roles/security_audit_policy/tasks/main.yml diff --git a/ansible/roles/security_enable_run_as_ppl/README.md b/ansible/roles/security_enable_run_as_ppl/README.md new file mode 100644 index 00000000..3cd0da94 --- /dev/null +++ b/ansible/roles/security_enable_run_as_ppl/README.md @@ -0,0 +1,37 @@ + +# security_enable_run_as_ppl + +## Description + +Enable LSA Protection (RunAsPPL) for credential hardening + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable run as PPL** (ansible.windows.win_regedit) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - security_enable_run_as_ppl +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/security_enable_run_as_ppl/meta/main.yml b/ansible/roles/security_enable_run_as_ppl/meta/main.yml new file mode 100644 index 00000000..84aa3b77 --- /dev/null +++ b/ansible/roles/security_enable_run_as_ppl/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: security_enable_run_as_ppl + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable LSA Protection (RunAsPPL) for credential hardening + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - security + - lsa + - hardening + - credentials + +dependencies: [] diff --git a/ansible/roles/security/enable_run_as_ppl/tasks/main.yml b/ansible/roles/security_enable_run_as_ppl/tasks/main.yml similarity index 100% rename from ansible/roles/security/enable_run_as_ppl/tasks/main.yml rename to ansible/roles/security_enable_run_as_ppl/tasks/main.yml diff --git a/ansible/roles/security_ensure_kb_not_installed/README.md b/ansible/roles/security_ensure_kb_not_installed/README.md new file mode 100644 index 00000000..3d6f4d91 --- /dev/null +++ b/ansible/roles/security_ensure_kb_not_installed/README.md @@ -0,0 +1,40 @@ + +# security_ensure_kb_not_installed + +## Description + +Ensure specific Windows KB updates are not installed + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Check if KB5008380 is installed** (ansible.windows.win_shell) +- **Remove KB5008380 if installed** (ansible.windows.win_shell) - Conditional +- **Display removal status** (ansible.builtin.debug) +- **Warn if removal failed** (ansible.builtin.debug) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - security_ensure_kb_not_installed +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/security_ensure_kb_not_installed/meta/main.yml b/ansible/roles/security_ensure_kb_not_installed/meta/main.yml new file mode 100644 index 00000000..f3294a3a --- /dev/null +++ b/ansible/roles/security_ensure_kb_not_installed/meta/main.yml 
@@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: security_ensure_kb_not_installed + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Ensure specific Windows KB updates are not installed + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - security + - updates + - hardening + +dependencies: [] diff --git a/ansible/roles/security/ensure_kb_not_installed/tasks/main.yml b/ansible/roles/security_ensure_kb_not_installed/tasks/main.yml similarity index 100% rename from ansible/roles/security/ensure_kb_not_installed/tasks/main.yml rename to ansible/roles/security_ensure_kb_not_installed/tasks/main.yml diff --git a/ansible/roles/security_powershell_restrict/README.md b/ansible/roles/security_powershell_restrict/README.md new file mode 100644 index 00000000..e8007465 --- /dev/null +++ b/ansible/roles/security_powershell_restrict/README.md @@ -0,0 +1,37 @@ + +# security_powershell_restrict + +## Description + +Configure PowerShell execution policy restrictions + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Powershell Restrict** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - security_powershell_restrict +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/security_powershell_restrict/meta/main.yml b/ansible/roles/security_powershell_restrict/meta/main.yml new file mode 100644 index 00000000..4d000912 --- /dev/null +++ b/ansible/roles/security_powershell_restrict/meta/main.yml 
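Review bot: The `hardening` tag in security_ensure_kb_not_installed/meta/main.yml misdescribes the role: the README added in this same change lists its tasks as `Check if KB5008380 is installed` and `Remove KB5008380 if installed`, i.e. it uninstalls an update, which weakens the host rather than hardening it, presumably on purpose for the lab. Anyone selecting roles by the `hardening` tag would pull in one that does the opposite. Replace `- hardening` with a tag that states what it is, e.g. `- lab` or `- vulnerable`, and consider making the description explicit, `description: Ensure specific Windows KB updates are not installed (removes patches on purpose for lab use)`.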
@@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: security_powershell_restrict + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure PowerShell execution policy restrictions + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - security + - powershell + - hardening + +dependencies: [] diff --git a/ansible/roles/security/powershell_restrict/tasks/main.yml b/ansible/roles/security_powershell_restrict/tasks/main.yml similarity index 100% rename from ansible/roles/security/powershell_restrict/tasks/main.yml rename to ansible/roles/security_powershell_restrict/tasks/main.yml diff --git a/ansible/roles/settings_adjust_rights/README.md b/ansible/roles/settings_adjust_rights/README.md new file mode 100644 index 00000000..0c34fb78 --- /dev/null +++ b/ansible/roles/settings_adjust_rights/README.md @@ -0,0 +1,37 @@ + +# settings_adjust_rights + +## Description + +Configure local group membership for domain users + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Add domain users to local groups** (ansible.windows.win_group_membership) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_adjust_rights +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_adjust_rights/meta/main.yml b/ansible/roles/settings_adjust_rights/meta/main.yml new file mode 100644 index 00000000..3f61138f --- /dev/null +++ b/ansible/roles/settings_adjust_rights/meta/main.yml 
@@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: settings_adjust_rights + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure local group membership for domain users + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - groups + - permissions + +dependencies: [] diff --git a/ansible/roles/settings/adjust_rights/tasks/main.yml b/ansible/roles/settings_adjust_rights/tasks/main.yml similarity index 100% rename from ansible/roles/settings/adjust_rights/tasks/main.yml rename to ansible/roles/settings_adjust_rights/tasks/main.yml diff --git a/ansible/roles/settings_admin_password/README.md b/ansible/roles/settings_admin_password/README.md new file mode 100644 index 00000000..69ad071a --- /dev/null +++ b/ansible/roles/settings_admin_password/README.md @@ -0,0 +1,37 @@ + +# settings_admin_password + +## Description + +Set the local administrator account password + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Ensure that Admin is present with a valid password** (ansible.windows.win_user) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_admin_password +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_admin_password/meta/main.yml b/ansible/roles/settings_admin_password/meta/main.yml new file mode 100644 index 00000000..df1051c2 --- /dev/null +++ b/ansible/roles/settings_admin_password/meta/main.yml 
@@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: settings_admin_password + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Set the local administrator account password + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - passwords + - administration + +dependencies: [] diff --git a/ansible/roles/settings/admin_password/tasks/main.yml b/ansible/roles/settings_admin_password/tasks/main.yml similarity index 100% rename from ansible/roles/settings/admin_password/tasks/main.yml rename to ansible/roles/settings_admin_password/tasks/main.yml diff --git a/ansible/roles/settings_copy_files/README.md b/ansible/roles/settings_copy_files/README.md new file mode 100644 index 00000000..39a5dda1 --- /dev/null +++ b/ansible/roles/settings_copy_files/README.md @@ -0,0 +1,38 @@ + +# settings_copy_files + +## Description + +Copy files to Windows hosts for lab configuration + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create directory** (ansible.windows.win_file) +- **Download GOAD img in C:\tmp** (ansible.windows.win_copy) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_copy_files +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings/copy_files/files/GOAD.png b/ansible/roles/settings_copy_files/files/GOAD.png similarity index 100% rename from ansible/roles/settings/copy_files/files/GOAD.png rename to ansible/roles/settings_copy_files/files/GOAD.png diff --git a/ansible/roles/settings/copy_files/files/starks.jpg b/ansible/roles/settings_copy_files/files/starks.jpg similarity index 100% rename from ansible/roles/settings/copy_files/files/starks.jpg rename to ansible/roles/settings_copy_files/files/starks.jpg 
diff --git a/ansible/roles/settings_copy_files/meta/main.yml b/ansible/roles/settings_copy_files/meta/main.yml new file mode 100644 index 00000000..ecd9b3f7 --- /dev/null +++ b/ansible/roles/settings_copy_files/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: settings_copy_files + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Copy files to Windows hosts for lab configuration + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - files + +dependencies: [] diff --git a/ansible/roles/settings/copy_files/tasks/main.yml b/ansible/roles/settings_copy_files/tasks/main.yml similarity index 100% rename from ansible/roles/settings/copy_files/tasks/main.yml rename to ansible/roles/settings_copy_files/tasks/main.yml diff --git a/ansible/roles/settings_disable_nat_adapter/README.md b/ansible/roles/settings_disable_nat_adapter/README.md new file mode 100644 index 00000000..5f4d4d4b --- /dev/null +++ b/ansible/roles/settings_disable_nat_adapter/README.md @@ -0,0 +1,37 @@ + +# settings_disable_nat_adapter + +## Description + +Disable the NAT network adapter on Windows hosts + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Disable interface {{ nat_adapter }}** (ansible.windows.win_shell) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_disable_nat_adapter +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_disable_nat_adapter/meta/main.yml b/ansible/roles/settings_disable_nat_adapter/meta/main.yml new file mode 100644 index 00000000..64e0dea4 --- /dev/null +++ b/ansible/roles/settings_disable_nat_adapter/meta/main.yml 
@@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: settings_disable_nat_adapter + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Disable the NAT network adapter on Windows hosts + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - networking + - configuration + +dependencies: [] diff --git a/ansible/roles/settings/disable_nat_adapter/tasks/main.yml b/ansible/roles/settings_disable_nat_adapter/tasks/main.yml similarity index 100% rename from ansible/roles/settings/disable_nat_adapter/tasks/main.yml rename to ansible/roles/settings_disable_nat_adapter/tasks/main.yml diff --git a/ansible/roles/settings_enable_nat_adapter/README.md b/ansible/roles/settings_enable_nat_adapter/README.md new file mode 100644 index 00000000..08e4f455 --- /dev/null +++ b/ansible/roles/settings_enable_nat_adapter/README.md @@ -0,0 +1,37 @@ + +# settings_enable_nat_adapter + +## Description + +Enable the NAT network adapter on Windows hosts + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable interface {{ nat_adapter }}** (ansible.windows.win_shell) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_enable_nat_adapter +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_enable_nat_adapter/meta/main.yml b/ansible/roles/settings_enable_nat_adapter/meta/main.yml new file mode 100644 index 00000000..f062ba2b --- /dev/null +++ b/ansible/roles/settings_enable_nat_adapter/meta/main.yml 
@@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: settings_enable_nat_adapter + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable the NAT network adapter on Windows hosts + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - networking + - configuration + +dependencies: [] diff --git a/ansible/roles/settings/enable_nat_adapter/tasks/main.yml b/ansible/roles/settings_enable_nat_adapter/tasks/main.yml similarity index 100% rename from ansible/roles/settings/enable_nat_adapter/tasks/main.yml rename to ansible/roles/settings_enable_nat_adapter/tasks/main.yml diff --git a/ansible/roles/settings_gpmc/README.md b/ansible/roles/settings_gpmc/README.md new file mode 100644 index 00000000..5ab1467f --- /dev/null +++ b/ansible/roles/settings_gpmc/README.md @@ -0,0 +1,37 @@ + +# settings_gpmc + +## Description + +Install Group Policy Management Console + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Install Group Policy Management Console** (ansible.windows.win_feature) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_gpmc +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_gpmc/meta/main.yml b/ansible/roles/settings_gpmc/meta/main.yml new file mode 100644 index 00000000..b7bbafa3 --- /dev/null +++ b/ansible/roles/settings_gpmc/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: settings_gpmc + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install Group Policy Management Console + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - gpo + - management + +dependencies: [] 
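Review bot: The galaxy_tags entry `- active_directory` in the settings_gpmc meta/main.yml contains an underscore, which ansible-lint's meta-no-tags rule and the Galaxy importer reject (tags may contain only lowercase letters and digits). The same applies to `active_directory` in the settings_gpo_remove, sync_domains, trusts, vulns_acls and vulns_adcs_templates meta files later in this diff, and to `user_rights` in settings_user_rights. Replace them with a letters-and-digits form, e.g. `- activedirectory` and `- userrights`, or drop them. If the repository's pre-commit workflow runs ansible-lint, this will presumably surface as a failure on each of these new meta files.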
diff --git a/ansible/roles/settings/gpmc/tasks/main.yml b/ansible/roles/settings_gpmc/tasks/main.yml similarity index 100% rename from ansible/roles/settings/gpmc/tasks/main.yml rename to ansible/roles/settings_gpmc/tasks/main.yml diff --git a/ansible/roles/settings_gpo_remove/README.md b/ansible/roles/settings_gpo_remove/README.md new file mode 100644 index 00000000..c5047a9a --- /dev/null +++ b/ansible/roles/settings_gpo_remove/README.md @@ -0,0 +1,37 @@ + +# settings_gpo_remove + +## Description + +Remove specified Group Policy Objects from the domain + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Remove Group Policy Object "StarkWallpaper" to set back background image for North users** (ansible.builtin.script) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_gpo_remove +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings/gpo_remove/files/remove-gpo.ps1 b/ansible/roles/settings_gpo_remove/files/remove-gpo.ps1 similarity index 100% rename from ansible/roles/settings/gpo_remove/files/remove-gpo.ps1 rename to ansible/roles/settings_gpo_remove/files/remove-gpo.ps1 diff --git a/ansible/roles/settings_gpo_remove/meta/main.yml b/ansible/roles/settings_gpo_remove/meta/main.yml new file mode 100644 index 00000000..1839a5b6 --- /dev/null +++ b/ansible/roles/settings_gpo_remove/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: settings_gpo_remove + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Remove specified Group Policy Objects from the domain + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - gpo + - configuration + +dependencies: [] 
diff --git a/ansible/roles/settings/gpo_remove/tasks/main.yml b/ansible/roles/settings_gpo_remove/tasks/main.yml similarity index 100% rename from ansible/roles/settings/gpo_remove/tasks/main.yml rename to ansible/roles/settings_gpo_remove/tasks/main.yml diff --git a/ansible/roles/settings_hostname/README.md b/ansible/roles/settings_hostname/README.md new file mode 100644 index 00000000..7ad07ec3 --- /dev/null +++ b/ansible/roles/settings_hostname/README.md @@ -0,0 +1,40 @@ + +# settings_hostname + +## Description + +Configure Windows hostname and scheduled maintenance tasks + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create scheduled task to keep ssm-user enabled (survives GPO refresh)** (ansible.windows.win_powershell) +- **Change the hostname** (ansible.windows.win_hostname) +- **Reboot if needed** (ansible.windows.win_reboot) - Conditional +- **Ensure ssm-user is enabled after reboot (prevents connection failures)** (ansible.windows.win_powershell) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_hostname +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_hostname/meta/main.yml b/ansible/roles/settings_hostname/meta/main.yml new file mode 100644 index 00000000..460e1851 --- /dev/null +++ b/ansible/roles/settings_hostname/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: settings_hostname + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure Windows hostname and scheduled maintenance tasks + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - hostname + +dependencies: [] 
diff --git a/ansible/roles/settings/hostname/tasks/main.yml b/ansible/roles/settings_hostname/tasks/main.yml similarity index 100% rename from ansible/roles/settings/hostname/tasks/main.yml rename to ansible/roles/settings_hostname/tasks/main.yml diff --git a/ansible/roles/settings_keyboard/README.md b/ansible/roles/settings_keyboard/README.md new file mode 100644 index 00000000..a698da8b --- /dev/null +++ b/ansible/roles/settings_keyboard/README.md @@ -0,0 +1,38 @@ + +# settings_keyboard + +## Description + +Configure keyboard layout and language settings on Windows + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Add Keyboard Layouts registry key** (ansible.windows.win_regedit) +- **Add Keyboard Layouts registry key for default users** (ansible.windows.win_regedit) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_keyboard +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_keyboard/meta/main.yml b/ansible/roles/settings_keyboard/meta/main.yml new file mode 100644 index 00000000..3fd69c00 --- /dev/null +++ b/ansible/roles/settings_keyboard/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: settings_keyboard + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure keyboard layout and language settings on Windows + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - keyboard + - locale + +dependencies: [] diff --git a/ansible/roles/settings/keyboard/tasks/main.yml b/ansible/roles/settings_keyboard/tasks/main.yml similarity index 100% rename from ansible/roles/settings/keyboard/tasks/main.yml rename to ansible/roles/settings_keyboard/tasks/main.yml 
diff --git a/ansible/roles/settings_no_updates/README.md b/ansible/roles/settings_no_updates/README.md new file mode 100644 index 00000000..02b0f861 --- /dev/null +++ b/ansible/roles/settings_no_updates/README.md @@ -0,0 +1,37 @@ + +# settings_no_updates + +## Description + +Disable Windows Update service to preserve lab state + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Disable windows update** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_no_updates +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_no_updates/meta/main.yml b/ansible/roles/settings_no_updates/meta/main.yml new file mode 100644 index 00000000..f1d126ec --- /dev/null +++ b/ansible/roles/settings_no_updates/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: settings_no_updates + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Disable Windows Update service to preserve lab state + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - updates + +dependencies: [] diff --git a/ansible/roles/settings/no_updates/tasks/main.yml b/ansible/roles/settings_no_updates/tasks/main.yml similarity index 100% rename from ansible/roles/settings/no_updates/tasks/main.yml rename to ansible/roles/settings_no_updates/tasks/main.yml diff --git a/ansible/roles/settings_updates/README.md b/ansible/roles/settings_updates/README.md new file mode 100644 index 00000000..3cb7e7b4 --- /dev/null +++ b/ansible/roles/settings_updates/README.md 
@@ -0,0 +1,38 @@ + +# settings_updates + +## Description + +Install Windows updates on managed hosts + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### default.yml + +- **Enable update service** (ansible.windows.win_service) +- **Install all updates and reboot as many times as needed** (ansible.windows.win_updates) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_updates +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_updates/meta/main.yml b/ansible/roles/settings_updates/meta/main.yml new file mode 100644 index 00000000..4de83346 --- /dev/null +++ b/ansible/roles/settings_updates/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: settings_updates + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install Windows updates on managed hosts + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - updates + +dependencies: [] diff --git a/ansible/roles/settings/updates/tasks/default.yml b/ansible/roles/settings_updates/tasks/default.yml similarity index 100% rename from ansible/roles/settings/updates/tasks/default.yml rename to ansible/roles/settings_updates/tasks/default.yml diff --git a/ansible/roles/settings_user_rights/README.md b/ansible/roles/settings_user_rights/README.md new file mode 100644 index 00000000..b97ca99c --- /dev/null +++ b/ansible/roles/settings_user_rights/README.md 
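Review bot: The settings_updates role declared in this meta/main.yml has no tasks/main.yml: the rename in this section keeps its only task file at tasks/default.yml, and the README in the same section lists only default.yml. Ansible does not auto-load tasks/default.yml, so the README's `roles: - settings_updates` example would run no tasks unless a main.yml exists outside this diff. Either add a `tasks/main.yml` containing `- ansible.builtin.import_tasks: default.yml`, or document that callers must invoke the role via `ansible.builtin.include_role` with `tasks_from: default`.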
@@ -0,0 +1,37 @@ + +# settings_user_rights + +## Description + +Configure user rights assignments for Remote Desktop access + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Add remote desktop and administrators group to RDP** (ansible.windows.win_user_right) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_user_rights +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_user_rights/meta/main.yml b/ansible/roles/settings_user_rights/meta/main.yml new file mode 100644 index 00000000..c1abedec --- /dev/null +++ b/ansible/roles/settings_user_rights/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: settings_user_rights + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure user rights assignments for Remote Desktop access + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - configuration + - security + - rdp + - user_rights + +dependencies: [] diff --git a/ansible/roles/settings/user_rights/tasks/main.yml b/ansible/roles/settings_user_rights/tasks/main.yml similarity index 100% rename from ansible/roles/settings/user_rights/tasks/main.yml rename to ansible/roles/settings_user_rights/tasks/main.yml diff --git a/ansible/roles/settings_windows_defender/README.md b/ansible/roles/settings_windows_defender/README.md new file mode 100644 index 00000000..5f80864e --- /dev/null +++ b/ansible/roles/settings_windows_defender/README.md 
@@ -0,0 +1,42 @@ + +# settings_windows_defender + +## Description + +Install and configure Windows Defender antivirus settings + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Install windows defender** (ansible.windows.win_feature) +- **Reboot if needed** (ansible.windows.win_reboot) - Conditional +- **Disable Windows Defender MAPS cloud reporting** (ansible.windows.win_shell) +- **Disable Windows Defender sample submission consent** (ansible.windows.win_shell) +- **Disable network drive scanning** (ansible.windows.win_shell) - Conditional +- **Disable realtime monitoring** (ansible.windows.win_shell) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - settings_windows_defender +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/settings_windows_defender/meta/main.yml b/ansible/roles/settings_windows_defender/meta/main.yml new file mode 100644 index 00000000..a9be9e60 --- /dev/null +++ b/ansible/roles/settings_windows_defender/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: settings_windows_defender + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install and configure Windows Defender antivirus settings + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - security + - defender + - antivirus + +dependencies: [] diff --git a/ansible/roles/settings/windows_defender/tasks/main.yml b/ansible/roles/settings_windows_defender/tasks/main.yml similarity index 100% rename from ansible/roles/settings/windows_defender/tasks/main.yml rename to ansible/roles/settings_windows_defender/tasks/main.yml diff --git a/ansible/roles/sync_domains/README.md b/ansible/roles/sync_domains/README.md new file mode 100644 index 00000000..a4f81148 --- /dev/null 
+++ b/ansible/roles/sync_domains/README.md @@ -0,0 +1,37 @@ + +# sync_domains + +## Description + +Synchronize Active Directory replication across all domain controllers + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Synchronizes all domains before change schema** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - sync_domains +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/sync_domains/meta/main.yml b/ansible/roles/sync_domains/meta/main.yml new file mode 100644 index 00000000..5891a2c8 --- /dev/null +++ b/ansible/roles/sync_domains/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: sync_domains + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Synchronize Active Directory replication across all domain controllers + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - replication + - domain + +dependencies: [] diff --git a/ansible/roles/trusts/README.md b/ansible/roles/trusts/README.md new file mode 100644 index 00000000..d859cb58 --- /dev/null +++ b/ansible/roles/trusts/README.md 
@@ -0,0 +1,39 @@ + +# trusts + +## Description + +Configure Active Directory domain trust relationships + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Prepare to trust flush and renew dns** (ansible.windows.win_shell) +- **Add trusts between domain** (ansible.windows.win_powershell) +- **Reboot and wait for the AD system to restart** (ansible.windows.win_reboot) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - trusts +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/trusts/meta/main.yml b/ansible/roles/trusts/meta/main.yml new file mode 100644 index 00000000..fd3d3da9 --- /dev/null +++ b/ansible/roles/trusts/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: trusts + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure Active Directory domain trust relationships + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - trusts + - domain + +dependencies: [] diff --git a/ansible/roles/vulns/disable_firewall/tasks/main.yml b/ansible/roles/vulns/disable_firewall/tasks/main.yml deleted file mode 100644 index e16d99ae..00000000 --- a/ansible/roles/vulns/disable_firewall/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Disable Domain firewall - ansible.windows.win_firewall: - state: disabled - profiles: - - Domain - - Private - - Public - tags: disable_firewall diff --git a/ansible/roles/vulns_acls/README.md b/ansible/roles/vulns_acls/README.md new file mode 100644 index 00000000..cea6ffe2 --- /dev/null +++ b/ansible/roles/vulns_acls/README.md 
@@ -0,0 +1,37 @@ + +# vulns_acls + +## Description + +Configure vulnerable ACL permissions for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Set acl** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_acls +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_acls/meta/main.yml b/ansible/roles/vulns_acls/meta/main.yml new file mode 100644 index 00000000..113c0269 --- /dev/null +++ b/ansible/roles/vulns_acls/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_acls + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure vulnerable ACL permissions for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - vulnerability + - acl + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/acls/tasks/main.yml b/ansible/roles/vulns_acls/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/acls/tasks/main.yml rename to ansible/roles/vulns_acls/tasks/main.yml diff --git a/ansible/roles/vulns_adcs_templates/README.md b/ansible/roles/vulns_adcs_templates/README.md new file mode 100644 index 00000000..97ecd294 --- /dev/null +++ b/ansible/roles/vulns_adcs_templates/README.md 
@@ -0,0 +1,41 @@ + +# vulns_adcs_templates + +## Description + +Deploy vulnerable ADCS certificate templates for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Refresh** (ansible.windows.win_command) +- **Copy ADCSTemplate zip to remote** (ansible.windows.win_copy) +- **Extract ADCSTemplate module** (ansible.windows.win_shell) +- **Create a directory for templates** (ansible.windows.win_file) +- **Install templates** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_adcs_templates +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/.gitignore b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/.gitignore similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/.gitignore rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/.gitignore diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/ADCSTemplate.psd1 b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/ADCSTemplate.psd1 similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/ADCSTemplate.psd1 rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/ADCSTemplate.psd1 diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/ADCSTemplate.psm1 b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/ADCSTemplate.psm1 similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/ADCSTemplate.psm1 rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/ADCSTemplate.psm1 
diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.psm1 b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.psm1 similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.psm1 rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.psm1 diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.schema.mof b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.schema.mof similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.schema.mof rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.schema.mof diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Build-ADCS.ps1 b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Build-ADCS.ps1 similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Build-ADCS.ps1 rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Build-ADCS.ps1 diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Demo.ps1 b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Demo.ps1 similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Demo.ps1 rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Demo.ps1 
diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/PowerShellCMS.json b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/PowerShellCMS.json similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/PowerShellCMS.json rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/PowerShellCMS.json diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Tanium.json b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Tanium.json similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Tanium.json rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Tanium.json diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/LICENSE b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/LICENSE similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/LICENSE rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/LICENSE diff --git a/ansible/roles/vulns/adcs_templates/files/ADCSTemplate/README.md b/ansible/roles/vulns_adcs_templates/files/ADCSTemplate/README.md similarity index 100% rename from ansible/roles/vulns/adcs_templates/files/ADCSTemplate/README.md rename to ansible/roles/vulns_adcs_templates/files/ADCSTemplate/README.md diff --git a/ansible/roles/vulns_adcs_templates/meta/main.yml b/ansible/roles/vulns_adcs_templates/meta/main.yml new file mode 100644 index 00000000..87016ea3 --- /dev/null +++ b/ansible/roles/vulns_adcs_templates/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_adcs_templates + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Deploy vulnerable ADCS certificate templates for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - active_directory + - vulnerability + - adcs + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/adcs_templates/tasks/main.yml b/ansible/roles/vulns_adcs_templates/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/adcs_templates/tasks/main.yml rename to ansible/roles/vulns_adcs_templates/tasks/main.yml diff --git a/ansible/roles/vulns_administrator_folder/README.md b/ansible/roles/vulns_administrator_folder/README.md new file mode 100644 index 00000000..c8efc505 --- /dev/null +++ b/ansible/roles/vulns_administrator_folder/README.md 
@@ -0,0 +1,44 @@ + +# vulns_administrator_folder + +## Description + +Configure administrator profile folder for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Check if administrator folder already exist** (ansible.windows.win_stat) +- **Check if administrator folder already exist** (ansible.windows.win_stat) +- **Create administrator directory** (ansible.windows.win_file) - Conditional +- **Create administrator desktop directory** (ansible.windows.win_file) - Conditional +- **Disable inherited ACE's** (ansible.windows.win_acl_inheritance) - Conditional +- **Allow C:\users\administrator to administrators** (ansible.windows.win_acl) - Conditional +- **Allow C:\users\administrator to administrators** (ansible.windows.win_acl) - Conditional +- **Allow C:\users\administrator to administrators** (ansible.windows.win_acl) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_administrator_folder +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_administrator_folder/meta/main.yml b/ansible/roles/vulns_administrator_folder/meta/main.yml new file mode 100644 index 00000000..64cc685c --- /dev/null +++ b/ansible/roles/vulns_administrator_folder/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: vulns_administrator_folder + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure administrator profile folder for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - pentest + +dependencies: [] 
diff --git a/ansible/roles/vulns/administrator_folder/tasks/main.yml b/ansible/roles/vulns_administrator_folder/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/administrator_folder/tasks/main.yml rename to ansible/roles/vulns_administrator_folder/tasks/main.yml diff --git a/ansible/roles/vulns_anonymous_enum/README.md b/ansible/roles/vulns_anonymous_enum/README.md new file mode 100644 index 00000000..73411e36 --- /dev/null +++ b/ansible/roles/vulns_anonymous_enum/README.md 
@@ -0,0 +1,49 @@ + +# vulns_anonymous_enum + +## Description + +Enable anonymous and null session enumeration for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable anonymous enumeration (RestrictAnonymous = 0)** (ansible.windows.win_regedit) +- **Enable anonymous SAM enumeration (RestrictAnonymousSAM = 0)** (ansible.windows.win_regedit) +- **Enable EveryoneIncludesAnonymous** (ansible.windows.win_regedit) +- **Create minimal security policy template with LSAAnonymousNameLookup** (ansible.windows.win_shell) +- **Apply LSAAnonymousNameLookup security policy** (ansible.windows.win_shell) +- **Read secedit log for LSAAnonymousNameLookup apply** (ansible.windows.win_shell) +- **Read scesrv.log tail for LSAAnonymousNameLookup apply** (ansible.windows.win_shell) +- **Remove temporary policy file** (ansible.windows.win_file) +- **Verify LSAAnonymousNameLookup is enabled** (ansible.windows.win_shell) +- **Update Default Domain Controllers Policy if local policy did not apply** (ansible.windows.win_shell) - Conditional +- **Verify LSAAnonymousNameLookup after GPO update** (ansible.windows.win_shell) - Conditional +- **Fail if LSAAnonymousNameLookup not applied** (ansible.builtin.fail) - Conditional +- **Display LSAAnonymousNameLookup verification** (ansible.builtin.debug) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_anonymous_enum +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_anonymous_enum/meta/main.yml b/ansible/roles/vulns_anonymous_enum/meta/main.yml new file mode 100644 index 00000000..5d73e707 --- /dev/null +++ b/ansible/roles/vulns_anonymous_enum/meta/main.yml 
@@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_anonymous_enum + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable anonymous and null session enumeration for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - enumeration + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/anonymous_enum/tasks/main.yml b/ansible/roles/vulns_anonymous_enum/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/anonymous_enum/tasks/main.yml rename to ansible/roles/vulns_anonymous_enum/tasks/main.yml diff --git a/ansible/roles/vulns_autologon/README.md b/ansible/roles/vulns_autologon/README.md new file mode 100644 index 00000000..dc5e2aaa --- /dev/null +++ b/ansible/roles/vulns_autologon/README.md @@ -0,0 +1,37 @@ + +# vulns_autologon + +## Description + +Configure Windows autologon credentials for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Add windows autologon** (ansible.windows.win_auto_logon) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_autologon +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_autologon/meta/main.yml b/ansible/roles/vulns_autologon/meta/main.yml new file mode 100644 index 00000000..020697be --- /dev/null +++ b/ansible/roles/vulns_autologon/meta/main.yml 
@@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_autologon + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure Windows autologon credentials for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - autologon + - credentials + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/autologon/tasks/main.yml b/ansible/roles/vulns_autologon/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/autologon/tasks/main.yml rename to ansible/roles/vulns_autologon/tasks/main.yml diff --git a/ansible/roles/vulns_credentials/README.md b/ansible/roles/vulns_credentials/README.md new file mode 100644 index 00000000..8b08cccd --- /dev/null +++ b/ansible/roles/vulns_credentials/README.md @@ -0,0 +1,37 @@ + +# vulns_credentials + +## Description + +Store credentials in Windows Credential Manager for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Store a password in Credential Manager** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_credentials +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_credentials/meta/main.yml b/ansible/roles/vulns_credentials/meta/main.yml new file mode 100644 index 00000000..0d96c6a4 --- /dev/null +++ b/ansible/roles/vulns_credentials/meta/main.yml 
@@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_credentials + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Store credentials in Windows Credential Manager for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - credentials + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/credentials/tasks/main.yml b/ansible/roles/vulns_credentials/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/credentials/tasks/main.yml rename to ansible/roles/vulns_credentials/tasks/main.yml diff --git a/ansible/roles/vulns_directory/README.md b/ansible/roles/vulns_directory/README.md new file mode 100644 index 00000000..e3d4661c --- /dev/null +++ b/ansible/roles/vulns_directory/README.md @@ -0,0 +1,37 @@ + +# vulns_directory + +## Description + +Create vulnerable directory structures for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create directory** (ansible.windows.win_file) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_directory +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_directory/meta/main.yml b/ansible/roles/vulns_directory/meta/main.yml new file mode 100644 index 00000000..393d3670 --- /dev/null +++ b/ansible/roles/vulns_directory/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_directory + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Create vulnerable directory structures for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - filesystem + - pentest + +dependencies: [] 
diff --git a/ansible/roles/vulns/directory/tasks/main.yml b/ansible/roles/vulns_directory/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/directory/tasks/main.yml rename to ansible/roles/vulns_directory/tasks/main.yml diff --git a/ansible/roles/vulns_disable_firewall/README.md b/ansible/roles/vulns_disable_firewall/README.md new file mode 100644 index 00000000..844eb095 --- /dev/null +++ b/ansible/roles/vulns_disable_firewall/README.md @@ -0,0 +1,37 @@ + +# vulns_disable_firewall + +## Description + +Disable Windows Firewall profiles for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Disable Domain firewall** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_disable_firewall +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_disable_firewall/meta/main.yml b/ansible/roles/vulns_disable_firewall/meta/main.yml new file mode 100644 index 00000000..0365c3f5 --- /dev/null +++ b/ansible/roles/vulns_disable_firewall/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_disable_firewall + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Disable Windows Firewall profiles for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - firewall + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns_disable_firewall/tasks/main.yml b/ansible/roles/vulns_disable_firewall/tasks/main.yml new file mode 100644 index 00000000..9c535474 --- /dev/null +++ b/ansible/roles/vulns_disable_firewall/tasks/main.yml 
@@ -0,0 +1,7 @@ +--- +- name: Disable Domain firewall + ansible.windows.win_powershell: + script: | + Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False + $Ansible.Changed = $true + tags: disable_firewall diff --git a/ansible/roles/vulns_enable_credssp_client/README.md b/ansible/roles/vulns_enable_credssp_client/README.md new file mode 100644 index 00000000..2be23224 --- /dev/null +++ b/ansible/roles/vulns_enable_credssp_client/README.md @@ -0,0 +1,37 @@ + +# vulns_enable_credssp_client + +## Description + +Enable CredSSP client authentication for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable wsman credssp** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_enable_credssp_client +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_enable_credssp_client/meta/main.yml b/ansible/roles/vulns_enable_credssp_client/meta/main.yml new file mode 100644 index 00000000..c493c03c --- /dev/null +++ b/ansible/roles/vulns_enable_credssp_client/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_enable_credssp_client + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable CredSSP client authentication for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - credssp + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/enable_credssp_client/tasks/main.yml b/ansible/roles/vulns_enable_credssp_client/tasks/main.yml similarity index 75% rename from ansible/roles/vulns/enable_credssp_client/tasks/main.yml rename to ansible/roles/vulns_enable_credssp_client/tasks/main.yml index 921018cb..51e92f3f 100644 
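Review bot: The task sets `$Ansible.Changed = $true` unconditionally, so every run reports a change even when all three profiles are already off, and the name "Disable Domain firewall" understates what the script does (`-Profile Domain,Private,Public`). Deriving the flag from `Get-NetFirewallProfile` and honouring `$Ansible.CheckMode` makes the role idempotent and check-mode safe, and the name should list the profiles it touches; the rewrite is below. Disabling the firewall is the intended lab weakness, so that part is not in question, only that the role reports honestly and does not mutate the host in check mode.
```yaml
- name: Disable Domain, Private and Public firewall profiles
  ansible.windows.win_powershell:
    script: |
      $enabled = Get-NetFirewallProfile -Profile Domain,Private,Public |
          Where-Object { $_.Enabled -eq 'True' }
      if ($enabled) {
          if (-not $Ansible.CheckMode) {
              $enabled | Set-NetFirewallProfile -Enabled False
          }
          $Ansible.Changed = $true
      } else {
          $Ansible.Changed = $false
      }
  tags: disable_firewall
```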
--- a/ansible/roles/vulns/enable_credssp_client/tasks/main.yml +++ b/ansible/roles/vulns_enable_credssp_client/tasks/main.yml @@ -1,3 +1,3 @@ -- name: "Enable wsman credssp " +- name: "Enable wsman credssp" ansible.windows.win_shell: Enable-WSManCredSSP -Role "Client" -DelegateComputer "*" -Force diff --git a/ansible/roles/vulns_enable_credssp_server/README.md b/ansible/roles/vulns_enable_credssp_server/README.md new file mode 100644 index 00000000..27181e6f --- /dev/null +++ b/ansible/roles/vulns_enable_credssp_server/README.md @@ -0,0 +1,37 @@ + +# vulns_enable_credssp_server + +## Description + +Enable CredSSP server authentication for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable wsman credssp** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_enable_credssp_server +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_enable_credssp_server/meta/main.yml b/ansible/roles/vulns_enable_credssp_server/meta/main.yml new file mode 100644 index 00000000..a7f80ef1 --- /dev/null +++ b/ansible/roles/vulns_enable_credssp_server/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_enable_credssp_server + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable CredSSP server authentication for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - credssp + - pentest + +dependencies: [] 
diff --git a/ansible/roles/vulns/enable_credssp_server/tasks/main.yml b/ansible/roles/vulns_enable_credssp_server/tasks/main.yml similarity index 69% rename from ansible/roles/vulns/enable_credssp_server/tasks/main.yml rename to ansible/roles/vulns_enable_credssp_server/tasks/main.yml index c58d8131..481bfa9b 100644 --- a/ansible/roles/vulns/enable_credssp_server/tasks/main.yml +++ b/ansible/roles/vulns_enable_credssp_server/tasks/main.yml @@ -1,3 +1,3 @@ -- name: "Enable wsman credssp " +- name: "Enable wsman credssp" ansible.windows.win_shell: Enable-WSManCredSSP -Role Server -Force diff --git a/ansible/roles/vulns_enable_llmnr/README.md b/ansible/roles/vulns_enable_llmnr/README.md new file mode 100644 index 00000000..65b91f98 --- /dev/null +++ b/ansible/roles/vulns_enable_llmnr/README.md @@ -0,0 +1,37 @@ + +# vulns_enable_llmnr + +## Description + +Enable LLMNR protocol for poisoning attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable LLMNR protocol** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_enable_llmnr +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_enable_llmnr/meta/main.yml b/ansible/roles/vulns_enable_llmnr/meta/main.yml new file mode 100644 index 00000000..2a45683f --- /dev/null +++ b/ansible/roles/vulns_enable_llmnr/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_enable_llmnr + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable LLMNR protocol for poisoning attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - llmnr + - pentest + - poisoning + +dependencies: [] 
diff --git a/ansible/roles/vulns/enable_llmnr/tasks/main.yml b/ansible/roles/vulns_enable_llmnr/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/enable_llmnr/tasks/main.yml rename to ansible/roles/vulns_enable_llmnr/tasks/main.yml diff --git a/ansible/roles/vulns_enable_nbt_ns/README.md b/ansible/roles/vulns_enable_nbt_ns/README.md new file mode 100644 index 00000000..6a158b9f --- /dev/null +++ b/ansible/roles/vulns_enable_nbt_ns/README.md @@ -0,0 +1,37 @@ + +# vulns_enable_nbt_ns + +## Description + +Enable NetBIOS Name Service for poisoning attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable NBT-NS protocol** (ansible.windows.win_powershell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_enable_nbt_ns +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_enable_nbt_ns/meta/main.yml b/ansible/roles/vulns_enable_nbt_ns/meta/main.yml new file mode 100644 index 00000000..c51dfecd --- /dev/null +++ b/ansible/roles/vulns_enable_nbt_ns/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_enable_nbt_ns + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable NetBIOS Name Service for poisoning attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - nbt_ns + - pentest + - poisoning + +dependencies: [] diff --git a/ansible/roles/vulns/enable_nbt-ns/tasks/main.yml b/ansible/roles/vulns_enable_nbt_ns/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/enable_nbt-ns/tasks/main.yml rename to ansible/roles/vulns_enable_nbt_ns/tasks/main.yml 
diff --git a/ansible/roles/vulns_files/README.md b/ansible/roles/vulns_files/README.md new file mode 100644 index 00000000..b168e8a2 --- /dev/null +++ b/ansible/roles/vulns_files/README.md @@ -0,0 +1,37 @@ + +# vulns_files + +## Description + +Deploy sensitive files to hosts for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Copy a single file** (ansible.windows.win_copy) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_files +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_files/meta/main.yml b/ansible/roles/vulns_files/meta/main.yml new file mode 100644 index 00000000..9b4b78c3 --- /dev/null +++ b/ansible/roles/vulns_files/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_files + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Deploy sensitive files to hosts for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - files + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/files/tasks/main.yml b/ansible/roles/vulns_files/tasks/main.yml similarity index 59% rename from ansible/roles/vulns/files/tasks/main.yml rename to ansible/roles/vulns_files/tasks/main.yml index 7a41bf94..0b9f3a09 100644 --- a/ansible/roles/vulns/files/tasks/main.yml +++ b/ansible/roles/vulns_files/tasks/main.yml @@ -1,5 +1,5 @@ - name: Copy a single file ansible.windows.win_copy: - src: "../ad/{{ domain_name }}/files/{{ item.value.src }}" + src: "{{ playbook_dir }}/../../ad/{{ domain_name }}/files/{{ item.value.src }}" dest: "{{ item.value.dest }}" with_dict: "{{ vulns_vars }}" 
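Review bot: The new `src` hardcodes a `../..` hop from `playbook_dir` to the repository root, so the role only resolves its files when the playbook is run from the checkout layout this commit introduces; a role default would let other entry points override it, e.g. `src: "{{ vulns_files_src_dir | default(playbook_dir ~ '/../../ad/' ~ domain_name ~ '/files') }}/{{ item.value.src }}"`. `item.value.src` is also spliced into the controller-side path unchecked, so a value containing `..` would read a file outside the lab's `files/` directory — presumably the lab config is trusted, but `{{ item.value.src | basename }}` would make that assumption explicit. If the role is being modernised anyway, `loop: "{{ vulns_vars | dict2items }}"` is the current idiom for `with_dict` and keeps `item.key`/`item.value` unchanged.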
diff --git a/ansible/roles/vulns_mssql/README.md b/ansible/roles/vulns_mssql/README.md new file mode 100644 index 00000000..5059707c --- /dev/null +++ b/ansible/roles/vulns_mssql/README.md @@ -0,0 +1,37 @@ + +# vulns_mssql + +## Description + +Configure vulnerable SQL Server settings for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Run SQL COMMAND** (ansible.windows.win_shell) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_mssql +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_mssql/meta/main.yml b/ansible/roles/vulns_mssql/meta/main.yml new file mode 100644 index 00000000..b9aa8e5c --- /dev/null +++ b/ansible/roles/vulns_mssql/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_mssql + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure vulnerable SQL Server settings for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - mssql + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/mssql/tasks/main.yml b/ansible/roles/vulns_mssql/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/mssql/tasks/main.yml rename to ansible/roles/vulns_mssql/tasks/main.yml diff --git a/ansible/roles/vulns_ntlmdowngrade/README.md b/ansible/roles/vulns_ntlmdowngrade/README.md new file mode 100644 index 00000000..75538abc --- /dev/null +++ b/ansible/roles/vulns_ntlmdowngrade/README.md 
@@ -0,0 +1,37 @@ + +# vulns_ntlmdowngrade + +## Description + +Configure NTLM authentication downgrade for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable LmCompatibilityLevel** (ansible.windows.win_regedit) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_ntlmdowngrade +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_ntlmdowngrade/meta/main.yml b/ansible/roles/vulns_ntlmdowngrade/meta/main.yml new file mode 100644 index 00000000..07d45e0a --- /dev/null +++ b/ansible/roles/vulns_ntlmdowngrade/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_ntlmdowngrade + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure NTLM authentication downgrade for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - ntlm + - pentest + - authentication + +dependencies: [] diff --git a/ansible/roles/vulns/ntlmdowngrade/tasks/main.yml b/ansible/roles/vulns_ntlmdowngrade/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/ntlmdowngrade/tasks/main.yml rename to ansible/roles/vulns_ntlmdowngrade/tasks/main.yml diff --git a/ansible/roles/vulns_openshares/README.md b/ansible/roles/vulns_openshares/README.md new file mode 100644 index 00000000..eeae3c5c --- /dev/null +++ b/ansible/roles/vulns_openshares/README.md 
@@ -0,0 +1,43 @@ + +# vulns_openshares + +## Description + +Create open SMB shares for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Ensure directory structure for public share exists** (ansible.windows.win_file) +- **Ensure public share exists** (ansible.windows.win_share) +- **Add or update registry path to allow guest access in SMB** (ansible.windows.win_regedit) +- **Activate guest account** (ansible.windows.win_command) +- **Ensure directory structure for all share exists** (ansible.windows.win_file) +- **Add all share everyone rights** (ansible.windows.win_acl) +- **All shares** (ansible.windows.win_share) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_openshares +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_openshares/meta/main.yml b/ansible/roles/vulns_openshares/meta/main.yml new file mode 100644 index 00000000..04f8284d --- /dev/null +++ b/ansible/roles/vulns_openshares/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_openshares + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Create open SMB shares for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - smb + - shares + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/openshares/tasks/main.yml b/ansible/roles/vulns_openshares/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/openshares/tasks/main.yml rename to ansible/roles/vulns_openshares/tasks/main.yml diff --git a/ansible/roles/vulns_permissions/README.md b/ansible/roles/vulns_permissions/README.md new file mode 100644 index 00000000..21bf1953 --- /dev/null +++ b/ansible/roles/vulns_permissions/README.md 
@@ -0,0 +1,37 @@ + +# vulns_permissions + +## Description + +Configure weak file and folder permissions for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Change folder allow rights** (ansible.windows.win_acl) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_permissions +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_permissions/meta/main.yml b/ansible/roles/vulns_permissions/meta/main.yml new file mode 100644 index 00000000..ef8fa74a --- /dev/null +++ b/ansible/roles/vulns_permissions/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_permissions + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Configure weak file and folder permissions for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - permissions + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/permissions/tasks/main.yml b/ansible/roles/vulns_permissions/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/permissions/tasks/main.yml rename to ansible/roles/vulns_permissions/tasks/main.yml diff --git a/ansible/roles/vulns_schedule/README.md b/ansible/roles/vulns_schedule/README.md new file mode 100644 index 00000000..efc35299 --- /dev/null +++ b/ansible/roles/vulns_schedule/README.md 
@@ -0,0 +1,37 @@ + +# vulns_schedule + +## Description + +Create vulnerable scheduled tasks for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create a task that will be repeated every minute** (community.windows.win_scheduled_task) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_schedule +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_schedule/meta/main.yml b/ansible/roles/vulns_schedule/meta/main.yml new file mode 100644 index 00000000..fafd7479 --- /dev/null +++ b/ansible/roles/vulns_schedule/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_schedule + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Create vulnerable scheduled tasks for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - scheduled_tasks + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/schedule/tasks/main.yml b/ansible/roles/vulns_schedule/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/schedule/tasks/main.yml rename to ansible/roles/vulns_schedule/tasks/main.yml diff --git a/ansible/roles/vulns_shares/README.md b/ansible/roles/vulns_shares/README.md new file mode 100644 index 00000000..650267c9 --- /dev/null +++ b/ansible/roles/vulns_shares/README.md 
@@ -0,0 +1,38 @@ + +# vulns_shares + +## Description + +Create SMB file shares for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Create directory if not exist** (ansible.windows.win_file) +- **Create share** (ansible.windows.win_share) + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_shares +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_shares/meta/main.yml b/ansible/roles/vulns_shares/meta/main.yml new file mode 100644 index 00000000..8fd857a2 --- /dev/null +++ b/ansible/roles/vulns_shares/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + role_name: vulns_shares + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Create SMB file shares for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - smb + - shares + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/shares/tasks/main.yml b/ansible/roles/vulns_shares/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/shares/tasks/main.yml rename to ansible/roles/vulns_shares/tasks/main.yml diff --git a/ansible/roles/vulns_smbv1/README.md b/ansible/roles/vulns_smbv1/README.md new file mode 100644 index 00000000..0323bf0f --- /dev/null +++ b/ansible/roles/vulns_smbv1/README.md 
@@ -0,0 +1,38 @@ + +# vulns_smbv1 + +## Description + +Enable SMBv1 protocol for attack simulation + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Enable SMBV1 feature** (ansible.windows.win_feature) +- **Reboot if feature requires it** (ansible.windows.win_reboot) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - vulns_smbv1 +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/vulns_smbv1/meta/main.yml b/ansible/roles/vulns_smbv1/meta/main.yml new file mode 100644 index 00000000..c8717df5 --- /dev/null +++ b/ansible/roles/vulns_smbv1/meta/main.yml @@ -0,0 +1,20 @@ +--- +galaxy_info: + role_name: vulns_smbv1 + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Enable SMBv1 protocol for attack simulation + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - vulnerability + - smb + - pentest + +dependencies: [] diff --git a/ansible/roles/vulns/smbv1/tasks/main.yml b/ansible/roles/vulns_smbv1/tasks/main.yml similarity index 100% rename from ansible/roles/vulns/smbv1/tasks/main.yml rename to ansible/roles/vulns_smbv1/tasks/main.yml diff --git a/ansible/roles/webdav/README.md b/ansible/roles/webdav/README.md new file mode 100644 index 00000000..3ebd91e0 --- /dev/null +++ b/ansible/roles/webdav/README.md 
@@ -0,0 +1,38 @@ + +# webdav + +## Description + +Install and configure WebDAV client on Windows hosts + +## Requirements + +- Ansible >= 2.15 + +## Role Variables + +## Tasks + +### main.yml + +- **Ensure WebDAV client feature is installed** (ansible.windows.win_feature) +- **Reboot after installing WebDAV client feature** (ansible.windows.win_reboot) - Conditional + +## Example Playbook + +```yaml +- hosts: servers + roles: + - webdav +``` + +## Author Information + +- **Author**: Dreadnode +- **Company**: Dreadnode +- **License**: GPL-3.0-or-later + +## Platforms + +- Windows: all + diff --git a/ansible/roles/webdav/meta/main.yml b/ansible/roles/webdav/meta/main.yml new file mode 100644 index 00000000..5704cd74 --- /dev/null +++ b/ansible/roles/webdav/meta/main.yml @@ -0,0 +1,19 @@ +--- +galaxy_info: + role_name: webdav + namespace: dreadnode + author: Dreadnode + company: Dreadnode + description: Install and configure WebDAV client on Windows hosts + license: GPL-3.0-or-later + min_ansible_version: "2.15" + platforms: + - name: Windows + versions: + - all + galaxy_tags: + - windows + - webdav + - configuration + +dependencies: [] diff --git a/dev-inventory b/dev-inventory index 257ed3a0..ddac8f98 100644 --- a/dev-inventory +++ b/dev-inventory @@ -11,7 +11,7 @@ env=dev ; SSM connection (windows) ansible_become=false -ansible_connection=aws_ssm +ansible_connection=amazon.aws.aws_ssm ansible_aws_ssm_bucket_name=dread-infra-alpha-operator-range-dev-us-west-2 ansible_aws_ssm_region=us-west-2 ansible_shell_type=powershell @@ -19,7 +19,7 @@ ansible_aws_ssm_s3_addressing_style=virtual ansible_remote_tmp=C:\Windows\Temp ; miscellaneous -data_path="{{ playbook_dir }}/../ad/GOAD-variant-1/data" +data_path="{{ playbook_dir }}/../../ad/GOAD-variant-1/data" ; global settings inventory default value keyboard_layouts=["en-US", "da-DK", "fr-FR"] diff --git a/docs/mkdocs/docs/installation/linux.md b/docs/mkdocs/docs/installation/linux.md index ff5d329f..8978d808 100644 
--- a/docs/mkdocs/docs/installation/linux.md +++ b/docs/mkdocs/docs/installation/linux.md @@ -164,7 +164,7 @@ - Install ansible-galaxy requirements: - If python < 3.11 ``` - poetry run ansible-galaxy ansible/requirements.yml + poetry run ansible-galaxy collection install -r ansible/requirements.yml ``` - If python >= 3.11 diff --git a/docs/olddocs/provisioning.md b/docs/olddocs/provisioning.md index 44757424..f37b9173 100644 --- a/docs/olddocs/provisioning.md +++ b/docs/olddocs/provisioning.md @@ -64,7 +64,7 @@ python3 -m pip install pywinrm - **ansible community.general** ```bash -ansible-galaxy install -r requirements.yml +ansible-galaxy collection install -r ansible/requirements.yml ``` - And than you can launch the ansible provisioning with (note that the vms must be in a running state, so vagrant up must have been done before that) diff --git a/goad/provisioner/ansible/ansible.py b/goad/provisioner/ansible/ansible.py index 6483a2a9..0d2240cd 100644 --- a/goad/provisioner/ansible/ansible.py +++ b/goad/provisioner/ansible/ansible.py @@ -51,7 +51,7 @@ def get_playbook_list(self, lab_name): # validate playbooks for playbook in playbook_datas: - playbook_path = GoadPath.get_provisioner_path() + playbook + playbook_path = GoadPath.get_provisioner_path() + 'playbooks' + os.path.sep + playbook if not os.path.isfile(playbook_path): Log.error(f'{playbook} not valid, file {playbook_path} not found') else: diff --git a/goad/provisioner/ansible/docker.py b/goad/provisioner/ansible/docker.py index cc7a653e..1805ef54 100644 --- a/goad/provisioner/ansible/docker.py +++ b/goad/provisioner/ansible/docker.py 
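Review bot: `GoadPath.get_provisioner_path() + 'playbooks' + os.path.sep + playbook` only yields a valid path if `get_provisioner_path()` already ends with a separator, which the concatenation does not guarantee; `os.path.join(GoadPath.get_provisioner_path(), 'playbooks', playbook)` handles both cases. `playbook` comes straight from `playbook_datas` and is spliced in unvalidated, so an absolute path or a `..` component resolves outside the playbooks directory and still passes the `os.path.isfile` check — if lab definitions can come from outside the repository, reject names where `os.path.basename(playbook) != playbook`. The enclosing `get_playbook_list` starts and ends outside the hunk.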
@@ -53,7 +53,7 @@ def run_playbook(self, playbook, inventories, tries=3, timeout=30, playbook_path if playbook_path is not None: ansible_path = Utils.transform_local_path_to_remote_path(playbook_path, self.remote_project_path) else: - ansible_path = '/goad/ansible' + ansible_path = '/goad/ansible/playbooks' while not run_complete: nb_try += 1 run_complete = self.command.run_docker_ansible(command, GoadPath.get_project_path(), ansible_path, self.sudo) diff --git a/goad/provisioner/ansible/local.py b/goad/provisioner/ansible/local.py index b97c0501..d943fecf 100644 --- a/goad/provisioner/ansible/local.py +++ b/goad/provisioner/ansible/local.py @@ -1,3 +1,4 @@ +import os from goad.log import Log from goad.utils import * from goad.provisioner.ansible.ansible import Ansible @@ -8,7 +9,7 @@ class LocalAnsibleProvisionerCmd(Ansible): def run_playbook(self, playbook, inventories, tries=3, timeout=30, playbook_path=None): if playbook_path is None: - playbook_path = self.path + playbook_path = self.path + 'playbooks' + os.path.sep Log.info(f'Run playbook : {playbook} with inventory file(s) : {", ".join(inventories)}') diff --git a/goad/provisioner/ansible/remote.py b/goad/provisioner/ansible/remote.py index a799b4b1..a7b3b558 100644 --- a/goad/provisioner/ansible/remote.py +++ b/goad/provisioner/ansible/remote.py @@ -34,7 +34,7 @@ def run(self, playbook=None): def run_playbook(self, playbook, inventories, tries=3, timeout=30, playbook_path=None): if playbook_path is None: - playbook_path = self.remote_project_path + '/ansible/' + playbook_path = self.remote_project_path + '/ansible/playbooks/' else: playbook_path = Utils.transform_local_path_to_remote_path(playbook_path, self.remote_project_path) diff --git a/goad/provisioner/ansible/runner.py b/goad/provisioner/ansible/runner.py index 25db7a01..33726ca1 100644 --- a/goad/provisioner/ansible/runner.py +++ b/goad/provisioner/ansible/runner.py @@ -1,3 +1,4 @@ +import os import time import ansible_runner 
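Review bot: In the local.py hunk, `self.path + 'playbooks' + os.path.sep` assumes `self.path` ends with a separator; `os.path.join(self.path, 'playbooks', '')` produces the same trailing-separator form without that assumption. The identical expression appears in runner.py, remote.py spells the location as `'/ansible/playbooks/'`, and docker.py hardcodes `'/goad/ansible/playbooks'`, so a single `GoadPath.get_playbooks_path()` helper (or one shared constant for the remote form) would keep the copies from drifting the next time the layout moves. `run_playbook` continues past the hunk in each of these files.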
@@ -11,7 +12,7 @@ class LocalAnsibleProvisionerEmbed(Ansible): def run_playbook(self, playbook, inventories, tries=3, timeout=30, playbook_path=None): if playbook_path is None: - playbook_path = self.path + playbook_path = self.path + 'playbooks' + os.path.sep Log.info(f'Run playbook : {playbook} with inventory file(s) : {", ".join(inventories)}') Log.cmd(f'ansible-playbook -i {" -i ".join(inventories)} {playbook}') diff --git a/goad/provisioner/ansible/vm.py b/goad/provisioner/ansible/vm.py index 92d0788a..80678f7d 100644 --- a/goad/provisioner/ansible/vm.py +++ b/goad/provisioner/ansible/vm.py @@ -38,7 +38,7 @@ def run(self, playbook=None): def run_playbook(self, playbook, inventories, tries=3, timeout=30, playbook_path=None): if playbook_path is None: - playbook_path = self.remote_project_path + '/ansible/' + playbook_path = self.remote_project_path + '/ansible/playbooks/' else: playbook_path = Utils.transform_local_path_to_remote_path(playbook_path, self.remote_project_path) diff --git a/requirements.txt b/requirements.txt index 1b2a4f33..b258da5d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,7 +7,14 @@ pyyaml boto3==1.42.79 botocore==1.42.79 # Ansible -ansible-core==2.20.4 +# IMPORTANT: ansible-core >=2.19 breaks Windows module execution over AWS SSM. +# In 2.19+, the `has_pipelining` gate was removed from `is_pipelining_enabled()`, +# causing the SSM plugin's `always_pipeline_modules=True` to force pipelining mode. +# Since the SSM plugin never sends `in_data` to the remote host, the PowerShell +# bootstrap_wrapper receives null input and all Windows modules fail with: +# "ConvertFrom-Json: Cannot bind argument to parameter 'InputObject' because it is null" +# Pin to 2.17.x until the amazon.aws SSM plugin properly handles pipelined in_data. +ansible-core>=2.17.0,<2.18.0 ansible_runner pywinrm # AZURE diff --git a/requirements.yml b/requirements.yml deleted file mode 100644 index 0b0f3e29..00000000 --- a/requirements.yml +++ /dev/null 
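Review bot: The pin moves from an exact `==2.20.4` to the range `>=2.17.0,<2.18.0`, which gives up the reproducible install that `boto3`/`botocore` above still have and lands on a branch several releases behind the one it replaces; check the ansible-core support matrix before merging, since 2.17 supports a narrower controller Python range than later branches and may no longer receive security fixes. The comment attributes the breakage to 2.19+, so if 2.18 works `<2.19.0` is a less restrictive ceiling, and either way the comment should point at the upstream amazon.aws issue (e.g. `# Tracking: <amazon.aws issue URL>`) so the pin is revisited when the SSM plugin is fixed. Prefer an exact patch pin within the chosen branch over the open range.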
@@ -1,6 +0,0 @@
----
-collections:
- - name: microsoft.ad
- version: 1.10.0
- - name: amazon.aws
- version: 11.2.0
diff --git a/requirements_311.yml b/requirements_311.yml
deleted file mode 100644
index 518a8a97..00000000
--- a/requirements_311.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-rich
-psutil
-Jinja2
-pyyaml
-# Ansible
-# setuptools for python >= 3.12
-setuptools
-ansible_runner
-# fix ansible-core version to avoid breaking changes
-# ansible-core 2.18.0 min version python 3.11
-ansible-core==2.18.0
-pywinrm
-# AZURE
-azure-identity
-azure-mgmt-compute
-azure-mgmt-network
-# AWS
-boto3
-# Proxmox
-proxmoxer
-requests
diff --git a/scripts/check.sh b/scripts/check.sh
index e8a9ec51..4e176842 100755
--- a/scripts/check.sh
+++ b/scripts/check.sh
@@ -299,7 +299,7 @@ check_ansible_env() {
 fi
 done
 if [ $GALAXY_OK -eq 0 ]; then
- (echo >&2 "${ERROR} ansible-galaxy requirements missing consider doing : ansible-galaxy install -r ansible/requirements.yml")
+ (echo >&2 "${ERROR} ansible-galaxy requirements missing consider doing : ansible-galaxy collection install -r ansible/requirements.yml")
 exit 1
 else
 (echo >&2 "${GOODTOGO} ansible-galaxy requirements ok")
diff --git a/scripts/get-playbook-files.sh b/scripts/get-playbook-files.sh
index 9fc1c4be..93ce17b2 100755
--- a/scripts/get-playbook-files.sh
+++ b/scripts/get-playbook-files.sh
@@ -20,119 +20,119 @@ declare -a files
 case "${PLAYBOOK}" in
 build)
 files=(
- "ansible/build.yml"
+ "ansible/playbooks/build.yml"
 "ansible/roles/common/tasks/main.yml"
- "ansible/roles/settings/keyboard/tasks/main.yml"
- "ansible/roles/settings/no_updates/tasks/main.yml"
- "ansible/roles/settings/updates/tasks/default.yml"
+ "ansible/roles/settings_keyboard/tasks/main.yml"
+ "ansible/roles/settings_no_updates/tasks/main.yml"
+ "ansible/roles/settings_updates/tasks/default.yml"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-servers)
 files=(
- "ansible/ad-servers.yml"
- "ansible/roles/settings/admin_password/tasks/main.yml"
- "ansible/roles/settings/hostname/tasks/main.yml"
+ "ansible/playbooks/ad-servers.yml"
+ "ansible/roles/settings_admin_password/tasks/main.yml"
+ "ansible/roles/settings_hostname/tasks/main.yml"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-parent-domain)
 files=(
- "ansible/ad-parent_domain.yml"
+ "ansible/playbooks/ad-parent_domain.yml"
 "ansible/roles/domain_controller/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-child-domain)
 files=(
- "ansible/ad-child_domain.yml"
+ "ansible/playbooks/ad-child_domain.yml"
 "ansible/roles/child_domain/tasks/main.yml"
 "ansible/roles/dns_conditional_forwarder/tasks/main.yml"
 "ansible/roles/parent_child_dns/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-members)
 files=(
- "ansible/ad-members.yml"
+ "ansible/playbooks/ad-members.yml"
 "ansible/roles/member_server/tasks/main.yml"
 "ansible/roles/commonwkstn/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-trusts)
 files=(
- "ansible/ad-trusts.yml"
- "ansible/roles/settings/disable_nat_adapter/tasks/main.yml"
+ 
"ansible/playbooks/ad-trusts.yml"
+ "ansible/roles/settings_disable_nat_adapter/tasks/main.yml"
 "ansible/roles/dns_conditional_forwarder/tasks/main.yml"
 "ansible/roles/trusts/tasks/main.yml"
- "ansible/roles/settings/enable_nat_adapter/tasks/main.yml"
+ "ansible/roles/settings_enable_nat_adapter/tasks/main.yml"
 "ansible/roles/dc_dns_conditional_forwarder/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-data)
 files=(
- "ansible/ad-data.yml"
+ "ansible/playbooks/ad-data.yml"
 "ansible/roles/password_policy/tasks/main.yml"
 "ansible/roles/ad/tasks/main.yml"
 "ansible/roles/ad/tasks/users.yml"
 "ansible/roles/ad/tasks/groups.yml"
 "ansible/roles/ad/tasks/ou.yml"
- "ansible/roles/settings/copy_files/tasks/main.yml"
+ "ansible/roles/settings_copy_files/tasks/main.yml"
 "ansible/roles/move_to_ou/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-gmsa)
 files=(
- "ansible/ad-gmsa.yml"
+ "ansible/playbooks/ad-gmsa.yml"
 "ansible/roles/gmsa/tasks/main.yml"
 "ansible/roles/gmsa_hosts/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 laps)
 files=(
- "ansible/laps.yml"
- "ansible/roles/laps/dc/tasks/main.yml"
- "ansible/roles/laps/dc/vars/main.yml"
- "ansible/roles/laps/dc/tasks/move_server_to_ou.yml"
- "ansible/roles/laps/dc/tasks/install.yml"
- "ansible/roles/laps/dc/defaults/main.yml"
+ "ansible/playbooks/laps.yml"
+ "ansible/roles/laps_dc/tasks/main.yml"
+ "ansible/roles/laps_dc/vars/main.yml"
+ "ansible/roles/laps_dc/tasks/move_server_to_ou.yml"
+ "ansible/roles/laps_dc/tasks/install.yml"
+ "ansible/roles/laps_dc/defaults/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-relations)
 files=(
- "ansible/ad-relations.yml"
- "ansible/roles/settings/adjust_rights/tasks/main.yml"
- 
"ansible/roles/settings/user_rights/tasks/main.yml"
+ "ansible/playbooks/ad-relations.yml"
+ "ansible/roles/settings_adjust_rights/tasks/main.yml"
+ "ansible/roles/settings_user_rights/tasks/main.yml"
 "ansible/roles/groups_domains/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 adcs)
 files=(
- "ansible/adcs.yml"
+ "ansible/playbooks/adcs.yml"
 "ansible/roles/adcs/tasks/main.yml"
 "ansible/roles/adcs_templates/tasks/main.yml"
 "ansible/roles/adcs_templates/files/ESC1.json"
@@ -146,21 +146,21 @@ case "${PLAYBOOK}" in
 "ansible/roles/adcs_templates/files/ADCSTemplate/ADCSTemplate.psm1"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 ad-acl)
 files=(
- "ansible/ad-acl.yml"
+ "ansible/playbooks/ad-acl.yml"
 "ansible/roles/acl/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 servers)
 files=(
- "ansible/servers.yml"
+ "ansible/playbooks/servers.yml"
 "ansible/roles/iis/tasks/main.yml"
 "ansible/roles/iis/files/index.html"
 "ansible/roles/mssql/tasks/main.yml"
@@ -173,54 +173,54 @@ case "${PLAYBOOK}" in
 "ansible/roles/webdav/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 security)
 files=(
- "ansible/security.yml"
- "ansible/roles/settings/windows_defender/tasks/main.yml"
- "ansible/roles/security/account_is_sensitive/tasks/main.yml"
- "ansible/roles/security/powershell_restrict/tasks/main.yml"
- "ansible/roles/security/enable_run_as_ppl/tasks/main.yml"
+ "ansible/playbooks/security.yml"
+ "ansible/roles/settings_windows_defender/tasks/main.yml"
+ "ansible/roles/security_account_is_sensitive/tasks/main.yml"
+ "ansible/roles/security_powershell_restrict/tasks/main.yml"
+ "ansible/roles/security_enable_run_as_ppl/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 vulnerabilities)
 files=(
- "ansible/vulnerabilities.yml"
- "ansible/roles/vulns/schedule/tasks/main.yml"
- "ansible/roles/vulns/autologon/tasks/main.yml"
- "ansible/roles/vulns/openshares/tasks/main.yml"
- "ansible/roles/vulns/disable_firewall/tasks/main.yml"
- "ansible/roles/vulns/ntlmdowngrade/tasks/main.yml"
- "ansible/roles/vulns/enable_credssp_client/tasks/main.yml"
- "ansible/roles/vulns/administrator_folder/tasks/main.yml"
- "ansible/roles/vulns/acls/tasks/main.yml"
- "ansible/roles/vulns/smbv1/tasks/main.yml"
- "ansible/roles/vulns/enable_llmnr/tasks/main.yml"
- "ansible/roles/vulns/adcs_templates/tasks/main.yml"
- "ansible/roles/vulns/adcs_templates/files/ADCSTemplate/ADCSTemplate.psd1"
- "ansible/roles/vulns/adcs_templates/files/ADCSTemplate/ADCSTemplate.psm1"
- "ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Tanium.json"
- "ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Demo.ps1"
- "ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/Build-ADCS.ps1"
- "ansible/roles/vulns/adcs_templates/files/ADCSTemplate/Examples/PowerShellCMS.json"
- 
"ansible/roles/vulns/adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.psm1"
- "ansible/roles/vulns/adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.schema.mof"
- "ansible/roles/vulns/permissions/tasks/main.yml"
- "ansible/roles/vulns/enable_nbt-ns/tasks/main.yml"
- "ansible/roles/vulns/directory/tasks/main.yml"
- "ansible/roles/vulns/files/tasks/main.yml"
- "ansible/roles/vulns/enable_credssp_server/tasks/main.yml"
- "ansible/roles/vulns/shares/tasks/main.yml"
- "ansible/roles/vulns/mssql/tasks/main.yml"
- "ansible/roles/vulns/credentials/tasks/main.yml"
+ "ansible/playbooks/vulnerabilities.yml"
+ "ansible/roles/vulns_schedule/tasks/main.yml"
+ "ansible/roles/vulns_autologon/tasks/main.yml"
+ "ansible/roles/vulns_openshares/tasks/main.yml"
+ "ansible/roles/vulns_disable_firewall/tasks/main.yml"
+ "ansible/roles/vulns_ntlmdowngrade/tasks/main.yml"
+ "ansible/roles/vulns_enable_credssp_client/tasks/main.yml"
+ "ansible/roles/vulns_administrator_folder/tasks/main.yml"
+ "ansible/roles/vulns_acls/tasks/main.yml"
+ "ansible/roles/vulns_smbv1/tasks/main.yml"
+ "ansible/roles/vulns_enable_llmnr/tasks/main.yml"
+ "ansible/roles/vulns_adcs_templates/tasks/main.yml"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/ADCSTemplate.psd1"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/ADCSTemplate.psm1"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Tanium.json"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Demo.ps1"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/Build-ADCS.ps1"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/Examples/PowerShellCMS.json"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.psm1"
+ "ansible/roles/vulns_adcs_templates/files/ADCSTemplate/DSCResources/COMMUNITY_ADCSTemplate/COMMUNITY_ADCSTemplate.schema.mof"
+ 
"ansible/roles/vulns_permissions/tasks/main.yml"
+ "ansible/roles/vulns_enable_nbt_ns/tasks/main.yml"
+ "ansible/roles/vulns_directory/tasks/main.yml"
+ "ansible/roles/vulns_files/tasks/main.yml"
+ "ansible/roles/vulns_enable_credssp_server/tasks/main.yml"
+ "ansible/roles/vulns_shares/tasks/main.yml"
+ "ansible/roles/vulns_mssql/tasks/main.yml"
+ "ansible/roles/vulns_credentials/tasks/main.yml"
 "${ENV}-inventory"
 "ad/GOAD/data/${ENV}-config.json"
- "ansible/data.yml"
+ "ansible/playbooks/data.yml"
 )
 ;;
 *)
diff --git a/scripts/run-playbook-with-retry.sh b/scripts/run-playbook-with-retry.sh
index 49f77101..5c0fa7c7 100755
--- a/scripts/run-playbook-with-retry.sh
+++ b/scripts/run-playbook-with-retry.sh
@@ -374,7 +374,7 @@ retry_with_error_specific_settings() {
 ${limit_args[@]+"${limit_args[@]}"} --forks=1 \
 -e "ansible_facts_gathering_timeout=60" \
 -e "gather_timeout=60" \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 network_adapter)
 log_message "Retrying with network adapter fix..."
@@ -383,7 +383,7 @@ retry_with_error_specific_settings() {
 ${limit_args[@]+"${limit_args[@]}"} \
 -e "skip_network_adapter_config=true" \
 -e "bypass_ethernet3_check=true" \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 ssm_transfer_error)
 log_message "SSM transfer error detected - likely ssm-user account issue on DC..."
@@ -411,7 +411,7 @@ retry_with_error_specific_settings() {
 -e "ansible_connection_timeout=300" \
 -e "ansible_command_timeout=300" \
 -e "ansible_aws_ssm_timeout=300" \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 connection_error)
 log_message "Retrying with increased connection timeout..."
@@ -420,7 +420,7 @@ retry_with_error_specific_settings() {
 ${limit_args[@]+"${limit_args[@]}"} \
 -e "ansible_connection_timeout=180" \
 -e "ansible_timeout=180" \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 powershell_interactive)
 log_message "Retrying with PowerShell interactive mode fix..."
@@ -430,7 +430,7 @@ retry_with_error_specific_settings() {
 -e "ansible_shell_type=powershell" \
 -e "force_ps_module=true" \
 -e "ansible_ps_version=5.1" \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 ssm_reconnection_needed)
 log_message "TargetNotConnected detected - waiting for SSM reconnection after reboot..."
@@ -468,7 +468,7 @@ retry_with_error_specific_settings() {
 -e "ansible_connection_timeout=180" \
 -e "ansible_timeout=180" \
 -e "ansible_facts_gathering_timeout=60" \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 ssm_user_account_issue)
 log_message "SSM user account issue detected (likely after DC promotion)..."
@@ -491,7 +491,7 @@ retry_with_error_specific_settings() {
 -e "ansible_connection_timeout=180" \
 -e "ansible_timeout=180" \
 -e "ansible_aws_ssm_timeout=300" \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 msi_installer_error)
 log_message "MSI installer error (rc 1603/3010) - usually requires reboot..."
@@ -507,14 +507,14 @@ retry_with_error_specific_settings() {
 run_ansible_command "$temp_log" \
 ansible-playbook ${VERBOSE_FLAG:+"${VERBOSE_FLAG}"} -i "${ENV}-inventory" \
 ${limit_args[@]+"${limit_args[@]}"} --forks=1 \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 unclassified:* | *)
 log_message "Retrying with general robust settings..."
 ANSIBLE_SSH_RETRIES=5 ANSIBLE_TIMEOUT=120 run_ansible_command "$temp_log" \
 ansible-playbook ${VERBOSE_FLAG:+"${VERBOSE_FLAG}"} -i "${ENV}-inventory" \
 ${limit_args[@]+"${limit_args[@]}"} --forks=1 \
- "ansible/$playbook"
+ "ansible/playbooks/$playbook"
 ;;
 esac
 }
@@ -526,12 +526,12 @@ temp_log="/tmp/ansible_temp_$(date +%s)_$RANDOM.log"
 while [[ $retry_count -lt ${MAX_RETRIES} ]] && [[ "$success" = "false" ]]; do
 if [[ $retry_count -gt 0 ]]; then
- log_message "Retry attempt $retry_count for ansible/${PLAYBOOK}..."
+ log_message "Retry attempt $retry_count for playbooks/${PLAYBOOK}..."
 log_message "Waiting ${RETRY_DELAY} seconds before retrying..."
 sleep "${RETRY_DELAY}"
 fi
- log_message "Starting ansible/${PLAYBOOK}..."
+ log_message "Starting playbooks/${PLAYBOOK}..."
 true > "$temp_log"
 ansible_exit_code=0
@@ -557,7 +557,7 @@ while [[ $retry_count -lt ${MAX_RETRIES} ]] && [[ "$success" = "false" ]]; do
 ansible-playbook ${VERBOSE_FLAG:+"${VERBOSE_FLAG}"} -i "${ENV}-inventory" \
 ${LIMIT_ARGS[@]+"${LIMIT_ARGS[@]}"} \
 -e "ansible_facts_gathering_timeout=60" \
- "ansible/${PLAYBOOK}" 2>&1 | tee "$temp_log" | tee -a "${LOG_FILE}"
+ "ansible/playbooks/${PLAYBOOK}" 2>&1 | tee "$temp_log" | tee -a "${LOG_FILE}"
 echo $? > /tmp/ansible_exit_$$
 } &
@@ -617,7 +617,7 @@ while [[ $retry_count -lt ${MAX_RETRIES} ]] && [[ "$success" = "false" ]]; do
 log_message "Will retry playbook..."
 continue
 else
- log_message "ERROR: ansible/${PLAYBOOK} timed out after ${MAX_RETRIES} attempts. Stopping execution."
+ log_message "ERROR: playbooks/${PLAYBOOK} timed out after ${MAX_RETRIES} attempts. Stopping execution."
 rm -f "$temp_log"
 exit 1
 fi
@@ -625,7 +625,7 @@ while [[ $retry_count -lt ${MAX_RETRIES} ]] && [[ "$success" = "false" ]]; do
 if [[ "$ansible_exit_code" -eq 0 ]] && check_ansible_success "$temp_log"; then
 success=true
- log_message "Completed ansible/${PLAYBOOK} successfully."
+ log_message "Completed playbooks/${PLAYBOOK} successfully."
 else
 log_message "Playbook failed"
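Review bot: The log strings in this hunk now say `playbooks/${PLAYBOOK}` while the command actually executed in the `-557` hunk just below is `"ansible/playbooks/${PLAYBOOK}"`, so the path an operator reads in the log is not the path they can open; `log_message "Starting ansible/playbooks/${PLAYBOOK}..."` (and the same for the retry, timeout and completion messages here and in the `-617`, `-625` and `-647` hunks) keeps them aligned with the real file. Outside the scope of this change but visible in the hunk context, `temp_log="/tmp/ansible_temp_$(date +%s)_$RANDOM.log"` and `echo $? > /tmp/ansible_exit_$$` use predictable names in a shared world-writable directory; `temp_log="$(mktemp /tmp/ansible_temp.XXXXXX)"` is the usual remedy. The `while` loop these hunks belong to starts and ends outside the diff.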
@@ -647,11 +647,11 @@ while [[ $retry_count -lt ${MAX_RETRIES} ]] && [[ "$success" = "false" ]]; do
 if [[ "$retry_exit_code" -eq 0 ]] && check_ansible_success "$temp_log"; then
 success=true
- log_message "Completed ansible/${PLAYBOOK} successfully after error-specific retry."
+ log_message "Completed playbooks/${PLAYBOOK} successfully after error-specific retry."
 else
 retry_count=$((retry_count + 1))
 if [[ $retry_count -eq ${MAX_RETRIES} ]]; then
- log_message "ERROR: ansible/${PLAYBOOK} failed after ${MAX_RETRIES} attempts. Stopping execution."
+ log_message "ERROR: playbooks/${PLAYBOOK} failed after ${MAX_RETRIES} attempts. Stopping execution."
 {
 echo "==============================================="
 echo "SSM Provisioning Script failed at $(date)"
diff --git a/scripts/setup_aws.sh b/scripts/setup_aws.sh
index 8c0b0314..61bcf76c 100755
--- a/scripts/setup_aws.sh
+++ b/scripts/setup_aws.sh
@@ -13,7 +13,7 @@ python3 -m pip install ansible-core==2.12.6
 python3 -m pip install pywinrm
 # Install the required ansible libraries
-/home/goad/.local/bin/ansible-galaxy install -r /home/goad/GOAD/ansible/requirements.yml
+/home/goad/.local/bin/ansible-galaxy collection install -r /home/goad/GOAD/ansible/requirements.yml
 # set color
 sudo sed -i '/force_color_prompt=yes/s/^#//g' /home/*/.bashrc
diff --git a/scripts/setup_azure.sh b/scripts/setup_azure.sh
index 8c0b0314..61bcf76c 100755
--- a/scripts/setup_azure.sh
+++ b/scripts/setup_azure.sh
@@ -13,7 +13,7 @@ python3 -m pip install ansible-core==2.12.6
 python3 -m pip install pywinrm
 # Install the required ansible libraries
-/home/goad/.local/bin/ansible-galaxy install -r /home/goad/GOAD/ansible/requirements.yml
+/home/goad/.local/bin/ansible-galaxy collection install -r /home/goad/GOAD/ansible/requirements.yml
 # set color
 sudo sed -i '/force_color_prompt=yes/s/^#//g' /home/*/.bashrc
diff --git a/scripts/setup_esxi.sh b/scripts/setup_esxi.sh
index 137f4eb6..a6cf5833 100755
--- a/scripts/setup_esxi.sh
+++ b/scripts/setup_esxi.sh
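Review bot: Two lines above the changed `ansible-galaxy collection install` call in setup_aws.sh, the hunk context still runs `python3 -m pip install ansible-core==2.12.6`, so this jumpbox installs an ansible-core series that is long out of upstream maintenance and that diverges from the `>=2.17.0,<2.18.0` range this same commit writes into requirements.txt; setup_azure.sh carries the identical lines (its `index` line shows the same blob ids). Installing from the repository's pinned file instead, `python3 -m pip install -r /home/goad/GOAD/requirements.txt`, would keep these hosts on the version the rest of the commit was tested against. Whether the collections named in `ansible/requirements.yml` even install cleanly on 2.12.6 is not visible here and is worth checking before merging.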
@@ -21,7 +21,7 @@ python3 -m pip install pywinrm
 ######################################################################################################
 # ANSIBLE Galaxy
-ansible-galaxy install -r ansible/requirements.yml
+ansible-galaxy collection install -r ansible/requirements.yml
 echo "#################################################"
 echo "You will need to run: source .venv/bin/activate"
diff --git a/scripts/setup_local_jumpbox.sh b/scripts/setup_local_jumpbox.sh
index 61d40470..4d692e35 100755
--- a/scripts/setup_local_jumpbox.sh
+++ b/scripts/setup_local_jumpbox.sh
@@ -22,8 +22,8 @@ python3 -m pip install --upgrade pip
 cd "$GOAD_REPO" || exit
 python3 -m pip install -r requirements.yml
-cd "$GOAD_REPO/ansible" || exit
-/home/vagrant/.local/bin/ansible-galaxy install -r requirements.yml
+cd "$GOAD_REPO" || exit
+/home/vagrant/.local/bin/ansible-galaxy collection install -r ansible/requirements.yml
 # set color
 sudo sed -i '/force_color_prompt=yes/s/^#//g' /home/*/.bashrc
diff --git a/scripts/setup_proxmox.sh b/scripts/setup_proxmox.sh
index 8fb15dcb..c849262c 100755
--- a/scripts/setup_proxmox.sh
+++ b/scripts/setup_proxmox.sh
@@ -36,7 +36,7 @@ python3 -m pip install pywinrm
 ######################################################################################################
 # ANSIBLE Galaxy
-ansible-galaxy install -r ansible/requirements.yml
+ansible-galaxy collection install -r ansible/requirements.yml
 echo "#################################################"
 echo "You will need to run: source .venv/bin/activate"
diff --git a/staging-inventory b/staging-inventory
index e6b732b8..8978aee0 100644
--- a/staging-inventory
+++ b/staging-inventory
@@ -11,7 +11,7 @@ env=staging
 ; SSM connection (windows)
 ansible_become=false
-ansible_connection=aws_ssm
+ansible_connection=amazon.aws.aws_ssm
 ansible_aws_ssm_bucket_name=dread-infra-alpha-operator-range-staging-us-west-1
 ansible_aws_ssm_region=us-west-1
 ansible_shell_type=powershell
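Review bot: In the setup_local_jumpbox.sh hunk, the context line directly above the change, `python3 -m pip install -r requirements.yml`, now points at a file this same commit deletes (the root `requirements.yml`, see its `deleted file mode` entry earlier in the diff), so the script will fail at that line before it ever reaches the new `ansible-galaxy collection install`; the intended target is presumably `requirements.txt`, which is the file the rest of the commit pins. The added `cd "$GOAD_REPO" || exit` repeats the identical line two lines earlier and can be dropped, since the new `-r ansible/requirements.yml` already resolves relative to `$GOAD_REPO`.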
@@ -20,7 +20,7 @@ ansible_aws_ssm_retries=3
 ansible_remote_tmp=C:\Windows\Temp
 ; miscellaneous
-data_path="{{ playbook_dir }}/../ad/GOAD/data"
+data_path="{{ playbook_dir }}/../../ad/GOAD/data"
 ; global settings inventory default value
 keyboard_layouts=["en-US", "da-DK", "fr-FR"]