-
Notifications
You must be signed in to change notification settings - Fork 0
/
playbook.yaml
88 lines (77 loc) · 2.89 KB
/
playbook.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
---
- hosts: ansible-srv1
gather_facts: true
tasks:
- name: Prowler Execution
block:
- name: Create Scan ID
set_fact:
scan_id: "{{ ansible_date_time.iso8601 }}"
- name: Set Execution Facts
set_fact:
splunk_event: "{{ { 'sourcetype': 'prowler:json', 'event': { 'scan_id': scan_id, 'data': [] } } }}"
# example: https://splunk:8088/services/collector/event
splunk_hec_url: "https://{{ lookup('env','SPLUNK_HEC_SERVER') }}:{{ lookup('env','SPLUNK_HEC_PORT') }}/services/collector/event"
- name: Ensure python and jq are installed
yum:
name:
- python3
- python3-pip
- jq
state: present
become: true
- name: Ensure python modules awscli and detect-secret
pip:
name:
- awscli
- detect-secrets
state: present
become: true
- name: Download prowler.tgz
get_url:
url: https://github.com/toniblyx/prowler/archive/refs/tags/2.4.1.tar.gz
dest: ~/prowler.tgz
- name: Extract prowler.tgz
unarchive:
src: ~/prowler.tgz
dest: ~/
remote_src: true
- name: Remove prowler folder prior to extraction
file:
path: ~/prowler
state: absent
- name: Rename the repo folder
shell: mv ~/prowler-* ~/prowler
- name: Execute prowler
environment:
AWS_ACCESS_KEY_ID: "{{ lookup('env','AWS_ACCESS_KEY_ID')}}"
AWS_SECRET_ACCESS_KEY: "{{ lookup('env','AWS_SECRET_ACCESS_KEY')}}"
shell: cd prowler && ./prowler -b -n -M json -g cislevel1 > ~/results.json
register: task_result
ignore_errors: true
- name: Output prower result
debug:
msg:
- "{{ task_result }}"
- name: Pull the results locally to read json
ansible.builtin.fetch:
src: ~/results.json
dest: ~/results.json
flat: true
- name: Send to splunk from localhost
delegate_to: localhost
uri:
url: "{{ splunk_hec_url }}"
method: 'POST'
body_format: json
status_code: [200, 202]
return_content: true
headers:
Content-Type: application/json
Authorization: "Splunk {{ lookup('env','SPLUNK_HEC_TOKEN') }}"
body: "{{ { 'sourcetype': 'prowler:json', 'event': { 'scan_id': scan_id, 'data': splunk_event.event.data + [ (item | from_json) ] } } }}"
validate_certs: false
with_items: "{{ lookup('file', '~/results.json').splitlines() }}"
tags:
- prowler
- prowler-aws