Move to subfolder & adapt paths

cloud/open-telekom-cloud/ansible/custom_ews.yaml

@@ -0,0 +1,10 @@
+# This playbook sets a custom EWS config on the T-Pot
+
+- hosts: TPOT
+  remote_user: linux
+  become: yes
+  become_user: root
+  become_method: sudo
+
+  roles:
+    - custom_ews

cloud/open-telekom-cloud/ansible/install.yaml

@@ -0,0 +1,13 @@
+# This playbook deploys a T-Pot
+
+- hosts: TPOT
+  remote_user: linux
+  become: yes
+  become_user: root
+  become_method: sudo
+  gather_facts: no
+
+  roles:
+    - install
+
+

cloud/open-telekom-cloud/ansible/reboot.yaml

@@ -0,0 +1,12 @@
+# This playbook reboots a T-Pot
+
+- hosts: TPOT
+  remote_user: linux
+  become: yes
+  become_user: root
+  become_method: sudo
+
+  tasks:
+    - name: Finally rebooting t-pot in one minute - make sure your next login is on port 64295 or via https:// on port 64297
+      shell: /sbin/shutdown -r -t 1
+      become: true

cloud/open-telekom-cloud/ansible/roles/custom_ews/tasks/main.yaml

@@ -0,0 +1,40 @@
+- name: Copy ews configuration file
+  template:
+    src: ../templates/ews.cfg
+    dest: /data/ews/conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Patching tpot.yml with custom ews configuration file
+  lineinfile:
+    path: /opt/tpot/etc/tpot.yml
+    insertafter: '/opt/ewsposter/ews.ip'
+    line: '     - /data/ews/conf/ews.cfg:/opt/ewsposter/ews.cfg'
+
+- name: Lookup HPFEED environment variables
+  set_fact:
+    myENABLE: "{{ lookup('env', 'myENABLE') }}"
+    myHOST: "{{ lookup('env', 'myHOST') }}"
+    myPORT: "{{ lookup('env', 'myPORT') }}"
+    myCHANNEL: "{{ lookup('env', 'myCHANNEL') }}"
+    myIDENT: "{{ lookup('env', 'myIDENT') }}"
+    mySECRET: "{{ lookup('env', 'mySECRET') }}"
+    myCERT: "{{ lookup('env', 'myCERT') }}"
+    myFORMAT: "{{ lookup('env', 'myFORMAT') }}"
+
+- name: Apply HPFEED settings in tpot.yml
+  lineinfile:
+    path: /opt/tpot/etc/tpot.yml
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  with_items:
+    - { regexp: 'EWS_HPFEEDS_ENABLE.*', line: '     - EWS_HPFEEDS_ENABLE={{ myENABLE | lower }}' }
+    - { regexp: 'EWS_HPFEEDS_HOST.*', line: '     - EWS_HPFEEDS_HOST={{ myHOST }}' }
+    - { regexp: 'EWS_HPFEEDS_PORT.*', line: '     - EWS_HPFEEDS_PORT={{ myPORT }}' }
+    - { regexp: 'EWS_HPFEEDS_CHANNELS.*', line: '     - EWS_HPFEEDS_CHANNELS={{ myCHANNEL }}' }
+    - { regexp: 'EWS_HPFEEDS_IDENT.*', line: '     - EWS_HPFEEDS_IDENT={{ myIDENT }}' }
+    - { regexp: 'EWS_HPFEEDS_SECRET.*', line: '     - EWS_HPFEEDS_SECRET={{ mySECRET }}' }
+    - { regexp: 'EWS_HPFEEDS_TLSCERT.*', line: '     - EWS_HPFEEDS_TLSCERT={{ myCERT }}' }
+    - { regexp: 'EWS_HPFEEDS_TLSCERT.False', line: '     - EWS_HPFEEDS_TLSCERT={{ myCERT | lower }}' }
+    - { regexp: 'EWS_HPFEEDS_FORMAT.*', line: '     - EWS_HPFEEDS_FORMAT={{ myFORMAT }}' }

cloud/open-telekom-cloud/ansible/roles/custom_ews/templates/ews.cfg

@@ -0,0 +1,137 @@
+[MAIN]
+homedir = /opt/ewsposter/
+spooldir = /opt/ewsposter/spool/
+logdir = /opt/ewsposter/log/
+del_malware_after_send = false
+send_malware = true
+sendlimit = 500
+contact = your_email_address
+proxy =
+ip =
+
+[EWS]
+ews = true
+username = your_username
+token = your_token
+rhost_first = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
+rhost_second = https://community.sicherheitstacho.eu/ews-0.1/alert/postSimpleMessage
+ignorecert = false
+
+[HPFEED]
+hpfeed = %(EWS_HPFEEDS_ENABLE)s
+host = %(EWS_HPFEEDS_HOST)s
+port = %(EWS_HPFEEDS_PORT)s
+channels = %(EWS_HPFEEDS_CHANNELS)s
+ident = %(EWS_HPFEEDS_IDENT)s
+secret= %(EWS_HPFEEDS_SECRET)s
+# path/to/certificate for tls broker - or "false" for non-tls broker
+tlscert = %(EWS_HPFEEDS_TLSCERT)s
+# hpfeeds submission format: "ews" (xml) or "json"
+hpfformat = %(EWS_HPFEEDS_FORMAT)s
+
+[EWSJSON]
+json = false
+jsondir = /data/ews/json/
+
+[GLASTOPFV3]
+glastopfv3 = true
+nodeid = glastopfv3-{{ HPNAME }}
+sqlitedb = /data/glastopf/db/glastopf.db
+malwaredir = /data/glastopf/data/files/
+
+[GLASTOPFV2]
+glastopfv2 = false
+nodeid =
+mysqlhost =
+mysqldb =
+mysqluser =
+mysqlpw =
+malwaredir =
+
+[KIPPO]
+kippo = false
+nodeid =
+mysqlhost =
+mysqldb =
+mysqluser =
+mysqlpw =
+malwaredir =
+
+[COWRIE]
+cowrie = true
+nodeid = cowrie-{{ HPNAME }}
+logfile = /data/cowrie/log/cowrie.json
+
+[DIONAEA]
+dionaea = true
+nodeid = dionaea-{{ HPNAME }}
+malwaredir = /data/dionaea/binaries/
+sqlitedb = /data/dionaea/log/dionaea.sqlite
+
+[HONEYTRAP]
+honeytrap = true
+nodeid = honeytrap-{{ HPNAME }}
+newversion = true
+payloaddir = /data/honeytrap/attacks/
+attackerfile = /data/honeytrap/log/attacker.log
+
+[RDPDETECT]
+rdpdetect = false
+nodeid =
+iptableslog =
+targetip =
+
+[EMOBILITY]
+eMobility = false
+nodeid = emobility-{{ HPNAME }}
+logfile = /data/emobility/log/centralsystemEWS.log
+
+[CONPOT]
+conpot = true
+nodeid = conpot-{{ HPNAME }}
+logfile = /data/conpot/log/conpot*.json
+
+[ELASTICPOT]
+elasticpot = true
+nodeid = elasticpot-{{ HPNAME }}
+logfile = /data/elasticpot/log/elasticpot.log
+
+[SURICATA]
+suricata = true
+nodeid = suricata-{{ HPNAME }}
+logfile = /data/suricata/log/eve.json
+
+[MAILONEY]
+mailoney = true
+nodeid = mailoney-{{ HPNAME }}
+logfile = /data/mailoney/log/commands.log
+
+[RDPY]
+rdpy = true
+nodeid = rdpy-{{ HPNAME }}
+logfile = /data/rdpy/log/rdpy.log
+
+[VNCLOWPOT]
+vnclowpot = true
+nodeid = vnclowpot-{{ HPNAME }}
+logfile = /data/vnclowpot/log/vnclowpot.log
+
+[HERALDING]
+heralding = true
+nodeid = heralding-{{ HPNAME }}
+logfile = /data/heralding/log/auth.csv
+
+[CISCOASA]
+ciscoasa = true
+nodeid = ciscoasa-{{ HPNAME }}
+logfile = /data/ciscoasa/log/ciscoasa.log
+
+[TANNER]
+tanner = true
+nodeid = tanner-{{ HPNAME }}
+logfile = /data/tanner/log/tanner_report.json
+
+[GLUTTON]
+glutton = true
+nodeid = glutton-{{ HPNAME }}
+logfile = /data/glutton/log/glutton.log

cloud/open-telekom-cloud/ansible/roles/install/tasks/main.yaml

@@ -0,0 +1,50 @@
+- name: Waiting for SSH connection
+  wait_for_connection:
+    delay: 30
+    timeout: 300
+
+- name: Gathering Facts
+  setup:
+
+- name: Cloning t-pot install directory
+  git:
+    repo: 'https://github.com/dtag-dev-sec/tpotce.git'
+    dest: /root/tpot
+
+- name: Prepare to set user password 
+  set_fact:
+    user_password: "{{ lookup('env', 'LINUX_PASS') }}"
+    user_salt: 's0mew1ck3dTpoT'
+
+- name: Changing password for user linux to {{ user_password }}
+  user:
+   name: "linux"
+   password: "{{ user_password | password_hash('sha512', user_salt) }}"
+   state: present
+   shell: /bin/bash
+   update_password: always
+
+- name: Copy t-pot configuration file
+  template:
+    src: ../../../../../../iso/installer/tpot.conf.dist
+    dest: /root/tpot.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Install t-pot on ECS -  be patient, this might take 15 to 30 minutes depending on the connection speed. No further output is given. 
+  command: /root/tpot/iso/installer/install.sh --type=auto --conf=/root/tpot.conf
+
+- name: Delete t-pot configuration file
+  file:
+    path: /root/tpot.conf
+    state: absent
+
+- name: Change unattended-upgrades to take default action
+  blockinfile:
+    dest: /etc/apt/apt.conf.d/50unattended-upgrades
+    block: |
+      Dpkg::Options {
+        "--force-confdef";
+        "--force-confold";
+      }