Merge pull request #9 from nginxinc/threat-campaigns

Threat campaigns

Author: aknot242

README.md

@@ -111,6 +111,10 @@ This is a sample playbook file for using the role to install NGINX App Protect o
     # This option installs the latest NGINX App Protect signatures.
     app_protect_install_signatures: true
 
+    # The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called Threat Campaigns.
+    # This option installs the latest NGINX App Protect Threat Campaigns signatures.
+    app_protect_install_threat_campaigns: true
+
     # Creates basic configuration files and enables NGINX App Protect on the target host
     app_protect_configure: true
 

defaults/main.yml

@@ -22,6 +22,10 @@ app_protect_selinux_enforcing: true
 # This option installs the latest NGINX App Protect signatures.
 app_protect_install_signatures: true
 
+# The installation of NGINX App Protect can include a page of frequently-updated, high-accuracy signatures called Threat Campaigns.
+# This option installs the latest NGINX App Protect Threat Campaigns signatures.
+app_protect_install_threat_campaigns: false
+
 # Creates basic configuration files and enables NGINX App Protect on the target host
 app_protect_configure: false
 

molecule/default/converge.yml

@@ -4,6 +4,7 @@
   vars:
     app_protect_enable: true
     app_protect_install_signatures: true
+    app_protect_install_threat_campaigns: true
     app_protect_configure: true
     app_protect_security_policy_template_enable: true
     security_policy_enforcement_mode: blocking

tasks/configure-selinux.yml

@@ -99,7 +99,7 @@
     group: nginx
     mode: u=rwx,go=rx,g+s
     state: directory
-  
+
 - name: "(Install: SELinux: Contexts) Apply contexts to log"
   command: restorecon -iRv /var/log/app_protect
   changed_when: false

tasks/delete-license.yml

@@ -10,8 +10,8 @@
     state: absent
   when: ansible_distribution != "Alpine"
 
-- import_tasks: setup-debian.yml
+- import_tasks: setup-debian-repos.yml
   when: ansible_os_family == "Debian"
 
-- import_tasks: setup-redhat.yml
+- import_tasks: setup-redhat-repos.yml
   when: ansible_os_family == "RedHat"

tasks/install-app-protect-linux.yml

@@ -1,11 +1,11 @@
 ---
-- name: "Remove NGINX App Protect"
+- name: "Setup NGINX App Protect Repositories"
   block:
 
-    - import_tasks: setup-debian.yml
+    - import_tasks: setup-debian-repos.yml
       when: ansible_os_family == "Debian"
 
-    - import_tasks: setup-redhat.yml
+    - import_tasks: setup-redhat-repos.yml
       when: ansible_os_family == "RedHat"
 
   when: app_protect_state != "absent"

tasks/install-threat-campaigns.yml

@@ -0,0 +1,28 @@
+---
+- name: Get NGINX Plus version
+  set_fact:
+    key_value: "" # appeasing the linter
+    nginx_plus_version: "{{ ansible_facts.packages['nginx-plus'] | map(attribute='version') | list | first | regex_search('^(\\d{1,3})') }}"
+  when: "'nginx-plus' in ansible_facts.packages"
+
+- name: Debug nginx plus version
+  debug:
+    msg: "nginx_plus_version {{ nginx_plus_version }}"
+    verbosity: 2
+
+- name: Fail if NGINX+ version preconditions fail
+  assert:
+    that:
+      - nginx_plus_version is defined
+      - nginx_plus_version | int >= 19
+    fail_msg: >
+      "'nginx_plus_version' release version must be a minimum of 19 for App Protect.
+      Actual: {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
+    success_msg: "'nginx_plus_version' is {{ (nginx_plus_version is defined) | ternary(nginx_plus_version, 'NONE') }}"
+    quiet: true
+
+- name: "(Install: Linux) Install Latest NGINX App Protect Threat Campaigns"
+  package:
+    name: "app-protect-threat-campaigns"
+    state: "{{ app_protect_state }}"
+  notify: "(Handler: All OSs) Restart NGINX"

tasks/main.yml

@@ -40,18 +40,25 @@
     - import_tasks: keys/apt-key.yml
       when:
         - ansible_os_family == "Debian"
-        - app_protect_install_signatures
+        - app_protect_state != "absent"
+          or app_protect_install_signatures
+          or app_protect_install_threat_campaigns
       tags: nginx_aptkey
 
     - import_tasks: keys/rpm-key.yml
       when:
         - ansible_os_family == "RedHat"
-        - app_protect_install_signatures
+        - app_protect_state != "absent"
+          or app_protect_install_signatures
+          or app_protect_install_threat_campaigns
       tags: nginx_rpmkey
 
     - name: "(All OSs) Setup license"
       import_tasks: setup-license.yml
-      when: app_protect_install_signatures
+      when:
+        - app_protect_state != "absent"
+          or app_protect_install_signatures
+          or app_protect_install_threat_campaigns
 
     - name: "Install NGINX App Protect"
       import_tasks: install-app-protect.yml
@@ -60,6 +67,10 @@
       import_tasks: install-signatures.yml
       when: app_protect_install_signatures
 
+    - name: "NGINX App Protect Threat Campaigns"
+      import_tasks: install-threat-campaigns.yml
+      when: app_protect_install_threat_campaigns
+
     - name: "Remove license"
       import_tasks: delete-license.yml
       when:
@@ -74,7 +85,7 @@
 
 - name: "(Install: CentOS) Setup SELinux"
   include_tasks: "{{ role_path }}/tasks/configure-selinux.yml"
-  when: 
+  when:
     - app_protect_selinux
     - ansible_os_family == "RedHat"