debops/debops-playbooks

Proposed role: debops.ids

tobijb opened this issue · 1 comment

Provide default intrusion detection systems like debops.ossec + debops.audit? Leverage the ELK stack for audit views and OSSEC for notifications (email + script)?

Should:

  • Audit user logins
  • Audit known activities (DDoS, SYN flood, auth attempts)
  • Audit custom activities (Watch this file in /opt/secret for changes)
  • Notify for known activities (MD5 change of core lib or executable)
  • Notify for custom activities (if desired)
    ...

Graylog could be used instead of the ELK stack, but this role would be great.
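The "notify on MD5 change of core lib or executable" item above is the baseline-and-compare integrity check that OSSEC's syscheck performs. The script below is an added example of that check written for this page; it is not code from the debops project, from OSSEC, or from the issue author. It assumes the caller picks the directories to baseline and where the JSON baseline is stored (both hypothetical here), and it defaults to SHA-256 rather than the MD5 the issue mentions, because MD5 collisions are practical; pass `algorithm="md5"` to match what older OSSEC reports. The tampered "core lib" scenario in `demo()` is constructed in a temporary directory so the script runs offline.

```python
"""Baseline-and-compare file integrity check (the kind of check OSSEC's
syscheck performs). Added example, not debops or OSSEC code.
Assumptions: roots and baseline store are chosen by the caller; SHA-256 by
default (the issue says MD5, which is collision-prone)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large binaries do not get read into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots, algorithm="sha256"):
    """Walk roots and record digest, mode, owner and size for regular files.
    Symlinks, devices and sockets are skipped: hashing them is meaningless
    and following symlinks would let an attacker point the scan elsewhere."""
    baseline = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = Path(dirpath) / name
                try:
                    st = p.lstat()
                except FileNotFoundError:
                    continue  # file vanished mid-scan
                if not stat.S_ISREG(st.st_mode):
                    continue
                baseline[str(p)] = {
                    "digest": file_digest(p, algorithm),
                    "mode": stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid,
                    "size": st.st_size,
                }
    return baseline


def compare(old, new):
    """Return (kind, path) tuples a notifier should report. Mode/owner
    changes are reported even when content is unchanged, so a newly
    setuid binary is caught."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append(("added", path))
        elif path not in new:
            changes.append(("removed", path))
        elif old[path]["digest"] != new[path]["digest"]:
            changes.append(("modified", path))
        elif (old[path]["mode"], old[path]["uid"]) != (new[path]["mode"], new[path]["uid"]):
            changes.append(("attributes", path))
    return changes


def save_baseline(baseline, store: Path):
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path):
    return json.loads(store.read_text())


def demo():
    """Constructed scenario: a 'core lib' directory is baselined, then a
    library is patched, an implant is dropped and the loader is removed."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "libc.so.6").write_bytes(b"original library bytes")
        (lib / "ld.so").write_bytes(b"loader bytes")
        store = Path(tmp) / "baseline.json"  # hypothetical baseline location
        save_baseline(build_baseline([lib]), store)

        (lib / "libc.so.6").write_bytes(b"original library bytes + backdoor")
        (lib / "evil.so").write_bytes(b"implant")
        (lib / "ld.so").unlink()

        changes = compare(load_baseline(store), build_baseline([lib]))
        return [(kind, Path(p).name) for kind, p in changes]


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind:10} {name}")
```

In a real deployment the baseline file must live somewhere the monitored host cannot silently rewrite (OSSEC keeps it on the server side for agents), otherwise an attacker who can replace a library can also re-baseline it.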