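---
# Author: Simon Monai
# Copyright: Sidarion AG 2021
# License: MIT
#
# Stopgap mitigation for Log4j CVE-2021-44228 on FortiSIEM 6.3.x.
#
# NOTE(review): Apache later stated that log4j2.formatMsgNoLookups and the
# %m{nolookups} pattern do not cover every code path that performs lookups.
# Treat this playbook as a temporary measure and move to a vendor release
# that ships a fixed Log4j (or removes the JndiLookup class) when available.
#
# NOTE(review): lineinfile appends `line` at end of file when `regexp`
# matches nothing and `line` is not already present. If a host carries a
# ConversionPattern different from the ones matched below, that appends a
# second ConversionPattern entry instead of editing the existing one.
# Review the `backup: true` copies after a run.

- name: Fix FortiSIEM 6.3.x from Log4J CVE-2021-44228 on Supervisors
  hosts: fortisiem_super
  vars:
    # Mapping form; the list-of-dicts form of `vars` is legacy syntax.
    elastic: true
  tasks:
    - name: Disable Lookup in log4j.properties for Elastic-Based deployments
      ansible.builtin.lineinfile:
        path: /opt/phoenix/config/javaQueryServer/log4j.properties
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        backup: true
        state: present
      loop:
        - regexp: '^log4j\.appender\.stdout\.layout\.ConversionPattern=%5p \[%t\] \(%F:%L\) - %m%n$'
          line: 'log4j.appender.stdout.layout.ConversionPattern=%5p [%t] (%F:%L) - %m{nolookups}%n'
        - regexp: '^log4j\.appender\.R\.layout\.ConversionPattern=%d %p \[%t\] %c - %m%n$'
          line: 'log4j.appender.R.layout.ConversionPattern=%d %p [%t] %c - %m{nolookups}%n'
        - regexp: '^log4j\.appender\.SYSLOG\.layout\.ConversionPattern=%d\{MMM dd HH:mm:ss\} %m%n$'
          line: 'log4j.appender.SYSLOG.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %m{nolookups}%n'
      # Only when elastic is enabled. `| bool` keeps this correct when the
      # value is overridden as a string (e.g. -e elastic=no).
      when: elastic | bool
      tags:
        - elastic
        - fortisiem_super
        - fortisiem
        - cve-2021-44228

    - name: Add JVM Option
      ansible.builtin.lineinfile:
        path: /opt/glassfish/domains/domain1/config/domain.xml
        # GlassFish reads JVM flags from <jvm-options> elements inside
        # <java-config>; the flag is wrapped in that element so it is not
        # left as a bare text node in the XML.
        line: '<jvm-options>-Dlog4j2.formatMsgNoLookups=true</jvm-options>'
        # lineinfile inserts before the LAST matching line. If domain.xml
        # holds more than one <java-config> section, confirm the option
        # lands in the one used by the running server.
        insertbefore: '<\/java-config>$'
        # insertafter: '-Dcom\.sun\.enterprise\.server\.logging\.max_history_files=20<\/jvm-options>$'
        state: present
        backup: true
      tags:
        - fortisiem
        - cve-2021-44228

# NOTE(review): the play above restarts nothing itself. Supervisors only get
# the restart below if they are also members of the `fortisiem` group;
# confirm against the inventory.
- name: Fix FortiSIEM 6.3.x from Log4J CVE-2021-44228 on all type of machines
  hosts: fortisiem
  tasks:
    - name: Disable Lookup in log4j.properties R Conversion Pattern
      ansible.builtin.lineinfile:
        path: /opt/phoenix/config/log4j.properties
        regexp: '^log4j\.appender\.R\.layout\.ConversionPattern=%d %p \[%t\] %c - %m%n$'
        line: 'log4j.appender.R.layout.ConversionPattern=%d %p [%t] %c - %m{nolookups}%n'
        backup: true
        state: present
      tags:
        - fortisiem
        - cve-2021-44228

    - name: Disable Lookup in log4j.properties in Syslog Conversion pattern
      ansible.builtin.lineinfile:
        path: /opt/phoenix/config/log4j.properties
        # Braces escaped so they are unambiguously literal, matching the
        # SYSLOG pattern used in the supervisor play.
        regexp: '^log4j\.appender\.SYSLOG\.layout\.ConversionPattern=%d\{MMM dd HH:mm:ss\} %m%n$'
        line: 'log4j.appender.SYSLOG.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %m{nolookups}%n'
        backup: true
        state: present
      tags:
        - fortisiem
        - cve-2021-44228

    - name: Add No Lookups Line to Config file
      ansible.builtin.lineinfile:
        path: /opt/phoenix/config/log4j.properties
        # NOTE(review): Log4j 2 reads formatMsgNoLookups as a system property
        # (or from log4j2.component.properties). Whether an entry in this
        # file is honoured depends on how FortiSIEM loads it; verify on a
        # host rather than relying on this line alone.
        line: "log4j2.formatMsgNoLookups=True"
        backup: true
        state: present
      tags:
        - fortisiem
        - cve-2021-44228

    - name: Restart FortiSIEM
      become: true
      # SIGKILL ends every java process on the host without a clean shutdown
      # and presumably relies on FortiSIEM's own process monitor to respawn
      # them; confirm the services are back after the run. killall exits
      # non-zero when no java process exists, which fails this task.
      ansible.builtin.command:
        cmd: killall -9 java
      # Runs on every invocation, so it always reports a change.
      changed_when: true
      tags:
        - fortisiem
        - cve-2021-44228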