fix(crowdsec): update parser 'crowdsecurity/nextcloud-whitelist'

update note: - deprecate custom whitelist expression - apply 'crowdsecurity/nextcloud-whitelist' parser
2026-05-03 07:19:59 +09:00
parent 70bf539546
commit 880857a70a
3 changed files with 26 additions and 14 deletions
@@ -36,10 +36,15 @@
  ansible.builtin.set_fact:
    acquisd_list:
      fw:
-        collection: "crowdsecurity/suricata"
+        collection:
          - "crowdsecurity/suricata"
        parser: []
        config: "suricata.yaml"
      auth:
-        collection: "crowdsecurity/caddy"
+        collection:
          - "crowdsecurity/caddy"
        parser:
          - "crowdsecurity/nextcloud-whitelist"
        config: "caddy.yaml"
 - name: Deploy crowdsec-update service files
@@ -181,7 +186,8 @@
  block:
    - name: Install crowdsec collection
      ansible.builtin.command:
-        cmd: "cscli collections install {{ acquisd_list[node['name']]['collection'] }}"
+        cmd: "cscli collections install {{ item }}"
      loop: "{{ acquisd_list[node['name']]['collection'] }}"
      become: true
      changed_when: "'overwrite' not in is_collection_installed.stderr"
      failed_when:
@@ -189,6 +195,17 @@
        - "'already installed' not in is_collection_installed.stderr"
      register: "is_collection_installed"
    - name: Install crowdsec parser
      ansible.builtin.command:
        cmd: "cscli parsers install {{ item }}"
      loop: "{{ acquisd_list[node['name']]['parser'] }}"
      become: true
      changed_when: "'overwrite' not in is_parser_installed.stderr"
      failed_when:
        - is_parser_installed.rc != 0
        - "'already installed' not in is_parser_installed.stderr"
      register: "is_parser_installed"
    - name: Create crowdsec acquis.d directory
      ansible.builtin.file:
        path: "/etc/crowdsec/acquis.d"
@@ -18,9 +18,4 @@ whitelist:
        - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
        # opencloud chunk request false positive
        - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
        # nextcloud chunk request false positive (crowdsecurity/http-crawl-non_statics)
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'"
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'"
        # nextcloud upload directory request 404 error false positive (crowdsecurity/http-probing)
        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'"
 {% endif %}
@@ -14,18 +14,18 @@
  - fw ban users' IP address.
 ## Reason
- Nextcloud uses chunks for actions, and uploading and downloading
+- Nextcloud has a lot of workflows which can be caught from crowdsec
    - chunks on '/apps/viewer/js', '/dist/'
    - `crowdsecurity/http-crawl-non_statics`
 - Nextcloud keeps checking directory which is uploading
    - upload directory '/remote.php/dav/files/'
    - `crowdsecurity/http-probing`
 ## Timeline
 - 2026-05-02: Release nextcloud
 - 2026-05-02: Find the false positive case, and add whitelist
 - 2026-05-03: Install crowdsecurity/nextcloud-whitelist parser
 - 2026-05-03: Make previous expressions annotation
 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 ### Deprecated solution
 - Access to fw
  - Check the ban list with `sudo cscli alerts list`
  - Read the ban case with `sudo cscli alerts inspect $NUMBER`