annotate modules/apache/manifests/mod/security.pp @ 275:d9352a684e62

Mass update of modules to remove deprecation warnings
author IBBoard <dev@ibboard.co.uk>
date Sun, 26 Jan 2020 11:36:07 +0000
parents 675c1cc61eaf
children b8d6ada284dd
rev   line source
275
1
2 # @summary
3 # Installs and configures `mod_security`.
4 #
5 # @param version
6 # Manage mod_security or mod_security2
7 #
8 # @param logroot
9 # Configures the location of audit and debug logs.
10 #
11 # @param crs_package
12 # Name of package that installs CRS rules.
13 #
14 # @param activated_rules
15 # An array of rule files to activate via symlinks, given either relative to modsec_crs_path or as absolute paths.
16 #
17 # @param modsec_dir
18 # Defines the path where Puppet installs the modsec configuration and activated rules links.
19 #
20 # @param modsec_secruleengine
21 # Configures the rules engine.
22 #
23 # @param audit_log_relevant_status
24 # Configures which response status code is to be considered relevant for the purpose of audit logging.
25 #
26 # @param audit_log_parts
27 # Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a
28 # letter appears in the list then the equivalent part will be recorded.
29 #
30 # @param secpcrematchlimit
31 # Sets the match limit in the PCRE library.
32 #
33 # @param secpcrematchlimitrecursion
34 # Sets the match limit recursion in the PCRE library.
35 #
36 # @param allowed_methods
37 # A space-separated list of allowed HTTP methods.
38 #
39 # @param content_types
40 # A list of one or more allowed MIME types.
41 #
42 # @param restricted_extensions
43 # A space-separated list of prohibited file extensions.
44 #
45 # @param restricted_headers
46 # A list of restricted headers separated by slashes and spaces.
47 #
48 # @param secdefaultaction
49 # Defines the default list of actions, which will be inherited by the rules in the same configuration context.
50 #
51 # @param anomaly_score_blocking
52 # Activates or deactivates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set.
53 #
54 # @param inbound_anomaly_threshold
55 # Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
56 #
57 # @param outbound_anomaly_threshold
58 # Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
59 #
60 # @param critical_anomaly_score
61 # Sets the Anomaly Score for rules assigned with a critical severity.
62 #
63 # @param error_anomaly_score
64 # Sets the Anomaly Score for rules assigned with an error severity.
65 #
66 # @param warning_anomaly_score
67 # Sets the Anomaly Score for rules assigned with a warning severity.
68 #
69 # @param notice_anomaly_score
70 # Sets the Anomaly Score for rules assigned with a notice severity.
71 #
72 # @param secrequestmaxnumargs
73 # Sets the maximum number of arguments in the request.
74 #
75 # @param secrequestbodylimit
76 # Sets the maximum request body size ModSecurity will accept for buffering.
77 #
78 # @param secrequestbodynofileslimit
79 # Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported
80 # in the request.
81 #
82 # @param secrequestbodyinmemorylimit
83 # Configures the maximum request body size that ModSecurity will store in memory.
84 #
85 # @param manage_security_crs
86 # Toggles whether to manage ModSecurity Core Rule Set
87 #
88 # @see https://github.com/SpiderLabs/ModSecurity/wiki for additional documentation.
89 #
36
90 class apache::mod::security (
257
91 $logroot = $::apache::params::logroot,
275
92 $version = $::apache::params::modsec_version,
257
93 $crs_package = $::apache::params::modsec_crs_package,
94 $activated_rules = $::apache::params::modsec_default_rules,
95 $modsec_dir = $::apache::params::modsec_dir,
96 $modsec_secruleengine = $::apache::params::modsec_secruleengine,
97 $audit_log_relevant_status = '^(?:5|4(?!04))',
98 $audit_log_parts = $::apache::params::modsec_audit_log_parts,
99 $secpcrematchlimit = $::apache::params::secpcrematchlimit,
100 $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion,
101 $allowed_methods = 'GET HEAD POST OPTIONS',
102 $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
103 $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
104 $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
105 $secdefaultaction = 'deny',
106 $anomaly_score_blocking = 'off',
107 $inbound_anomaly_threshold = '5',
108 $outbound_anomaly_threshold = '4',
109 $critical_anomaly_score = '5',
110 $error_anomaly_score = '4',
111 $warning_anomaly_score = '3',
112 $notice_anomaly_score = '2',
113 $secrequestmaxnumargs = '255',
114 $secrequestbodylimit = '13107200',
115 $secrequestbodynofileslimit = '131072',
116 $secrequestbodyinmemorylimit = '131072',
275
117 $manage_security_crs = true,
257
118 ) inherits ::apache::params {
# Pull the base apache class into the catalog before configuring the module.
include ::apache

# Work out the default action handed to the CRS template. A value that already
# contains "log" (log, nolog, auditlog, noauditlog) is used exactly as given;
# any other value gets ",log" appended so that the default action logs.
# Note that an explicit `nolog` also matches and is passed through unchanged.
$_secdefaultaction = $secdefaultaction ? {
  /log/   => $secdefaultaction,
  default => "${secdefaultaction},log",
}
36
125
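# Abort catalog compilation on platforms this class does not support.
if $::osfamily == 'FreeBSD' {
  fail('FreeBSD is not currently supported')
}

# versioncmp() compares the release as a version number. The `<` operator on
# two strings orders them lexically (in Puppet 4 and later), so a release such
# as '9' would not compare as lower than '11' and the guard would be skipped.
if ($::osfamily == 'Suse' and versioncmp($::operatingsystemrelease, '11') < 0) {
  fail('SLES 10 is not currently supported.')
}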
133
275
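# Pick the Apache module name and the name of its configuration file for the
# requested ModSecurity major version. Any other value stops the compilation,
# so the WAF is never left half-configured under an unknown version.
# NOTE(review): the cases are the integers 1 and 2 — confirm that callers and
# $::apache::params::modsec_version never supply the version as a string.
case $version {
  1: {
    $mod_name      = 'security'
    $mod_conf_name = 'security.conf'
  }
  2: {
    $mod_name      = 'security2'
    $mod_conf_name = 'security2.conf'
  }
  default: {
    # Spelling of the message corrected (was 'Unsuported').
    fail('Unsupported version for mod security')
  }
}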
# Load the ModSecurity module under the name selected for $version.
# NOTE(review): id and lib are fixed to the 2.x values ('security2_module',
# 'mod_security2.so') even when $mod_name is 'security' — confirm this is what
# a version 1 install needs, otherwise the module may fail to load and
# requests would be served without the WAF.
::apache::mod { $mod_name:
  lib => 'mod_security2.so',
  id  => 'security2_module',
}
151
257
152
36
# Load mod_unique_id next to ModSecurity. ModSecurity 2.x uses the identifier
# this module assigns to each request as the transaction id in its logs.
::apache::mod { 'unique_id_module':
  lib => 'mod_unique_id.so',
  id  => 'unique_id_module',
}
157
# When a Core Rule Set package is named, install it before the Apache conf.d
# directory and the ModSecurity directory are managed.
# `installed` leaves an already-present package at its current version, so
# rule set updates depend on the host's regular package patching.
if $crs_package {
  package { $crs_package:
    ensure => 'installed',
    before => [
      File[$::apache::confd_dir],
      File[$modsec_dir],
    ],
  }
}
167
# Main ModSecurity configuration file, rendered from the ERB template and
# written into the Apache module directory; a change restarts the service.
# Variables the template reads:
# - $logroot
# - $modsec_dir
# - $audit_log_parts
# - $secpcrematchlimit
# - $secpcrematchlimitrecursion
# - $secrequestbodylimit
# - $secrequestbodynofileslimit
# - $secrequestbodyinmemorylimit
# NOTE(review): the file is owned by $::apache::params::user. If that is the
# account the server runs as, the process the WAF protects owns its own WAF
# configuration and can change the file's permissions regardless of
# $::apache::file_mode. Consider root ownership — confirm nothing else relies
# on the current owner.
file { 'security.conf':
  ensure  => file,
  path    => "${::apache::mod_dir}/${mod_conf_name}",
  owner   => $::apache::params::user,
  group   => $::apache::params::group,
  mode    => $::apache::file_mode,
  content => template('apache/mod/security.conf.erb'),
  require => Exec["mkdir ${::apache::mod_dir}"],
  before  => File[$::apache::mod_dir],
  notify  => Class['apache::service'],
}
188
# Root-owned directory that holds the ModSecurity configuration.
# recurse + purge + force make Puppet remove everything below it that is not in
# the catalog, so rule files or exclusions placed there by hand do not survive
# a Puppet run; keep local tuning in Puppet-managed resources.
file { $modsec_dir:
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  recurse => true,
  purge   => true,
  force   => true,
  require => Package['httpd'],
}
199
# Directory for the activated rules. Entries Puppet does not manage are purged,
# and any change notifies the Apache service.
# NOTE(review): mode 0555 removes write permission, but the directory belongs
# to $::apache::params::user. If that is the account the server runs as, it can
# restore write access to a directory it owns and alter which rules are
# active. Root ownership (as on $modsec_dir) would avoid that — confirm against
# how the rule links are created.
file { "${modsec_dir}/activated_rules":
  ensure  => directory,
  owner   => $::apache::params::user,
  group   => $::apache::params::group,
  mode    => '0555',
  recurse => true,
  purge   => true,
  force   => true,
  notify  => Class['apache::service'],
}
# Only when $manage_security_crs is set: write security_crs.conf and, on the
# platforms selected below, declare the rule links.
if $manage_security_crs {
  # Variables read by the security_crs.conf.erb template:
  #   $_secdefaultaction
  #   $critical_anomaly_score
  #   $error_anomaly_score
  #   $warning_anomaly_score
  #   $notice_anomaly_score
  #   $inbound_anomaly_threshold
  #   $outbound_anomaly_threshold
  #   $anomaly_score_blocking
  #   $allowed_methods
  #   $content_types
  #   $restricted_extensions
  #   $restricted_headers
  #   $secrequestmaxnumargs
  #
  # NOTE(review): no owner, group or mode is set on this resource in the
  # visible code; confirm the effective permissions leave this file writable
  # by root only.
  file { "${modsec_dir}/security_crs.conf":
    ensure  => file,
    require => File[$modsec_dir],
    notify  => Class['apache::service'],
    content => template('apache/mod/security_crs.conf.erb'),
  }

  # Rule links are declared everywhere except SLES, Debian 9 or later and
  # Ubuntu 18.04 or later; the original comment gives "a different rule
  # setup" on Debian 9 as the reason.
  # NOTE(review): nothing in this block activates rules on the excluded
  # platforms; confirm the rule set is loaded there by another path.
  unless (
    $::operatingsystem == 'SLES'
    or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0)
    or ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0)
  ) {
    apache::security::rule_link { $activated_rules: }
  }
}
238 }