annotate modules/apache/manifests/mod/security.pp @ 482:d83de9b3a62b default tip

Update hiera.yaml within Puppet config Forgot that we manage it from here. Now has content to match new packages
author IBBoard <dev@ibboard.co.uk>
date Fri, 30 Aug 2024 16:10:36 +0100
parents adf6fe9bbc17
children
1 # @summary
2 # Installs and configures `mod_security`.
3 #
4 # @param version
5 # Manage mod_security or mod_security2
6 #
7 # @param logroot
8 # Configures the location of audit and debug logs.
9 #
10 # @param crs_package
11 # Name of package that installs CRS rules.
12 #
13 # @param activated_rules
14 # An array of rules, given relative to the modsec_crs_path or as absolute paths, to activate via symlinks.
15 #
16 # @param custom_rules
17 #
18 # @param custom_rules_set
19 #
20 # @param modsec_dir
21 # Defines the path where Puppet installs the modsec configuration and activated rules links.
22 #
23 # @param modsec_secruleengine
24 # Configures the rules engine.
25 #
26 # @param audit_log_relevant_status
27 # Configures which response status code is to be considered relevant for the purpose of audit logging.
28 #
29 # @param audit_log_parts
30 # Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a
31 # letter appears in the list then the equivalent part will be recorded.
32 #
33 # @param audit_log_type
34 # Defines the type of audit logging mechanism to be used.
35 #
36 # @param audit_log_storage_dir
37 # Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used.
38 #
39 # @param secpcrematchlimit
40 # Sets the match limit in the PCRE library.
41 #
42 # @param secpcrematchlimitrecursion
43 # Sets the match limit recursion in the PCRE library.
44 #
45 # @param allowed_methods
46 # A space-separated list of allowed HTTP methods.
47 #
48 # @param content_types
49 # A list of one or more allowed MIME types.
50 #
51 # @param restricted_extensions
52 # A space-separated list of prohibited file extensions.
53 #
54 # @param restricted_headers
55 # A list of restricted headers separated by slashes and spaces.
56 #
57 # @param secdefaultaction
58 # Defines the default list of actions, which will be inherited by the rules in the same configuration context.
59 #
60 # @param inbound_anomaly_threshold
61 # Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
62 #
63 # @param outbound_anomaly_threshold
64 # Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
65 #
66 # @param critical_anomaly_score
67 # Sets the Anomaly Score for rules assigned with a critical severity.
68 #
69 # @param error_anomaly_score
70 # Sets the Anomaly Score for rules assigned with an error severity.
71 #
72 # @param warning_anomaly_score
73 # Sets the Anomaly Score for rules assigned with a warning severity.
74 #
75 # @param notice_anomaly_score
76 # Sets the Anomaly Score for rules assigned with a notice severity.
77 #
78 # @param paranoia_level
79 # Sets the paranoia level in the OWASP ModSecurity Core Rule Set.
80 #
81 # @param executing_paranoia_level
82 # Sets the executing paranoia level in the OWASP ModSecurity Core Rule Set.
83 # The default is equal to, and cannot be lower than, $paranoia_level.
84 #
85 # @param secrequestmaxnumargs
86 # Sets the maximum number of arguments in the request.
87 #
88 # @param secrequestbodylimit
89 # Sets the maximum request body size ModSecurity will accept for buffering.
90 #
91 # @param secrequestbodynofileslimit
92 # Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported
93 # in the request.
94 #
95 # @param secrequestbodyinmemorylimit
96 # Configures the maximum request body size that ModSecurity will store in memory.
97 #
98 # @param secrequestbodyaccess
99 # Toggle SecRequestBodyAccess On or Off
100 #
101 # @param secrequestbodylimitaction
102 # Controls what happens once a request body limit, configured with
103 # SecRequestBodyLimit, is encountered
104 #
105 # @param secresponsebodyaccess
106 # Toggle SecResponseBodyAccess On or Off
107 #
108 # @param secresponsebodylimitaction
109 # Controls what happens once a response body limit, configured with
110 # SecResponseBodyLimitAction, is encountered.
111 #
112 # @param manage_security_crs
113 # Toggles whether to manage ModSecurity Core Rule Set
114 #
115 # @param enable_dos_protection
116 # Toggles the optional OWASP ModSecurity Core Rule Set DOS protection rule
117 # (rule id 900700)
118 #
119 # @param dos_burst_time_slice
120 # Configures time in which a burst is measured for the OWASP ModSecurity Core Rule Set DOS protection rule
121 # (rule id 900700)
122 #
123 # @param dos_counter_threshold
124 # Configures the amount of requests that can be made within dos_burst_time_slice before it is considered a burst in
125 # the OWASP ModSecurity Core Rule Set DOS protection rule (rule id 900700)
126 #
127 # @param dos_block_timeout
128 # Configures how long the client should be blocked when the dos_counter_threshold is exceeded in the OWASP
129 # ModSecurity Core Rule Set DOS protection rule (rule id 900700)
130 #
131 # @see https://github.com/SpiderLabs/ModSecurity/wiki for additional documentation.
132 # @see https://coreruleset.org/docs/ for additional documentation.
133 #
134 class apache::mod::security (
135 Stdlib::Absolutepath $logroot = $apache::params::logroot,
136 Integer $version = $apache::params::modsec_version,
137 Optional[String] $crs_package = $apache::params::modsec_crs_package,
138 Array[String] $activated_rules = $apache::params::modsec_default_rules,
139 Boolean $custom_rules = $apache::params::modsec_custom_rules,
140 Optional[Array[String]] $custom_rules_set = $apache::params::modsec_custom_rules_set,
141 Stdlib::Absolutepath $modsec_dir = $apache::params::modsec_dir,
142 String $modsec_secruleengine = $apache::params::modsec_secruleengine,
143 String $audit_log_relevant_status = '^(?:5|4(?!04))',
144 String $audit_log_parts = $apache::params::modsec_audit_log_parts,
145 String $audit_log_type = $apache::params::modsec_audit_log_type,
146 Optional[Stdlib::Absolutepath] $audit_log_storage_dir = undef,
147 Integer $secpcrematchlimit = $apache::params::secpcrematchlimit,
148 Integer $secpcrematchlimitrecursion = $apache::params::secpcrematchlimitrecursion,
149 String $allowed_methods = 'GET HEAD POST OPTIONS',
150 String $content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
151 String $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
152 String $restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
153 String $secdefaultaction = 'deny',
154 Integer $inbound_anomaly_threshold = 5,
155 Integer $outbound_anomaly_threshold = 4,
156 Integer $critical_anomaly_score = 5,
157 Integer $error_anomaly_score = 4,
158 Integer $warning_anomaly_score = 3,
159 Integer $notice_anomaly_score = 2,
160 Integer $secrequestmaxnumargs = 255,
161 Integer $secrequestbodylimit = 13107200,
162 Integer $secrequestbodynofileslimit = 131072,
163 Integer $secrequestbodyinmemorylimit = 131072,
164 Integer[1,4] $paranoia_level = 1,
165 Integer[1,4] $executing_paranoia_level = $paranoia_level,
166 Apache::OnOff $secrequestbodyaccess = 'On',
167 Apache::OnOff $secresponsebodyaccess = 'Off',
168 Enum['Reject', 'ProcessPartial'] $secrequestbodylimitaction = 'Reject',
169 Enum['Reject', 'ProcessPartial'] $secresponsebodylimitaction = 'ProcessPartial',
170 Boolean $manage_security_crs = true,
171 Boolean $enable_dos_protection = true,
172 Integer[1, default] $dos_burst_time_slice = 60,
173 Integer[1, default] $dos_counter_threshold = 100,
174 Integer[1, default] $dos_block_timeout = 600,
175 ) inherits apache::params {
176 include apache
177
178 $_secdefaultaction = $secdefaultaction ? {
179 /log/ => $secdefaultaction, # it has log or nolog,auditlog or log,noauditlog
180 default => "${secdefaultaction},log",
181 }
182
183 if $facts['os']['family'] == 'FreeBSD' {
184 fail('FreeBSD is not currently supported')
185 }
186
187 if ($facts['os']['family'] == 'Suse' and versioncmp($facts['os']['release']['major'], '11') < 0) {
188 fail('SLES 10 is not currently supported.')
189 }
190
191 if ($executing_paranoia_level < $paranoia_level) {
192 fail('Executing paranoia level cannot be lower than paranoia level')
193 }
194
195 case $version {
196 1: {
197 $mod_name = 'security'
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
198 $mod_conf_name = 'security.conf'
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
199 }
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
200 2: {
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
201 $mod_name = 'security2'
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
202 $mod_conf_name = 'security2.conf'
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
203 }
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
204 default: {
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
205 fail('Unsuported version for mod security')
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
206 }
d9352a684e62 Mass update of modules to remove deprecation warnings
IBBoard <dev@ibboard.co.uk>
parents: 257
diff changeset
207 }
# Load the mod_security module under the name selected from $version.
# NOTE(review): the module id and shared object are pinned to the v2 names no
# matter which $version was chosen — confirm this is intended when $version is 1.
::apache::mod { $mod_name:
  lib => 'mod_security2.so',
  id  => 'security2_module',
}
# mod_unique_id is loaded alongside mod_security — presumably so every request
# carries a UNIQUE_ID for the audit log; verify against the templates.
::apache::mod { 'unique_id':
  lib => 'mod_unique_id.so',
  id  => 'unique_id_module',
}
# Install the CRS rule package when one is named for this platform. It is ordered
# before the managed config directories so its files are on disk before those
# (purged) directories are evaluated.
if $crs_package {
  package { $crs_package:
    ensure => installed,
    before => [File[$apache::confd_dir], File[$modsec_dir]],
  }
}
# Values handed to the security.conf EPP template (grouped by what they tune).
$security_conf_parameters = {
  # rule engine and request/response body handling
  'modsec_secruleengine'        => $modsec_secruleengine,
  'secrequestbodyaccess'        => $secrequestbodyaccess,
  'secrequestbodylimit'         => $secrequestbodylimit,
  'secrequestbodynofileslimit'  => $secrequestbodynofileslimit,
  'secrequestbodyinmemorylimit' => $secrequestbodyinmemorylimit,
  'secrequestbodylimitaction'   => $secrequestbodylimitaction,
  'secresponsebodyaccess'       => $secresponsebodyaccess,
  'secresponsebodylimitaction'  => $secresponsebodylimitaction,
  # PCRE match limits (bound regex work per request)
  'secpcrematchlimit'           => $secpcrematchlimit,
  'secpcrematchlimitrecursion'  => $secpcrematchlimitrecursion,
  # audit logging
  'audit_log_relevant_status'   => $audit_log_relevant_status,
  'audit_log_parts'             => $audit_log_parts,
  'audit_log_type'              => $audit_log_type,
  'audit_log_storage_dir'       => $audit_log_storage_dir,
  'logroot'                     => $logroot,
  # where rules are found and whether custom rules are included
  'modsec_dir'                  => $modsec_dir,
  'custom_rules'                => $custom_rules,
}
# Render the main mod_security configuration into Apache's module config directory
# and restart the service when it changes.
# NOTE(review): the file is owned by the httpd runtime user with $apache::file_mode;
# if that mode is owner-writable, a compromised worker could weaken the WAF config
# until the next agent run. Root ownership with a read-only mode for the service
# account would be the tighter choice.
file { 'security.conf':
  ensure  => file,
  path    => "${apache::mod_dir}/${mod_conf_name}",
  owner   => $apache::params::user,
  group   => $apache::params::group,
  mode    => $apache::file_mode,
  content => epp('apache/mod/security.conf.epp', $security_conf_parameters),
  require => Exec["mkdir ${apache::mod_dir}"],
  before  => File[$apache::mod_dir],
  notify  => Class['apache::service'],
}
# Root-owned rules directory. recurse + purge + force remove anything inside it
# that Puppet does not manage, so hand-placed files will not survive a run.
file { $modsec_dir:
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  recurse => true,
  purge   => true,
  force   => true,
  require => Package['httpd'],
}
# Directory the rule_link resources presumably populate with links to the
# activated rules. Read-only (0555) even for the owning httpd user, purged of
# unmanaged entries like its parent, and the service restarts when it changes.
file { "${modsec_dir}/activated_rules":
  ensure  => directory,
  mode    => '0555',
  owner   => $apache::params::user,
  group   => $apache::params::group,
  recurse => true,
  purge   => true,
  force   => true,
  notify  => Class['apache::service'],
}
if $custom_rules {
  # Site-specific rules get their own directory and file; security.conf is
  # handed $custom_rules so its template can include them.
  file { "${modsec_dir}/custom_rules":
    ensure  => directory,
    owner   => $apache::params::user,
    group   => $apache::params::group,
    mode    => $apache::file_mode,
    require => File[$modsec_dir],
  }
  # NOTE(review): creation is gated on $custom_rules while the template is fed
  # $custom_rules_set — confirm callers always set both together.
  file { "${modsec_dir}/custom_rules/custom_01_rules.conf":
    ensure  => file,
    owner   => $apache::params::user,
    group   => $apache::params::group,
    mode    => $apache::file_mode,
    content => epp('apache/mod/security_custom.conf.epp', { 'custom_rules_set' => $custom_rules_set, }),
    require => File["${modsec_dir}/custom_rules"],
    notify  => Class['apache::service'],
  }
}
if $manage_security_crs {
  # Values for the CRS setup configuration, grouped by what they control.
  # NOTE(review): this hash is not passed to anything in this block — the
  # security_crs.conf resource below renders the ERB template, which reads the
  # same class-scope variables directly. Confirm whether the EPP template should
  # be used here; as written the hash is unused.
  $security_crs_parameters = {
    # default action applied by the rules
    '_secdefaultaction'          => $_secdefaultaction,
    # paranoia levels (validated above: executing >= paranoia)
    'paranoia_level'             => $paranoia_level,
    'executing_paranoia_level'   => $executing_paranoia_level,
    # anomaly scoring weights and blocking thresholds
    'critical_anomaly_score'     => $critical_anomaly_score,
    'error_anomaly_score'        => $error_anomaly_score,
    'warning_anomaly_score'      => $warning_anomaly_score,
    'notice_anomaly_score'       => $notice_anomaly_score,
    'inbound_anomaly_threshold'  => $inbound_anomaly_threshold,
    'outbound_anomaly_threshold' => $outbound_anomaly_threshold,
    # request policy
    'allowed_methods'            => $allowed_methods,
    'content_types'              => $content_types,
    'restricted_extensions'      => $restricted_extensions,
    'restricted_headers'         => $restricted_headers,
    'secrequestmaxnumargs'       => $secrequestmaxnumargs,
    # DoS protection
    'enable_dos_protection'      => $enable_dos_protection,
    'dos_burst_time_slice'       => $dos_burst_time_slice,
    'dos_counter_threshold'      => $dos_counter_threshold,
    'dos_block_timeout'          => $dos_block_timeout,
  }

  file { "${modsec_dir}/security_crs.conf":
    ensure  => file,
    content => template('apache/mod/security_crs.conf.erb'),
    require => File[$modsec_dir],
    notify  => Class['apache::service'],
  }

  # No rule links are created on SLES, Debian or Ubuntu (presumably the distro
  # packaging activates rules itself — verify); elsewhere link the requested rules in.
  if !($facts['os']['name'] in ['SLES', 'Debian', 'Ubuntu']) {
    apache::security::rule_link { $activated_rules: }
  }
}
370 }