Puppet Class: apache::mod::security

Inherits:
::apache::params
Defined in:
manifests/mod/security.pp

Overview

Parameters:

  • crs_package (Any) (defaults to: $::apache::params::modsec_crs_package)
  • activated_rules (Any) (defaults to: $::apache::params::modsec_default_rules)
  • modsec_dir (Any) (defaults to: $::apache::params::modsec_dir)
  • modsec_secruleengine (Any) (defaults to: $::apache::params::modsec_secruleengine)
  • audit_log_parts (Any) (defaults to: $::apache::params::modsec_audit_log_parts)
  • secpcrematchlimit (Any) (defaults to: $::apache::params::secpcrematchlimit)
  • secpcrematchlimitrecursion (Any) (defaults to: $::apache::params::secpcrematchlimitrecursion)
  • allowed_methods (Any) (defaults to: 'GET HEAD POST OPTIONS')
  • content_types (Any) (defaults to: 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf')
  • restricted_extensions (Any) (defaults to: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/')
  • restricted_headers (Any) (defaults to: '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/')
  • secdefaultaction (Any) (defaults to: 'deny')
  • anomaly_score_blocking (Any) (defaults to: 'off')
  • inbound_anomaly_threshold (Any) (defaults to: '5')
  • outbound_anomaly_threshold (Any) (defaults to: '4')
  • critical_anomaly_score (Any) (defaults to: '5')
  • error_anomaly_score (Any) (defaults to: '4')
  • warning_anomaly_score (Any) (defaults to: '3')
  • notice_anomaly_score (Any) (defaults to: '2') 


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
 
# File 'manifests/mod/security.pp', line 1

class apache::mod::security (
  $crs_package                = $::apache::params::modsec_crs_package,
  $activated_rules            = $::apache::params::modsec_default_rules,
  $modsec_dir                 = $::apache::params::modsec_dir,
  $modsec_secruleengine       = $::apache::params::modsec_secruleengine,
  $audit_log_parts            = $::apache::params::modsec_audit_log_parts,
  $secpcrematchlimit          = $::apache::params::secpcrematchlimit,
  $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion,
  $allowed_methods            = 'GET HEAD POST OPTIONS',
  $content_types              = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
  $restricted_extensions      = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
  $restricted_headers         = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
  $secdefaultaction           = 'deny',
  $anomaly_score_blocking     = 'off',
  $inbound_anomaly_threshold  = '5',
  $outbound_anomaly_threshold = '4',
  $critical_anomaly_score     = '5',
  $error_anomaly_score        = '4',
  $warning_anomaly_score      = '3',
  $notice_anomaly_score       = '2',
) inherits ::apache::params {
  include ::apache

  if $::osfamily == 'FreeBSD' {
    fail('FreeBSD is not currently supported')
  }

  ::apache::mod { 'security':
    id  => 'security2_module',
    lib => 'mod_security2.so',
  }

  ::apache::mod { 'unique_id_module':
    id  => 'unique_id_module',
    lib => 'mod_unique_id.so',
  }

  if $crs_package  {
    package { $crs_package:
      ensure => 'latest',
      before => File[$::apache::confd_dir],
    }
  }

  # Template uses:
  # - $modsec_dir
  # - $audit_log_parts
  # - secpcrematchlimit
  # - secpcrematchlimitrecursion
  file { 'security.conf':
    ensure  => file,
    content => template('apache/mod/security.conf.erb'),
    mode    => $::apache::file_mode,
    path    => "${::apache::mod_dir}/security.conf",
    owner   => $::apache::params::user,
    group   => $::apache::params::group,
    require => Exec["mkdir ${::apache::mod_dir}"],
    before  => File[$::apache::mod_dir],
    notify  => Class['apache::service'],
  }

  file { $modsec_dir:
    ensure  => directory,
    owner   => $::apache::params::user,
    group   => $::apache::params::group,
    mode    => '0555',
    purge   => true,
    force   => true,
    recurse => true,
  }

  file { "${modsec_dir}/activated_rules":
    ensure  => directory,
    owner   => $::apache::params::user,
    group   => $::apache::params::group,
    mode    => '0555',
    purge   => true,
    force   => true,
    recurse => true,
    notify  => Class['apache::service'],
  }

  file { "${modsec_dir}/security_crs.conf":
    ensure  => file,
    content => template('apache/mod/security_crs.conf.erb'),
    require => File[$modsec_dir],
    notify  => Class['apache::service'],
  }

  apache::security::rule_link { $activated_rules: }

}