1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
# File 'manifests/mod/security.pp', line 1
class apache::mod::security (
$logroot = $::apache::params::logroot,
$crs_package = $::apache::params::modsec_crs_package,
$activated_rules = $::apache::params::modsec_default_rules,
$modsec_dir = $::apache::params::modsec_dir,
$modsec_secruleengine = $::apache::params::modsec_secruleengine,
$audit_log_relevant_status = '^(?:5|4(?!04))',
$audit_log_parts = $::apache::params::modsec_audit_log_parts,
$secpcrematchlimit = $::apache::params::secpcrematchlimit,
$secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion,
$allowed_methods = 'GET HEAD POST OPTIONS',
$content_types = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
$restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
$restricted_headers = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
$secdefaultaction = 'deny',
$anomaly_score_blocking = 'off',
$inbound_anomaly_threshold = '5',
$outbound_anomaly_threshold = '4',
$critical_anomaly_score = '5',
$error_anomaly_score = '4',
$warning_anomaly_score = '3',
$notice_anomaly_score = '2',
$secrequestmaxnumargs = '255',
$secrequestbodylimit = '13107200',
$secrequestbodynofileslimit = '131072',
$secrequestbodyinmemorylimit = '131072',
$manage_security_crs = true,
) inherits ::apache::params {
include ::apache
$_secdefaultaction = $secdefaultaction ? {
/log/ => $secdefaultaction, # it has log or nolog,auditlog or log,noauditlog
default => "${secdefaultaction},log",
}
if $::osfamily == 'FreeBSD' {
fail('FreeBSD is not currently supported')
}
if ($::osfamily == 'Suse' and $::operatingsystemrelease < '11') {
fail('SLES 10 is not currently supported.')
}
::apache::mod { 'security':
id => 'security2_module',
lib => 'mod_security2.so',
}
::apache::mod { 'unique_id_module':
id => 'unique_id_module',
lib => 'mod_unique_id.so',
}
if $crs_package {
package { $crs_package:
ensure => 'installed',
before => [
File[$::apache::confd_dir],
File[$modsec_dir],
],
}
}
# Template uses:
# - logroot
# - $modsec_dir
# - $audit_log_parts
# - secpcrematchlimit
# - secpcrematchlimitrecursion
# - secrequestbodylimit
# - secrequestbodynofileslimit
# - secrequestbodyinmemorylimit
file { 'security.conf':
ensure => file,
content => template('apache/mod/security.conf.erb'),
mode => $::apache::file_mode,
path => "${::apache::mod_dir}/security.conf",
owner => $::apache::params::user,
group => $::apache::params::group,
require => Exec["mkdir ${::apache::mod_dir}"],
before => File[$::apache::mod_dir],
notify => Class['apache::service'],
}
file { $modsec_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
purge => true,
force => true,
recurse => true,
require => Package['httpd'],
}
file { "${modsec_dir}/activated_rules":
ensure => directory,
owner => $::apache::params::user,
group => $::apache::params::group,
mode => '0555',
purge => true,
force => true,
recurse => true,
notify => Class['apache::service'],
}
if $manage_security_crs {
# Template uses:
# - $_secdefaultaction
# - $critical_anomaly_score
# - $error_anomaly_score
# - $warning_anomaly_score
# - $notice_anomaly_score
# - $inbound_anomaly_threshold
# - $outbound_anomaly_threshold
# - $anomaly_score_blocking
# - $allowed_methods
# - $content_types
# - $restricted_extensions
# - $restricted_headers
# - $secrequestmaxnumargs
file { "${modsec_dir}/security_crs.conf":
ensure => file,
content => template('apache/mod/security_crs.conf.erb'),
require => File[$modsec_dir],
notify => Class['apache::service'],
}
}
# Debian 9 has a different rule setup
unless $::operatingsystem == 'SLES' or ($::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '9') >= 0) or ($::operatingsystem == 'Ubuntu' and versioncmp($::operatingsystemrelease, '18.04') >= 0) {
apache::security::rule_link { $activated_rules: }
}
}
|