Puppet Class: pulsevtm::security

Defined in:
manifests/security.pp

Overview

class: pulsevtm::security

Security Settings: security settings that restrict remote administration for the cluster. Additional security options can be found in Global Settings.

Parameters

basic__access

Access to the admin server and REST API is restricted by usernames and passwords. You can further restrict access to trusted IP addresses, CIDR IP subnets or DNS wildcards. These access restrictions are also applied when another traffic manager initially joins the cluster; once it has joined, they are no longer used. Care must be taken when changing this setting, as it can cause the administration server to become inaccessible. Access to the admin UI will not be affected until it is restarted. Type: array
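The lock-out warning above is the part of this setting that bites in practice: an access list that omits the address the operator is connecting from is applied without complaint and the admin server is then unreachable. The following is an added example (not code from the pulsevtm module or from the appliance) of a pre-flight check that evaluates a candidate basic__access list against the operator's own source addresses before the class is applied. The three entry forms (IP, CIDR subnet, DNS wildcard) follow the description above; the reverse-DNS table is a constructed stand-in for the appliance's own hostname lookup, and treating an empty list as "no IP restriction" mirrors the module's '[]' default but is an assumption about the appliance's behaviour.

```python
"""Pre-flight check for a pulsevtm::security basic__access list.

Added example, not part of the pulsevtm module. The page says the list may
hold IP addresses, CIDR subnets or DNS wildcards and that a bad value can
lock the administrator out; this helper tells you *before* applying the
class which operator addresses a candidate list would shut out.
"""
import fnmatch
import ipaddress
from typing import List, Optional

# Constructed reverse-DNS table standing in for a real PTR lookup (assumption:
# the appliance matches DNS wildcards against the client's reverse name).
REVERSE_DNS = {
    "203.0.113.10": "jumphost.ops.example.com",
    "198.51.100.7": "laptop.corp.example.com",
}


def _reverse_lookup(addr: str) -> Optional[str]:
    return REVERSE_DNS.get(addr)


def entry_matches(entry: str, client_ip: str) -> bool:
    """True if one access-list entry admits client_ip.

    Entry forms, following the page: a plain IP ('203.0.113.10'), a CIDR
    subnet ('203.0.113.0/24'), or a DNS wildcard ('*.ops.example.com').
    """
    client = ipaddress.ip_address(client_ip)
    if "/" in entry:
        # CIDR subnet; strict=False tolerates host bits set in the entry
        return client in ipaddress.ip_network(entry, strict=False)
    try:
        return client == ipaddress.ip_address(entry)
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS wildcard pattern
    hostname = _reverse_lookup(client_ip)
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), entry.lower())


def is_admitted(access_list: List[str], client_ip: str) -> bool:
    """Assumption: an empty list (the module default '[]') imposes no IP restriction."""
    if not access_list:
        return True
    return any(entry_matches(entry, client_ip) for entry in access_list)


def lockout_risk(access_list: List[str], operator_ips: List[str]) -> List[str]:
    """Return the operator addresses that the candidate list would shut out.

    A non-empty result means applying this basic__access value from those
    addresses would cut off your own administrative access.
    """
    return [ip for ip in operator_ips if not is_admitted(access_list, ip)]


if __name__ == "__main__":
    candidate = ["10.0.0.0/8", "*.ops.example.com"]
    operators = ["203.0.113.10", "198.51.100.7", "10.4.2.1"]
    print("would be locked out:", lockout_risk(candidate, operators))
```

Run the check from every address an administrator actually uses (including any automation host that drives the REST API); if `lockout_risk` returns anything, fix the list before Puppet pushes it.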

ssh_intrusion__bantime

The number of seconds for which an offending host is banned.

ssh_intrusion__blacklist

The list of hosts to permanently ban, identified by IP address or DNS hostname in a space-separated list. Type: array

ssh_intrusion__enabled

Whether or not the SSH Intrusion Prevention tool is enabled.

ssh_intrusion__findtime

The window of time in seconds over which failed connection attempts are counted. More than ssh_intrusion__maxretry failed attempts within this window will trigger a ban.

ssh_intrusion__maxretry

The number of failed connection attempts a host can make before being banned.

ssh_intrusion__whitelist

The list of hosts to never ban, identified by IP address, DNS hostname or subnet mask, in a space-separated list. Type: array
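The five ssh_intrusion__* parameters together describe one sliding-window ban policy: more than maxretry failures from a host within findtime seconds earns a ban of bantime seconds, whitelisted hosts are exempt, and blacklisted hosts are banned outright. The following is an added example (not the pulsevtm module's or the appliance's own code) that implements that policy over a few constructed sshd-style log lines, so the interaction between the three numeric parameters can be seen directly. The log format and the strict "more than maxretry" threshold are assumptions taken from the wording above; the demo values (maxretry 3, findtime 60, bantime 120) are deliberately smaller than the module defaults of 6/600/600 so that the trace stays short.

```python
"""Sliding-window SSH intrusion prevention, modelled on the
ssh_intrusion__* parameters of pulsevtm::security.

Added example; not code from the pulsevtm module or the appliance.
Assumptions: the appliance bans on strictly more than maxretry failures
(the page's wording), hostnames in the whitelist match by exact string, and
the log lines below are constructed in an sshd-like format for the demo.
"""
from collections import defaultdict, deque
import ipaddress
import re

# Constructed (timestamp-in-seconds, message) pairs; not real appliance logs.
SAMPLE_LOG = [
    (0,   "Failed password for invalid user admin from 192.0.2.50 port 51022 ssh2"),
    (5,   "Failed password for ops from 198.51.100.9 port 40000 ssh2"),
    (6,   "Failed password for ops from 198.51.100.9 port 40001 ssh2"),
    (7,   "Failed password for ops from 198.51.100.9 port 40002 ssh2"),
    (8,   "Failed password for ops from 198.51.100.9 port 40003 ssh2"),
    (10,  "Failed password for invalid user admin from 192.0.2.50 port 51023 ssh2"),
    (20,  "Failed password for root from 192.0.2.50 port 51024 ssh2"),
    (25,  "Failed password for root from 192.0.2.50 port 51025 ssh2"),
    (40,  "Failed password for root from 192.0.2.50 port 51026 ssh2"),
    (41,  "Accepted publickey for ops from 198.51.100.9 port 40010 ssh2"),
    (100, "Failed password for root from 203.0.113.77 port 60000 ssh2"),
    (130, "Failed password for root from 203.0.113.77 port 60001 ssh2"),
    (150, "Failed password for root from 192.0.2.50 port 51027 ssh2"),
    (170, "Failed password for root from 203.0.113.77 port 60002 ssh2"),
    (200, "Failed password for root from 203.0.113.77 port 60003 ssh2"),
]

FAIL_RE = re.compile(r"Failed password for .* from (\S+) port \d+")


class SshIntrusionPrevention:
    def __init__(self, maxretry=6, findtime=600, bantime=600, whitelist=(), blacklist=()):
        # Defaults mirror the module's parameter defaults.
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.whitelist = [self._parse(entry) for entry in whitelist]
        self.blacklist = set(blacklist)          # permanently banned hosts
        self.failures = defaultdict(deque)       # host -> timestamps inside the window
        self.bans = {}                           # host -> time the ban expires

    @staticmethod
    def _parse(entry):
        # Whitelist entries may be an IP or a subnet; anything else is kept as a hostname literal.
        try:
            return ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return entry

    def _whitelisted(self, host):
        for entry in self.whitelist:
            if isinstance(entry, str):
                if entry == host:
                    return True
            else:
                try:
                    if ipaddress.ip_address(host) in entry:
                        return True
                except ValueError:
                    pass  # host is a name, cannot be inside a subnet
        return False

    def is_banned(self, host, now):
        if host in self.blacklist:
            return True
        expires = self.bans.get(host)
        return expires is not None and now < expires

    def record_failure(self, host, now):
        """Register one failed login at time `now`; return True if it triggers a ban."""
        if self._whitelisted(host) or self.is_banned(host, now):
            return False
        window = self.failures[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()                     # slide the window forward
        if len(window) > self.maxretry:          # "more than maxretry" per the page
            self.bans[host] = now + self.bantime
            window.clear()
            return True
        return False

    def feed_line(self, ts, line):
        """Parse one log line; return the host if this line caused a ban, else None."""
        match = FAIL_RE.search(line)
        if match and self.record_failure(match.group(1), ts):
            return match.group(1)
        return None


def run_demo():
    ipp = SshIntrusionPrevention(maxretry=3, findtime=60, bantime=120,
                                 whitelist=["198.51.100.0/24"], blacklist=["192.0.2.66"])
    events = [(ts, host) for ts, line in SAMPLE_LOG
              for host in [ipp.feed_line(ts, line)] if host]
    return ipp, events


if __name__ == "__main__":
    _, events = run_demo()
    for ts, host in events:
        print(f"t={ts}s banned {host}")
```

In the trace, 192.0.2.50 is banned on its fourth failure at t=25 (the first failure past maxretry=3), its attempt at t=40 is ignored while the ban lasts, and the attempt at t=150 starts a fresh count because the ban expired at t=145. 203.0.113.77 fails four times but never more than three inside any 60-second window, so it is never banned, which is exactly the case where a findtime chosen too short lets a slow attacker through.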

Examples

class { 'pulsevtm::security':
  ensure => present,
}

Authors

Pulse Secure <puppet-vadc@pulsesecure.net>

Copyright 2018 Pulse Secure

Parameters:

  • ensure (Any) (defaults to: present)
  • basic__access (Any) (defaults to: '[]')
  • ssh_intrusion__bantime (Any) (defaults to: 600)
  • ssh_intrusion__blacklist (Any) (defaults to: '[]')
  • ssh_intrusion__enabled (Any) (defaults to: false)
  • ssh_intrusion__findtime (Any) (defaults to: 600)
  • ssh_intrusion__maxretry (Any) (defaults to: 6)
  • ssh_intrusion__whitelist (Any) (defaults to: '[]')


# File 'manifests/security.pp', line 62

class pulsevtm::security (
  $ensure                   = present,
  $basic__access            = '[]',
  $ssh_intrusion__bantime   = 600,
  $ssh_intrusion__blacklist = '[]',
  $ssh_intrusion__enabled   = false,
  $ssh_intrusion__findtime  = 600,
  $ssh_intrusion__maxretry  = 6,
  $ssh_intrusion__whitelist = '[]',
){
  include pulsevtm
  $ip              = $pulsevtm::rest_ip
  $port            = $pulsevtm::rest_port
  $user            = $pulsevtm::rest_user
  $pass            = $pulsevtm::rest_pass
  $purge           = $pulsevtm::purge
  $purge_state_dir = $pulsevtm::purge_state_dir

  info ("Configuring security ${name}")
  vtmrest { 'security':
    ensure   => $ensure,
    before   => Class[pulsevtm::purge],
    endpoint => "https://${ip}:${port}/api/tm/6.0/config/active",
    username => $user,
    password => $pass,
    content  => template('pulsevtm/security.erb'),
    type     => 'application/json',
    internal => 'security',
    failfast => $pulsevtm::failfast,
    debug    => $pulsevtm::debug,
  }

  if ( $purge ) {
    ensure_resource('file', "${purge_state_dir}/security", {ensure => present})
    file_line { 'security':
      line => 'security',
      path => "${purge_state_dir}/security",
    }
  }
}