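class mod_security::base {
  # Installs mod_security for Apache and manages three optional pieces of
  # configuration. Two of them are toggled by top-scope variables (legacy
  # dynamic-scope / ENC style, not class parameters):
  #
  #   $mod_security_asl_ruleset  - when true, deploy the ASL rule-set update
  #                                script, run it once to seed the rules and
  #                                refresh them daily from cron.
  #   $mod_security_logclean     - when true, deploy a vhost log-cleaning
  #                                script and run it daily from cron.
  #
  # Each toggled resource is declared unconditionally and then amended with a
  # resource override (Type['title'] { ... }) in the if/else branches, so that
  # a "false" setting actively removes what "true" installed instead of only
  # leaving it unmanaged.
  #
  # Relies on the `apache` class providing Package['apache'],
  # Service['apache'], the apache::config::file define and the
  # $apache::<os>::config_dir variables.

  include apache

  package { 'mod_security':
    ensure  => installed,
    require => Package['apache'],
    notify  => Service['apache'],
  }

  # Per-distribution location of the modsecurity.d drop-in directory. The
  # default only covers Debian-style layouts; other platforms need a case
  # added here rather than relying on the fallback.
  $config_dir = $operatingsystem ? {
    centos  => "${apache::centos::config_dir}/modsecurity.d",
    debian  => "${apache::debian::config_dir}/modsecurity.d",
    default => '/etc/apache2/conf.d',
  }

  file { 'mod_security_config_dir':
    ensure  => directory,
    path    => $config_dir,
    require => Package['mod_security'],
    owner   => 'root',
    group   => 0,
    mode    => '0755',
  }

  # Use rule set from Atomic Secured Linux and update them every day
  # See : http://www.gotroot.com/mod_security+rules
  #
  # NOTE(review): the update script itself is not part of this manifest. It
  # runs as root from cron and presumably downloads rule files from that
  # site; the rules are executable policy for the web tier, so the script
  # should use an authenticated transport and check a signature or checksum
  # before replacing the files under ${config_dir}/asl - confirm against the
  # script source.

  apache::config::file { 'mod_security_asl.conf': }

  file { 'mod_security_asl_config_dir':
    path    => "${config_dir}/asl",
    require => Package['mod_security'],
  }
  file { 'mod_security_asl_update_script':
    path    => '/usr/local/bin/mod_security_asl_update.sh',
    require => File['mod_security_asl_config_dir'],
  }
  cron { 'mod_security_asl_update':
    user    => 'root',
    require => File['mod_security_asl_update_script'],
  }

  if ($mod_security_asl_ruleset == true) {

    File['mod_security_asl_config_dir'] {
      ensure  => directory,
      owner   => 'root',
      group   => 0,
      mode    => '0755',
    }

    # Source lookup order: site-specific override first, then the module
    # default; within each, the per-$operatingsystem variant wins over the
    # generic one. Mode 0700 because the script is executed by root only.
    File['mod_security_asl_update_script'] {
      ensure  => present,
      source  => [ "puppet:///modules/site-mod_security/scripts/$operatingsystem/mod_security_asl_update.sh",
                   "puppet:///modules/site-mod_security/scripts/mod_security_asl_update.sh",
                   "puppet:///modules/mod_security/scripts/$operatingsystem/mod_security_asl_update.sh",
                   "puppet:///modules/mod_security/scripts/mod_security_asl_update.sh" ],
      owner   => 'root',
      group   => 0,
      mode    => '0700',
    }

    # Seed the rule directory on the first Puppet run; `creates` keeps the
    # exec from running again once sql.txt exists, leaving daily refreshes
    # to the cron job below.
    exec { 'mod_security_asl_initialize':
      command => '/usr/local/bin/mod_security_asl_update.sh',
      creates => "${config_dir}/asl/sql.txt",
      require => File['mod_security_asl_update_script'],
    }

    Cron['mod_security_asl_update'] {
      ensure  => present,
      command => '/usr/local/bin/mod_security_asl_update.sh',
      hour    => 3,
      minute  => 39,
    }

    # The `include` path is relative to Apache's ServerRoot, so this assumes
    # $config_dir sits directly under ServerRoot on every platform - TODO
    # confirm, in particular for the CentOS layout.
    Apache::Config::File['mod_security_asl.conf'] {
      ensure  => present,
      content => "<IfModule mod_security2.c>\ninclude modsecurity.d/asl/*.conf\n</IfModule>",
    }

  }
  else {

    # Remove the whole downloaded rule tree, not just the directory entry.
    File['mod_security_asl_config_dir'] {
      ensure  => absent,
      recurse => true,
      force   => true,
      purge   => true,
    }

    File['mod_security_asl_update_script'] {
      ensure  => absent,
    }

    Cron['mod_security_asl_update'] {
      ensure  => absent,
    }

    Apache::Config::File['mod_security_asl.conf'] {
      ensure => absent,
    }

  }

  # Automatically clean vhost mod_security logs

  file { 'mod_security_logclean_script':
    path    => '/usr/local/bin/mod_security_logclean.sh',
  }
  cron { 'mod_security_logclean':
    user    => 'root',
    require => File['mod_security_logclean_script'],
  }

  if ($mod_security_logclean == true) {

    # Same site-before-module, os-specific-before-generic lookup as the ASL
    # update script above.
    File['mod_security_logclean_script'] {
      ensure  => present,
      source  => [ "puppet:///modules/site-mod_security/scripts/$operatingsystem/mod_security_logclean.sh",
                   "puppet:///modules/site-mod_security/scripts/mod_security_logclean.sh",
                   "puppet:///modules/mod_security/scripts/$operatingsystem/mod_security_logclean.sh",
                   "puppet:///modules/mod_security/scripts/mod_security_logclean.sh" ],
      owner   => 'root',
      group   => 0,
      mode    => '0700',
    }

    Cron['mod_security_logclean'] {
      ensure  => present,
      command => '/usr/local/bin/mod_security_logclean.sh',
      hour    => 3,
      minute  => 23,
    }

  }
  else {

    File['mod_security_logclean_script'] {
      ensure  => absent,
    }

    Cron['mod_security_logclean'] {
      ensure  => absent,
    }

  }

  # since version 2.5 we need to define a SecDataDir
  #
  # The directory must be writable by the Apache worker user so persistent
  # collections can be stored. It was previously given as an unquoted 0640;
  # modes must be quoted strings, and Puppet adds the search bit to a
  # directory wherever the read bit is set, so '0750' is the same effective
  # mode written out explicitly.
  # NOTE(review): /var/www is a common parent of DocumentRoot; make sure no
  # vhost serves this path, otherwise collection data becomes web-readable.
  # NOTE(review): the owner/group 'apache' is the RHEL/CentOS worker account;
  # on Debian the worker is normally www-data - confirm before relying on
  # this on non-CentOS hosts.
  file { '/var/www/modsecurity_data':
    ensure  => directory,
    require => Package['mod_security'],
    owner   => 'apache',
    group   => 'apache',
    mode    => '0750',
  }
  file { "${config_dir}/sec_data_dir.conf":
    content => "SecDataDir /var/www/modsecurity_data\n",
    require => File['/var/www/modsecurity_data'],
    notify  => Service['apache'],
    owner   => 'root',
    group   => 0,
    mode    => '0644',
  }

}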