Commit bf0753a1 authored by Jerome Charaoui's avatar Jerome Charaoui

introduce Debian support and make automatic update and log cleaning cronjobs...

introduce Debian support and make the automatic update and log cleaning cronjobs optional; 'customrules' is now known more precisely as 'asl ruleset'
parent 9b7775ad
......@@ -15,7 +15,7 @@
APACHEINITD="/etc/init.d/httpd"
APACHEPID="/var/run/httpd.pid"
MODSECPATH="/etc/httpd/modsecurity.d/customrules"
MODSECPATH="/etc/httpd/modsecurity.d/asl"
##########################################################################
######### you probably don't need to change anything below here ##########
#!/bin/sh
# Autoupdater for modsec rulesets.
#
# This script will attempt to update your rulefiles, and restart apache.
# If it apache does not start after changing rules, it will roll back to
# the old ruleset and restart apache again.
#
# Version: $Id: modsec.sh,v 2.0 2006/09/03 23:58:00 olei Exp $
# Based on a script by:
# URL: http://cs.evilnetwork.org/cycro
#
# Copyleft 2006, SkyHorse.Org, No Rights Reserved
# URL: http://www.skyhorse.org/web-server-administration/auto-update-modsecurity-rules-modsecsh/
APACHEINITD="/etc/init.d/apache2"
APACHEPID="/var/run/apache2.pid"
MODSECPATH="/etc/apache2/modsecurity.d/asl"
##########################################################################
######### you probably don't need to change anything below here ##########
##########################################################################
# internal
PID=`cat ${APACHEPID}`
UPDATED=0
#echo -n "Changing PWD: "
cd ${MODSECPATH}
#echo `pwd`
# generic by skyhorse
# updated by Puzzle ITC
listOfRules="20_asl_useragents.conf 60_asl_recons.conf domain-blacklist.txt malware-blacklist.txt 30_asl_antimalware.conf 98_asl_jitp.conf sql.txt 05_asl_exclude.conf 99_asl_exclude.conf domain-spam-whitelist.txt 05_asl_scanner.conf 99_asl_jitp.conf malware-blacklist-high.txt trusted-domains.txt 10_asl_antimalware.conf 40_asl_apache2-rules.conf Zour_excludes.conf malware-blacklist-local.txt whitelist.txt 10_asl_rules.conf 50_asl_rootkits.conf domain-blacklist-local.txt malware-blacklist-low.txt sql.txt"
baseUrl="http://downloads.prometheus-group.com/delayed/rules/modsec/"
for theRule in $listOfRules ; do
#echo -n "Updating $theRule: "
/usr/bin/wget -t 30 -O ${theRule}.1 -q ${baseUrl}${theRule}
if [ ! -e ${theRule} ]; then
mv ${theRule}.1 ${theRule}
else
if [ `md5sum ${theRule} | cut -d " " -f1` != `md5sum ${theRule}.1 | cut -d " " -f1` ] ; then
/bin/mv ${theRule} ${theRule}.bak
/bin/mv ${theRule}.1 ${theRule}
UPDATED=`expr $UPDATED + 1`
#echo "ok."
else
#echo "allready up to date."
/bin/rm -f ${theRule}.1
fi
fi
done
# try restart
if [ "$UPDATED" -gt "0" ]; then
#echo -n "Restarting apache: "
$APACHEINITD configtest
configtest=$?
if [ "$configtest" -eq "0" ]; then
$APACHEINITD restart
# did it work?
$APACHEINITD status
configtest=$?
if [ "$configtest" -eq "0" ]; then
#echo "Apache restarted ok."
exit 0
fi
echo "error. Apache not running."
fi
#roll back everything
for theRule in $listOfRules ; do
echo -n "Rolling back ${theRule}"
/bin/mv ${theRule} ${theRule}.new
/bin/mv ${theRule}.bak ${theRule}
echo "rolled back ok."
done
$APACHEINITD configtest
configtest=$?
if [ "$configtest" -eq "0" ]; then
# try starting httpd again
$APACHEINITD restart
# did that fix the problem?
$APACHEINITD status
configtest=$?
if [ "$configtest" -eq "0" ]; then
echo "That did the trick."
exit 0
fi
else
echo "Fatal: Apache configtest is till failing, Server needs attention!"
fi
echo "Fatal: Apache still not running! Run $APACHEINITD configtest to find the error."
exit 999
fi
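Review bot: The exit status of the download on the `/usr/bin/wget -t 30 -O ${theRule}.1 -q ${baseUrl}${theRule}` line is never checked, and with `-O` a failed or partial download still leaves a `${theRule}.1` behind, so the following `md5sum` comparison sees a difference and silently installs the bad file as the live rule — and in the `! -e` branch it is installed with no comparison at all. Guard it with `/usr/bin/wget -t 30 -q -O "${theRule}.1" "${baseUrl}${theRule}" || { /bin/rm -f "${theRule}.1"; continue; }` and likewise abort when the `cd ${MODSECPATH}` fails (`cd "${MODSECPATH}" || exit 1`), since otherwise every mv/rm in the loop runs in whatever working directory cron started the script in. The rule files are fetched over plain `http://` with no signature or checksum from a trusted source, so the md5 comparison only detects change, not authenticity; since these files are loaded into Apache as root, a verified download channel is worth adding if the vendor offers one. Separately, the rollback loop at `for theRule in $listOfRules` renames every rule to `.new` and restores `.bak` for all of them, but rules that were already up to date have no fresh `.bak`, so rollback removes them or restores a stale backup instead of leaving them untouched; `sql.txt` is also listed twice in `listOfRules`, and `exit 999` is truncated to 231 by the shell.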
# very centos stylish at the moment
class mod_security::base {
include apache
package{'mod_security':
ensure => installed,
notify => Service[apache],
include apache
package { 'mod_security':
alias => 'mod_security',
ensure => installed,
notify => Service[apache],
}
$config_dir = $operatingsystem ? {
centos => "${apache::centos::config_dir}/modsecurity.d",
debian => "${apache::debian::config_dir}/modsecurity.d",
default => '/etc/apache2/conf.d',
}
file { 'mod_security_config_dir':
path => $config_dir,
ensure => directory,
owner => 'root',
group => 0,
mode => '0755',
}
apache::config::file { 'mod_security.conf':
ensure => present,
content => 'include modsecurity.d/*.conf',
}
# Use rule set from Atomic Secured Linux and update them every day
# See : http://www.gotroot.com/mod_security+rules
if ($mod_security_asl_ruleset == true) {
file { 'mod_security_asl_config_dir':
path => "${config_dir}/asl",
ensure => directory,
owner => 'root',
group => 0,
mode => '0755',
}
file{'/etc/httpd/modsecurity.d/modsecurity_localrules.conf':
content => "Include modsecurity.d/customrules/*.conf\n",
require => Package['mod_security'],
owner => root, group => 0, mode => 0644;
file { 'mod_security_asl_update_script':
ensure => present,
path => '/usr/local/bin/mod_security_asl_update.sh',
source => [ "puppet://${server}/modules/site-mod_security/scripts/$operatingsystem/mod_security_asl_update.sh",
"puppet://${server}/modules/site-mod_security/scripts/mod_security_asl_update.sh",
"puppet://${server}/modules/mod_security/scripts/$operatingsystem/mod_security_asl_update.sh",
"puppet://${server}/modules/mod_security/scripts/mod_security_asl_update.sh" ],
owner => 'root',
group => 0,
mode => '0700',
}
file{'/etc/httpd/modsecurity.d/customrules':
ensure => directory,
require => Package[mod_security],
owner => root, group => 0, mode => 0755;
exec { 'mod_security_asl_initialize':
command => '/usr/local/bin/mod_security_asl_update.sh',
creates => "${config_dir}/asl/sql.txt",
require => File[ [ 'mod_security_asl_config_dir', 'mod_security_asl_update_script' ] ],
}
file{'/etc/cron.daily/modsec.sh':
source => "puppet://$server/modules/mod_security/cron/modsec.sh",
notify => Exec['update_modsec_rules'],
require => File['/etc/httpd/modsecurity.d/customrules'],
owner => root, group => 0, mode => 0700;
cron { 'mod_security_asl_update':
ensure => present,
command => '/usr/local/bin/mod_security_asl_update.sh',
user => 'root',
hour => 3,
minute => 39,
}
file{'/etc/cron.daily/cleanup_modsec_logs.sh':
source => "puppet://$server/modules/mod_security/cron/cleanup_modsec_logs.sh",
owner => root, group => 0, mode => 0700;
}
else {
file { 'mod_security_asl_config_dir':
path => "${config_dir}/asl",
ensure => absent,
recurse => true,
force => true,
}
exec{'update_modsec_rules':
command => '/etc/cron.daily/modsec.sh',
refreshonly => true,
file { 'mod_security_asl_update_script':
ensure => absent,
path => '/usr/local/bin/mod_security_asl_update.sh',
}
cron { 'mod_security_asl_update':
ensure => absent,
user => root,
}
}
# Automatically clean vhost mod_security logs
if ($mod_security_logclean == true) {
file { 'mod_security_logclean_script':
ensure => present,
path => '/usr/local/bin/mod_security_logclean.sh',
source => [ "puppet://${server}/modules/site-mod_security/scripts/$operatingsystem/mod_security_logclean.sh",
"puppet://${server}/modules/site-mod_security/scripts/mod_security_logclean.sh",
"puppet://${server}/modules/mod_security/scripts/$operatingsystem/mod_security_logclean.sh",
"puppet://${server}/modules/mod_security/scripts/mod_security_logclean.sh" ],
owner => 'root',
group => 0,
mode => '0700',
}
cron { 'mod_security_logclean':
ensure => present,
command => '/usr/local/bin/mod_security_logclean.sh',
user => 'root',
hour => 3,
minute => 23,
}
}
else {
file { 'mod_security_logclean_script':
ensure => absent,
path => '/usr/local/bin/mod_security_logclean.sh',
}
cron { 'mod_security_logclean':
ensure => absent,
user => root,
}
}
}
class mod_security::centos inherits mod_security::base {
}
class mod_security::debian inherits mod_security::base {
Package['mod_security'] {
name => 'libapache-mod-security'
}
}
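Review bot: The `default` arm of the `$config_dir` selector, `'/etc/apache2/conf.d'`, does not end in `modsecurity.d`, yet `mod_security.conf` unconditionally emits `include modsecurity.d/*.conf`, so on any platform that falls through to the default the directory Apache is asked to include is not the one this class manages and the `asl` subtree lands under `conf.d`; either set the default to `'/etc/apache2/modsecurity.d'` or `fail()` on unsupported platforms so the mismatch surfaces at catalog compile time rather than at Apache start. `file { 'mod_security_config_dir': ... }` also carries no `require => Package['mod_security']`, unlike the removed `customrules` resources it replaces, so its ordering relative to the package install is now unspecified. The `exec { 'mod_security_asl_initialize': ... }` is considered done once `creates => "${config_dir}/asl/sql.txt"` exists, and the Debian update script shown above moves the wget output into place without checking its status, so a failed first download would still create that file and Puppet would never retry; a `timeout` and a check that is not satisfied by an empty file would make the initialization more robust. The `alias => 'mod_security'` on the package repeats the resource title and can be dropped.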
......@@ -4,5 +4,9 @@
# License: GPLv3
class mod_security {
include mod_security::base
case $operatingsystem {
centos: { include mod_security::centos }
debian: { include mod_security::debian }
default: { include mod_security::base }
}
}
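Review bot: The `default: { include mod_security::base }` arm is redundant, because `include mod_security::base` is already evaluated unconditionally on the line before the `case`, and both `mod_security::centos` and `mod_security::debian` inherit from the base class; either drop the unconditional include and let the `default` arm carry it, or remove the arm, so the structure states one intent. A short comment above the `case`, such as `# per-OS subclasses override platform-specific package names`, would make the split obvious to the next reader. The enclosing class is shown in full in this hunk.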