From 1c20ce5f7017437226ff4f6de45750b6eec13f48 Mon Sep 17 00:00:00 2001
From: Niels Abspoel
Date: Fri, 23 Sep 2016 11:12:37 +0200
Subject: [PATCH] add modsecurity rules state
---
 README.rst | 5 +++
 .../init.sls} | 0
 apache/mod_security/rules.sls | 45 +++++++++++++++++++
 pillar.example | 16 +++++++
 4 files changed, 66 insertions(+)
 rename apache/{mod_security.sls => mod_security/init.sls} (100%)
 create mode 100644 apache/mod_security/rules.sls
diff --git a/README.rst b/README.rst
index 4fed9cb..bea57cb 100644
--- a/README.rst
+++ b/README.rst
@@ -93,6 +93,11 @@ using data from Pillar.
 (Debian and RedHat Only)
 Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2
+``apache.mod_security.rules``
+
+This state can create symlinks based on basic Core Rules package. (Debian only)
+Or it can distribute a mod_security rule file and place it /etc/modsecurity/
+
 ``apache.mod_ssl``
 ----------------------
diff --git a/apache/mod_security.sls b/apache/mod_security/init.sls
similarity index 100%
rename from apache/mod_security.sls
rename to apache/mod_security/init.sls
diff --git a/apache/mod_security/rules.sls b/apache/mod_security/rules.sls
new file mode 100644
index 0000000..966a934
--- /dev/null
+++ b/apache/mod_security/rules.sls
@@ -0,0 +1,45 @@
+{%- set apache = pillar.get('apache', {}) %}
+{%- set mod_security = apache.get('mod_security', {}) %}
+{%- if mod_security.get('manage_config', False) %}
+
+include:
+ - apache.mod_security
+
+{%- for rule_name, rule_details in mod_security.get('rules', {}).items() %}
+ {% set rule_set = rule_details.get('rule_set', '') %}
+ {% set enabled = rule_details.get('enabled', False ) %}
+ {%- if enabled %}
+/etc/modsecurity/{{ rule_name }}:
+ file.symlink:
+ - target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }}
+ - user: root
+ - group: root
+ - mode: 755
+ {%- else %}
+/etc/modsecurity/{{ rule_name }}:
+ file.absent:
+ - name: /etc/modsecurity/{{ rule_name }}
+ {%- endif %}
+
+{%- endfor %}
+
+{%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %}
+ {% set file = custom_rule_details.get('file', None) %}
+ {% set path = custom_rule_details.get('path', None) %}
+ {% set enabled = custom_rule_details.get('enabled', False ) %}
+
+ {%- if enabled %}
+/etc/modsecurity/{{ file }}:
+ file.managed:
+ - source: {{ path }}
+ - user: root
+ - group: root
+ - mode: 755
+ {%- else %}
+/etc/modsecurity/{{ file }}:
+ file.absent:
+ - name: /etc/modsecurity/{{ file }}
+ {%- endif %}
+{%- endfor %}
+
+{% endif %}
diff --git a/pillar.example b/pillar.example
index 43e6d4a..2dd1515 100644
--- a/pillar.example
+++ b/pillar.example
@@ -165,3 +165,19 @@ apache:
 sec_pcre_match_limit_recursion: '15000'
 sec_debug_log_level: '3'
+ rules:
+ enabled:
+ modsecurity_crs_10_setup.conf:
+ rule_set: ''
+ enabled: True
+ modsecurity_crs_20_protocol_violations.conf:
+ rule_set: 'base_rules'
+ enabled: False
+
+ custom_rule_files:
+ # any name as an array index, and you can duplicate this section
+ UNIQUE_VALUE_HERE:
+ file: 'my name'
+ path: 'salt://path/to/modsecurity/custom/file'
+ enabled: True
+
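Review bot: The pillar layout this state iterates does not match the pillar.example hunk in the same commit: `{%- for rule_name, rule_details in mod_security.get('rules', {}).items() %}` treats every key under `rules` as a rule file name, but pillar.example nests those entries under an extra `enabled:` key, so on that example the loop yields one entry named `enabled`, its `rule_details.get('enabled', False)` is false, and the state declares `/etc/modsecurity/enabled` as `file.absent` without managing any CRS symlink. Either drop the `enabled:` line from pillar.example or read `mod_security.get('rules', {}).get('enabled', {})` here, but the two files must agree. Separately, the `custom_rule_files` loop renders the literal path `/etc/modsecurity/None` when an entry lacks a `file` key, because `{{ file }}` stringifies the `None` default from `custom_rule_details.get('file', None)`; wrapping both branches in `{%- if file %}` … `{%- endif %}` prevents that path from being created or deleted. `- mode: 755` on the `file.managed` rule file grants execute permission a configuration file Apache only reads does not need; `- mode: '0644'` keeps it owner-writable and world-readable without the execute bit.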