add modsecurity rules state
parent
ffec46e8d5
commit
1c20ce5f70
@ -93,6 +93,11 @@ using data from Pillar. (Debian and RedHat Only)
|
|||||||
|
|
||||||
Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2
|
Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2
|
||||||
|
|
||||||
|
``apache.mod_security.rules``
|
||||||
|
|
||||||
|
This state can create symlinks based on basic Core Rules package. (Debian only)
|
||||||
|
Or it can distribute a mod_security rule file and place it /etc/modsecurity/
|
||||||
|
|
||||||
``apache.mod_ssl``
|
``apache.mod_ssl``
|
||||||
----------------------
|
----------------------
|
||||||
|
|
||||||
|
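--- a/apache/mod_security/rules.sls
+++ b/apache/mod_security/rules.sls
@@ -0,0 +1,45 @@
+{%- set apache = pillar.get('apache', {}) %}
+{%- set mod_security = apache.get('mod_security', {}) %}
+{%- if mod_security.get('manage_config', False) %}
+
+include:
+- apache.mod_security
+
+{%- for rule_name, rule_details in mod_security.get('rules', {}).items() %}
+{% set rule_set = rule_details.get('rule_set', '') %}
+{% set enabled = rule_details.get('enabled', False ) %}
+{%- if enabled %}
+/etc/modsecurity/{{ rule_name }}:
+file.symlink:
+- target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }}
+- user: root
+- group: root
+- mode: 755
+{%- else %}
+/etc/modsecurity/{{ rule_name }}:
+file.absent:
+- name: /etc/modsecurity/{{ rule_name }}
+{%- endif %}
+
+{%- endfor %}
+
+{%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %}
+{% set file = custom_rule_details.get('file', None) %}
+{% set path = custom_rule_details.get('path', None) %}
+{% set enabled = custom_rule_details.get('enabled', False ) %}
+
+{%- if enabled %}
+/etc/modsecurity/{{ file }}:
+file.managed:
+- source: {{ path }}
+- user: root
+- group: root
+- mode: 755
+{%- else %}
+/etc/modsecurity/{{ file }}:
+file.absent:
+- name: /etc/modsecurity/{{ file }}
+{%- endif %}
+{%- endfor %}
+
+{% endif %}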
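Review bot: `- mode: 755` on both the `file.symlink` and the `file.managed` state gives mod_security rule files under /etc/modsecurity/ execute bits they never need; `- mode: '0644'` (quoted, as Salt recommends for mode values) is the least-privilege choice for `file.managed`, and the `mode` line on the `file.symlink` state can be dropped because the permission bits of a symlink itself are not meaningful on Linux. `include: - apache.mod_security` does not order this state after the package install, so on a fresh minion the symlink can be created before its CRS target exists; add `- require:` / `- sls: apache.mod_security` to the `file.symlink` state. The loop `mod_security.get('rules', {}).items()` treats each entry directly under `rules` as a rule name, while the pillar example later in this commit appears to nest the rules under `rules: enabled:` (indentation is not visible in this rendering), which would produce a single `rule_name` of `enabled` and a stray `file.absent` — one of the two needs to change. In the `custom_rule_files` loop, `file` and `path` default to `None`, so an entry missing either key silently yields `/etc/modsecurity/None` or an empty source; using `custom_rule_details['file']` so the render fails on a missing key would surface the mistake. `{{ file }}` is also joined into the path unvalidated, so a pillar value containing a slash would manage a file outside /etc/modsecurity/ — pillar is operator-controlled, but rejecting names with `/` in the template is cheap.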
@ -165,3 +165,19 @@ apache:
|
|||||||
sec_pcre_match_limit_recursion: '15000'
|
sec_pcre_match_limit_recursion: '15000'
|
||||||
sec_debug_log_level: '3'
|
sec_debug_log_level: '3'
|
||||||
|
|
||||||
|
rules:
|
||||||
|
enabled:
|
||||||
|
modsecurity_crs_10_setup.conf:
|
||||||
|
rule_set: ''
|
||||||
|
enabled: True
|
||||||
|
modsecurity_crs_20_protocol_violations.conf:
|
||||||
|
rule_set: 'base_rules'
|
||||||
|
enabled: False
|
||||||
|
|
||||||
|
custom_rule_files:
|
||||||
|
# any name as an array index, and you can duplicate this section
|
||||||
|
UNIQUE_VALUE_HERE:
|
||||||
|
file: 'my name'
|
||||||
|
path: 'salt://path/to/modsecurity/custom/file'
|
||||||
|
enabled: True
|
||||||
|
|
||||||
|