Merge pull request #157 from webscale-formulas/mod_security_rules

add modsecurity rules state
2017-02-01 23:47:14 +01:00 · 2017-02-01 23:47:14 +01:00 · 6d2ebe27db
commit 6d2ebe27db
parent cc9d81c3b1 1c20ce5f70
4 changed files with 66 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -93,6 +93,11 @@ using data from Pillar. (Debian and RedHat Only)

 Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2

+``apache.mod_security.rules``
+
+This state can create symlinks based on basic Core Rules package. (Debian only)
+Or it can distribute a mod_security rule file and place it /etc/modsecurity/
+
 ``apache.mod_ssl``
 ----------------------

--- a/apache/mod_security/init.sls
+++ b/apache/mod_security/init.sls
--- a/apache/mod_security/rules.sls
+++ b/apache/mod_security/rules.sls
@ -0,0 +1,45 @@
+{%- set apache = pillar.get('apache', {}) %}
+{%- set mod_security = apache.get('mod_security', {}) %}
+{%- if mod_security.get('manage_config', False) %}
+
+include:
+  - apache.mod_security
+
+{%- for rule_name, rule_details in mod_security.get('rules', {}).items() %}
+  {% set rule_set = rule_details.get('rule_set', '') %}
+  {% set enabled = rule_details.get('enabled', False ) %}
+  {%- if enabled %}
+/etc/modsecurity/{{ rule_name }}:
+  file.symlink:
+    - target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }}
+    - user: root
+    - group: root
+    - mode: 755
+  {%- else %}
+/etc/modsecurity/{{ rule_name }}:
+  file.absent:
+    - name: /etc/modsecurity/{{ rule_name }}
+  {%- endif %}
+
+{%- endfor %}
+
+{%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %}
+  {% set file = custom_rule_details.get('file', None) %}
+  {% set path = custom_rule_details.get('path', None) %}
+  {% set enabled = custom_rule_details.get('enabled', False ) %}
+
+  {%- if enabled %}
+/etc/modsecurity/{{ file }}:
+  file.managed:
+    - source: {{ path }}
+    - user: root
+    - group: root
+    - mode: 755
+  {%- else %}
+/etc/modsecurity/{{ file }}:
+  file.absent:
+    - name: /etc/modsecurity/{{ file }}
+  {%- endif %}
+{%- endfor %}
+
+{% endif %}
--- a/pillar.example
+++ b/pillar.example
@ -165,3 +165,19 @@ apache:
    sec_pcre_match_limit_recursion: '15000'
    sec_debug_log_level: '3'

+    rules:
+      enabled:
+      modsecurity_crs_10_setup.conf:
+        rule_set: ''
+        enabled: True
+      modsecurity_crs_20_protocol_violations.conf:
+        rule_set: 'base_rules'
+        enabled: False
+
+    custom_rule_files:
+      # any name as an array index, and you can duplicate this section
+      UNIQUE_VALUE_HERE:
+        file: 'my name'
+        path: 'salt://path/to/modsecurity/custom/file'
+        enabled: True
+