From 8584dbf2a11dcd5220c0a8b03348b6f0719ef183 Mon Sep 17 00:00:00 2001
From: Alexander Kozlov
Date: Mon, 14 Dec 2015 17:12:20 +0300
Subject: [PATCH] Added ability to manage security settings

By reassigning options with `blockreplace` at `/etc/apache2/conf-available/security.conf`, which is linked as conf-enabled by default on Debian packages
---
 apache/manage_security.sls | 33 +++++++++++++++++++++++++++++++++
 pillar.example | 5 +++++
 2 files changed, 38 insertions(+)
 create mode 100644 apache/manage_security.sls

diff --git a/apache/manage_security.sls b/apache/manage_security.sls
new file mode 100644
index 0000000..6a57fe4
--- /dev/null
+++ b/apache/manage_security.sls
@@ -0,0 +1,33 @@
+{% if grains['os_family']=="Debian" %}
+
+{% from "apache/map.jinja" import apache with context %}
+
+include:
+ - apache
+
+{% if salt['file.file_exists' ]('/etc/apache2/conf-available/security.conf') %}
+apache_security-block:
+ file.blockreplace:
+ - name: /etc/apache2/conf-available/security.conf
+ - marker_start: "# START managed zone -DO-NOT-EDIT-"
+ - marker_end: "# END managed zone --"
+ - append_if_not_found: True
+ - show_changes: True
+ - require:
+ - pkg: apache
+ - watch_in:
+ - module: apache-reload
+
+{% for option, value in salt['pillar.get']('apache:security', {}).items() %}
+apache_manage-security-{{ option }}:
+ file.accumulated:
+ - filename: /etc/apache2/conf-available/security.conf
+ - name: apache_manage-security-add-{{ option }}
+ - text: "{{ option }} {{ value }}"
+ - require_in:
+ - file: apache_security-block
+{% endfor %}
+
+{% endif %}
+
+{% endif %}
\ No newline at end of file
diff --git a/pillar.example b/pillar.example
index 0dda7ac..0ddc9a0 100644
--- a/pillar.example
+++ b/pillar.example
@@ -115,3 +115,8 @@ apache:
 - ssl
 disabled: # List modules to disable
 - rewrite
+
+ security:
+ # can be Full | OS | Minimal | Minor | Major | Prod
+ # where Full conveys the most information, and Prod the least.
+ ServerTokens: Prod
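Review bot: The `file.file_exists` guard around `apache_security-block` is evaluated when the state is rendered, i.e. before the included `apache` state has installed the package, so on a minion where `/etc/apache2/conf-available/security.conf` does not exist yet the managed block and the whole `file.accumulated` loop are silently skipped until a second highstate run; the `require: - pkg: apache` inside the block cannot help, because the surrounding Jinja never emits the state at all. If `file.blockreplace` on the targeted Salt versions can create the file, dropping the Jinja guard and relying on the requisite is enough; otherwise move the check to run time with `- onlyif: test -f /etc/apache2/conf-available/security.conf` on the blockreplace state. The managed zone is appended after the directives Debian ships in that file (its own default `ServerTokens`, for example), so the override relies on Apache honouring the last occurrence of a directive; a comment above the state such as `# Appended at the end of security.conf so the managed values override the distribution defaults above them` would make that dependency explicit. Each pillar key and value is written into the Apache configuration verbatim, so the `apache:security` pillar must be treated as trusted configuration.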
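Review bot: The example documents only `ServerTokens`, although the loop in `apache/manage_security.sls` accepts any directive name under `apache:security` and Debian's security.conf also carries `ServerSignature` and `TraceEnable`; listing those with their hardening values (`ServerSignature: Off`, `TraceEnable: Off`) would show readers the full set of directives the new state is meant to manage. A one-line comment stating that each key is written into the file verbatim as `<key> <value>` would also explain why the keys use Apache's directive spelling rather than the formula's usual lowercase style.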