Rietveld Code Review Tool

Side by Side Diff: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)
Patch Set: Issue 2487 - Introduce fail2ban module Created Nov. 29, 2016, 12:44 p.m.
(Empty)
1 # == Class: fail2ban
2 #
3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.
4 #
5 # == Parameters:
6 #
7 # [*jail_config*]
8 # Provisions a jail.local adjacent to the default configuration.
9 # By default entries will have the following parameters:
10 # 'enabled' => 'true',
11 # 'port' => 'all',
12 # 'maxretry' => 6,
13 # 'banaction' => 'iptables-allports',
14 # 'bantime' => 3600,
15 #
16 # For the default banaction iptables-allports, the port parameter
17 # is not used and only set here for documentation purposes. Note
18 # that if 'banaction' is set to iptables-multiport, it requires that
19 # the 'port' parameter contains one or more comma-separated ports or protocols .
20 #
21 # [*package*]
22 # Overwrite the default package options, to fine-tune the target version (i.e.
23 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
24 #
25 # [*service*]
26 # Overwrite the default service options.
27 #
28 # [*filters*]
29 # Adds adittional filters to the filters.d folder.
mathias 2016/11/29 13:21:24 Another comment-line (hash-tag in the beginning, o
f.lopez 2016/12/01 09:13:49 Acknowledged.
30 # === Examples:
31 #
32 # class {'fail2ban':
33 # package => {ensure => 'present',},
34 # service => {},
35 # jail_config => {
36 # 'CVE-2013-0235' => {
37 # 'logpath' => '/var/log/nginx/access_log_hg',
38 # 'banaction' => 'iptables-multiport',
39 # 'port' => 'https, http',
40 # }
41 # },
42 # filters => {
43 # 'CVE-2013-0235' => {
44 # failregex => [
45 # '^<HOST>.*\"WordPress\/.*',
46 # ],
47 # }
48 # },
49 # }
mathias 2016/11/29 13:21:25 Another comment-line (hash-tag in the beginning, o
f.lopez 2016/12/01 09:13:50 Acknowledged.
50 class fail2ban (
51 $package = {},
52 $service = {},
53 $jail_config = {},
54 $filters = {},
55 ) {
56
57 include stdlib
58
59 $jail_default = {
60 'enabled' => 'true',
61 'port' => 'all',
62 'maxretry' => 6,
63 'banaction' => 'iptables-allports',
64 'bantime' => 3600,
65 }
66
67 ensure_resource('package', $title, $package)
68
69 # Used as default $ensure parameter for most resources below
70 $ensure = getparam(Package[$title], 'ensure') ? {
71 /^(absent|purged)$/ => 'absent',
72 default => 'present',
73 }
74
75 # Service resources don't properly support the concept of absence
mathias 2016/11/29 13:21:25 There is more than just a service resource taken c
f.lopez 2016/12/01 09:13:49 Acknowledged.
76 if ($ensure == 'present') {
77
78 ensure_resource('service', $title, $service)
mathias 2016/11/29 13:21:25 What about the $hasrestart and $hasstatus paramete
f.lopez 2016/12/01 09:13:49 We can, indeed, set those params to true
79 # See modules/fail2ban/manifests/filter.pp
80 create_resources('fail2ban::filter', $filters)
81
82 # Filters already present in the fail2ban distribution can
83 # also be activated.
84 # One can aslo decide not to configure any extra filters
85 # so no configuration file would be created then.
86 if jail_config != undef {
mathias 2016/11/29 13:21:25 This condition should check for empty($jail_config
f.lopez 2016/12/01 09:13:50 You are right, if we iterate over an empty param i
87 file {'/etc/fail2ban/jail.local':
88 ensure => present,
89 group => 'root',
90 mode => '0644',
91 owner => 'root',
92 content => template("fail2ban/jail.erb"),
93 notify => Service[$title],
94 }
95 }
96
97 Package[$title] -> File['/etc/fail2ban/jail.local']
mathias 2016/11/29 13:21:25 A relationship declaring the Service[$title] being
f.lopez 2016/12/01 09:13:49 Acknowledged.
98 }
99
100 }
101
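Review bot: the condition on line 86, `if jail_config != undef {`, is missing the `$` sigil, so it compares the bare string `jail_config` with `undef` and is always true; jail.local is therefore written even when no jails are configured, which defeats the intent described in the comment on lines 82-85. Write it as `if !empty($jail_config) {` (stdlib is already included on line 57), which also covers the `{}` default and matches the empty-check raised in review. Related, the ordering on line 97, `Package[$title] -> File['/etc/fail2ban/jail.local']`, sits outside that conditional, so once the check works and no jail_config is given, the manifest references a File resource that was never declared and fails to compile; move the relationship inside the `if` block next to the `file` resource, or express it with `require => Package[$title]` on the file itself. Minor: line 92 uses `template("fail2ban/jail.erb")` with double quotes although nothing is interpolated; single quotes are the lint-clean form used elsewhere in this file.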
