modules/fail2ban/manifests/init.pp - Issue 29364214: Issue 2487 - Introduce fail2ban module

Delta Between Two Patch Sets: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)

Left Patch Set: Created Nov. 28, 2016, 3:59 p.m.

Right Patch Set: For comment 22 and 23 Created Dec. 2, 2016, 2:22 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 # == Class: fail2ban	1 # == Class: fail2ban

2 #	2 #

3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.	3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.

4 #	4 #

5 # == Parameters:	5 # == Parameters:

6 #	6 #

7 # [jail_config]	7 # [jails]

8 # Adds jail.local to the default configuration of fail2ban.	8 # Provisions a jail.local adjacent to the default configuration.
f.nicolaisen 2016/11/29 00:38:54 "Provisions a jail.local adjacent to the default f "Provisions a jail.local adjacent to the default fail2ban configuration." f.lopez 2016/11/29 10:46:58 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > "Provisions a jail.local adjacent to the default fail2ban configuration." Acknowledged.
9 # By default it will have the following parameters:	9 # By default entries will have the following parameters:
f.nicolaisen 2016/11/29 00:38:54 s/it/entries s/it/entries f.lopez 2016/11/29 10:46:57 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > s/it/entries Acknowledged.
10 # 'enabled' => 'true',	10 # 'enabled' => 'true',

11 # 'port' => 'all',	11 # 'port' => 'all',

12 # 'maxretry' => 6,	12 # 'maxretry' => 6,

13 # 'banaction' => 'iptables-allports',	13 # 'banaction' => 'iptables-allports',

14 # 'bantime' => 3600,	14 # 'bantime' => 3600,

15 #	15 #

16 # Note that 'port' parameter needs to be an actual port	16 # For the default banaction iptables-allports, the port parameter

17 # otherwise it will fail if there is no 'banaction' declared.	17 # is not used and only set here for documentation purposes. Note
f.nicolaisen 2016/11/29 00:38:54 I would formulate it like this: For the default ba I would formulate it like this: For the default banaction iptables-allports, the port parameter is not used and only set here for documentation purposes. Note that if 'banaction' is set to iptables-multiport, it requires that the 'port' parameter contains one or more comma-separated ports or protocols. f.lopez 2016/11/29 10:46:57 Like it, gonna use your instead :) Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > I would formulate it like this: > For the default banaction iptables-allports, the port parameter is not used and > only set here for documentation purposes. Note that if 'banaction' is set to > iptables-multiport, it requires that the 'port' parameter contains one or more > comma-separated ports or protocols. Like it, gonna use your instead :)
18 # Some options can be: http, https, ftp, etc.	18 # that if 'banaction' is set to iptables-multiport, it requires that

	19 # the 'port' parameter contains one or more comma-separated ports or protocols .

19 #	20 #

20 # [package]	21 # [package]

21 # Overwrite the default package options, to fine-tune the target version (i.e.	22 # Overwrite the default package options, to fine-tune the target version (i.e.

22 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')	23 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')

23 #	24 #

24 # [service]	25 # [service]

25 # Overwrite the default service options.	26 # Overwrite the default service options.

26 #	27 #

27 # [filters]	28 # [filters]

28 # Adds adittional filters to the filters.d folder.	29 # Adds adittional filters to the filters.d folder.

	30 #

29 # === Examples:	31 # === Examples:

30 #	32 #

31 # class {'fail2ban':	33 # class {'fail2ban':

32 # package => {ensure => 'present',},	34 # package => {ensure => 'present',},

33 # service => {},	35 # service => {},

34 # jail_config => {	36 # jails => {

35 # 'CVE-2013-0235' => {	37 # 'CVE-2013-0235' => {

36 # logpath => '/var/log/nginx/access_log_hg',	38 # 'logpath' => '/var/log/nginx/access_log_hg',
f.nicolaisen 2016/11/29 00:38:54 Remove trailing WS (white space) Remove trailing WS (white space) f.nicolaisen 2016/11/29 00:38:55 Maybe we should add banaction multiport: http,http Maybe we should add banaction multiport: http,https in this example. f.lopez 2016/11/29 10:46:58 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > Remove trailing WS (white space) Acknowledged. f.lopez 2016/11/29 10:46:58 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > Remove trailing WS (white space) Acknowledged.
	39 # 'banaction' => 'iptables-multiport',

	40 # 'port' => 'https, http',

37 # }	41 # }

38 # },	42 # },

39 # filters => {	43 # filters => {

40 # 'CVE-2013-0235' => {	44 # 'CVE-2013-0235' => {

41 # failregex => [	45 # regexes => [

42 # '^<HOST>.\"WordPress\/.',	46 # '^<HOST>.\"WordPress\/.',

43 # ],	47 # ],

44 # }	48 # }

45 # },	49 # },

46 # }	50 # }

	51 #

47 class fail2ban (	52 class fail2ban (

48 $package = {},	53 $package = hiera('fail2ban::package', {}),

49 $service = {},	54 $service = hiera('fail2ban::service', {}),

50 $jail_config = {},	55 $jails = hiera('fail2ban::jails', {}),
f.nicolaisen 2016/11/29 00:38:54 Now that I think about it, maybe we should call th Now that I think about it, maybe we should call this one 'jail_configs'? Not sure. f.lopez 2016/11/29 10:46:57 I think singular is ok since it is only one jail.l Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > Now that I think about it, maybe we should call this one 'jail_configs'? Not > sure. I think singular is ok since it is only one jail.local configuration file we are going to create, I tried using a jail.d folder in order to have more configurations but it doesn't work.
51 $filters = {},	56 $filters = hiera('fail2ban::filters', {}),

52 ) {	57 ) {

53	58

54 include stdlib	59 include stdlib

55	60

56 $jail_default = {	61 $jail_default = {

57 'enabled' => 'true',	62 'enabled' => 'true',

58 'port' => 'all',	63 'port' => 'all',

59 'maxretry' => 6,	64 'maxretry' => 6,

60 'banaction' => 'iptables-allports',	65 'banaction' => 'iptables-allports',

61 'bantime' => 3600,	66 'bantime' => 3600,

62 }	67 }

63	68

64 ensure_resource('package', $title, $package)	69 ensure_resource('package', $title, $package)

65	70

66 # Used as default $ensure parameter for most resources below

67 $ensure = getparam(Package[$title], 'ensure') ? {	71 $ensure = getparam(Package[$title], 'ensure') ? {

68 /^(absent\|purged)$/ => 'absent',»	72 /^(absent\|purged)$/ => 'absent',
f.nicolaisen 2016/11/29 00:38:54 WS WS f.lopez 2016/11/29 10:46:58 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > WS Acknowledged.
69 default => 'present',	73 default => 'present',

70 }	74 }

71	75

72 # Service resources don't properly support the concept of absence

73 if ($ensure == 'present') {	76 if ($ensure == 'present') {

74	77

75 ensure_resource('service', $title, $service)	78 ensure_resource('service', $title, merge({

	79 hasrestart => true,

	80 hasstatus => true,

	81 }, $service))

	82

76 # See modules/fail2ban/manifests/filter.pp	83 # See modules/fail2ban/manifests/filter.pp

77 create_resources('fail2ban::filter', $filters)	84 create_resources('fail2ban::filter', $filters)

78	85
f.nicolaisen 2016/11/29 00:38:54 WS WS f.lopez 2016/11/29 10:46:58 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > WS Acknowledged.
79 # According to the docs one can also enable filters that are	86 file {'/etc/fail2ban/jail.local':

80 # already in there, so the config file should be done separately	87 ensure => present,

81 # of the filters, another thing to conside is the possibility of	88 group => 'root',
f.nicolaisen 2016/11/29 00:38:54 Typo: 'conside'. Typo: 'conside'. f.nicolaisen 2016/11/29 00:38:54 Split the sentences: "... filters. Another thing t Split the sentences: "... filters. Another thing to..." f.lopez 2016/11/29 10:46:58 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > Typo: 'conside'. Acknowledged.
82 # having the filters configured but not activated, so no conf is	89 mode => '0644',

83 # passed.	90 owner => 'root',
f.nicolaisen 2016/11/29 00:38:55 The whole above comment is a bit "loose" and undec The whole above comment is a bit "loose" and undecided. Try instead to declare exactly how to do what. "Filters already present in the fail2ban distribution can also be activated. Configure deactivated filters so that ... (when is that a good idea?)." f.lopez 2016/11/29 10:46:58 Well you can have filters for specific situations Show quoted text On 2016/11/29 00:38:55, f.nicolaisen wrote: > The whole above comment is a bit "loose" and undecided. Try instead to declare > exactly how to do what. "Filters already present in the fail2ban distribution > can also be activated. Configure deactivated filters so that ... (when is that a > good idea?)." Well you can have filters for specific situations and then deactivate them.
84 if jail_config != undef {	91 content => template("fail2ban/jail.erb"),

85 file {'/etc/fail2ban/jail.local':	92 notify => Service['fail2ban'],

86 ensure => present,	93 require => Package['fail2ban'],

87 group => 'root',

88 mode => '0644',

89 owner => 'root',

90 content => template("fail2ban/jail.erb"),

91 notify => Service[$title],

92 }

93 }	94 }

94	95

95 Package[$title] -> File['/etc/fail2ban/jail.local']	96 Package[$title] -> File['/etc/fail2ban/jail.local']

	97 Service[$title] <~ Package[$title]

96 }	98 }

97	99

98 }	100 }
f.nicolaisen 2016/11/29 00:38:54 No empty line at end of file No empty line at end of file f.lopez 2016/11/29 10:46:57 Acknowledged. Show quoted text On 2016/11/29 00:38:54, f.nicolaisen wrote: > No empty line at end of file Acknowledged.
	101

LEFT	RIGHT