
Merge pull request #157 from webscale-formulas/mod_security_rules

add modsecurity rules state
tags/v0.37.4
alxwr 8 years ago
parent
commit
6d2ebe27db
4 changed files with 66 additions and 0 deletions
  1. +5
    -0
      README.rst
  2. +0
    -0
      apache/mod_security/init.sls
  3. +45
    -0
      apache/mod_security/rules.sls
  4. +16
    -0
      pillar.example

+ 5
- 0
README.rst View File

@@ -93,6 +93,11 @@ using data from Pillar. (Debian and RedHat Only)

Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2

``apache.mod_security.rules``

This state can create symlinks based on basic Core Rules package. (Debian only)
Or it can distribute a mod_security rule file and place it /etc/modsecurity/

``apache.mod_ssl``
----------------------


apache/mod_security.sls → apache/mod_security/init.sls View File


+ 45
- 0
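--- a/apache/mod_security/rules.sls
+++ b/apache/mod_security/rules.sls
@@ -0,0 +1,45 @@
+{%- set apache = pillar.get('apache', {}) %}
+{%- set mod_security = apache.get('mod_security', {}) %}
+{%- if mod_security.get('manage_config', False) %}
+
+include:
+- apache.mod_security
+
+{%- for rule_name, rule_details in mod_security.get('rules', {}).items() %}
+{% set rule_set = rule_details.get('rule_set', '') %}
+{% set enabled = rule_details.get('enabled', False ) %}
+{%- if enabled %}
+/etc/modsecurity/{{ rule_name }}:
+file.symlink:
+- target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }}
+- user: root
+- group: root
+- mode: 755
+{%- else %}
+/etc/modsecurity/{{ rule_name }}:
+file.absent:
+- name: /etc/modsecurity/{{ rule_name }}
+{%- endif %}
+
+{%- endfor %}
+
+{%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %}
+{% set file = custom_rule_details.get('file', None) %}
+{% set path = custom_rule_details.get('path', None) %}
+{% set enabled = custom_rule_details.get('enabled', False ) %}
+
+{%- if enabled %}
+/etc/modsecurity/{{ file }}:
+file.managed:
+- source: {{ path }}
+- user: root
+- group: root
+- mode: 755
+{%- else %}
+/etc/modsecurity/{{ file }}:
+file.absent:
+- name: /etc/modsecurity/{{ file }}
+{%- endif %}
+{%- endfor %}
+
+{% endif %}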
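Review bot: The pillar-supplied `rule_name` (state IDs and `target` in the first loop) and `file` (state IDs and `name` in the second loop) are spliced into filesystem paths with no validation, so a pillar key or `file:` value containing `/` or `..` turns `file.managed`/`file.absent` into a root-level write or delete outside `/etc/modsecurity/`. Pillar is normally operator-controlled, but where teams can contribute pillar data (external pillars, per-environment pillar trees) this is worth closing: normalise each name at the top of the loop body with `{% set rule_name = salt['file.basename'](rule_name) %}` (and `{% set file = salt['file.basename'](file) %}`), or abort the render when `'/' in rule_name` — `file.basename` should exist on any Salt release from this era, but confirm against the minimum version the formula targets. The `file` default of `None` also means an entry that omits `file:` produces a state named `/etc/modsecurity/None`; defaulting to the entry key, `custom_rule_details.get('file', custom_rule)`, is both safer and matches how the `rules` loop keys on the filename. Finally, CRS and custom rule files are configuration read by Apache, not executables, so `- mode: '0644'` (quoted, per the Salt docs) is the right permission for the managed file; on Linux the kernel ignores a symlink's own mode anyway, so the `mode` on the `file.symlink` state is presumably a no-op and could be dropped.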

+ 16
- 0
pillar.example View File

@@ -165,3 +165,19 @@ apache:
sec_pcre_match_limit_recursion: '15000'
sec_debug_log_level: '3'

rules:
enabled:
modsecurity_crs_10_setup.conf:
rule_set: ''
enabled: True
modsecurity_crs_20_protocol_violations.conf:
rule_set: 'base_rules'
enabled: False

custom_rule_files:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
file: 'my name'
path: 'salt://path/to/modsecurity/custom/file'
enabled: True
