added controls for main conf/local files

README.md

@@ -1,6 +1,6 @@
 |Repo Name| version | Build Status|
 |---|---|---|---|
-|`cd_fail2ban`| 0.0.0.3 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_fail2ban)](https://jenkins.confdroid.com/job/cd_fail2ban/)|
+|`cd_fail2ban`| 0.0.0.4 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_fail2ban)](https://jenkins.confdroid.com/job/cd_fail2ban/)|
 
 ### Synopsis
 Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks.
@@ -34,6 +34,13 @@ Fail2Ban is an intrusion prevention software framework that protects computer se
 Installation
 * install required binaries
 
+Configuration
+* manage directory structure  (file system permissions, selinux context)
+* manage configration files   (file system permissions, selinux context, content based on parameters)
+
+Service
+* manage service status (running or stopped)
+
 
 ### Repo Structure
 Repostructure has moved to REPOSTRUCTURE.md in repo.

manifests/main/config.pp

@@ -25,7 +25,6 @@ class cd_fail2ban::main::config (
 
 ) inherits cd_fail2ban::params {
 
-  if $fn_enable_fail2ban == true {
     include cd_fail2ban::main::service
-  }
+
 }

manifests/main/dirs.pp

@@ -109,4 +109,20 @@ class cd_fail2ban::main::dirs (
     seltype   =>  fail2ban_var_lib_t,
     seluser   =>  system_u,
   }
+
+  # manage /var/run/fail2bam
+
+  file { $fn_var_run_dir:
+    ensure    =>  directory,
+    path      =>  $fn_var_run_dir,
+    owner     =>  'root',
+    group     =>  'root',
+    mode      =>  '0755',
+    selrange  =>  s0,
+    selrole   =>  object_r,
+    seltype   =>  fail2ban_var_run_t,
+    seluser   =>  system_u,
+  }
+
+
 }

manifests/main/files.pp

@@ -26,4 +26,39 @@ class cd_fail2ban::main::files (
 
   require cd_fail2ban::main::dirs
 
+  if $fn_manage_config == true {
+
+    # manage fail2ban.conf
+
+    file { $fn_fail2ban_conf_file:
+      ensure    =>  present,
+      path      =>  $fn_fail2ban_conf_file,
+      owner     =>  'root',
+      group     =>  'root',
+      mode      =>  '0640',
+      selrange  =>  s0,
+      selrole   =>  object_r,
+      seltype   =>  etc_t,
+      seluser   =>  system_u,
+      content   =>  template($fn_fail2ban_conf_erb),
+      notify    =>  Service[$fn_service],
+    }
+
+    # manage fail2ban.local
+
+    file { $fn_fail2ban_local_file:
+      ensure    =>  present,
+      path      =>  $fn_fail2ban_local_file,
+      owner     =>  'root',
+      group     =>  'root',
+      mode      =>  '0640',
+      selrange  =>  s0,
+      selrole   =>  object_r,
+      seltype   =>  etc_t,
+      seluser   =>  system_u,
+      content   =>  template($fn_fail2ban_conf_erb),
+      notify    =>  Service[$fn_service],
+    }
+
+  }
 }

manifests/main/service.pp

@@ -27,9 +27,10 @@ class cd_fail2ban::main::service (
   require cd_fail2ban::main::files
 
   service { $fn_service:
-    ensure      => running,
+    ensure      => $fn_enable_service,
     hasstatus   => true,
     hasrestart  => true,
     enable      => true,
   }
+
 }

manifests/params.pp

@@ -23,12 +23,42 @@
 # @param  [string] pkg_ensure
 #   which [package type](https://confdroid.com/2017/05/puppet-type-package/)
 #   to choose, i.e. `latest` or `present`.
+# @param  [boolean] fn_manage_config Whether to manage the fail2ban
+#   configuration files. If set to false, fail2ban will be installed, but the
+#   configuration will not be managed.
+# @param  [string] fn_enable_service Whether to enable/start or disable/stop
+#    the fail2ban service. Valid options are `running` or `stopped`.
+# @param  [string]  fn_loglevel Set the log level output. Valid options are
+# `CRITICAL`,`ERROR`,`WARNING`,`NOTICE`,`INFO` and `DEBUG`.
+# @param  [string]  fn_logtarget Set the log target. This could be a file,
+#   SYSLOG, STDERR or STDOUT. Only one log target can be specified.
+# @param  [string] fn_syslogsocket Set the syslog socket file. Only used when
+#   logtarget is SYSLOG.  auto uses platform.system() to determine predefined
+#   paths Valid options: [ auto | FILE ].
+# @param  [string] fn_socket Set the socket file to communicate with the daemon.
+# @param  [string]  fn_pidfile Set the PID file to store the process ID of the
+#   fail2ban server.
+# @param  [string] fn_dbfile file for the fail2ban persistent data to be stored.
+#   A value of ":memory:" means database is only stored in memory
+#   and data is lost when fail2ban is stopped.
+#   A value of "None" disables the database.
+# @param  [string] fn_dbpurgeage age in seconds at which bans should be purged
+#   from the database.
 ##############################################################################
 class cd_fail2ban::params (
 
 $pkg_ensure             = 'latest',
 
-$fn_enable_fail2ban   =  true,
+$fn_manage_config       = true,
+$fn_enable_service      = 'running',
+$fn_loglevel            = 'INFO',
+$fn_logtarget           = 'SYSLOG',
+$fn_syslogsocket        = 'auto',
+$fn_socket              = '/var/run/fail2ban/fail2ban.sock',
+$fn_pidfile             = '/var/run/fail2ban/fail2ban.pid',
+$fn_dbfile              = '/var/lib/fail2ban/fail2ban.sqlite3',
+$fn_dbpurgeage          = '86400',
+
 
 ) {
 
@@ -51,9 +81,13 @@ $fn_fail2ban_d_dir    = "${fn_main_dir}/fail2ban.d"
 $fn_filter_d_dir        = "${fn_main_dir}/filter.d"
 $fn_jail_d_dir          = "${fn_main_dir}/jail.d"
 $fn_var_lib_dir         = '/var/lib/fail2ban'
-
+$fn_var_run_dir         = '/var/run/fail2ban'
 
 # files
+$fn_fail2ban_conf_file  = "${fn_main_dir}fail2ban.conf"
+$fn_fail2ban_conf_erb   = 'cd_fail2ban/fail2ban_conf.erb'
+$fn_fail2ban_local_file = "${fn_main_dir}fail2ban.local"
+$fn_fail2ban_local_erb  = 'cd_fail2ban/fail2ban_local.erb'
 
 # includes must be last
 

templates/fail2ban_conf.erb

@@ -0,0 +1,77 @@
+################################################################################
+##########              fail2ban.conf managed by Puppet               ##########
+##########            manual changes will be overwritten !!!          ##########
+################################################################################
+##########              full reference available under                ##########
+##########   https://confdroid.com/2017/08/fail2ban-fail2ban-conf/    ##########
+################################################################################
+
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [Definition]
+# loglevel = DEBUG
+#
+
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         CRITICAL
+#         ERROR
+#         WARNING
+#         NOTICE
+#         INFO
+#         DEBUG
+# Values: [ LEVEL ]  Default: ERROR
+#
+loglevel = INFO
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
+#
+logtarget = /var/log/fail2ban.log
+
+# Option: syslogsocket
+# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
+#        auto uses platform.system() to determine predefined paths
+# Values: [ auto | FILE ]  Default: auto
+syslogsocket = auto
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
+#
+socket = /var/run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
+#
+pidfile = /var/run/fail2ban/fail2ban.pid
+
+# Options: dbfile
+# Notes.: Set the file for the fail2ban persistent data to be stored.
+#         A value of ":memory:" means database is only stored in memory
+#         and data is lost when fail2ban is stopped.
+#         A value of "None" disables the database.
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours)
+dbpurgeage = 86400

templates/fail2ban_local.erb

@@ -0,0 +1,16 @@
+################################################################################
+##########              fail2ban.local managed by Puppet              ##########
+##########            manual changes will be overwritten !!!          ##########
+################################################################################
+##########              full reference available under                ##########
+##########   https://confdroid.com/2017/08/fail2ban-fail2ban-conf/    ##########
+################################################################################
+
+[Definition]
+loglevel      = <%= @fn_loglevel %>
+logtarget     = <%= @fn_logtarget %>
+syslogsocket  = <%= @fn_syslogsocket %>
+socket        = <%= @fn_socket %>
+pidfile       = <%= @fn_pidfile %>
+dbfile        = <%= @fn_dbfile %>
+dbpurgeage    = <%= @fn_dbpurgeage %>