confdroid/confdroid_fail2ban
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

added control for common-paths-file

Browse Source
This commit is contained in:
Arne Teuke
2017-08-13 14:55:59 +01:00
parent 7e856636a1
commit ca25f72ef3
3 changed files with 104 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
manifests/main/files.pp
View File

@@ -31,7 +31,7 @@ class cd_fail2ban::main::files (
# manage fail2ban.conf # manage fail2ban.conf
file { $fn_fail2ban_conf_file: file { $fn_fail2ban_conf_file:
ensure => present, ensure => file,
path => $fn_fail2ban_conf_file, path => $fn_fail2ban_conf_file,
owner => 'root', owner => 'root',
group => 'root', group => 'root',
@@ -47,7 +47,7 @@ class cd_fail2ban::main::files (
# manage fail2ban.local # manage fail2ban.local
file { $fn_fail2ban_local_file: file { $fn_fail2ban_local_file:
ensure => present, ensure => file,
path => $fn_fail2ban_local_file, path => $fn_fail2ban_local_file,
owner => 'root', owner => 'root',
group => 'root', group => 'root',
@@ -60,10 +60,10 @@ class cd_fail2ban::main::files (
notify => Service[$fn_service], notify => Service[$fn_service],
} }
# manage jail.conf # manage jail.conf
file { $fn_jail_conf_file: file { $fn_jail_conf_file:
ensure => present, ensure => file,
path => $fn_jail_conf_file, path => $fn_jail_conf_file,
owner => 'root', owner => 'root',
group => 'root', group => 'root',
@@ -76,10 +76,10 @@ class cd_fail2ban::main::files (
notify => Service[$fn_service], notify => Service[$fn_service],
} }
# manage jail.local # manage jail.local
file { $fn_jail_local_file: file { $fn_jail_local_file:
ensure => present, ensure => file,
path => $fn_jail_local_file, path => $fn_jail_local_file,
owner => 'root', owner => 'root',
group => 'root', group => 'root',
@@ -92,5 +92,20 @@ class cd_fail2ban::main::files (
notify => Service[$fn_service], notify => Service[$fn_service],
} }
# manage paths-common.conf
file { $fn_paths_common_file:
ensure => file,
path => $fn_paths_common_file,
owner => 'root',
group => 'root',
mode => '0640',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template($fn_paths_common_erb),
notify => Service[$fn_service],
}
} }
} }

3
manifests/params.pp
View File

@@ -206,7 +206,8 @@ $fn_jail_conf_file = "${fn_main_dir}/jail.conf"
$fn_jail_conf_erb = 'cd_fail2ban/jail_conf.erb' $fn_jail_conf_erb = 'cd_fail2ban/jail_conf.erb'
$fn_jail_local_file = "${fn_main_dir}/jail.local" $fn_jail_local_file = "${fn_main_dir}/jail.local"
$fn_jail_local_erb = 'cd_fail2ban/jail_local.erb' $fn_jail_local_erb = 'cd_fail2ban/jail_local.erb'
$fn_paths_common_file = "${fn_main_dir}/paths-common.conf"
$fn_paths_common_erb = 'cd_fail2ban/paths_common_conf.erb'
# includes must be last # includes must be last

81
templates/paths_common_conf.erb Normal file
View File

@@ -0,0 +1,81 @@
# Common
#
[INCLUDES]
after = paths-overrides.local
[DEFAULT]
default_backend = auto
sshd_log = %(syslog_authpriv)s
sshd_backend = %(default_backend)s
dropbear_log = %(syslog_authpriv)s
dropbear_backend = %(default_backend)s
# There is no sensible generic defaults for syslog log targets, thus
# leaving them empty here so that no errors while parsing/interpolating configs
syslog_daemon =
syslog_ftp =
syslog_local0 =
syslog_mail_warn =
syslog_user =
# Set the default syslog backend target to default_backend
syslog_backend = %(default_backend)s
# from /etc/audit/auditd.conf
auditd_log = /var/log/audit/audit.log
exim_main_log = /var/log/exim/mainlog
nginx_error_log = /var/log/nginx/*error.log
nginx_access_log = /var/log/nginx/*access.log
lighttpd_error_log = /var/log/lighttpd/error.log
# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
# syslog_user is the default. Lighttpd also hooks errors into its log.
suhosin_log = %(syslog_user)s
%(lighttpd_error_log)s
# defaults to ftp or local2 if ftp doesn't exist
proftpd_log = %(syslog_ftp)s
proftpd_backend = %(default_backend)s
# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
# defaults to ftp but can be overwritten.
pureftpd_log = %(syslog_ftp)s
pureftpd_backend = %(default_backend)s
# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
#
wuftpd_log = %(syslog_ftp)s
wuftpd_backend = %(default_backend)s
# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
# No distro seems to set it to syslog by default
# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
vsftpd_log = /var/log/vsftpd.log
# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
postfix_log = %(syslog_mail_warn)s
postfix_backend = %(default_backend)s
dovecot_log = %(syslog_mail_warn)s
dovecot_backend = %(default_backend)s
# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
solidpop3d_log = %(syslog_local0)s
mysql_log = %(syslog_daemon)s
mysql_backend = %(default_backend)s
roundcube_errors_log = /var/log/roundcube/errors
# Directory with ignorecommand scripts
ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands