OP#490 add jail

manifests/main/config.pp

@@ -13,4 +13,8 @@ class confdroid_nagios::main::config (
   if $ng_enable_target == true {
     include confdroid_nagios::client::target
   }
+
+  if $ng_enable_fail2ban == true {
+    include confdroid_nagios::monitoring::fail2ban
+  }
 }

manifests/monitoring/fail2ban.pp

@@ -7,4 +7,35 @@ class confdroid_nagios::monitoring::fail2ban (
 
 ) inherits confdroid_nagios::params {
   # we want to  create a nagios jail here
+  if ($ng_nagios_host == $fqdn)  and ($ng_enable_fail2ban == true) {
+    require confdroid_fail2ban
+
+    # create the jail file
+    file { $fn_jail_file:
+      ensure   => file,
+      user     => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+      content  => template('confdroid_nagios/fail2ban/jail.conf.erb'),
+      notify   => Service['fail2ban'],
+    }
+
+    # create the filter rule
+    file { $fn_filter_file:
+      ensure   => file,
+      user     => 'root',
+      group    => 'root',
+      mode     => '0644',
+      selrange => s0,
+      selrole  => object_r,
+      seltype  => etc_t,
+      seluser  => system_u,
+      content  => template('confdroid_nagios/fail2ban/filter.conf.erb'),
+      notify   => Service['fail2ban'],
+    }
+  }
 }

manifests/params.pp

@@ -427,6 +427,20 @@
 #   Default is 'linux-services'.
 # @param [String] ng_servicegroup_alias The alias of the default service group. 
 #   Default is 'Linux Services'.
+# @param [Boolean] ng_enable_fail2ban Whether to enable fail2ban monitoring in 
+#   Nagios. Default is false.
+# @param [String] ng_jail_order The order number of jails in the jail.d directory.
+#   Default is '10'.
+# @param [String] ng_jail_enable Whether to enable the monitoring of a specific 
+#   jail in Nagios. Default is 'true'.
+# @param [String] ng_fail2ban_logpath The path to the nagios access log to 
+#   monitor. Default is '/var/log/httpd/access.log'.
+# @param [String] ng_fail2ban_maxretry The maximum number of retries before a
+#   host is considered banned in fail2ban. Default is '5'.
+# @param [String] ng_fail2ban_bantime The time in seconds that a host is banned 
+#   in fail2ban. Default is '3600'.
+# @param [String] ng_fail2ban_ignoreip A comma-separated list of IP addresses 
+#   to ignore in fail2ban. Default is '127.0.0.1/8 ::1 192.168.1.0/24'.
 ################################################################################
 class confdroid_nagios::params (
 
@@ -671,13 +685,16 @@ class confdroid_nagios::params (
   Boolean $ng_enable_swap_check         = true,
 
 # fail2ban
-  Boolean $ng_enable_fail2ban          = false,
+  Boolean $ng_enable_fail2ban           = false,
+  String $ng_jail_order                 = '10',
+  Boolean $ng_jail_enable               = true,
   #String $ng_fail2ban_jail             = 'httpd',
-  #String $ng_fail2ban_log              = '/var/log/secure',
+  String $ng_fail2ban_logpath           = '/var/log/httpd/access.log',
   #String $ng_fail2ban_regex            = 'sshd.*Failed password for',
-  #String $ng_fail2ban_maxretry         = '5',
+  String $ng_fail2ban_maxretry          = '5',
   #String $ng_fail2ban_findtime         = '600',
-  #String $ng_fail2ban_bantime          = '3600',
+  String $ng_fail2ban_bantime           = '3600',
+  String $ng_fail2ban_ignoreip          = '127.0.0.1/8 ::1 192.168.1.0/24'
 
 ) {
 # Default facts
@@ -761,6 +778,12 @@ class confdroid_nagios::params (
   $ng_svc_perfdata_file       = "${ng_log_dir}/service-perfdata"
   $ng_debug_file              = "${ng_log_dir}/nagios.debug"
 
+# fail2ban
+  $fn_jail_path               = '/etc/fail2ban/jail.d'
+  $fn_jail_file               = "${fn_jail_path}/${ng_jail_order}-nagios.conf"
+  $fn_filter_path             = '/etc/fail2ban/filter.d'
+  $fn_filter_file             = "${fn_filter_path}/${ng_jail_order}-nagios.conf"
+
 # includes must be last
   include confdroid_nagios::main::config
 }