cloud-mu 3.5.0 → 3.6.3

Files changed (245)
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -0,0 +1,115 @@
1
+ # Put files/directories that should be ignored in this file when uploading
2
+ # to a Chef Infra Server or Supermarket.
3
+ # Lines that start with '# ' are comments.
4
+
5
+ # OS generated files #
6
+ ######################
7
+ .DS_Store
8
+ ehthumbs.db
9
+ Icon?
10
+ nohup.out
11
+ Thumbs.db
12
+ .envrc
13
+
14
+ # EDITORS #
15
+ ###########
16
+ .#*
17
+ .project
18
+ .settings
19
+ *_flymake
20
+ *_flymake.*
21
+ *.bak
22
+ *.sw[a-z]
23
+ *.tmproj
24
+ *~
25
+ \#*
26
+ REVISION
27
+ TAGS*
28
+ tmtags
29
+ .vscode
30
+ .editorconfig
31
+
32
+ ## COMPILED ##
33
+ ##############
34
+ *.class
35
+ *.com
36
+ *.dll
37
+ *.exe
38
+ *.o
39
+ *.pyc
40
+ *.so
41
+ */rdoc/
42
+ a.out
43
+ mkmf.log
44
+
45
+ # Testing #
46
+ ###########
47
+ .circleci/*
48
+ .codeclimate.yml
49
+ .delivery/*
50
+ .foodcritic
51
+ .kitchen*
52
+ .mdlrc
53
+ .overcommit.yml
54
+ .rspec
55
+ .rubocop.yml
56
+ .travis.yml
57
+ .watchr
58
+ .yamllint
59
+ azure-pipelines.yml
60
+ Dangerfile
61
+ examples/*
62
+ features/*
63
+ Guardfile
64
+ kitchen*.yml
65
+ mlc_config.json
66
+ Procfile
67
+ Rakefile
68
+ spec/*
69
+ test/*
70
+
71
+ # SCM #
72
+ #######
73
+ .git
74
+ .gitattributes
75
+ .gitconfig
76
+ .github/*
77
+ .gitignore
78
+ .gitkeep
79
+ .gitmodules
80
+ .svn
81
+ */.bzr/*
82
+ */.git
83
+ */.hg/*
84
+ */.svn/*
85
+
86
+ # Berkshelf #
87
+ #############
88
+ Berksfile
89
+ Berksfile.lock
90
+ cookbooks/*
91
+ tmp
92
+
93
+ # Bundler #
94
+ ###########
95
+ vendor/*
96
+ Gemfile
97
+ Gemfile.lock
98
+
99
+ # Policyfile #
100
+ ##############
101
+ Policyfile.rb
102
+ Policyfile.lock.json
103
+
104
+ # Documentation #
105
+ #############
106
+ CODE_OF_CONDUCT*
107
+ CONTRIBUTING*
108
+ documentation/*
109
+ TESTING*
110
+ UPGRADING*
111
+
112
+ # Vagrant #
113
+ ###########
114
+ .vagrant
115
+ Vagrantfile
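--- a/data/cookbooks/firewall/libraries/helpers.rb
+++ b/data/cookbooks/firewall/libraries/helpers.rb
@@ -96,5 +96,10 @@ module FirewallCookbook
 
 false
 end
+
+def default_description(new_resource)
+new_resource.description ||
+"Generated by chef from #{cookbook_name}[#{recipe_name}] by #{new_resource}"
+end
 end
 end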
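--- a/data/cookbooks/firewall/libraries/helpers_firewalld.rb
+++ b/data/cookbooks/firewall/libraries/helpers_firewalld.rb
@@ -21,7 +21,7 @@ module FirewallCookbook
 return false unless firewalld_active?
 
 cmd = shell_out('firewall-cmd', '--get-default-zone')
-cmd.stdout =~ /^#{z.to_s}$/
+cmd.stdout =~ /^#{z}$/
 end
 
 def firewalld_default_zone!(z)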
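Review bot: The zone name on the changed line is still interpolated into a regex unescaped, and `^`/`$` anchor per line in Ruby, so a zone containing metacharacters or a multi-line stdout matches more than intended; since `--get-default-zone` prints a single name, a string comparison is clearer and avoids both issues, `cmd.stdout.strip == z.to_s`. If a regex is preferred, `cmd.stdout.strip.match?(/\A#{Regexp.escape(z.to_s)}\z/)` is the equivalent. The enclosing method starts before this hunk.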
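--- /dev/null
+++ b/data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb
@@ -0,0 +1,72 @@
+module FirewallCookbook
+module Helpers
+module FirewalldDBus
+def firewalld(system_bus)
+system_bus['org.fedoraproject.FirewallD1']
+end
+
+def firewalld_object(system_bus)
+firewalld(system_bus)['/org/fedoraproject/FirewallD1']
+end
+
+def firewalld_interface(system_bus)
+firewalld_object(system_bus)['org.fedoraproject.FirewallD1']
+end
+
+def config_object(system_bus)
+firewalld(system_bus)['/org/fedoraproject/FirewallD1/config']
+end
+
+def config_interface(system_bus)
+config_object(system_bus)['org.fedoraproject.FirewallD1.config']
+end
+
+def icmptype_interface(dbus, icmptype_path)
+icmptype_object = firewalld(dbus)[icmptype_path]
+icmptype_object['org.fedoraproject.FirewallD1.config.icmptype']
+end
+
+def ipset_interface(dbus, ipset_path)
+ipset_object = firewalld(dbus)[ipset_path]
+ipset_object['org.fedoraproject.FirewallD1.config.ipset']
+end
+
+def helper_interface(dbus, helper_path)
+helper_object = firewalld(dbus)[helper_path]
+helper_object['org.fedoraproject.FirewallD1.config.helper']
+end
+
+def service_interface(dbus, service_path)
+service_object = firewalld(dbus)[service_path]
+service_object['org.fedoraproject.FirewallD1.config.service']
+end
+
+def policy_interface(dbus, policy_path)
+policy_object = firewalld(dbus)[policy_path]
+policy_object['org.fedoraproject.FirewallD1.config.policy']
+end
+
+def zone_interface(dbus, zone_path)
+zone_object = firewalld(dbus)[zone_path]
+zone_object['org.fedoraproject.FirewallD1.config.zone']
+end
+
+# port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
+def parse_forward_ports(forward_ports)
+port_regex = %r{port=([\w-]+):proto=([\w]+)(:toport=([\w-]+)|)(:toaddr=([\d\./]+)|)}
+captures = forward_ports.match(port_regex).captures
+captures.delete_at(4)
+captures.delete_at(2)
+captures.map { |e| e || '' }
+end
+
+def forward_ports_to_dbus(new_resource)
+fwp = new_resource.forward_ports.map do |e|
+parse_forward_ports(e)
+end
+new_resource.forward_ports = fwp
+DBus.variant('a(ssss)', new_resource.forward_ports)
+end
+end
+end
+end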
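Review bot: `parse_forward_ports` calls `.captures` on the result of `match`, which is nil whenever the entry does not fit `port_regex`, so a malformed `forward_ports` value surfaces as a NoMethodError instead of a validation error; the pattern is also unanchored, so leading or trailing garbage around a valid spec is silently accepted. `forward_ports_to_dbus` additionally writes the parsed arrays back into `new_resource.forward_ports`, so a second call on the same resource would hand an Array to `match`; building the variant from the local value keeps the resource untouched, `DBus.variant('a(ssss)', fwp)`. The rewrite below anchors the pattern, uses non-capturing groups so the `delete_at` juggling goes away, and raises ArgumentError on a bad entry.
```ruby
def parse_forward_ports(forward_ports)
  port_regex = %r{\Aport=([\w-]+):proto=(\w+)(?::toport=([\w-]+))?(?::toaddr=([\d./]+))?\z}
  match = forward_ports.match(port_regex)
  raise ArgumentError, "invalid forward_ports entry: #{forward_ports.inspect}" unless match

  match.captures.map { |e| e || '' }
end
```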
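--- a/data/cookbooks/firewall/libraries/helpers_iptables.rb
+++ b/data/cookbooks/firewall/libraries/helpers_iptables.rb
@@ -49,14 +49,14 @@ module FirewallCookbook
 end
 
 def iptables_packages(new_resource)
-packages = if ipv6_enabled?(new_resource)
+packages = if ipv6_enabled?(new_resource) && !amazon_linux? && node['platform_version'].to_i < 8
 %w(iptables iptables-ipv6)
 else
 %w(iptables)
 end
 
-# centos 7 and AzL2 requires extra service
-if !debian?(node) && (node['platform_version'].to_i >= 7 || node['platform_version'].to_i == 2)
+# centos 7 requires extra service
+if (!debian?(node) && node['platform_version'].to_i >= 7) || amazon_linux?
 packages << %w(iptables-services)
 end
 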
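Review bot: The rewritten comment `# centos 7 requires extra service` no longer describes the condition under it, which now also takes the `amazon_linux?` branch; something like `# EL7+ and Amazon Linux ship the iptables-services unit separately` keeps it accurate. The unchanged `packages << %w(iptables-services)` appends a one-element Array rather than a String, which this change did not introduce but is worth a `packages << 'iptables-services'` while the block is open. `amazon_linux?` is not defined in this hunk; presumably it comes from Chef's platform helpers, which is worth confirming since the first changed line now relies on it to skip the `iptables-ipv6` package.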
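--- /dev/null
+++ b/data/cookbooks/firewall/libraries/helpers_nftables.rb
@@ -0,0 +1,170 @@
+module FirewallCookbook
+module Helpers
+module Nftables
+include FirewallCookbook::Helpers
+
+CHAIN ||= {
+in: 'INPUT',
+out: 'OUTPUT',
+pre: 'PREROUTING',
+post: 'POSTROUTING',
+forward: 'FORWARD',
+}.freeze
+
+TARGET ||= {
+accept: 'accept',
+allow: 'accept',
+counter: 'counter',
+deny: 'drop',
+drop: 'drop',
+log: 'log',
+masquerade: 'masquerade',
+redirect: 'redirect',
+reject: 'reject',
+}.freeze
+
+def port_to_s(ports)
+case ports
+when String
+ports
+when Integer
+ports.to_s
+when Array
+p_strings = ports.map { |o| port_to_s(o) }
+"{#{p_strings.sort.join(',')}}"
+when Range
+"#{ports.first}-#{ports.last}"
+else
+raise "unknown class of port definition: #{ports.class}"
+end
+end
+
+def nftables_command_log(rule_resource)
+log_prefix = 'prefix '
+log_prefix << if rule_resource.log_prefix.nil?
+"\"#{CHAIN[rule_resource.direction]}:\""
+else
+"\"#{rule_resource.log_prefix}\""
+end
+log_group = if rule_resource.log_group.nil?
+nil
+else
+"group #{rule_resource.log_group} "
+end
+"log #{log_prefix} #{log_group}"
+end
+
+def nftables_command_redirect(rule_resource)
+if rule_resource.redirect_port.nil?
+raise 'Specify redirect_port when using :redirect as commmand'
+end
+
+"redirect to #{rule_resource.redirect_port} "
+end
+
+def nftables_commands(rule_resource)
+firewall_rule = ''
+Array(rule_resource.command).each do |command|
+begin
+target = TARGET.fetch(command)
+rescue KeyError
+raise "Invalid command: #{command.inspect}. Use one of #{TARGET.keys}"
+end
+firewall_rule << case target
+when 'log'
+nftables_command_log(rule_resource)
+when 'redirect'
+nftables_command_redirect(rule_resource)
+else
+"#{TARGET[command.to_sym]} "
+end
+end
+firewall_rule
+end
+
+def build_firewall_rule(rule_resource)
+return rule_resource.raw.strip if rule_resource.raw
+
+ip = ipv6_rule?(rule_resource) ? 'ip6' : 'ip'
+table = if [:pre, :post].include?(rule_resource.direction)
+'nat'
+else
+'filter'
+end
+firewall_rule = if table == 'nat'
+"add rule #{ip} #{table} "
+else
+"add rule inet #{table} "
+end
+firewall_rule << "#{CHAIN.fetch(rule_resource.direction.to_sym, 'FORWARD')} "
+
+firewall_rule << "iif #{rule_resource.interface} " if rule_resource.interface
+firewall_rule << "oif #{rule_resource.outerface} " if rule_resource.outerface
+
+if rule_resource.source
+source_with_mask = ip_with_mask(rule_resource, rule_resource.source)
+if source_with_mask != '0.0.0.0/0' && source_with_mask != '::/128'
+firewall_rule << "#{ip} saddr #{source_with_mask} "
+end
+end
+firewall_rule << "#{ip} daddr #{rule_resource.destination} " if rule_resource.destination
+
+case rule_resource.protocol
+when :icmp
+firewall_rule << 'icmp type echo-request '
+when :'ipv6-icmp', :icmpv6
+firewall_rule << 'icmpv6 type { echo-request, nd-router-solicit, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } '
+when :tcp, :udp
+firewall_rule << "#{rule_resource.protocol} sport #{port_to_s(rule_resource.sport)} " if rule_resource.sport
+firewall_rule << "#{rule_resource.protocol} dport #{port_to_s(rule_resource.dport)} " if rule_resource.dport
+when :esp, :ah
+firewall_rule << "#{ip} #{ip == 'ip6' ? 'nexthdr' : 'protocol'} #{rule_resource.protocol} "
+when :ipv6, :none
+# nothing to do
+end
+
+firewall_rule << "ct state #{Array(rule_resource.stateful).join(',').downcase} " if rule_resource.stateful
+firewall_rule << nftables_commands(rule_resource)
+firewall_rule << "comment \"#{rule_resource.description}\" " if rule_resource.include_comment
+firewall_rule.strip!
+firewall_rule
+end
+
+def default_ruleset(new_resource)
+rules = {
+'add table inet filter' => 1,
+"add chain inet filter INPUT { type filter hook input priority 0 ; policy #{new_resource.input_policy}; }" => 2,
+"add chain inet filter OUTPUT { type filter hook output priority 0 ; policy #{new_resource.output_policy}; }" => 2,
+"add chain inet filter FORWARD { type filter hook forward priority 0 ; policy #{new_resource.forward_policy}; }" => 2,
+}
+if new_resource.table_ip_nat
+rules['add table ip nat'] = 1
+rules['add chain ip nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
+rules['add chain ip nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
+end
+if new_resource.table_ip6_nat
+rules['add table ip6 nat'] = 1
+rules['add chain ip6 nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
+rules['add chain ip6 nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
+end
+rules
+end
+
+def ensure_default_rules_exist(new_resource)
+input = new_resource.rules || {}
+input.merge!(default_ruleset(new_resource))
+end
+
+def default_nftables_conf_path
+case node['platform_family']
+when 'rhel'
+'/etc/sysconfig/nftables.conf'
+when 'debian'
+'/etc/nftables.conf'
+else
+raise "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}."
+end
+end
+end
+end
+end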
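Review bot: In `build_firewall_rule` the description, and in `nftables_command_log` the log prefix, are interpolated into double-quoted nft string tokens without escaping, so a value containing `"` breaks the generated rule text and can alter what follows it in the ruleset; reject or sanitise such values before interpolation, e.g. `raise ArgumentError, 'description must not contain "' if rule_resource.description.to_s.include?('"')`. The IPv6 any-source check compares against `'::/128'`, which is the single unspecified host rather than the any-network, so `'::/0'` is presumably what was meant. The `else` branch of `nftables_commands` re-looks-up `TARGET[command.to_sym]` although `target` already holds that value, so `"#{target} "` reads better. The same unescaped description quoting appears in `rule_description` of the ufw helper in this diff.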
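--- a/data/cookbooks/firewall/libraries/helpers_ufw.rb
+++ b/data/cookbooks/firewall/libraries/helpers_ufw.rb
@@ -74,6 +74,7 @@ module FirewallCookbook
 rule << rule_proto(new_resource)
 rule << rule_dest_port(new_resource)
 rule << rule_source_port(new_resource)
+rule << rule_description(new_resource)
 rule = rule.strip
 
 if rule == 'ufw allow in proto tcp to any from any'
@@ -97,6 +98,12 @@ module FirewallCookbook
 rule
 end
 
+def rule_description(new_resource)
+rule = ''
+rule << "comment \"#{new_resource.description}\" " if new_resource.description && new_resource.include_comment
+rule
+end
+
 def rule_dest_port(new_resource)
 rule = if new_resource.destination
 "to #{new_resource.destination} "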
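--- a/data/cookbooks/firewall/libraries/helpers_windows.rb
+++ b/data/cookbooks/firewall/libraries/helpers_windows.rb
@@ -44,12 +44,11 @@ module FirewallCookbook
 
 def to_type(new_resource)
 cmd = new_resource.command
-type = if cmd == :reject || cmd == :deny
-:block
-else
-:allow
-end
-type
+if cmd == :reject || cmd == :deny
+:block
+else
+:allow
+end
 end
 
 def build_rule(new_resource)
@@ -66,13 +65,13 @@ module FirewallCookbook
 if new_resource.direction.to_sym == :out
 parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
 parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
-parameters['interfacetype'] = new_resource.interface ? new_resource.interface : 'any'
+parameters['interfacetype'] = new_resource.interface || 'any'
 parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
 parameters['remoteport'] = new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any'
 else
-parameters['localip'] = new_resource.destination ? new_resource.destination : 'any'
+parameters['localip'] = new_resource.destination || 'any'
 parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'
-parameters['interfacetype'] = new_resource.dest_interface ? new_resource.dest_interface : 'any'
+parameters['interfacetype'] = new_resource.dest_interface || 'any'
 parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
 parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
 end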
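--- a/data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb
@@ -19,15 +19,15 @@ class Chef
 class Provider::FirewallFirewalld < Chef::Provider::LWRPBase
 include FirewallCookbook::Helpers::Firewalld
 
-provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
-node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables']
+provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
+(node['platform_version'].to_i >= 7 && !node['firewall']['redhat7_iptables']) || (amazon_linux? && !node['firewall']['redhat7_iptables'])
 end
 
 def whyrun_supported?
 false
 end
 
-def action_install
+action :install do
 return if disabled?(new_resource)
 
 firewalld_package = package 'firewalld' do
@@ -51,7 +51,7 @@ class Chef
 end
 end
 
-def action_restart
+action :restart do
 return if disabled?(new_resource)
 
 # ensure it's initialized
@@ -65,7 +65,7 @@ class Chef
 
 ip_versions(firewall_rule).each do |ip_version|
 # build rules to apply with weight
-k = "firewall-cmd --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
+k = "firewall-cmd --zone=#{firewall_rule.zone} --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
 v = firewall_rule.position
 
 # unless we're adding them for the first time.... bail out.
@@ -75,7 +75,7 @@ class Chef
 # If persistent rules is enabled (default) make sure we add a permanent rule at the same time
 perm_rules = node && node['firewall'] && node['firewall']['firewalld'] && node['firewall']['firewalld']['permanent']
 if firewall_rule.permanent || perm_rules
-k = "firewall-cmd --permanent --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
+k = "firewall-cmd --zone=#{firewall_rule.zone} --permanent --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
 new_resource.rules['firewalld'][k] = v
 end
 end
@@ -111,7 +111,7 @@ class Chef
 new_resource.updated_by_last_action(true)
 end
 
-def action_disable
+action :disable do
 return if disabled?(new_resource)
 
 if firewalld_active?
@@ -133,7 +133,7 @@ class Chef
 new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
 end
 
-def action_flush
+action :flush do
 return if disabled?(new_resource)
 return unless firewalld_active?
 
@@ -146,7 +146,7 @@ class Chef
 new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
 end
 
-def action_save
+action :save do
 return if disabled?(new_resource)
 return if firewalld_all_rules_permanent!
 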
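Review bot: Both `--add-rule` command strings now interpolate `firewall_rule.zone` unconditionally, so a rule with no zone set yields `firewall-cmd --zone= --direct ...` and the previous zone-less form is no longer reachable; build the option only when present, `zone_opt = firewall_rule.zone ? "--zone=#{firewall_rule.zone} " : ''`, and interpolate `zone_opt` in both strings. As far as I know firewalld's `--direct` family is not zone-scoped, so it is worth confirming that firewall-cmd accepts `--zone` together with `--direct` at all before this ships. In the `provides` block `amazon_linux?` is called on the provider class rather than the `node` block argument, which works only if that helper resolves at class-definition time; the condition also repeats the `redhat7_iptables` test and reads simpler as `!node['firewall']['redhat7_iptables'] && (node['platform_version'].to_i >= 7 || amazon_linux?)`.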
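--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables.rb
@@ -3,7 +3,7 @@
 # Cookbook:: firewall
 # Resource:: default
 #
-# Copyright:: 2011-2016, Chef Software, Inc.
+# Copyright:: 2011-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -23,14 +23,14 @@ class Chef
 include FirewallCookbook::Helpers::Iptables
 
 provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
-node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
+(node['platform_version'].to_i < 7 && !amazon_linux?) || node['platform_version'].to_i >= 8 || node['firewall']['redhat7_iptables']
 end
 
 def whyrun_supported?
 false
 end
 
-def action_install
+action :install do
 return if disabled?(new_resource)
 
 # Ensure the package is installed
@@ -60,7 +60,7 @@ class Chef
 end
 end
 
-def action_restart
+action :restart do
 return if disabled?(new_resource)
 
 # prints all the firewall rules
@@ -104,12 +104,12 @@ class Chef
 next unless iptables_file.updated_by_last_action?
 
 iptables_service = lookup_or_create_service(iptables_type)
-new_resource.notifies(:restart, iptables_service, :delayed)
+iptables_service.run_action(:restart)
 new_resource.updated_by_last_action(true)
 end
 end
 
-def action_disable
+action :disable do
 return if disabled?(new_resource)
 
 iptables_flush!(new_resource)
@@ -131,7 +131,7 @@ class Chef
 end
 end
 
-def action_flush
+action :flush do
 return if disabled?(new_resource)
 
 iptables_flush!(new_resource)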
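Review bot: Replacing the delayed notification with `iptables_service.run_action(:restart)` restarts the service immediately inside what appears to be the per-rule-file loop (the `next` just above it; the loop start is outside the hunk), so when both the iptables and ip6tables files change the service is bounced twice, and it restarts before the rest of the run converges rather than once at the end. The ubuntu provider's `-120,17` hunk in this same diff collects a `restart_service` flag and restarts once after the loop; the same pattern fits here. The new `provides` condition also appears to stop matching Amazon Linux 2 (`platform_version` 2) unless `redhat7_iptables` is set, handing those nodes to the firewalld provider, which is a behaviour change for existing nodes worth calling out in the changelog.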
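--- a/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
+++ b/data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
@@ -3,7 +3,7 @@
 # Cookbook:: firewall
 # Resource:: default
 #
-# Copyright:: 2011-2016, Chef Software, Inc.
+# Copyright:: 2011-2019, Chef Software, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -31,7 +31,7 @@ class Chef
 false
 end
 
-def action_install
+action :install do
 return if disabled?(new_resource)
 
 # Ensure the package is installed
@@ -64,7 +64,7 @@ class Chef
 end
 end
 
-def action_restart
+action :restart do
 return if disabled?(new_resource)
 
 # prints all the firewall rules
@@ -98,6 +98,8 @@ class Chef
 end
 end
 
+restart_service = false
+
 rule_files = %w(iptables)
 rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
 
@@ -120,17 +122,19 @@ class Chef
 iptables_file.run_action(:create)
 
 # if the file was changed, restart iptables
-next unless iptables_file.updated_by_last_action?
+restart_service = true if iptables_file.updated_by_last_action?
+end
+
+if restart_service
 service_affected = service 'netfilter-persistent' do
 action :nothing
 end
-
-new_resource.notifies(:restart, service_affected, :delayed)
+service_affected.run_action(:restart)
 new_resource.updated_by_last_action(true)
 end
 end
 
-def action_disable
+action :disable do
 return if disabled?(new_resource)
 
 iptables_flush!(new_resource)
@@ -153,7 +157,7 @@ class Chef
 end
 end
 
-def action_flush
+action :flush do
 return if disabled?(new_resource)
 
 iptables_flush!(new_resource)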