cloud-mu 3.5.0 → 3.6.3
- checksums.yaml +4 -4
- data/Berksfile +5 -2
- data/Berksfile.lock +135 -0
- data/ansible/roles/mu-base/README.md +33 -0
- data/ansible/roles/mu-base/defaults/main.yml +2 -0
- data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
- data/ansible/roles/mu-base/files/check_apm.sh +18 -0
- data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
- data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
- data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
- data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
- data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
- data/ansible/roles/mu-base/files/logrotate.conf +35 -0
- data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
- data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
- data/ansible/roles/mu-base/handlers/main.yml +5 -0
- data/ansible/roles/mu-base/meta/main.yml +53 -0
- data/ansible/roles/mu-base/tasks/main.yml +113 -0
- data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
- data/ansible/roles/mu-base/tests/inventory +2 -0
- data/ansible/roles/mu-base/tests/test.yml +5 -0
- data/ansible/roles/mu-base/vars/main.yml +1 -0
- data/ansible/roles/mu-compliance/README.md +33 -0
- data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
- data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
- data/ansible/roles/mu-compliance/meta/main.yml +53 -0
- data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
- data/ansible/roles/mu-compliance/tests/inventory +2 -0
- data/ansible/roles/mu-compliance/tests/test.yml +5 -0
- data/ansible/roles/mu-compliance/vars/main.yml +4 -0
- data/ansible/roles/mu-elastic/README.md +51 -0
- data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
- data/ansible/roles/mu-elastic/files/jvm.options +93 -0
- data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
- data/ansible/roles/mu-elastic/meta/main.yml +52 -0
- data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
- data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
- data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
- data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
- data/ansible/roles/mu-elastic/tests/inventory +2 -0
- data/ansible/roles/mu-elastic/tests/test.yml +5 -0
- data/ansible/roles/mu-elastic/vars/main.yml +2 -0
- data/ansible/roles/mu-logstash/README.md +51 -0
- data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
- data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
- data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
- data/ansible/roles/mu-logstash/files/jvm.options +84 -0
- data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
- data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
- data/ansible/roles/mu-logstash/meta/main.yml +52 -0
- data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
- data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
- data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
- data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
- data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
- data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
- data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
- data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
- data/ansible/roles/mu-logstash/tests/inventory +2 -0
- data/ansible/roles/mu-logstash/tests/test.yml +5 -0
- data/ansible/roles/mu-logstash/vars/main.yml +2 -0
- data/ansible/roles/mu-rdp/README.md +33 -0
- data/ansible/roles/mu-rdp/meta/main.yml +53 -0
- data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
- data/ansible/roles/mu-rdp/tests/inventory +2 -0
- data/ansible/roles/mu-rdp/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/tasks/main.yml +3 -0
- data/bin/mu-ansible-secret +1 -1
- data/bin/mu-aws-setup +4 -3
- data/bin/mu-azure-setup +5 -5
- data/bin/mu-configure +25 -17
- data/bin/mu-firewall-allow-clients +1 -0
- data/bin/mu-gcp-setup +3 -3
- data/bin/mu-load-config.rb +1 -0
- data/bin/mu-node-manage +66 -33
- data/bin/mu-self-update +2 -2
- data/bin/mu-upload-chef-artifacts +6 -1
- data/bin/mu-user-manage +1 -1
- data/cloud-mu.gemspec +25 -23
- data/cookbooks/firewall/CHANGELOG.md +417 -224
- data/cookbooks/firewall/LICENSE +202 -0
- data/cookbooks/firewall/README.md +153 -126
- data/cookbooks/firewall/TODO.md +6 -0
- data/cookbooks/firewall/attributes/firewalld.rb +7 -0
- data/cookbooks/firewall/attributes/iptables.rb +3 -3
- data/cookbooks/firewall/chefignore +115 -0
- data/cookbooks/firewall/libraries/helpers.rb +5 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
- data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
- data/cookbooks/firewall/metadata.json +40 -1
- data/cookbooks/firewall/metadata.rb +15 -0
- data/cookbooks/firewall/recipes/default.rb +7 -7
- data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
- data/cookbooks/firewall/recipes/firewalld.rb +87 -0
- data/cookbooks/firewall/renovate.json +18 -0
- data/cookbooks/firewall/resources/firewalld.rb +28 -0
- data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
- data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
- data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
- data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
- data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
- data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
- data/cookbooks/firewall/resources/nftables.rb +71 -0
- data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
- data/cookbooks/mu-activedirectory/Berksfile +1 -1
- data/cookbooks/mu-activedirectory/metadata.rb +1 -1
- data/cookbooks/mu-firewall/metadata.rb +2 -2
- data/cookbooks/mu-master/Berksfile +4 -3
- data/cookbooks/mu-master/attributes/default.rb +5 -2
- data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
- data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
- data/cookbooks/mu-master/libraries/mu.rb +24 -0
- data/cookbooks/mu-master/metadata.rb +5 -5
- data/cookbooks/mu-master/recipes/default.rb +31 -20
- data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
- data/cookbooks/mu-master/recipes/init.rb +58 -19
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
- data/cookbooks/mu-php54/Berksfile +1 -1
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-tools/Berksfile +2 -3
- data/cookbooks/mu-tools/attributes/default.rb +3 -4
- data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
- data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
- data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
- data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
- data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
- data/cookbooks/mu-tools/libraries/helper.rb +21 -9
- data/cookbooks/mu-tools/metadata.rb +4 -4
- data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
- data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
- data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
- data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
- data/data_bags/nagios_services/apm_backend_connect.json +5 -0
- data/data_bags/nagios_services/apm_listen.json +5 -0
- data/data_bags/nagios_services/elastic_shards.json +5 -0
- data/data_bags/nagios_services/logstash.json +5 -0
- data/data_bags/nagios_services/rhel7_updates.json +8 -0
- data/extras/image-generators/AWS/centos7.yaml +1 -0
- data/extras/image-generators/AWS/rhel7.yaml +21 -0
- data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
- data/extras/image-generators/AWS/win2k16.yaml +1 -0
- data/extras/image-generators/AWS/win2k19.yaml +1 -0
- data/extras/list-stock-amis +0 -0
- data/extras/ruby_rpm/muby.spec +8 -5
- data/extras/vault_tools/export_vaults.sh +1 -1
- data/extras/vault_tools/recreate_vaults.sh +0 -0
- data/extras/vault_tools/test_vaults.sh +0 -0
- data/install/deprecated-bash-library.sh +1 -1
- data/install/installer +4 -2
- data/modules/mommacat.ru +3 -1
- data/modules/mu/adoption.rb +1 -1
- data/modules/mu/cloud/dnszone.rb +2 -2
- data/modules/mu/cloud/machine_images.rb +26 -25
- data/modules/mu/cloud/resource_base.rb +213 -182
- data/modules/mu/cloud/server_pool.rb +1 -1
- data/modules/mu/cloud/ssh_sessions.rb +7 -5
- data/modules/mu/cloud/wrappers.rb +2 -2
- data/modules/mu/cloud.rb +1 -1
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/function.rb +6 -1
- data/modules/mu/config/loadbalancer.rb +24 -2
- data/modules/mu/config/ref.rb +12 -0
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +42 -9
- data/modules/mu/config/server.rb +43 -27
- data/modules/mu/config/tail.rb +19 -10
- data/modules/mu/config.rb +6 -5
- data/modules/mu/defaults/AWS.yaml +78 -114
- data/modules/mu/deploy.rb +9 -2
- data/modules/mu/groomer.rb +12 -4
- data/modules/mu/groomers/ansible.rb +104 -20
- data/modules/mu/groomers/chef.rb +15 -6
- data/modules/mu/master.rb +9 -4
- data/modules/mu/mommacat/daemon.rb +4 -2
- data/modules/mu/mommacat/naming.rb +1 -2
- data/modules/mu/mommacat/storage.rb +7 -2
- data/modules/mu/mommacat.rb +33 -6
- data/modules/mu/providers/aws/database.rb +161 -8
- data/modules/mu/providers/aws/dnszone.rb +11 -6
- data/modules/mu/providers/aws/endpoint.rb +81 -6
- data/modules/mu/providers/aws/firewall_rule.rb +254 -172
- data/modules/mu/providers/aws/function.rb +65 -3
- data/modules/mu/providers/aws/loadbalancer.rb +39 -28
- data/modules/mu/providers/aws/log.rb +2 -1
- data/modules/mu/providers/aws/role.rb +25 -7
- data/modules/mu/providers/aws/server.rb +36 -12
- data/modules/mu/providers/aws/server_pool.rb +237 -127
- data/modules/mu/providers/aws/storage_pool.rb +7 -1
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/userdata/linux.erb +6 -2
- data/modules/mu/providers/aws/userdata/windows.erb +7 -5
- data/modules/mu/providers/aws/vpc.rb +49 -25
- data/modules/mu/providers/aws.rb +13 -8
- data/modules/mu/providers/azure/container_cluster.rb +1 -1
- data/modules/mu/providers/azure/loadbalancer.rb +2 -2
- data/modules/mu/providers/azure/server.rb +5 -2
- data/modules/mu/providers/azure/userdata/linux.erb +1 -1
- data/modules/mu/providers/azure.rb +11 -8
- data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +15 -2
- data/modules/mu/providers/google/folder.rb +2 -1
- data/modules/mu/providers/google/function.rb +130 -4
- data/modules/mu/providers/google/habitat.rb +2 -1
- data/modules/mu/providers/google/loadbalancer.rb +407 -160
- data/modules/mu/providers/google/role.rb +16 -3
- data/modules/mu/providers/google/server.rb +5 -1
- data/modules/mu/providers/google/user.rb +25 -18
- data/modules/mu/providers/google/userdata/linux.erb +1 -1
- data/modules/mu/providers/google/vpc.rb +53 -7
- data/modules/mu/providers/google.rb +39 -39
- data/modules/mu.rb +8 -8
- data/modules/tests/elk.yaml +46 -0
- data/test/mu-master-test/controls/all_in_one.rb +1 -1
- metadata +207 -112
- data/cookbooks/firewall/CONTRIBUTING.md +0 -2
- data/cookbooks/firewall/MAINTAINERS.md +0 -19
- data/cookbooks/firewall/libraries/matchers.rb +0 -30
- data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -0,0 +1,115 @@
|
|
1
|
+
# Put files/directories that should be ignored in this file when uploading
|
2
|
+
# to a Chef Infra Server or Supermarket.
|
3
|
+
# Lines that start with '# ' are comments.
|
4
|
+
|
5
|
+
# OS generated files #
|
6
|
+
######################
|
7
|
+
.DS_Store
|
8
|
+
ehthumbs.db
|
9
|
+
Icon?
|
10
|
+
nohup.out
|
11
|
+
Thumbs.db
|
12
|
+
.envrc
|
13
|
+
|
14
|
+
# EDITORS #
|
15
|
+
###########
|
16
|
+
.#*
|
17
|
+
.project
|
18
|
+
.settings
|
19
|
+
*_flymake
|
20
|
+
*_flymake.*
|
21
|
+
*.bak
|
22
|
+
*.sw[a-z]
|
23
|
+
*.tmproj
|
24
|
+
*~
|
25
|
+
\#*
|
26
|
+
REVISION
|
27
|
+
TAGS*
|
28
|
+
tmtags
|
29
|
+
.vscode
|
30
|
+
.editorconfig
|
31
|
+
|
32
|
+
## COMPILED ##
|
33
|
+
##############
|
34
|
+
*.class
|
35
|
+
*.com
|
36
|
+
*.dll
|
37
|
+
*.exe
|
38
|
+
*.o
|
39
|
+
*.pyc
|
40
|
+
*.so
|
41
|
+
*/rdoc/
|
42
|
+
a.out
|
43
|
+
mkmf.log
|
44
|
+
|
45
|
+
# Testing #
|
46
|
+
###########
|
47
|
+
.circleci/*
|
48
|
+
.codeclimate.yml
|
49
|
+
.delivery/*
|
50
|
+
.foodcritic
|
51
|
+
.kitchen*
|
52
|
+
.mdlrc
|
53
|
+
.overcommit.yml
|
54
|
+
.rspec
|
55
|
+
.rubocop.yml
|
56
|
+
.travis.yml
|
57
|
+
.watchr
|
58
|
+
.yamllint
|
59
|
+
azure-pipelines.yml
|
60
|
+
Dangerfile
|
61
|
+
examples/*
|
62
|
+
features/*
|
63
|
+
Guardfile
|
64
|
+
kitchen*.yml
|
65
|
+
mlc_config.json
|
66
|
+
Procfile
|
67
|
+
Rakefile
|
68
|
+
spec/*
|
69
|
+
test/*
|
70
|
+
|
71
|
+
# SCM #
|
72
|
+
#######
|
73
|
+
.git
|
74
|
+
.gitattributes
|
75
|
+
.gitconfig
|
76
|
+
.github/*
|
77
|
+
.gitignore
|
78
|
+
.gitkeep
|
79
|
+
.gitmodules
|
80
|
+
.svn
|
81
|
+
*/.bzr/*
|
82
|
+
*/.git
|
83
|
+
*/.hg/*
|
84
|
+
*/.svn/*
|
85
|
+
|
86
|
+
# Berkshelf #
|
87
|
+
#############
|
88
|
+
Berksfile
|
89
|
+
Berksfile.lock
|
90
|
+
cookbooks/*
|
91
|
+
tmp
|
92
|
+
|
93
|
+
# Bundler #
|
94
|
+
###########
|
95
|
+
vendor/*
|
96
|
+
Gemfile
|
97
|
+
Gemfile.lock
|
98
|
+
|
99
|
+
# Policyfile #
|
100
|
+
##############
|
101
|
+
Policyfile.rb
|
102
|
+
Policyfile.lock.json
|
103
|
+
|
104
|
+
# Documentation #
|
105
|
+
#############
|
106
|
+
CODE_OF_CONDUCT*
|
107
|
+
CONTRIBUTING*
|
108
|
+
documentation/*
|
109
|
+
TESTING*
|
110
|
+
UPGRADING*
|
111
|
+
|
112
|
+
# Vagrant #
|
113
|
+
###########
|
114
|
+
.vagrant
|
115
|
+
Vagrantfile
|
@@ -0,0 +1,72 @@
|
|
1
|
+
module FirewallCookbook
|
2
|
+
module Helpers
|
3
|
+
module FirewalldDBus
|
4
|
+
def firewalld(system_bus)
|
5
|
+
system_bus['org.fedoraproject.FirewallD1']
|
6
|
+
end
|
7
|
+
|
8
|
+
def firewalld_object(system_bus)
|
9
|
+
firewalld(system_bus)['/org/fedoraproject/FirewallD1']
|
10
|
+
end
|
11
|
+
|
12
|
+
def firewalld_interface(system_bus)
|
13
|
+
firewalld_object(system_bus)['org.fedoraproject.FirewallD1']
|
14
|
+
end
|
15
|
+
|
16
|
+
def config_object(system_bus)
|
17
|
+
firewalld(system_bus)['/org/fedoraproject/FirewallD1/config']
|
18
|
+
end
|
19
|
+
|
20
|
+
def config_interface(system_bus)
|
21
|
+
config_object(system_bus)['org.fedoraproject.FirewallD1.config']
|
22
|
+
end
|
23
|
+
|
24
|
+
def icmptype_interface(dbus, icmptype_path)
|
25
|
+
icmptype_object = firewalld(dbus)[icmptype_path]
|
26
|
+
icmptype_object['org.fedoraproject.FirewallD1.config.icmptype']
|
27
|
+
end
|
28
|
+
|
29
|
+
def ipset_interface(dbus, ipset_path)
|
30
|
+
ipset_object = firewalld(dbus)[ipset_path]
|
31
|
+
ipset_object['org.fedoraproject.FirewallD1.config.ipset']
|
32
|
+
end
|
33
|
+
|
34
|
+
def helper_interface(dbus, helper_path)
|
35
|
+
helper_object = firewalld(dbus)[helper_path]
|
36
|
+
helper_object['org.fedoraproject.FirewallD1.config.helper']
|
37
|
+
end
|
38
|
+
|
39
|
+
def service_interface(dbus, service_path)
|
40
|
+
service_object = firewalld(dbus)[service_path]
|
41
|
+
service_object['org.fedoraproject.FirewallD1.config.service']
|
42
|
+
end
|
43
|
+
|
44
|
+
def policy_interface(dbus, policy_path)
|
45
|
+
policy_object = firewalld(dbus)[policy_path]
|
46
|
+
policy_object['org.fedoraproject.FirewallD1.config.policy']
|
47
|
+
end
|
48
|
+
|
49
|
+
def zone_interface(dbus, zone_path)
|
50
|
+
zone_object = firewalld(dbus)[zone_path]
|
51
|
+
zone_object['org.fedoraproject.FirewallD1.config.zone']
|
52
|
+
end
|
53
|
+
|
54
|
+
# port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
|
55
|
+
def parse_forward_ports(forward_ports)
|
56
|
+
port_regex = %r{port=([\w-]+):proto=([\w]+)(:toport=([\w-]+)|)(:toaddr=([\d\./]+)|)}
|
57
|
+
captures = forward_ports.match(port_regex).captures
|
58
|
+
captures.delete_at(4)
|
59
|
+
captures.delete_at(2)
|
60
|
+
captures.map { |e| e || '' }
|
61
|
+
end
|
62
|
+
|
63
|
+
def forward_ports_to_dbus(new_resource)
|
64
|
+
fwp = new_resource.forward_ports.map do |e|
|
65
|
+
parse_forward_ports(e)
|
66
|
+
end
|
67
|
+
new_resource.forward_ports = fwp
|
68
|
+
DBus.variant('a(ssss)', new_resource.forward_ports)
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
@@ -49,14 +49,14 @@ module FirewallCookbook
|
|
49
49
|
end
|
50
50
|
|
51
51
|
def iptables_packages(new_resource)
|
52
|
-
packages = if ipv6_enabled?(new_resource)
|
52
|
+
packages = if ipv6_enabled?(new_resource) && !amazon_linux? && node['platform_version'].to_i < 8
|
53
53
|
%w(iptables iptables-ipv6)
|
54
54
|
else
|
55
55
|
%w(iptables)
|
56
56
|
end
|
57
57
|
|
58
|
-
# centos 7
|
59
|
-
if !debian?(node) &&
|
58
|
+
# centos 7 requires extra service
|
59
|
+
if (!debian?(node) && node['platform_version'].to_i >= 7) || amazon_linux?
|
60
60
|
packages << %w(iptables-services)
|
61
61
|
end
|
62
62
|
|
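Review bot: The new condition on line 52 calls `amazon_linux?` with no argument while the same method passes `node` explicitly to `debian?(node)`; if `amazon_linux?` is the chef-utils DSL predicate it reads `node` implicitly, which works where this module is mixed into a provider, but the two styles on adjacent lines deserve a short comment so the next reader does not "fix" one to match the other. The RHEL version cut-offs (`< 8` here, `>= 7` on line 59, and the `>= 7`/`< 7`/`>= 8` comparisons in the `provides` blocks of provider_firewall_firewalld.rb and provider_firewall_iptables.rb) are now spread over three files with no shared definition; one named predicate in `helpers.rb` would keep them from drifting apart. The comment on line 58 could carry the reason rather than the platform name, e.g. `# RHEL/CentOS 7+ and Amazon Linux ship the iptables init scripts in the separate iptables-services package`.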
@@ -0,0 +1,170 @@
|
|
1
|
+
module FirewallCookbook
|
2
|
+
module Helpers
|
3
|
+
module Nftables
|
4
|
+
include FirewallCookbook::Helpers
|
5
|
+
|
6
|
+
CHAIN ||= {
|
7
|
+
in: 'INPUT',
|
8
|
+
out: 'OUTPUT',
|
9
|
+
pre: 'PREROUTING',
|
10
|
+
post: 'POSTROUTING',
|
11
|
+
forward: 'FORWARD',
|
12
|
+
}.freeze
|
13
|
+
|
14
|
+
TARGET ||= {
|
15
|
+
accept: 'accept',
|
16
|
+
allow: 'accept',
|
17
|
+
counter: 'counter',
|
18
|
+
deny: 'drop',
|
19
|
+
drop: 'drop',
|
20
|
+
log: 'log',
|
21
|
+
masquerade: 'masquerade',
|
22
|
+
redirect: 'redirect',
|
23
|
+
reject: 'reject',
|
24
|
+
}.freeze
|
25
|
+
|
26
|
+
def port_to_s(ports)
|
27
|
+
case ports
|
28
|
+
when String
|
29
|
+
ports
|
30
|
+
when Integer
|
31
|
+
ports.to_s
|
32
|
+
when Array
|
33
|
+
p_strings = ports.map { |o| port_to_s(o) }
|
34
|
+
"{#{p_strings.sort.join(',')}}"
|
35
|
+
when Range
|
36
|
+
"#{ports.first}-#{ports.last}"
|
37
|
+
else
|
38
|
+
raise "unknown class of port definition: #{ports.class}"
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
def nftables_command_log(rule_resource)
|
43
|
+
log_prefix = 'prefix '
|
44
|
+
log_prefix << if rule_resource.log_prefix.nil?
|
45
|
+
"\"#{CHAIN[rule_resource.direction]}:\""
|
46
|
+
else
|
47
|
+
"\"#{rule_resource.log_prefix}\""
|
48
|
+
end
|
49
|
+
log_group = if rule_resource.log_group.nil?
|
50
|
+
nil
|
51
|
+
else
|
52
|
+
"group #{rule_resource.log_group} "
|
53
|
+
end
|
54
|
+
"log #{log_prefix} #{log_group}"
|
55
|
+
end
|
56
|
+
|
57
|
+
def nftables_command_redirect(rule_resource)
|
58
|
+
if rule_resource.redirect_port.nil?
|
59
|
+
raise 'Specify redirect_port when using :redirect as commmand'
|
60
|
+
end
|
61
|
+
|
62
|
+
"redirect to #{rule_resource.redirect_port} "
|
63
|
+
end
|
64
|
+
|
65
|
+
def nftables_commands(rule_resource)
|
66
|
+
firewall_rule = ''
|
67
|
+
Array(rule_resource.command).each do |command|
|
68
|
+
begin
|
69
|
+
target = TARGET.fetch(command)
|
70
|
+
rescue KeyError
|
71
|
+
raise "Invalid command: #{command.inspect}. Use one of #{TARGET.keys}"
|
72
|
+
end
|
73
|
+
firewall_rule << case target
|
74
|
+
when 'log'
|
75
|
+
nftables_command_log(rule_resource)
|
76
|
+
when 'redirect'
|
77
|
+
nftables_command_redirect(rule_resource)
|
78
|
+
else
|
79
|
+
"#{TARGET[command.to_sym]} "
|
80
|
+
end
|
81
|
+
end
|
82
|
+
firewall_rule
|
83
|
+
end
|
84
|
+
|
85
|
+
def build_firewall_rule(rule_resource)
|
86
|
+
return rule_resource.raw.strip if rule_resource.raw
|
87
|
+
|
88
|
+
ip = ipv6_rule?(rule_resource) ? 'ip6' : 'ip'
|
89
|
+
table = if [:pre, :post].include?(rule_resource.direction)
|
90
|
+
'nat'
|
91
|
+
else
|
92
|
+
'filter'
|
93
|
+
end
|
94
|
+
firewall_rule = if table == 'nat'
|
95
|
+
"add rule #{ip} #{table} "
|
96
|
+
else
|
97
|
+
"add rule inet #{table} "
|
98
|
+
end
|
99
|
+
firewall_rule << "#{CHAIN.fetch(rule_resource.direction.to_sym, 'FORWARD')} "
|
100
|
+
|
101
|
+
firewall_rule << "iif #{rule_resource.interface} " if rule_resource.interface
|
102
|
+
firewall_rule << "oif #{rule_resource.outerface} " if rule_resource.outerface
|
103
|
+
|
104
|
+
if rule_resource.source
|
105
|
+
source_with_mask = ip_with_mask(rule_resource, rule_resource.source)
|
106
|
+
if source_with_mask != '0.0.0.0/0' && source_with_mask != '::/128'
|
107
|
+
firewall_rule << "#{ip} saddr #{source_with_mask} "
|
108
|
+
end
|
109
|
+
end
|
110
|
+
firewall_rule << "#{ip} daddr #{rule_resource.destination} " if rule_resource.destination
|
111
|
+
|
112
|
+
case rule_resource.protocol
|
113
|
+
when :icmp
|
114
|
+
firewall_rule << 'icmp type echo-request '
|
115
|
+
when :'ipv6-icmp', :icmpv6
|
116
|
+
firewall_rule << 'icmpv6 type { echo-request, nd-router-solicit, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } '
|
117
|
+
when :tcp, :udp
|
118
|
+
firewall_rule << "#{rule_resource.protocol} sport #{port_to_s(rule_resource.sport)} " if rule_resource.sport
|
119
|
+
firewall_rule << "#{rule_resource.protocol} dport #{port_to_s(rule_resource.dport)} " if rule_resource.dport
|
120
|
+
when :esp, :ah
|
121
|
+
firewall_rule << "#{ip} #{ip == 'ip6' ? 'nexthdr' : 'protocol'} #{rule_resource.protocol} "
|
122
|
+
when :ipv6, :none
|
123
|
+
# nothing to do
|
124
|
+
end
|
125
|
+
|
126
|
+
firewall_rule << "ct state #{Array(rule_resource.stateful).join(',').downcase} " if rule_resource.stateful
|
127
|
+
firewall_rule << nftables_commands(rule_resource)
|
128
|
+
firewall_rule << "comment \"#{rule_resource.description}\" " if rule_resource.include_comment
|
129
|
+
firewall_rule.strip!
|
130
|
+
firewall_rule
|
131
|
+
end
|
132
|
+
|
133
|
+
def default_ruleset(new_resource)
|
134
|
+
rules = {
|
135
|
+
'add table inet filter' => 1,
|
136
|
+
"add chain inet filter INPUT { type filter hook input priority 0 ; policy #{new_resource.input_policy}; }" => 2,
|
137
|
+
"add chain inet filter OUTPUT { type filter hook output priority 0 ; policy #{new_resource.output_policy}; }" => 2,
|
138
|
+
"add chain inet filter FORWARD { type filter hook forward priority 0 ; policy #{new_resource.forward_policy}; }" => 2,
|
139
|
+
}
|
140
|
+
if new_resource.table_ip_nat
|
141
|
+
rules['add table ip nat'] = 1
|
142
|
+
rules['add chain ip nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
|
143
|
+
rules['add chain ip nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
|
144
|
+
end
|
145
|
+
if new_resource.table_ip6_nat
|
146
|
+
rules['add table ip6 nat'] = 1
|
147
|
+
rules['add chain ip6 nat POSTROUTING { type nat hook postrouting priority 100 ;}'] = 2
|
148
|
+
rules['add chain ip6 nat PREROUTING { type nat hook prerouting priority -100 ;}'] = 2
|
149
|
+
end
|
150
|
+
rules
|
151
|
+
end
|
152
|
+
|
153
|
+
def ensure_default_rules_exist(new_resource)
|
154
|
+
input = new_resource.rules || {}
|
155
|
+
input.merge!(default_ruleset(new_resource))
|
156
|
+
end
|
157
|
+
|
158
|
+
def default_nftables_conf_path
|
159
|
+
case node['platform_family']
|
160
|
+
when 'rhel'
|
161
|
+
'/etc/sysconfig/nftables.conf'
|
162
|
+
when 'debian'
|
163
|
+
'/etc/nftables.conf'
|
164
|
+
else
|
165
|
+
raise "default_nftables_conf_path: Unsupported platform_family #{node['platform_family']}."
|
166
|
+
end
|
167
|
+
end
|
168
|
+
end
|
169
|
+
end
|
170
|
+
end
|
@@ -74,6 +74,7 @@ module FirewallCookbook
|
|
74
74
|
rule << rule_proto(new_resource)
|
75
75
|
rule << rule_dest_port(new_resource)
|
76
76
|
rule << rule_source_port(new_resource)
|
77
|
+
rule << rule_description(new_resource)
|
77
78
|
rule = rule.strip
|
78
79
|
|
79
80
|
if rule == 'ufw allow in proto tcp to any from any'
|
@@ -97,6 +98,12 @@ module FirewallCookbook
|
|
97
98
|
rule
|
98
99
|
end
|
99
100
|
|
101
|
+
def rule_description(new_resource)
|
102
|
+
rule = ''
|
103
|
+
rule << "comment \"#{new_resource.description}\" " if new_resource.description && new_resource.include_comment
|
104
|
+
rule
|
105
|
+
end
|
106
|
+
|
100
107
|
def rule_dest_port(new_resource)
|
101
108
|
rule = if new_resource.destination
|
102
109
|
"to #{new_resource.destination} "
|
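Review bot: Appending `rule_description` before the literal comparison `if rule == 'ufw allow in proto tcp to any from any'` means that comparison can no longer match once `include_comment` is set, because the rule now ends in `comment "…"`; whatever that branch does (its body is outside the hunk) is skipped for commented rules, so the check should run before the comment is appended or compare against the rule without the comment suffix. `rule_description` also drops `new_resource.description` unescaped inside double quotes into a string that the provider presumably executes as a ufw command, so a description containing `"` or shell metacharacters corrupts or extends the command; a guard such as `raise ArgumentError, "description must not contain quotes, newlines or shell metacharacters" if new_resource.description.match?(/["\\\n;|&$`]/)` at the top of `rule_description` keeps it to a plain label. The method body could then be the single expression `new_resource.description && new_resource.include_comment ? "comment \"#{new_resource.description}\" " : ''`.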
@@ -44,12 +44,11 @@ module FirewallCookbook
|
|
44
44
|
|
45
45
|
def to_type(new_resource)
|
46
46
|
cmd = new_resource.command
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
type
|
47
|
+
if cmd == :reject || cmd == :deny
|
48
|
+
:block
|
49
|
+
else
|
50
|
+
:allow
|
51
|
+
end
|
53
52
|
end
|
54
53
|
|
55
54
|
def build_rule(new_resource)
|
@@ -66,13 +65,13 @@ module FirewallCookbook
|
|
66
65
|
if new_resource.direction.to_sym == :out
|
67
66
|
parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
|
68
67
|
parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
|
69
|
-
parameters['interfacetype'] = new_resource.interface
|
68
|
+
parameters['interfacetype'] = new_resource.interface || 'any'
|
70
69
|
parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
|
71
70
|
parameters['remoteport'] = new_resource.dest_port ? port_to_s(new_resource.dest_port) : 'any'
|
72
71
|
else
|
73
|
-
parameters['localip'] = new_resource.destination
|
72
|
+
parameters['localip'] = new_resource.destination || 'any'
|
74
73
|
parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'
|
75
|
-
parameters['interfacetype'] = new_resource.dest_interface
|
74
|
+
parameters['interfacetype'] = new_resource.dest_interface || 'any'
|
76
75
|
parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
|
77
76
|
parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
|
78
77
|
end
|
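Review bot: The rewritten `to_type` maps every command other than `:reject`/`:deny` to `:allow`, so a typo or an unsupported value such as `:drop` (which the nftables helper's `TARGET` table in this same change accepts) silently produces an allow rule on Windows instead of an error. Failing closed on anything outside the known set is safer and documents the supported values in one place; the allow set below should be aligned with whatever `command` is validated against in resource_firewall_rule.rb. The `|| 'any'` defaults added in `build_rule` are fine; a short comment on line 68 noting that the rule syntax needs an explicit `interfacetype` would explain why the fallback exists.

```ruby
def to_type(new_resource)
  case new_resource.command
  when :reject, :deny then :block
  when :allow, :accept then :allow
  else raise ArgumentError, "Unsupported firewall command for Windows: #{new_resource.command.inspect}"
  end
end
```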
@@ -19,15 +19,15 @@ class Chef
|
|
19
19
|
class Provider::FirewallFirewalld < Chef::Provider::LWRPBase
|
20
20
|
include FirewallCookbook::Helpers::Firewalld
|
21
21
|
|
22
|
-
provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
|
23
|
-
node['platform_version'].
|
22
|
+
provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
|
23
|
+
(node['platform_version'].to_i >= 7 && !node['firewall']['redhat7_iptables']) || (amazon_linux? && !node['firewall']['redhat7_iptables'])
|
24
24
|
end
|
25
25
|
|
26
26
|
def whyrun_supported?
|
27
27
|
false
|
28
28
|
end
|
29
29
|
|
30
|
-
|
30
|
+
action :install do
|
31
31
|
return if disabled?(new_resource)
|
32
32
|
|
33
33
|
firewalld_package = package 'firewalld' do
|
@@ -51,7 +51,7 @@ class Chef
|
|
51
51
|
end
|
52
52
|
end
|
53
53
|
|
54
|
-
|
54
|
+
action :restart do
|
55
55
|
return if disabled?(new_resource)
|
56
56
|
|
57
57
|
# ensure it's initialized
|
@@ -65,7 +65,7 @@ class Chef
|
|
65
65
|
|
66
66
|
ip_versions(firewall_rule).each do |ip_version|
|
67
67
|
# build rules to apply with weight
|
68
|
-
k = "firewall-cmd --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
|
68
|
+
k = "firewall-cmd --zone=#{firewall_rule.zone} --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
|
69
69
|
v = firewall_rule.position
|
70
70
|
|
71
71
|
# unless we're adding them for the first time.... bail out.
|
@@ -75,7 +75,7 @@ class Chef
|
|
75
75
|
# If persistent rules is enabled (default) make sure we add a permanent rule at the same time
|
76
76
|
perm_rules = node && node['firewall'] && node['firewall']['firewalld'] && node['firewall']['firewalld']['permanent']
|
77
77
|
if firewall_rule.permanent || perm_rules
|
78
|
-
k = "firewall-cmd --permanent --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
|
78
|
+
k = "firewall-cmd --zone=#{firewall_rule.zone} --permanent --direct --add-rule #{build_firewall_rule(firewall_rule, ip_version)}"
|
79
79
|
new_resource.rules['firewalld'][k] = v
|
80
80
|
end
|
81
81
|
end
|
@@ -111,7 +111,7 @@ class Chef
|
|
111
111
|
new_resource.updated_by_last_action(true)
|
112
112
|
end
|
113
113
|
|
114
|
-
|
114
|
+
action :disable do
|
115
115
|
return if disabled?(new_resource)
|
116
116
|
|
117
117
|
if firewalld_active?
|
@@ -133,7 +133,7 @@ class Chef
|
|
133
133
|
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
134
134
|
end
|
135
135
|
|
136
|
-
|
136
|
+
action :flush do
|
137
137
|
return if disabled?(new_resource)
|
138
138
|
return unless firewalld_active?
|
139
139
|
|
@@ -146,7 +146,7 @@ class Chef
|
|
146
146
|
new_resource.updated_by_last_action(rules_file.updated_by_last_action?)
|
147
147
|
end
|
148
148
|
|
149
|
-
|
149
|
+
action :save do
|
150
150
|
return if disabled?(new_resource)
|
151
151
|
return if firewalld_all_rules_permanent!
|
152
152
|
|
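Review bot: The new `provides` predicate on line 23 repeats `!node['firewall']['redhat7_iptables']` in both alternatives; `(node['platform_version'].to_i >= 7 || amazon_linux?) && !node['firewall']['redhat7_iptables']` says the same thing in one read. With `redhat7_iptables` unset this predicate is true on RHEL 8+ and on Amazon Linux 2023 (platform_version 2023), and provider_firewall_iptables.rb's new predicate `node['platform_version'].to_i >= 8` is true on the same platforms, so both providers claim `:firewall` there and which one wins depends on Chef's provider resolution rather than on this cookbook; the two predicates should be written as complements of each other. The `--zone=#{firewall_rule.zone}` additions on lines 68 and 78 produce `--zone=` with an empty value when `zone` is unset unless the property carries a default, and since firewalld direct rules are not zone-scoped it is worth confirming firewall-cmd accepts the option together with `--direct --add-rule`. These strings are also the keys of `new_resource.rules['firewalld']`, so rules persisted by an earlier version under the old key text will not be recognized as already present after the upgrade (that comparison sits just outside the hunk).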
@@ -3,7 +3,7 @@
|
|
3
3
|
# Cookbook:: firewall
|
4
4
|
# Resource:: default
|
5
5
|
#
|
6
|
-
# Copyright:: 2011-
|
6
|
+
# Copyright:: 2011-2019, Chef Software, Inc.
|
7
7
|
#
|
8
8
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
9
9
|
# you may not use this file except in compliance with the License.
|
@@ -23,14 +23,14 @@ class Chef
|
|
23
23
|
include FirewallCookbook::Helpers::Iptables
|
24
24
|
|
25
25
|
provides :firewall, os: 'linux', platform_family: %w(rhel fedora amazon) do |node|
|
26
|
-
node['platform_version'].
|
26
|
+
(node['platform_version'].to_i < 7 && !amazon_linux?) || node['platform_version'].to_i >= 8 || node['firewall']['redhat7_iptables']
|
27
27
|
end
|
28
28
|
|
29
29
|
def whyrun_supported?
|
30
30
|
false
|
31
31
|
end
|
32
32
|
|
33
|
-
|
33
|
+
action :install do
|
34
34
|
return if disabled?(new_resource)
|
35
35
|
|
36
36
|
# Ensure the package is installed
|
@@ -60,7 +60,7 @@ class Chef
|
|
60
60
|
end
|
61
61
|
end
|
62
62
|
|
63
|
-
|
63
|
+
action :restart do
|
64
64
|
return if disabled?(new_resource)
|
65
65
|
|
66
66
|
# prints all the firewall rules
|
@@ -104,12 +104,12 @@ class Chef
|
|
104
104
|
next unless iptables_file.updated_by_last_action?
|
105
105
|
|
106
106
|
iptables_service = lookup_or_create_service(iptables_type)
|
107
|
-
|
107
|
+
iptables_service.run_action(:restart)
|
108
108
|
new_resource.updated_by_last_action(true)
|
109
109
|
end
|
110
110
|
end
|
111
111
|
|
112
|
-
|
112
|
+
action :disable do
|
113
113
|
return if disabled?(new_resource)
|
114
114
|
|
115
115
|
iptables_flush!(new_resource)
|
@@ -131,7 +131,7 @@ class Chef
|
|
131
131
|
end
|
132
132
|
end
|
133
133
|
|
134
|
-
|
134
|
+
action :flush do
|
135
135
|
return if disabled?(new_resource)
|
136
136
|
|
137
137
|
iptables_flush!(new_resource)
|
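Review bot: `iptables_service.run_action(:restart)` on line 107 restarts each iptables service synchronously inside the loop, so with IPv6 enabled the `:restart` action now pays two restarts mid-converge instead of one delayed notification, and a failing restart aborts the run before any later resource executes; if that is intended, a one-line comment such as `# restart immediately so resources later in the run see the new rules` documents the choice. The hunk does not show what previously triggered the restart, so whether this is a behaviour change or a fix for a missing restart cannot be told from here. The enclosing `action :restart` block begins above the hunk.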
@@ -3,7 +3,7 @@
|
|
3
3
|
# Cookbook:: firewall
|
4
4
|
# Resource:: default
|
5
5
|
#
|
6
|
-
# Copyright:: 2011-
|
6
|
+
# Copyright:: 2011-2019, Chef Software, Inc.
|
7
7
|
#
|
8
8
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
9
9
|
# you may not use this file except in compliance with the License.
|
@@ -31,7 +31,7 @@ class Chef
|
|
31
31
|
false
|
32
32
|
end
|
33
33
|
|
34
|
-
|
34
|
+
action :install do
|
35
35
|
return if disabled?(new_resource)
|
36
36
|
|
37
37
|
# Ensure the package is installed
|
@@ -64,7 +64,7 @@ class Chef
|
|
64
64
|
end
|
65
65
|
end
|
66
66
|
|
67
|
-
|
67
|
+
action :restart do
|
68
68
|
return if disabled?(new_resource)
|
69
69
|
|
70
70
|
# prints all the firewall rules
|
@@ -98,6 +98,8 @@ class Chef
|
|
98
98
|
end
|
99
99
|
end
|
100
100
|
|
101
|
+
restart_service = false
|
102
|
+
|
101
103
|
rule_files = %w(iptables)
|
102
104
|
rule_files << 'ip6tables' if ipv6_enabled?(new_resource)
|
103
105
|
|
@@ -120,17 +122,19 @@ class Chef
|
|
120
122
|
iptables_file.run_action(:create)
|
121
123
|
|
122
124
|
# if the file was changed, restart iptables
|
123
|
-
|
125
|
+
restart_service = true if iptables_file.updated_by_last_action?
|
126
|
+
end
|
127
|
+
|
128
|
+
if restart_service
|
124
129
|
service_affected = service 'netfilter-persistent' do
|
125
130
|
action :nothing
|
126
131
|
end
|
127
|
-
|
128
|
-
new_resource.notifies(:restart, service_affected, :delayed)
|
132
|
+
service_affected.run_action(:restart)
|
129
133
|
new_resource.updated_by_last_action(true)
|
130
134
|
end
|
131
135
|
end
|
132
136
|
|
133
|
-
|
137
|
+
action :disable do
|
134
138
|
return if disabled?(new_resource)
|
135
139
|
|
136
140
|
iptables_flush!(new_resource)
|
@@ -153,7 +157,7 @@ class Chef
|
|
153
157
|
end
|
154
158
|
end
|
155
159
|
|
156
|
-
|
160
|
+
action :flush do
|
157
161
|
return if disabled?(new_resource)
|
158
162
|
|
159
163
|
iptables_flush!(new_resource)
|
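Review bot: The `if restart_service` block replaces a delayed `notifies(:restart, …)` with an immediate `service_affected.run_action(:restart)`, so `netfilter-persistent` is now restarted during this action rather than once at the end of the run; if several `firewall` resources or later recipe steps rewrite the rule files, each triggers its own restart, and a restart failure now aborts the converge at this point. If immediate reload is the intent, the comment on line 124 should say so, e.g. `# if either rules file changed, reload netfilter-persistent now so subsequent resources see the rules`. `restart_service = true if iptables_file.updated_by_last_action?` reads more naturally as `restart_service ||= iptables_file.updated_by_last_action?`. The `:restart` action this hunk belongs to begins above the hunk.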