cloud-mu 3.5.0 → 3.6.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Berksfile +5 -2
- data/Berksfile.lock +135 -0
- data/ansible/roles/mu-base/README.md +33 -0
- data/ansible/roles/mu-base/defaults/main.yml +2 -0
- data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
- data/ansible/roles/mu-base/files/check_apm.sh +18 -0
- data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
- data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
- data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
- data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
- data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
- data/ansible/roles/mu-base/files/logrotate.conf +35 -0
- data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
- data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
- data/ansible/roles/mu-base/handlers/main.yml +5 -0
- data/ansible/roles/mu-base/meta/main.yml +53 -0
- data/ansible/roles/mu-base/tasks/main.yml +113 -0
- data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
- data/ansible/roles/mu-base/tests/inventory +2 -0
- data/ansible/roles/mu-base/tests/test.yml +5 -0
- data/ansible/roles/mu-base/vars/main.yml +1 -0
- data/ansible/roles/mu-compliance/README.md +33 -0
- data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
- data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
- data/ansible/roles/mu-compliance/meta/main.yml +53 -0
- data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
- data/ansible/roles/mu-compliance/tests/inventory +2 -0
- data/ansible/roles/mu-compliance/tests/test.yml +5 -0
- data/ansible/roles/mu-compliance/vars/main.yml +4 -0
- data/ansible/roles/mu-elastic/README.md +51 -0
- data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
- data/ansible/roles/mu-elastic/files/jvm.options +93 -0
- data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
- data/ansible/roles/mu-elastic/meta/main.yml +52 -0
- data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
- data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
- data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
- data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
- data/ansible/roles/mu-elastic/tests/inventory +2 -0
- data/ansible/roles/mu-elastic/tests/test.yml +5 -0
- data/ansible/roles/mu-elastic/vars/main.yml +2 -0
- data/ansible/roles/mu-logstash/README.md +51 -0
- data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
- data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
- data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
- data/ansible/roles/mu-logstash/files/jvm.options +84 -0
- data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
- data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
- data/ansible/roles/mu-logstash/meta/main.yml +52 -0
- data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
- data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
- data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
- data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
- data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
- data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
- data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
- data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
- data/ansible/roles/mu-logstash/tests/inventory +2 -0
- data/ansible/roles/mu-logstash/tests/test.yml +5 -0
- data/ansible/roles/mu-logstash/vars/main.yml +2 -0
- data/ansible/roles/mu-rdp/README.md +33 -0
- data/ansible/roles/mu-rdp/meta/main.yml +53 -0
- data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
- data/ansible/roles/mu-rdp/tests/inventory +2 -0
- data/ansible/roles/mu-rdp/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/tasks/main.yml +3 -0
- data/bin/mu-ansible-secret +1 -1
- data/bin/mu-aws-setup +4 -3
- data/bin/mu-azure-setup +5 -5
- data/bin/mu-configure +25 -17
- data/bin/mu-firewall-allow-clients +1 -0
- data/bin/mu-gcp-setup +3 -3
- data/bin/mu-load-config.rb +1 -0
- data/bin/mu-node-manage +66 -33
- data/bin/mu-self-update +2 -2
- data/bin/mu-upload-chef-artifacts +6 -1
- data/bin/mu-user-manage +1 -1
- data/cloud-mu.gemspec +25 -23
- data/cookbooks/firewall/CHANGELOG.md +417 -224
- data/cookbooks/firewall/LICENSE +202 -0
- data/cookbooks/firewall/README.md +153 -126
- data/cookbooks/firewall/TODO.md +6 -0
- data/cookbooks/firewall/attributes/firewalld.rb +7 -0
- data/cookbooks/firewall/attributes/iptables.rb +3 -3
- data/cookbooks/firewall/chefignore +115 -0
- data/cookbooks/firewall/libraries/helpers.rb +5 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
- data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
- data/cookbooks/firewall/metadata.json +40 -1
- data/cookbooks/firewall/metadata.rb +15 -0
- data/cookbooks/firewall/recipes/default.rb +7 -7
- data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
- data/cookbooks/firewall/recipes/firewalld.rb +87 -0
- data/cookbooks/firewall/renovate.json +18 -0
- data/cookbooks/firewall/resources/firewalld.rb +28 -0
- data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
- data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
- data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
- data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
- data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
- data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
- data/cookbooks/firewall/resources/nftables.rb +71 -0
- data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
- data/cookbooks/mu-activedirectory/Berksfile +1 -1
- data/cookbooks/mu-activedirectory/metadata.rb +1 -1
- data/cookbooks/mu-firewall/metadata.rb +2 -2
- data/cookbooks/mu-master/Berksfile +4 -3
- data/cookbooks/mu-master/attributes/default.rb +5 -2
- data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
- data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
- data/cookbooks/mu-master/libraries/mu.rb +24 -0
- data/cookbooks/mu-master/metadata.rb +5 -5
- data/cookbooks/mu-master/recipes/default.rb +31 -20
- data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
- data/cookbooks/mu-master/recipes/init.rb +58 -19
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
- data/cookbooks/mu-php54/Berksfile +1 -1
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-tools/Berksfile +2 -3
- data/cookbooks/mu-tools/attributes/default.rb +3 -4
- data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
- data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
- data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
- data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
- data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
- data/cookbooks/mu-tools/libraries/helper.rb +21 -9
- data/cookbooks/mu-tools/metadata.rb +4 -4
- data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
- data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
- data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
- data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
- data/data_bags/nagios_services/apm_backend_connect.json +5 -0
- data/data_bags/nagios_services/apm_listen.json +5 -0
- data/data_bags/nagios_services/elastic_shards.json +5 -0
- data/data_bags/nagios_services/logstash.json +5 -0
- data/data_bags/nagios_services/rhel7_updates.json +8 -0
- data/extras/image-generators/AWS/centos7.yaml +1 -0
- data/extras/image-generators/AWS/rhel7.yaml +21 -0
- data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
- data/extras/image-generators/AWS/win2k16.yaml +1 -0
- data/extras/image-generators/AWS/win2k19.yaml +1 -0
- data/extras/list-stock-amis +0 -0
- data/extras/ruby_rpm/muby.spec +8 -5
- data/extras/vault_tools/export_vaults.sh +1 -1
- data/extras/vault_tools/recreate_vaults.sh +0 -0
- data/extras/vault_tools/test_vaults.sh +0 -0
- data/install/deprecated-bash-library.sh +1 -1
- data/install/installer +4 -2
- data/modules/mommacat.ru +3 -1
- data/modules/mu/adoption.rb +1 -1
- data/modules/mu/cloud/dnszone.rb +2 -2
- data/modules/mu/cloud/machine_images.rb +26 -25
- data/modules/mu/cloud/resource_base.rb +213 -182
- data/modules/mu/cloud/server_pool.rb +1 -1
- data/modules/mu/cloud/ssh_sessions.rb +7 -5
- data/modules/mu/cloud/wrappers.rb +2 -2
- data/modules/mu/cloud.rb +1 -1
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/function.rb +6 -1
- data/modules/mu/config/loadbalancer.rb +24 -2
- data/modules/mu/config/ref.rb +12 -0
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +42 -9
- data/modules/mu/config/server.rb +43 -27
- data/modules/mu/config/tail.rb +19 -10
- data/modules/mu/config.rb +6 -5
- data/modules/mu/defaults/AWS.yaml +78 -114
- data/modules/mu/deploy.rb +9 -2
- data/modules/mu/groomer.rb +12 -4
- data/modules/mu/groomers/ansible.rb +104 -20
- data/modules/mu/groomers/chef.rb +15 -6
- data/modules/mu/master.rb +9 -4
- data/modules/mu/mommacat/daemon.rb +4 -2
- data/modules/mu/mommacat/naming.rb +1 -2
- data/modules/mu/mommacat/storage.rb +7 -2
- data/modules/mu/mommacat.rb +33 -6
- data/modules/mu/providers/aws/database.rb +161 -8
- data/modules/mu/providers/aws/dnszone.rb +11 -6
- data/modules/mu/providers/aws/endpoint.rb +81 -6
- data/modules/mu/providers/aws/firewall_rule.rb +254 -172
- data/modules/mu/providers/aws/function.rb +65 -3
- data/modules/mu/providers/aws/loadbalancer.rb +39 -28
- data/modules/mu/providers/aws/log.rb +2 -1
- data/modules/mu/providers/aws/role.rb +25 -7
- data/modules/mu/providers/aws/server.rb +36 -12
- data/modules/mu/providers/aws/server_pool.rb +237 -127
- data/modules/mu/providers/aws/storage_pool.rb +7 -1
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/userdata/linux.erb +6 -2
- data/modules/mu/providers/aws/userdata/windows.erb +7 -5
- data/modules/mu/providers/aws/vpc.rb +49 -25
- data/modules/mu/providers/aws.rb +13 -8
- data/modules/mu/providers/azure/container_cluster.rb +1 -1
- data/modules/mu/providers/azure/loadbalancer.rb +2 -2
- data/modules/mu/providers/azure/server.rb +5 -2
- data/modules/mu/providers/azure/userdata/linux.erb +1 -1
- data/modules/mu/providers/azure.rb +11 -8
- data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +15 -2
- data/modules/mu/providers/google/folder.rb +2 -1
- data/modules/mu/providers/google/function.rb +130 -4
- data/modules/mu/providers/google/habitat.rb +2 -1
- data/modules/mu/providers/google/loadbalancer.rb +407 -160
- data/modules/mu/providers/google/role.rb +16 -3
- data/modules/mu/providers/google/server.rb +5 -1
- data/modules/mu/providers/google/user.rb +25 -18
- data/modules/mu/providers/google/userdata/linux.erb +1 -1
- data/modules/mu/providers/google/vpc.rb +53 -7
- data/modules/mu/providers/google.rb +39 -39
- data/modules/mu.rb +8 -8
- data/modules/tests/elk.yaml +46 -0
- data/test/mu-master-test/controls/all_in_one.rb +1 -1
- metadata +207 -112
- data/cookbooks/firewall/CONTRIBUTING.md +0 -2
- data/cookbooks/firewall/MAINTAINERS.md +0 -19
- data/cookbooks/firewall/libraries/matchers.rb +0 -30
- data/extras/image-generators/AWS/rhel71.yaml +0 -17
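--- a/data/cookbooks/firewall/resources/firewalld_icmptype.rb
+++ b/data/cookbooks/firewall/resources/firewalld_icmptype.rb
@@ -0,0 +1,88 @@
+unified_mode true
+
+provides :firewalld_icmptype,
+os: 'linux'
+
+property :version,
+String,
+default: '',
+description: 'see version attribute of icmptype tag in firewalld.icmptype(5).'
+property :short,
+String,
+name_property: true,
+description: 'see short tag in firewalld.icmptype(5).'
+property :description,
+String,
+description: 'see description tag in firewalld.icmptype(5).'
+property :destinations,
+Array,
+equal_to: [['ipv4'], ['ipv6'], %w(ipv4 ipv6)],
+default: 'ipv4',
+description: 'array, either empty or containing strings \'ipv4\' and/or \'ipv6\', see destination tag in firewalld.icmptype(5).',
+coerce: proc { |o| Array(o) }
+
+load_current_value do |new_resource|
+sysbus = DBus.system_bus
+firewalld_service = sysbus['org.fedoraproject.FirewallD1']
+firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
+fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
+if fw_config.getIcmpTypeNames.include?(new_resource.short)
+icmptype_path = fw_config.getIcmpTypeByName(new_resource.short)
+object = firewalld_service[icmptype_path]
+config_icmptype = object['org.fedoraproject.FirewallD1.config.icmptype']
+settings = config_icmptype.getSettings
+version settings[0]
+# short settings[1]
+description settings[2]
+destinations settings[3]
+else
+Chef::Log.info "IcmpType #{new_resource.short} does not exist. Will be created."
+end
+end
+
+action :update do
+dbus = DBus.system_bus
+fw_config = config_interface(dbus)
+fw = firewalld_interface(dbus)
+reload = false
+icmptype_names = fw_config.getIcmpTypeNames
+if !icmptype_names.include?(new_resource.short)
+values = [
+new_resource.version,
+new_resource.short,
+default_description(new_resource),
+new_resource.destinations,
+]
+
+converge_by "Add IcmpType #{new_resource.short}" do
+fw_config.addIcmpType(new_resource.short, values)
+end
+reload = true
+else
+icmptype_path = fw_config.getIcmpTypeByName(new_resource.short)
+icmptype = icmptype_interface(dbus, icmptype_path)
+converge_if_changed :version do
+icmptype.setVersion new_resource.version
+reload = true
+end
+converge_if_changed :description do
+icmptype.setDescription default_description(new_resource)
+reload = true
+end
+converge_if_changed :destinations do
+icmptype.setDestinations new_resource.destinations
+reload = true
+end
+end
+
+if reload
+converge_by ['reload permanent configuration of firewalld'] do
+fw.reload
+end
+end
+end
+
+action_class do
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::FirewalldDBus
+end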
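Review bot: The `destinations` property's description says the array may be empty, but `equal_to: [['ipv4'], ['ipv6'], %w(ipv4 ipv6)]` rejects `[]`, and `default: 'ipv4'` is a String on a property typed `Array` (it presumably only validates because `coerce` wraps it first). Either drop "either empty" from the description or allow the empty list and give the default the declared type, e.g. `equal_to: [[], ['ipv4'], ['ipv6'], %w(ipv4 ipv6)],` and `default: ['ipv4'],`. Separately, `load_current_value` walks the bus by hand (`sysbus['org.fedoraproject.FirewallD1']`, then the config object, then the interface) while the action obtains the same interface through `config_interface(dbus)`; the ipset, policy and service hunks repeat the same manual walk, so if the helper is reachable from `load_current_value` it would remove four copies of the bus, object and interface names.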
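--- a/data/cookbooks/firewall/resources/firewalld_ipset.rb
+++ b/data/cookbooks/firewall/resources/firewalld_ipset.rb
@@ -0,0 +1,104 @@
+unified_mode true
+
+provides :firewalld_ipset,
+os: 'linux'
+
+property :version,
+String,
+description: 'see version attribute of ipset tag in firewalld.ipset(5).'
+property :short,
+String,
+name_property: true,
+description: 'see short tag in firewalld.ipset(5).'
+property :description,
+String,
+description: 'see description tag in firewalld.ipset(5).'
+property :type,
+String,
+default: 'hash:ip',
+description: 'see type attribute of ipset tag in firewalld.ipset(5).',
+equal_to:
+%w(hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net)
+property :options,
+Hash,
+description: 'hash of {option : value} . See options tag in firewalld.ipset(5).'
+property :entries,
+[Array, String],
+description: 'array of entries, see entry tag in firewalld.ipset(5).',
+coerce: proc { |o| Array(o) }
+
+load_current_value do |new_resource|
+sysbus = DBus.system_bus
+firewalld_service = sysbus['org.fedoraproject.FirewallD1']
+firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
+fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
+if fw_config.getIPSetNames.include?(new_resource.short)
+ipset_path = fw_config.getIPSetByName(new_resource.short)
+object = firewalld_service[ipset_path]
+config_ipset = object['org.fedoraproject.FirewallD1.config.ipset']
+settings = config_ipset.getSettings
+version settings[0]
+# short settings[1]
+description settings[2]
+type settings[3]
+options settings[4]
+entries settings[5]
+else
+Chef::Log.info "Ipset #{new_resource.short} does not exist. Will be created."
+end
+end
+
+action :update do
+dbus = DBus.system_bus
+fw = firewalld_interface(dbus)
+fw_config = config_interface(dbus)
+reload = false
+if !fw_config.getIPSetNames.include?(new_resource.short)
+values = [
+new_resource.version || '',
+new_resource.short,
+default_description(new_resource),
+new_resource.type,
+new_resource.options || {},
+new_resource.entries,
+]
+converge_by "Add ipset #{new_resource.short}" do
+fw_config.addIPSet(new_resource.short, values)
+end
+reload = true
+else
+ipset_path = fw_config.getIPSetByName(new_resource.short)
+ipset = ipset_interface(dbus, ipset_path)
+converge_if_changed :version do
+ipset.setVersion new_resource.version
+reload = true
+end
+converge_if_changed :description do
+ipset.setDescriptions default_description(new_resource)
+reload = true
+end
+converge_if_changed :type do
+ipset.setType new_resource.type
+reload = true
+end
+converge_if_changed :options do
+ipset.setOptions(new_resource.options || {})
+reload = true
+end
+converge_if_changed :entries do
+ipset.setEntries new_resource.entries
+reload = true
+end
+end
+
+if reload
+converge_by ['reload permanent configuration of firewalld'] do
+fw.reload
+end
+end
+end
+
+action_class do
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::FirewalldDBus
+end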
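Review bot: `ipset.setDescriptions default_description(new_resource)` inside `converge_if_changed :description` looks like a typo: every other setter in this hunk is singular (`setVersion`, `setType`, `setOptions`, `setEntries`) and the icmptype resource calls `setDescription`, so a description change on an existing ipset would most likely fail with an unknown-method D-Bus error instead of converging. Change it to `ipset.setDescription default_description(new_resource)`. As a point of style, `if !fw_config.getIPSetNames.include?(new_resource.short)` reads better as `unless fw_config.getIPSetNames.include?(new_resource.short)`, which is also the form the policy and service hunks use.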
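--- a/data/cookbooks/firewall/resources/firewalld_policy.rb
+++ b/data/cookbooks/firewall/resources/firewalld_policy.rb
@@ -0,0 +1,115 @@
+unified_mode true
+
+provides :firewalld_policy,
+os: 'linux'
+
+property :description,
+String,
+description: 'see description tag in firewalld.policy(5).'
+property :egress_zones,
+[Array, String],
+description: 'array of zone names. See egress-zone tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :forward_ports,
+[Array, String],
+description: 'array of `portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]`. See forward-port tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :icmp_blocks,
+[Array, String],
+description: 'array of icmp-blocks. See icmp-block tag in firewalld.policy(5).'
+property :ingress_zones,
+[Array, String],
+description: 'array of zone names. See ingress-zone tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :masquerade,
+[true, false],
+description: 'see masquerade tag in firewalld.policy(5).'
+property :ports,
+[Array, String],
+description: 'array of port and protocol pairs. See port tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :priority,
+Integer,
+description: 'see priority tag in firewalld.policy(5).'
+property :protocols,
+[Array, String],
+description: 'array of protocols, see protocol tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :rich_rules,
+[Array, String],
+description: 'array of rich-language rules. See rule tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :services,
+[Array, String],
+description: 'array of service names, see service tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :short,
+String,
+description: 'see short tag in firewalld.policy(5).',
+name_property: true
+property :source_ports,
+[Array, String],
+description: 'array of port and protocol pairs. See source-port tag in firewalld.policy(5).',
+coerce: proc { |o| Array(o) }
+property :target,
+String,
+description: 'see target attribute of policy tag in firewalld.policy(5).'
+property :version,
+String,
+description: 'see version attribute of policy tag in firewalld.policy(5).'
+
+load_current_value do |new_resource|
+sysbus = DBus.system_bus
+firewalld_service = sysbus['org.fedoraproject.FirewallD1']
+firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
+fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
+if fw_config.getPolicyNames.include?(new_resource.short)
+policy_path = fw_config.getPolicyByName(new_resource.short)
+object = firewalld_service[policy_path]
+config_policy = object['org.fedoraproject.FirewallD1.config.policy']
+config_policy.getSettings.each do |k, v|
+send(k, v)
+end
+else
+Chef::Log.info "Zone #{new_resource.short} does not exist. Will be created."
+end
+end
+
+action :update do
+dbus = DBus.system_bus
+fw = firewalld_interface(dbus)
+fw_config = config_interface(dbus)
+reload = false
+
+unless fw_config.getPolicyNames.include?(new_resource.short)
+fw_config.addPolicy(new_resource.short, {})
+end
+policy_path = fw_config.getPolicyByName(new_resource.short)
+policy = policy_interface(dbus, policy_path)
+properties = new_resource.class.state_properties.map(&:name)
+properties.each do |property|
+new_value = new_resource.send(property)
+next if new_value.nil?
+if [:ports, :source_ports].include?(property)
+new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
+elsif [:forward_ports].include?(property)
+new_value = forward_ports_to_dbus(new_resource)
+elsif [:priority].include?(property)
+new_value = DBus.variant('i', new_value)
+end
+converge_if_changed property do
+policy.update({ property.to_s => new_value })
+reload = true
+end
+end
+
+if reload
+converge_by ['reload permanent configuration of firewalld'] do
+fw.reload
+end
+end
+end
+
+action_class do
+include FirewallCookbook::Helpers::FirewalldDBus
+end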
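Review bot: `fw_config.addPolicy(new_resource.short, {})` runs outside any `converge_by`, so a missing policy is written to firewalld's permanent configuration without being reported as a change and, since only `converge_by` blocks are skipped, presumably also under why-run; the icmptype and ipset hunks wrap their add calls, and the service hunk has the same unguarded `addService2`. Wrap it: `converge_by "Add policy #{new_resource.short}" do` / `fw_config.addPolicy(new_resource.short, {})` / `end`. The log line in `load_current_value` reads `"Zone #{new_resource.short} does not exist. Will be created."` in a policy resource and should say `Policy`. `send(k, v)` with keys taken straight from `getSettings` raises NoMethodError for any key that has no matching property and bypasses method visibility, so `public_send(k, v) if respond_to?(k)` would be the safer form here and in the service hunk's `getSettings2` loop.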
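--- a/data/cookbooks/firewall/resources/firewalld_service.rb
+++ b/data/cookbooks/firewall/resources/firewalld_service.rb
@@ -0,0 +1,98 @@
+unified_mode true
+
+provides :firewalld_service,
+os: 'linux'
+
+property :version,
+String,
+description: 'see version attribute of service tag in firewalld.service(5).'
+property :short,
+String,
+name_property: true,
+description: 'see short tag in firewalld.service(5).'
+property :description,
+String,
+description: 'see description tag in firewalld.service(5).'
+property :ports,
+[Array, String],
+description: 'array of port and protocol pairs. See port tag in firewalld.service(5).',
+coerce: proc { |o| Array(o) }
+property :module_names,
+[Array, String],
+description: 'array of kernel netfilter helpers, see module tag in firewalld.service(5).',
+coerce: proc { |o| Array(o) }
+property :destination,
+Hash,
+description: 'hash of {IP family : IP address} where \'IP family\' key can be either \'ipv4\' or \'ipv6\'. See destination tag in firewalld.service(5).'
+property :protocols,
+[Array, String],
+description: 'array of protocols, see protocol tag in firewalld.service(5).',
+coerce: proc { |o| Array(o) }
+property :source_ports,
+[Array, String],
+description: 'array of port and protocol pairs. See source-port tag in firewalld.service(5).',
+coerce: proc { |o| Array(o) }
+property :includes,
+[Array, String],
+description: 'array of service includes, see include tag in firewalld.service(5).',
+coerce: proc { |o| Array(o) }
+property :helpers,
+[Array, String],
+description: 'array of service helpers, see helper tag in firewalld.service(5).',
+coerce: proc { |o| Array(o) }
+
+load_current_value do |new_resource|
+sysbus = DBus.system_bus
+firewalld_service = sysbus['org.fedoraproject.FirewallD1']
+firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
+fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
+if fw_config.getServiceNames.include?(new_resource.short)
+service_path = fw_config.getServiceByName(new_resource.short)
+object = firewalld_service[service_path]
+config_service = object['org.fedoraproject.FirewallD1.config.service']
+config_service.getSettings2.each do |k, v|
+send(k, v)
+end
+else
+Chef::Log.info "Service #{new_resource.short} does not exist. Will be created."
+end
+end
+
+action :update do
+dbus = DBus.system_bus
+fw = firewalld_interface(dbus)
+fw_config = config_interface(dbus)
+reload = false
+unless fw_config.getServiceNames.include?(new_resource.short)
+fw_config.addService2(new_resource.short, {})
+end
+
+service_path = fw_config.getServiceByName(new_resource.short)
+service = service_interface(dbus, service_path)
+properties = new_resource.class.state_properties.map(&:name)
+properties.each do |property|
+new_value = new_resource.send(property)
+next unless new_value
+if [:ports, :source_ports].include?(property)
+new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
+elsif property == :description
+new_value = default_description(new_resource)
+end
+converge_if_changed property do
+key = property == :short ? 'name' : property.to_s
+service.update2({ key => new_value })
+reload = true
+end
+end
+
+if reload
+converge_by ['reload permanent configuration of firewalld'] do
+fw.reload
+end
+end
+end
+
+action_class do
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::FirewalldDBus
+end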
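Review bot: `key = property == :short ? 'name' : property.to_s` sends the short name to `service.update2` under the key `name`, yet `load_current_value` reads the same settings back with `getSettings2` and feeds each key to `send(k, v)`, which can only populate the `short` property if firewalld returns that key as `short`. If the settings dictionary is keyed `short` in both directions, every freshly created service (where `converge_if_changed :short` fires because nothing was loaded for it) would hit an invalid-setting error on the first update; please confirm the key against the D-Bus interface and, if so, drop the special case, `service.update2({ property.to_s => new_value })`. `next unless new_value` also skips a property explicitly set to `false`, harmless today since no boolean property is declared here, but the policy hunk uses `next if new_value.nil?` for the same loop and the two should agree.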
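--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,118 @@
+unified_mode true
+
+provides :firewalld_zone,
+os: 'linux'
+
+property :description,
+String,
+description: 'see description tag in firewalld.zone(5).'
+property :forward,
+[true, false],
+description: 'see forward tag in firewalld.zone(5).'
+property :forward_ports,
+[Array, String],
+description: 'array of (port, protocol, to-port, to-addr). See forward-port tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :icmp_block_inversion,
+[true, false],
+description: 'see icmp-block-inversion tag in firewalld.zone(5).'
+property :icmp_blocks,
+[Array, String],
+description: 'array of icmp-blocks. See icmp-block tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :interfaces,
+[Array, String],
+description: 'array of interfaces. See interface tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :masquerade,
+[true, false],
+description: 'see masquerade tag in firewalld.zone(5).'
+property :ports,
+[Array, String],
+description: 'array of port and protocol pairs. See port tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :protocols,
+[Array, String],
+description: 'array of protocols, see protocol tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :rules_str,
+[Array, String],
+description: 'array of rich-language rules. See rule tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :services,
+[Array, String],
+description: 'array of service names, see service tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :short,
+String,
+name_property: true,
+description: 'see short tag in firewalld.zone(5).'
+property :source_ports,
+[Array, String],
+description: 'array of port and protocol pairs. See source-port tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :sources,
+[Array, String],
+description: 'array of source addresses. See source tag in firewalld.zone(5).',
+coerce: proc { |o| Array(o) }
+property :target,
+String,
+description: 'see target attribute of zone tag in firewalld.zone(5).'
+property :version,
+String,
+description: 'see version attribute of zone tag in firewalld.zone(5).'
+
+load_current_value do |new_resource|
+sysbus = DBus.system_bus
+firewalld_service = sysbus['org.fedoraproject.FirewallD1']
+firewalld_object = firewalld_service['/org/fedoraproject/FirewallD1/config']
+fw_config = firewalld_object['org.fedoraproject.FirewallD1.config']
+if fw_config.getZoneNames.include?(new_resource.short)
+zone_path = fw_config.getZoneByName(new_resource.short)
+object = firewalld_service[zone_path]
+config_zone = object['org.fedoraproject.FirewallD1.config.zone']
+config_zone.getSettings2.each do |k, v|
+send(k, v)
+end
+else
+Chef::Log.info "Zone #{new_resource.short} does not exist. Will be created."
+end
+end
+
+action :update do
+dbus = DBus.system_bus
+fw = firewalld_interface(dbus)
+fw_config = config_interface(dbus)
+
+unless fw_config.getZoneNames.include?(new_resource.short)
+fw_config.addZone2(new_resource.short, {})
+end
+zone_path = fw_config.getZoneByName(new_resource.short)
+zone = zone_interface(dbus, zone_path)
+
+reload = false
+properties = new_resource.class.state_properties.map(&:name)
+properties.each do |property|
+new_value = new_resource.send(property)
+next unless new_value
+if [:ports, :source_ports].include?(property)
+new_value = DBus.variant('a(ss)', new_value.map { |e| e.split('/') })
+elsif [:forward_ports].include?(property)
+new_value = forward_ports_to_dbus(new_resource)
+end
+converge_if_changed property do
+zone.update2({ property.to_s => new_value })
+reload = true
+end
+end
+
+if reload
+converge_by ['reload permanent configuration of firewalld'] do
+fw.reload
+end
+end
+end
+
+action_class do
+include FirewallCookbook::Helpers::FirewalldDBus
+end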
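Review bot: `next unless new_value` in the `properties.each` loop of `action :update` treats `false` the same as an unset property, so a zone declared with `masquerade false`, `forward false` or `icmp_block_inversion false` is never converged and an existing permanent masquerade/forward setting cannot be switched off through this resource; `next if new_value.nil?` is the guard that matches the `[true, false]` property types. The same pattern appears in the preceding firewalld service hunk, which starts outside this view. In `load_current_value`, `send(k, v)` is driven by whatever keys `getSettings2` returns, so a firewalld build that reports a setting key with no matching property raises `NoMethodError` instead of loading state, and `send` would also reach private methods; `public_send(k, v) if respond_to?(k)` (or an explicit allow-list built from `state_properties`) is safer. Since `update2` is keyed by `property.to_s`, a comment such as `# property names are deliberately the firewalld setting keys used by getSettings2/update2` would make that coupling explicit for the next maintainer.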
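--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,71 @@
+unified_mode true
+
+include FirewallCookbook::Helpers
+include FirewallCookbook::Helpers::Nftables
+
+provides :nftables,
+os: 'linux'
+
+property :rules,
+Hash,
+default: {}
+property :input_policy,
+String,
+equal_to: %w(drop accept),
+default: 'accept'
+property :output_policy,
+String,
+equal_to: %w(drop accept),
+default: 'accept'
+property :forward_policy,
+String,
+equal_to: %w(drop accept),
+default: 'accept'
+property :table_ip_nat,
+[true, false],
+default: false
+property :table_ip6_nat,
+[true, false],
+default: false
+property :nftables_conf_path, String,
+description: 'nftables.conf filepath',
+default: lazy { default_nftables_conf_path }
+
+action :install do
+package 'nftables' do
+action :install
+notifies :rebuild, "nftables[#{new_resource.name}]"
+end
+end
+
+action :rebuild do
+ensure_default_rules_exist(new_resource)
+
+file new_resource.nftables_conf_path do
+content <<~NFT
+#!/usr/sbin/nft -f
+flush ruleset
+#{build_rule_file(new_resource.rules)}
+NFT
+mode '0750'
+owner 'root'
+group 'root'
+notifies :restart, 'service[nftables]'
+end
+
+service 'nftables' do
+action [:enable, :start]
+end
+end
+
+action :restart do
+service 'nftables' do
+action :restart
+end
+end
+
+action :disable do
+service 'nftables' do
+action [:disable, :stop]
+end
+end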
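Review bot: The `rules`, `input_policy`, `output_policy`, `forward_policy`, `table_ip_nat` and `table_ip6_nat` properties carry no `description:`, unlike `nftables_conf_path` here and every property of the firewalld resources in the preceding hunks; `rules` in particular should state what shape of Hash `build_rule_file` expects, since its output is interpolated straight into the generated `nftables.conf` and that is where a malformed rule string ends up. In `action :rebuild` the generated file opens with `flush ruleset`, so each rebuild replaces the entire kernel ruleset, including anything added outside this resource; a one-line comment above `content <<~NFT` such as `# flush ruleset: this file is the single source of truth, rules added out-of-band are discarded on restart` would make that operational consequence visible. `ensure_default_rules_exist` and `build_rule_file` are defined in `FirewallCookbook::Helpers::Nftables`, outside this hunk, so the policy defaults are presumably applied there rather than in this file.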