cloud-mu 3.5.0 → 3.6.3

  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
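--- a/data/cookbooks/mu-master/recipes/update_nagios_only.rb
+++ b/data/cookbooks/mu-master/recipes/update_nagios_only.rb
@@ -16,227 +16,300 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-include_recipe "mu-nagios::server_source"
-include_recipe "mu-nagios"
+include_recipe "nagios::server_source"
+include_recipe "nagios"
 include_recipe 'mu-master::firewall-holes'
 
-if $MU_CFG.has_key?('ldap')
-include_recipe 'chef-vault'
-bind_creds = chef_vault_item($MU_CFG['ldap']['bind_creds']['vault'], $MU_CFG['ldap']['bind_creds']['item'])
-node.normal['nagios']['server_auth_method'] = "ldap"
-node.normal['nagios']['ldap_bind_dn'] = bind_creds[$MU_CFG['ldap']['bind_creds']['username_field']]
-node.normal['nagios']['ldap_bind_password'] = bind_creds[$MU_CFG['ldap']['bind_creds']['password_field']]
-if $MU_CFG['ldap']['type'] == "Active Directory"
-node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?sAMAccountName?sub?(objectClass=*)"
-else
-node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?uid?sub?(objectClass=*)"
-node.normal['nagios']['ldap_group_attribute'] = "memberUid"
-node.normal['nagios']['ldap_group_attribute_is_dn'] = "Off"
-# Trying to use SSL seems to cause mod_ldap to die without logging any errors,
-# currently. Probably an Apache bug? XXX
-# node.normal['nagios'][:ldap_trusted_global_cert] = "CA_BASE64 #{$MU_CFG['ssl']['chain']}"
-# node.normal['nagios'][:ldap_trusted_mode] = "SSL"
-end
-node.normal['nagios']['server_auth_require'] = "ldap-group #{$MU_CFG['ldap']['user_group_dn']}"
-node.normal['nagios']['ldap_authoritative'] = "On"
-node.save
-end
+log "#{node['recipes']}"
 
-# XXX The Nagios init script from source is buggy; config test always fails
-# when invoked via "service nagios start," which is what the cookbook does.
-# This at least keeps it from trashing our Chef runs.
-file "/etc/sysconfig/nagios" do
-content "checkconfig=\"false\"\n"
-mode 0600
+# Define this so it's present for solo runs of this recipe
+if !node['recipes'].include?("mu-master::default") or node['update_nagios_only']
+service 'apache2' do
+extend Apache2::Cookbook::Helpers
+service_name lazy { apache_platform_service_name }
+supports restart: true, status: true, reload: true
+action :enable
+end
 end
-include_recipe "mu-nagios"
 
-# scrub our old stuff if it's around
-["nagios_fifo", "nagios_more_selinux"].each { |policy|
-execute "/usr/sbin/semodule -r #{policy}" do
-only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+if $MU_CFG['disable_nagios']
+log "Ignoring Nagios setup per Mu config"
+else
+if $MU_CFG.has_key?('ldap')
+include_recipe 'chef-vault'
+bind_creds = chef_vault_item($MU_CFG['ldap']['bind_creds']['vault'], $MU_CFG['ldap']['bind_creds']['item'])
+node.normal['nagios']['server_auth_method'] = "ldap"
+node.normal['nagios']['ldap_bind_dn'] = bind_creds[$MU_CFG['ldap']['bind_creds']['username_field']]
+node.normal['nagios']['ldap_bind_password'] = bind_creds[$MU_CFG['ldap']['bind_creds']['password_field']]
+if $MU_CFG['ldap']['type'] == "Active Directory"
+node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?sAMAccountName?sub?(objectClass=*)"
+else
+node.normal['nagios']['ldap_url'] = "ldap://#{$MU_CFG['ldap']['dcs'].first}/#{$MU_CFG['ldap']['base_dn']}?uid?sub?(objectClass=*)"
+node.normal['nagios']['ldap_group_attribute'] = "memberUid"
+node.normal['nagios']['ldap_group_attribute_is_dn'] = "Off"
+# Trying to use SSL seems to cause mod_ldap to die without logging any errors,
+# currently. Probably an Apache bug? XXX
+# node.normal['nagios'][:ldap_trusted_global_cert] = "CA_BASE64 #{$MU_CFG['ssl']['chain']}"
+# node.normal['nagios'][:ldap_trusted_mode] = "SSL"
+end
+node.normal['nagios']['server_auth_require'] = "ldap-group #{$MU_CFG['ldap']['user_group_dn']}"
+node.normal['nagios']['ldap_authoritative'] = "On"
+node.save
+end
+
+# XXX The Nagios init script from source is buggy; config test always fails
+# when invoked via "service nagios start," which is what the cookbook does.
+# This at least keeps it from trashing our Chef runs.
+file "/etc/sysconfig/nagios" do
+content "checkconfig=\"false\"\n"
+mode 0600
 end
-}
+include_recipe "nagios"
 
-nagios_policies = ["nagios_selinux"]
+# scrub our old stuff if it's around
+["nagios_fifo", "nagios_more_selinux"].each { |policy|
+execute "/usr/sbin/semodule -r #{policy}" do
+only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+end
+}
 
-if platform_family?("rhel") and node['platform_version'].to_i == 7
-nagios_policies << "nagios_selinux_7"
-end
+nagios_policies = ["nagios_selinux"]
 
-# Restart Nagios inelegantly, because the standard service resource doesn't
-# seem to work reliably on CentOS 7 or RHEL 7. May be an issue with the nagios
-# community cookbook? Maybe it doesn't do systemctl correctly?
-bash "RHEL7-family Nagios restart" do
-code <<-EOH
-/bin/systemctl stop nagios.service
-/bin/pkill -u nagios
-/bin/rm -f /var/run/nagios/nagios.pid
-/bin/systemctl start nagios.service
-EOH
-action :nothing
-end
+if platform_family?("rhel") and node['platform_version'].to_i == 7
+nagios_policies << "nagios_selinux_7"
+end
 
-nagios_policies.each { |policy|
-execute "/usr/sbin/semodule -r #{policy}" do
+# Restart Nagios inelegantly, because the standard service resource doesn't
+# seem to work reliably on CentOS 7 or RHEL 7. May be an issue with the nagios
+# community cookbook? Maybe it doesn't do systemctl correctly?
+bash "RHEL7-family Nagios restart" do
+code <<-EOH
+/bin/systemctl stop nagios.service
+/bin/pkill -u nagios
+/bin/rm -f /var/run/nagios/nagios.pid
+/bin/systemctl start nagios.service
+EOH
 action :nothing
-only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
 end
-cookbook_file "#{policy}.pp" do
-path "#{Chef::Config[:file_cache_path]}/#{policy}.pp"
-notifies :run, "execute[/usr/sbin/semodule -r #{policy}]", :immediately
+
+nagios_policies.each { |policy|
+execute "/usr/sbin/semodule -r #{policy}" do
+action :nothing
+only_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+end
+cookbook_file "#{policy}.pp" do
+path "#{Chef::Config[:file_cache_path]}/#{policy}.pp"
+notifies :run, "execute[/usr/sbin/semodule -r #{policy}]", :immediately
+end
+execute "Add Nagios-related SELinux policies: #{policy}" do
+command "/usr/sbin/semodule -i #{policy}.pp"
+cwd Chef::Config[:file_cache_path]
+not_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
+notifies :reload, "service[apache2]", :delayed
+notifies :restart, "service[nrpe]", :delayed
+if platform_family?("rhel") and node['platform_version'].to_i >= 7
+notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
+else
+notifies :reload, "service[nagios]", :delayed
+end
+end
+}
+
+# Workaround for minor Nagios (cookbook?) bug. It looks for this at the wrong
+# URL at the moment, so copy it where it's actually looking.
+if File.exist?("/usr/lib/cgi-bin/nagios/statusjson.cgi")
+remote_file "/usr/lib/cgi-bin/statusjson.cgi" do
+source "file:///usr/lib/cgi-bin/nagios/statusjson.cgi"
+mode 0755
+owner "root"
+group "nagios"
+end
 end
-execute "Add Nagios-related SELinux policies: #{policy}" do
-command "/usr/sbin/semodule -i #{policy}.pp"
-cwd Chef::Config[:file_cache_path]
-not_if "/usr/sbin/semodule -l | egrep '^#{policy}(\t|$)'"
-notifies :reload, "service[apache2]", :delayed
-notifies :restart, "service[nrpe]", :delayed
+
+# ... the nagios cookbook is bafflingly inconsistent
+directory "/usr/lib/cgi-bin/nagios" do
+mode 0755
+owner "root"
+group "nagios"
+end
+Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
+shortname = script.gsub(/.*?\/([^\/]+)$/, '\1')
+remote_file "/usr/lib/cgi-bin/nagios/#{shortname}" do
+source "file:///#{script}"
+mode 0755
+owner "root"
+group "nagios"
+end
+}
+
+# Fish up any non-Chef hosts, which otherwise won't appear in Chef's
+# inventory, and tell Nagios about them.
+non_chef = {}
+baskets.each_pair { |deploy_id, basket|
+if basket["servers"]
+basket["servers"].each { |server|
+next if server["groomer"] == "Chef"
+next if server.has_key?("monitor") and !server["monitor"]
+non_chef[deploy_id] ||= []
+non_chef[deploy_id] << server
+}
+end
+if basket["server_pools"]
+basket["server_pools"].each { |pool|
+next if pool["groomer"] == "Chef"
+next if pool.has_key?("monitor") and !pool["monitor"]
+non_chef[deploy_id] ||= []
+non_chef[deploy_id] << pool
+}
+end
+}
+deploy_metadata = deployments()
+non_chef.each_pair { |deploy_id, servers|
+servers.each { |server_blob|
+servername = server_blob["name"]
+platform = server_blob["platform"] =~ /^win/ ? "windows" : "linux"
+deploy_metadata[deploy_id]['servers'][servername].each_pair { |mu_name, server|
+nagios_host mu_name do
+options(
+"hostgroups" => ([platform] + server["run_list"] + ["mu-node"] + [deploy_metadata[deploy_id]["environment"]]).join(","),
+"address" => server["private_ip_address"]
+)
+end
+}
+}
+}
+
+["/usr/lib/nagios", "/etc/nagios", "/etc/nagios3", "/var/www/html/docs"].each { |dir|
+if Dir.exist?(dir)
+execute "chcon -R -h -t httpd_sys_content_t #{dir}" do
+not_if "ls -aZ #{dir} | grep ':httpd_sys_content_t:'"
+returns [0, 1]
+notifies :reload, "service[apache2]", :delayed
+end
+end
+}
+
+["/usr/lib/cgi-bin"].each { |cgidir|
+if Dir.exist?(cgidir)
+execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
+not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
+notifies :reload, "service[apache2]", :delayed
+end
+end
+}
+if File.exist?("/usr/lib64/nagios/plugins/check_nagios")
+execute "chcon -R -h system_u:object_r:nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
+not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
+end
+end
+
+# execute "chgrp apache /var/log/nagios"
+["/etc/nagios/conf.d/", "/etc/nagios/*.cfg", "/var/run/nagios.pid"].each { |dir|
+execute "/sbin/restorecon -R #{dir}" do
+not_if "ls -aZ #{dir} | grep ':nagios_etc_t:'"
+only_if { ::File.exist?(dir) }
+end
+}
+
+execute "/sbin/restorecon -R /var/log/nagios"
+
+# The Nagios cookbook currently screws up this setting, so work around it.
+execute "sed -i s/^interval_length=.*/interval_length=1/ || echo 'interval_length=1' >> /etc/nagios/nagios.cfg" do
+not_if "grep '^interval_length=1$' /etc/nagios/nagios.cfg"
 if platform_family?("rhel") and node['platform_version'].to_i >= 7
 notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
 else
 notifies :reload, "service[nagios]", :delayed
 end
 end
-}
 
-# Workaround for minor Nagios (cookbook?) bug. It looks for this at the wrong
-# URL at the moment, so copy it where it's actually looking.
-if File.exist?("/usr/lib/cgi-bin/nagios/statusjson.cgi")
-remote_file "/usr/lib/cgi-bin/statusjson.cgi" do
-source "file:///usr/lib/cgi-bin/nagios/statusjson.cgi"
+package "nagios-plugins-nrpe"
+package "nagios-plugins-disk"
+include_recipe "mu-tools::nrpe"
+
+cookbook_file "/usr/lib64/nagios/plugins/check_mem" do
+source "check_mem.pl"
 mode 0755
 owner "root"
-group "nagios"
+notifies :restart, "service[nrpe]", :delayed
 end
-end
 
-# ... the nagios cookbook is bafflingly inconsistent
-directory "/usr/lib/cgi-bin/nagios" do
-mode 0755
-owner "root"
-group "nagios"
-end
-Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
-shortname = script.gsub(/.*?\/([^\/]+)$/, '\1')
-remote_file "/usr/lib/cgi-bin/nagios/#{shortname}" do
-source "file:///#{script}"
+cookbook_file "/usr/lib64/nagios/plugins/check_elastic" do
+source "check_elastic.sh"
 mode 0755
 owner "root"
-group "nagios"
 end
-}
 
-["/usr/lib/nagios", "/etc/nagios", "/etc/nagios3", "/var/www/html/docs"].each { |dir|
-if Dir.exist?(dir)
-execute "chcon -R -h -t httpd_sys_content_t #{dir}" do
-not_if "ls -aZ #{dir} | grep ':httpd_sys_content_t:'"
-returns [0, 1]
-notifies :reload, "service[apache2]", :delayed
-end
+cookbook_file "/usr/lib64/nagios/plugins/check_kibana" do
+source "check_kibana.rb"
+mode 0755
+owner "root"
 end
-}
 
-["/usr/lib/cgi-bin"].each { |cgidir|
-if Dir.exist?(cgidir)
-execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
-not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
-notifies :reload, "service[apache2]", :delayed
-end
-end
-}
-if File.exist?("/usr/lib64/nagios/plugins/check_nagios")
-execute "chcon -R -h system_u:object_r:nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
-not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
+nagios_command "check_elastic" do
+options 'command_line' => %Q{$USER1$/check_elastic -H $HOSTADDRESS$ -t master -S -u $ARG1$ -p $ARG2$}
 end
-end
 
-# execute "chgrp apache /var/log/nagios"
-["/etc/nagios/conf.d/", "/etc/nagios/*.cfg", "/var/run/nagios.pid"].each { |dir|
-execute "/sbin/restorecon -R #{dir}" do
-not_if "ls -aZ #{dir} | grep ':nagios_etc_t:'"
-only_if { ::File.exist?(dir) }
+nagios_command "check_kibana" do
+options 'command_line' => %Q{$USER1$/check_kibana -h $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ --port $ARG3$ --basepath $ARG4$}
 end
-}
-
-execute "/sbin/restorecon -R /var/log/nagios"
 
-# The Nagios cookbook currently screws up this setting, so work around it.
-execute "sed -i s/^interval_length=.*/interval_length=1/ || echo 'interval_length=1' >> /etc/nagios/nagios.cfg" do
-not_if "grep '^interval_length=1$' /etc/nagios/nagios.cfg"
-if platform_family?("rhel") and node['platform_version'].to_i >= 7
-notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
-else
-notifies :reload, "service[nagios]", :delayed
+file "/etc/sysconfig/nrpe" do
+content "NRPE_SSL_OPT=\"\"\n"
 end
-end
-
-package "nagios-plugins-nrpe"
-package "nagios-plugins-disk"
-include_recipe "mu-tools::nrpe"
-
-cookbook_file "/usr/lib64/nagios/plugins/check_mem" do
-source "check_mem.pl"
-mode 0755
-owner "root"
-notifies :restart, "service[nrpe]", :delayed
-end
-
-file "/etc/sysconfig/nrpe" do
-content "NRPE_SSL_OPT=\"\"\n"
-end
 
-#Sometimes doesnt exist on the first run
-directory "/opt/mu/var/nagios_user_home" do
-owner "nagios"
-group "nagios"
-mode 0700
-end
+# Sometimes doesn't exist on the first run
+directory "/opt/mu/var/nagios_user_home" do
+owner "nagios"
+group "nagios"
+mode 0700
+end
 
-directory "/opt/mu/var/nagios_user_home/.ssh" do
-owner "nagios"
-group "nagios"
-mode 0711
-end
-file "/opt/mu/var/nagios_user_home/.ssh/known_hosts" do
-owner "nagios"
-group "nagios"
-mode 0600
-end
-file "/opt/mu/var/nagios_user_home/.ssh/known_hosts2" do
-owner "nagios"
-group "nagios"
-mode 0600
-end
+directory "/opt/mu/var/nagios_user_home/.ssh" do
+owner "nagios"
+group "nagios"
+mode 0711
+end
+file "/opt/mu/var/nagios_user_home/.ssh/known_hosts" do
+owner "nagios"
+group "nagios"
+mode 0600
+end
+file "/opt/mu/var/nagios_user_home/.ssh/known_hosts2" do
+owner "nagios"
+group "nagios"
+mode 0600
+end
 
 
-nrpe_check "check_mem" do
-command "#{node['nrpe']['plugin_dir']}/check_mem"
-warning_condition '80'
-critical_condition '95'
-action :add
-end
+nrpe_check "check_mem" do
+command "#{node['nrpe']['plugin_dir']}/check_mem"
+warning_condition '80'
+critical_condition '95'
+action :add
+end
 
-nagios_command 'host_notify_by_email' do
-options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "$NOTIFICATIONTYPE$ - $HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
-end
+nagios_command 'host_notify_by_email' do
+options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "$NOTIFICATIONTYPE$ - $HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
+end
 
-nagios_command 'service_notify_by_email' do
-options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$ - $SERVICEDESC$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$\n\n$SERVICEOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "** $NOTIFICATIONTYPE$ - $HOSTALIAS$ - $SERVICEDESC$ - $SERVICESTATE$ ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
-end
+nagios_command 'service_notify_by_email' do
+options 'command_line' => '/usr/bin/printf "%b" "$LONGDATETIME$ - $SERVICEDESC$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTALIAS$ $NOTIFICATIONTYPE$\n\n$SERVICEOUTPUT$\n\nLogin: ssh://$HOSTNAME$" | ' + node['nagios']['server']['mail_command'] + ' -s "** $NOTIFICATIONTYPE$ - $HOSTALIAS$ - $SERVICEDESC$ - $SERVICESTATE$ ('+$MU_CFG['hostname']+')" $CONTACTEMAIL$'
+end
 
-nagios_command 'host_notify_by_sms_email' do
-options 'command_line' => '/usr/bin/printf "%b" "$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
-end
+nagios_command 'host_notify_by_sms_email' do
+options 'command_line' => '/usr/bin/printf "%b" "$HOSTALIAS$ $NOTIFICATIONTYPE$ $HOSTSTATE$ ('+$MU_CFG['hostname']+')\n\n$HOSTOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $HOSTSTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
+end
 
-nagios_command 'service_notify_by_sms_email' do
-options 'command_line' => '/usr/bin/printf "%b" "$SERVICEDESC$ $NOTIFICATIONTYPE$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$SERVICEOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $SERVICEDESC$ $SERVICESTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
-end
+nagios_command 'service_notify_by_sms_email' do
+options 'command_line' => '/usr/bin/printf "%b" "$SERVICEDESC$ $NOTIFICATIONTYPE$ $SERVICESTATE$ ('+$MU_CFG['hostname']+')\n\n$SERVICEOUTPUT$" | ' + node['nagios']['server']['mail_command'] + ' -s "$HOSTALIAS$ $SERVICEDESC$ $SERVICESTATE$! ('+$MU_CFG['hostname']+')" $CONTACTPAGER$'
+end
 
-execute "chgrp nrpe /etc/nagios/nrpe.d/*"
-execute "/sbin/restorecon /etc/nagios/nrpe.cfg" do
-if platform_family?("rhel") and node['platform_version'].to_i >= 7
-notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
+execute "chgrp nrpe /etc/nagios/nrpe.d/*"
+execute "/sbin/restorecon /etc/nagios/nrpe.cfg" do
+if platform_family?("rhel") and node['platform_version'].to_i >= 7
+notifies :run, "bash[RHEL7-family Nagios restart]", :delayed
+end
 end
+include_recipe "mu-master::init" # gem permission fixes, mainly
 end
-include_recipe "mu-master::init" # gem permission fixes, mainly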
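Review bot: `node.normal['nagios']['ldap_bind_password'] = bind_creds[...]` followed by `node.save` in the new `else` branch persists the LDAP bind password fetched from chef-vault as a plaintext normal attribute on the Chef server node object, where it is readable by anything with node read access and shows up in node searches; the vault lookup protects the secret only until that save. If the nagios cookbook's templates cannot be fed another way (e.g. via `node.run_state`, which is never saved), at least add a comment on the `node.save` line stating that the credential is being persisted and why that is accepted. `log "#{node['recipes']}"` near the top of the hunk reads as leftover debugging that prints the full run list at info level on every converge; drop it or change it to `log "#{node['recipes']}" do level :debug end`. The `execute "chgrp nrpe /etc/nagios/nrpe.d/*"` near the end has no guard and re-runs every converge, so a `not_if` checking the group would keep the run idempotent.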
@@ -35,19 +35,13 @@
35
35
  SetHandler application/x-httpd-php
36
36
  </FilesMatch>
37
37
 
38
- <% if @https -%>
39
38
  SSLEngine On
40
- SSLProtocol <%= node['nagios']['ssl_protocols'] %>
41
- <% if node['nagios']['ssl_ciphers'] != nil -%>
42
- SSLCipherSuite <%= node['nagios']['ssl_ciphers'] %>
43
- <% end -%>
44
- SSLCertificateFile <%= @ssl_cert_file %>
45
- <% if node['nagios']['ssl_cert_chain_file'] %>
46
- SSLCertificateChainFile <%= node['nagios']['ssl_cert_chain_file'] %>
47
- <% end -%>
48
- SSLCertificateKeyFile <%= @ssl_cert_key %>
39
+ SSLCertificateFile <%= $MU_CFG['ssl']['cert'] %>
40
+ SSLCertificateKeyFile <%= $MU_CFG['ssl']['key'] %>
41
+ <% if $MU_CFG['ssl'].has_key?("chain") and !$MU_CFG['ssl']['chain'].empty? %>
42
+ SSLCertificateChainFile <%= $MU_CFG['ssl']['chain'] %>
43
+ <% end %>
49
44
 
50
- <% end -%>
51
45
  <% case node['nagios']['server_auth_method'] -%>
52
46
  <% when "openid" -%>
53
47
  <Location />
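Review bot: The rewritten SSL stanza drops the `SSLProtocol` and `SSLCipherSuite` directives together with the `@https` guard, so this vhost now inherits whatever protocol and cipher policy the server-wide mod_ssl configuration sets, which may be looser than what the removed per-vhost lines enforced. If the `node['nagios']['ssl_protocols']` / `node['nagios']['ssl_ciphers']` attributes still exist in the cookbook now in use, re-add `SSLProtocol <%= node['nagios']['ssl_protocols'] %>` and the conditional `SSLCipherSuite` line; otherwise set an explicit policy sourced from `$MU_CFG` next to the certificate lines. Separately, the new chain guard calls `.empty?` on the value directly, so a `chain` key that is present with a nil value raises instead of being skipped; `<% if $MU_CFG['ssl'].has_key?("chain") and !$MU_CFG['ssl']['chain'].to_s.empty? %>` covers both cases.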
@@ -20,6 +20,9 @@
20
20
 
21
21
  ProxyPreserveHost on
22
22
  AllowEncodedSlashes off
23
+ SSLProxyCheckPeerName off
24
+ SSLProxyCheckPeerCN off
25
+ ProxyAddHeaders off
23
26
 
24
27
  # Scratchpad, the Mu secret-sharer
25
28
  ProxyPass /scratchpad https://localhost:<%= MU.mommaCatPort.to_s %>/scratchpad
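Review bot: `SSLProxyCheckPeerName off` and `SSLProxyCheckPeerCN off` disable hostname verification for every TLS backend this vhost proxies to, not only the localhost Momma Cat/scratchpad target a few lines below, and nothing in the hunk records why. Presumably the local service presents a certificate that is not issued for `localhost`; if so, state that in a comment, e.g. `# Local Momma Cat listener's cert is not issued for 'localhost'; name checks are skipped for that reason only — keep SSLProxyVerify and SSLProxyCACertificateFile pointed at its CA`, and consider placing the two directives inside a `<Proxy>` block for that target so a future ProxyPass to a remote host does not silently inherit them. Whether `SSLProxyVerify` is set elsewhere in this file is not visible from the hunk.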
@@ -9,4 +9,4 @@ cookbook 'mu-utility'
9
9
  # Supermarket Cookbooks
10
10
  cookbook 'simple_iptables', '~> 0.8.0'
11
11
  cookbook 'mysql', '~> 8.5.1'
12
- cookbook 'yum-epel', '~> 3.2.0'
12
+ cookbook 'yum-epel', '~> 5.0.8'
@@ -16,5 +16,5 @@ end
16
16
  depends 'mu-utility'
17
17
  depends 'simple_iptables', '~> 0.8.0'
18
18
  depends 'mysql', '~> 8.5.1'
19
- depends 'yum-epel', '~> 3.2.0'
20
- depends 'apache2', '< 6.0.0'
19
+ depends 'yum-epel', '~> 5.0.8'
20
+ depends 'apache2', '~> 9.0.3'
@@ -4,19 +4,18 @@ source chef_repo: ".."
4
4
  metadata
5
5
 
6
6
  # Mu Cookbooks
7
- cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
8
7
  cookbook "mu-utility"
9
8
  cookbook "mu-splunk"
10
9
  cookbook "mu-firewall"
11
10
  cookbook "mu-activedirectory"
12
11
 
13
12
  # Supermarket Cookbooks
13
+ cookbook "nagios"
14
14
  cookbook "oracle-instantclient", '~> 1.1.0'
15
15
  cookbook "database", '~> 6.1.1'
16
16
  cookbook "postgresql", '~> 7.1.0'
17
17
  cookbook "java", '~> 2.2.0'
18
18
  cookbook "windows", '~> 5.1.1'
19
19
  cookbook "chef-vault", '~> 3.1.1'
20
- cookbook "poise-python", '~> 1.7.0'
21
- cookbook "yum-epel", '~> 3.2.0'
20
+ cookbook "yum-epel", '~> 5.0.8'
22
21
  cookbook 'selinux', '~> 3.0.0'
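Review bot: `cookbook "nagios"` is added with no version constraint while every other Supermarket entry in this block pins one, so a fresh `berks install` without a lockfile resolves to whatever the newest Supermarket release is at that moment. Replacing the git-sourced `mu-nagios` line with an unconstrained name also drops the explicit provenance the old entry carried. Add a constraint matching the release this was tested against, e.g. `cookbook "nagios", '~> <TESTED_MAJOR.MINOR>'` (placeholder), so the Berksfile and the lockfile agree on the intended range.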
@@ -141,10 +141,9 @@ default['application_attributes']['var_log_audit']['mount_directory'] = "/var/lo
141
141
 
142
142
  default['banner']['path'] = "etc/BANNER-FEDERAL"
143
143
  # firewalld support in the firewall cookbook is too stupid to breathe
144
- default['firewall']['redhat7_iptables'] = true
145
- #if node['platform'] == 'amazon'
146
- # override['firewall']['redhat7_iptables'] = true
147
- #end
144
+ if !(node['platform_family'] == 'amazon' and node['platform_version'].to_i == 2023)
145
+ default['firewall']['redhat7_iptables'] = true
146
+ end
148
147
 
149
148
  # We probably don't want to set java defaults here. This may cause issues with attribute precedence when other cookbooks try to install a different version of Java (JDK 7 is not supported/patched)
150
149
  # if platform_family?("windows")
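Review bot: The new guard excludes only `platform_version.to_i == 2023`, so the next Amazon Linux release — whose version is also a year-style number — would fall back into the `!` branch and set `redhat7_iptables` again. Compare with a lower bound instead, `if !(node['platform_family'] == 'amazon' and node['platform_version'].to_i >= 2023)`, or the more idiomatic `unless node['platform_family'] == 'amazon' && node['platform_version'].to_i >= 2023`. The comment above still only describes the firewalld situation in general; a line such as `# Amazon Linux 2023 and later are deliberately left on the firewall cookbook's default (see <TICKET-PLACEHOLDER>)` would record why the exclusion exists, since that reason is not stated in the hunk.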