Showing
4 changed files
with
156 additions
and
0 deletions.
@@ -0,0 +1,2 @@ | ||
-- Alexis Mousset <alexis.mousset@rudder.io> Mon, 26 Sep 2020 17:19:00 +0100 | ||
* Version 1.0 |
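--- a/techniques/systemSettings/networking/firewall/1.0/firewall.st
+++ b/techniques/systemSettings/networking/firewall/1.0/firewall.st
@@ -0,0 +1,94 @@
+# Here we have our firewall configuration (iptables or nftables)
+# But format may not be exactly what the output of iptables-save or nft export.
+# What we will do it to maintain an export from a previous run to be able to compare
+# with current export and detect changes.
+# This way we will be able to report config diffs and fix the config when necessary.
+
+bundle agent firewall_RudderUniqueID {
+vars:
+"config" string => "&FIREWALL_CONF&";
+"firewall" string => "rudder_&FIREWALL_IMPL&";
+"posthook" string => "&FIREWALL_POST_HOOK_COMMAND&";
+"reference" string => "/var/rudder/tmp/firewall.ref";
+
+methods:
+"any" usebundle => enable_reporting;
+# Package
+"any" usebundle => _method_reporting_context("Installation", "None");
+"any" usebundle => package_present("${${firewall}.package}", "", "", "");
+# Service
+"any" usebundle => _method_reporting_context("Service activation", "None");
+"any" usebundle => service_enabled("${${firewall}.service}");
+"any" usebundle => _method_reporting_context("Service start", "None");
+"any" usebundle => service_started("${${firewall}.service}");
+# Configuration
+"any" usebundle => _method_reporting_context("Firewall configuration", "None");
+"any" usebundle => file_from_string_mustache("${${firewall}.conf_pre}${config}", "${${firewall}.file}");
+# Changes
+"any" usebundle => _method_reporting_context("Firewall changes", "None");
+"any" usebundle => variable_string_from_file("firewall_technique", "firewall_conf_ref", "${reference}");
+"any" usebundle => disable_reporting;
+"any" usebundle => variable_string_from_command("firewall_technique", "firewall_conf", "${${firewall}.dump_cmd}");
+"any" usebundle => enable_reporting;
+"any" usebundle => rudder_condition_from_string_compare("firewall_technique_conf", "${firewall_technique.firewall_conf_ref}", "${firewall_technique.firewall_conf}");
+"any" usebundle => enable_reporting;
+"any" usebundle => rudder_common_report("firewall", "log_warn", "&TRACKINGKEY&", "Load configuration", "None", "Firewall configuration was modified since previous agent run"),
+if => canonify("variable_string_from_file_${reference}_ok.firewall_technique_conf_false");
+"any" usebundle => condition_from_expression("rudder_firewall_conf_repaired", "true"),
+# needed because we cannot use the expression in a canonify directly
+if => canonify("file_from_string_mustache_${${firewall}.file}_repaired");
+"any" usebundle => condition_from_expression("rudder_firewall_reload", "rudder_firewall_conf_repaired_true|firewall_technique_conf_false");
+# Reload
+rudder_firewall_reload_true::
+"any" usebundle => _method_reporting_context("Load configuration", "None");
+"any" usebundle => enable_reporting;
+"any" usebundle => service_reload("${${firewall}.service}");
+"any" usebundle => disable_reporting;
+# Dump just after change (not totally atomic here)
+"any" usebundle => variable_string_from_command("firewall_technique", "current_config_new", "${${firewall}.dump_cmd}");
+"any" usebundle => file_content("${reference}", "${firewall_technique.current_config_new}", "true");
+"any" usebundle => enable_reporting;
+rudder_firewall_reload_false::
+"any" usebundle => rudder_common_report("firewall", "result_na", "&TRACKINGKEY&", "Load configuration", "None", "Firewall configuration did not require modification");
+# Post-hook
+"any" usebundle => rudder_condition_from_string_compare("rudder_firewall_disable_posthook", "${posthook}", "");
+rudder_firewall_reload_true.rudder_firewall_disable_posthook_false::
+"any" usebundle => _method_reporting_context("Post-modification script", "None");
+"any" usebundle => command_execution("${posthook}");
+rudder_firewall_reload_false|rudder_firewall_disable_posthook_true::
+"any" usebundle => rudder_common_report("firewall", "result_na", "&TRACKINGKEY&", "Post-modification script", "None", "Post-hook command was not applicable");
+
+
+reports:
+"${firewall_technique.firewall_conf} vs. ${firewall_technique.firewall_conf_ref}";
+}
+
+# Uses the systemd service, compatible with recent debian, rhel and derivatives
+bundle common rudder_nftables {
+vars:
+"package" string => "nftables";
+"service" string => "nftables";
+"dump_cmd" string => "nft --stateless list ruleset";
+redhat::
+"file" string => "/etc/sysconfig/nftables.conf";
+# integrated to the systemd service
+"conf_pre" string => "";
+debian::
+"file" string => "/etc/nftables.conf";
+# in the beginning of the conf
+"conf_pre" string => "flush ruleset\n";
+}
+
+# TODO create generic method
+bundle agent rudder_condition_from_string_compare(condition_prefix, string1, string2) {
+classes:
+"${condition_prefix}_reached" scope => "namespace";
+"${condition_prefix}_true" expression => strcmp("${string1}", "${string2}"), scope => "namespace";
+"${condition_prefix}_false" not => "${condition_prefix}_true", scope => "namespace";
+}
+
+bundle agent rudder_variable_string_canonify(prefix, name, string) {
+vars:
+"${prefix}.${name}" string => canonify("${string}");
+}
+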
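Review bot: The `if` guard on the "Firewall configuration was modified since previous agent run" report canonifies the whole expression `variable_string_from_file_${reference}_ok.firewall_technique_conf_false`, so the `.` separating the two classes (like the `/` in `${reference}`) is rewritten to `_` and the result is a single class name that nothing ever defines; the warning can never fire. The comment on the next promise ("we cannot use the expression in a canonify directly") already states the right pattern, so canonify only the variable part: `if => and(canonify("variable_string_from_file_${reference}_ok"), "firewall_technique_conf_false");`. The unconditional `reports:` promise at the end of firewall_RudderUniqueID prints the complete current and reference rulesets on every agent run, which looks like a debugging leftover and copies the whole firewall configuration into the agent output and any log that collects it; drop it or guard it with a debug class. `enable_reporting` is also called twice in a row around rudder_condition_from_string_compare, and `rudder_variable_string_canonify` is defined but not used anywhere in this file.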
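--- a/techniques/systemSettings/networking/firewall/1.0/metadata.xml
+++ b/techniques/systemSettings/networking/firewall/1.0/metadata.xml
@@ -0,0 +1,59 @@
+<TECHNIQUE name="Firewall">
+<DESCRIPTION>Configures a simple firewall.
+
+TODO</DESCRIPTION>
+
+<MULTIINSTANCE>false</MULTIINSTANCE>
+<POLICYGENERATION>separated</POLICYGENERATION>
+
+<COMPATIBLE>
+<OS version=">= 9">RHEL / CentOS</OS>
+<OS version=">= 7">Debian / Ubuntu</OS>
+<AGENT version=">= 3.12">cfengine-community</AGENT>
+</COMPATIBLE>
+
+<BUNDLES>
+<NAME>firewall_RudderUniqueID</NAME>
+</BUNDLES>
+
+<TMLS>
+<TML name="firewall" />
+</TMLS>
+
+<SECTIONS>
+<SECTION name="Installation" component="true" />
+<SECTION name="Service activation" component="true" />
+<SECTION name="Service start" component="true" />
+<SECTION name="Firewall changes" component="true" />
+<SECTION name="Firewall configuration" component="true">
+<SELECT1>
+<NAME>FIREWALL_IMPL</NAME>
+<DESCRIPTION>Firewall to use</DESCRIPTION>
+<ITEM>
+<LABEL>nftables</LABEL>
+<VALUE>nftables</VALUE>
+</ITEM>
+<CONSTRAINT>
+<DEFAULT>nftables</DEFAULT>
+</CONSTRAINT>
+</SELECT1>
+<INPUT>
+<NAME>FIREWALL_CONF</NAME>
+<DESCRIPTION>Firewall configuration</DESCRIPTION>
+<LONGDESCRIPTION>Output of "iptables-save" or "nft list ruleset". It will be templated as mustache.</LONGDESCRIPTION>
+</INPUT>
+</SECTION>
+<SECTION name="Load configuration" component="true" />
+<SECTION name="Post-modification script" component="true">
+<INPUT>
+<NAME>FIREWALL_POST_HOOK_COMMAND</NAME>
+<DESCRIPTION>Command to run after changes the firewall configuration</DESCRIPTION>
+<CONSTRAINT>
+<TYPE>textarea</TYPE>
+<MAYBEEMPTY>true</MAYBEEMPTY>
+</CONSTRAINT>
+</INPUT>
+</SECTION>
+</SECTIONS>
+</TECHNIQUE>
+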
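Review bot: The FIREWALL_CONF LONGDESCRIPTION invites 'Output of "iptables-save" or "nft list ruleset"', but FIREWALL_IMPL has nftables as its only ITEM and firewall.st in this commit defines only rudder_nftables, so iptables-save output would be written to the nftables configuration file and fail to load; either reduce the wording to `<LONGDESCRIPTION>Output of "nft list ruleset". It will be templated as mustache.</LONGDESCRIPTION>` or add the implementation before advertising it. FIREWALL_CONF holds a multi-line ruleset yet, unlike FIREWALL_POST_HOOK_COMMAND, carries no `<CONSTRAINT><TYPE>textarea</TYPE></CONSTRAINT>`, which presumably leaves it as a single-line input in the UI. The top-level DESCRIPTION still contains a bare `TODO`, and the post-hook DESCRIPTION reads "Command to run after changes the firewall configuration"; `<DESCRIPTION>Command to run after changes to the firewall configuration</DESCRIPTION>` is the intended wording.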