Merge pull request #5 from ehaselwanter/fix-to-meet-new-testing-requirements

arlimus · arlimus · commit 5e6cd4291490 · 2015-01-14T15:14:18.000+01:00
fix puppet hardening to pass all requirements (this requires the latest tests-apache too)
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -21,10 +21,10 @@ platforms:
   driver_config:
     box: opscode-centos-6.5
     box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
-- name: oracle-6.4
-  driver_config:
-    box: oracle-6.4
-    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
+# - name: oracle-6.4
+#   driver_config:
+#     box: oracle-6.4
+#     box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
 - name: oracle-6.5
   driver_config:
     box: oracle-6.5
diff --git a/Gemfile b/Gemfile
@@ -25,7 +25,7 @@ end
 group :integration do
   gem 'test-kitchen'
   gem 'kitchen-vagrant'
-  gem 'kitchen-puppet', '= 0.0.11'
+  gem 'kitchen-puppet'
   gem 'librarian-puppet'
   gem 'kitchen-sharedtests', '~> 0.2.0'
 end
diff --git a/manifests/puppetlabs.pp b/manifests/puppetlabs.pp
@@ -30,6 +30,7 @@
   $apache_version = $apache::apache_version
   $confd_dir = $apache::confd_dir
   $conf_dir = $apache::conf_dir
+  $mod_dir = $apache::mod_dir
 
   file { "${confd_dir}/90.hardening.conf":
     ensure  => file,
@@ -50,4 +51,10 @@
     path   => ['/bin','/usr/bin', '/usr/sbin'],
     unless => "find ${conf_dir} -perm -o+r -type f -o -perm -o+w -type f | wc -l | egrep '^0$'"
   }
+
+  File['alias.conf'] {
+    content => template('apache_hardening/mod/alias.conf.erb'),
+    mode   => '0640',
+  }
+
 }
diff --git a/manifests/puppetlabs_override.pp b/manifests/puppetlabs_override.pp
@@ -17,12 +17,12 @@
 
     $server_signature    = 'Off',
     $server_tokens       = 'Prod',
-    $trace_enable        = 'Off'
+    $trace_enable        = 'Off',
 
 ) inherits ::apache {
 
   File["${::apache::conf_dir}/${::apache::params::conf_file}"]{
-    content => template($::apache::params::conf_template),
+    content => template('apache_hardening/httpd.conf.erb'),
     mode   => '0640',
   }
 }
diff --git a/metadata.json b/metadata.json
@@ -1,5 +1,5 @@
 {
-  "name": "hardening/apache_hardening",
+  "name": "hardening-apache_hardening",
   "version": "0.1.0",
   "source": "https://github.com/TelekomLabs/puppet-apache-hardening",
   "author": "Markus Schmall",
diff --git a/templates/httpd.conf.erb b/templates/httpd.conf.erb
@@ -0,0 +1,116 @@
+# Security
+ServerTokens <%= @server_tokens %>
+ServerSignature <%= @server_signature %>
+TraceEnable <%= @trace_enable %>
+
+ServerName "<%= @servername %>"
+ServerRoot "<%= @server_root %>"
+PidFile <%= @pidfile %>
+Timeout <%= @timeout %>
+KeepAlive <%= @keepalive %>
+MaxKeepAliveRequests <%= @max_keepalive_requests %>
+KeepAliveTimeout <%= @keepalive_timeout %>
+
+User <%= @user %>
+Group <%= @group %>
+
+AccessFileName .htaccess
+<FilesMatch "^\.ht">
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+    Require all denied
+<%- else -%>
+     Order allow,deny
+     Deny from all
+     Satisfy all
+<%- end -%>
+</FilesMatch>
+
+<Directory />
+  Options -Indexes -FollowSymLinks
+  AllowOverride None
+</Directory>
+
+DefaultType none
+HostnameLookups Off
+ErrorLog "<%= @logroot %>/<%= @error_log %>"
+LogLevel <%= @log_level %>
+EnableSendfile <%= @sendfile %>
+<%- if @allow_encoded_slashes -%>
+AllowEncodedSlashes <%= @allow_encoded_slashes %>
+<%- end -%>
+
+#Listen 80
+
+<% if @apxs_workaround -%>
+# Workaround: without this hack apxs would be confused about where to put
+# LoadModule directives and fail entire procedure of apache package
+# installation/reinstallation. This problem was observed on FreeBSD (apache22).
+#LoadModule fake_module libexec/apache22/mod_fake.so
+<% end -%>
+
+Include "<%= @mod_load_dir %>/*.load"
+<% if @mod_load_dir != @confd_dir and @mod_load_dir != @vhost_load_dir -%>
+Include "<%= @mod_load_dir %>/*.conf"
+<% end -%>
+Include "<%= @ports_file %>"
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+<% if @log_formats and !@log_formats.empty? -%>
+  <%- @log_formats.sort.each do |nickname,format| -%>
+LogFormat "<%= format -%>" <%= nickname %>
+  <%- end -%>
+<% end -%>
+
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+IncludeOptional "<%= @confd_dir %>/*.conf"
+<%- else -%>
+Include "<%= @confd_dir %>/*.conf"
+<%- end -%>
+<% if @vhost_load_dir != @confd_dir -%>
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+IncludeOptional "<%= @vhost_load_dir %>/*"
+<%- else -%>
+Include "<%= @vhost_load_dir %>/*"
+<%- end -%>
+<% end -%>
+
+<% if @error_documents -%>
+# /usr/share/apache2/error on debian
+Alias /error/ "<%= @error_documents_path %>/"
+
+<Directory "<%= @error_documents_path %>">
+  AllowOverride None
+  Options IncludesNoExec
+  AddOutputFilter Includes html
+  AddHandler type-map var
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+  Require all granted
+<%- else -%>
+  Order allow,deny
+  Allow from all
+<%- end -%>
+  LanguagePriority en cs de es fr it nl sv pt-br ro
+  ForceLanguagePriority Prefer Fallback
+</Directory>
+
+ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+ErrorDocument 410 /error/HTTP_GONE.html.var
+ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+<% end -%>
diff --git a/templates/mod/alias.conf.erb b/templates/mod/alias.conf.erb
@@ -0,0 +1,13 @@
+<IfModule alias_module>
+Alias /icons/ "<%= @icons_path %>/"
+<Directory "<%= @icons_path %>">
+    Options -Indexes +MultiViews -FollowSymLinks
+    AllowOverride None
+<%- if scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
+    Require all granted
+<%- else -%>
+     Order allow,deny
+     Allow from all
+<%- end -%>
+</Directory>
+</IfModule>

Original file line number	Diff line number	Diff line change
`@@ -17,12 +17,12 @@`
`17`	`17`
`18`	`18`	`$server_signature = 'Off',`
`19`	`19`	`$server_tokens = 'Prod',`
`20`		`- $trace_enable = 'Off'`
	`20`	`+ $trace_enable = 'Off',`
`21`	`21`
`22`	`22`	`) inherits ::apache {`
`23`	`23`
`24`	`24`	`File["${::apache::conf_dir}/${::apache::params::conf_file}"]{`
`25`		`- content => template($::apache::params::conf_template),`
	`25`	`+ content => template('apache_hardening/httpd.conf.erb'),`
`26`	`26`	`mode => '0640',`
`27`	`27`	`}`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "name": "hardening/apache_hardening",`
	`2`	`+ "name": "hardening-apache_hardening",`
`3`	`3`	`"version": "0.1.0",`
`4`	`4`	`"source": "https://github.com/TelekomLabs/puppet-apache-hardening",`
`5`	`5`	`"author": "Markus Schmall",`