From 3dd5c7f78eafad9b3cb2b4a895ba251794da1276 Mon Sep 17 00:00:00 2001
From: Fabien COMBERNOUS
Date: Fri, 20 Sep 2024 10:22:17 +0200
Subject: [PATCH] jail logpath can handle several files
---
 REFERENCE.md | 25 ++++++++++++--------
 manifests/jail.pp | 4 +++-
 spec/defines/fail2ban_jail_spec.rb | 33 ++++++++++++++++++++-------
 spec/type_aliases/logpath_spec.rb | 13 +++++++++++
 templates/common/custom_jail.conf.epp | 6 +++++
 types/logpath.pp | 5 ++++
 6 files changed, 68 insertions(+), 18 deletions(-)
 create mode 100644 spec/type_aliases/logpath_spec.rb
 create mode 100644 types/logpath.pp
diff --git a/REFERENCE.md b/REFERENCE.md
index 1bd6d8aa..d7ce80e2 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -23,6 +23,7 @@
 ### Data types
+* [`Fail2ban::Logpath`](#Fail2ban--Logpath): Describes logpath format allowed
 * [`Fail2ban::Time`](#Fail2ban--Time): Describes time format allowed for bantime and findtime The time entries in fail2ban configuration (like findtime or bantime) can be provided
 ### Tasks
@@ -496,6 +497,7 @@ Handles the jails.
 The following parameters are available in the `fail2ban::jail` defined type:
+* [`logpath`](#-fail2ban--jail--logpath)
 * [`filter_includes`](#-fail2ban--jail--filter_includes)
 * [`filter_failregex`](#-fail2ban--jail--filter_failregex)
 * [`filter_ignoreregex`](#-fail2ban--jail--filter_ignoreregex)
@@ -505,7 +507,6 @@ The following parameters are available in the `fail2ban::jail` defined type:
 * [`enabled`](#-fail2ban--jail--enabled)
 * [`action`](#-fail2ban--jail--action)
 * [`filter`](#-fail2ban--jail--filter)
-* [`logpath`](#-fail2ban--jail--logpath)
 * [`maxretry`](#-fail2ban--jail--maxretry)
 * [`findtime`](#-fail2ban--jail--findtime)
 * [`bantime`](#-fail2ban--jail--bantime)
@@ -521,6 +522,14 @@ The following parameters are available in the `fail2ban::jail` defined type:
 * [`config_file_notify`](#-fail2ban--jail--config_file_notify)
 * [`config_file_require`](#-fail2ban--jail--config_file_require)
+##### `logpath`
+
+Data type: `Optional[Fail2ban::Logpath]`
+
+Filename(s) of the log files to be monitored
+
+Default value: `undef`
+
 ##### `filter_includes`
 Data type: `Optional[String]`
@@ -593,14 +602,6 @@ Data type: `String`
 Default value: `$title`
-##### `logpath`
-
-Data type: `Optional[String[1]]`
-
-
-
-Default value: `undef`
-
 ##### `maxretry`
 Data type: `Integer`
@@ -715,6 +716,12 @@ Default value: `$fail2ban::config_file_require`
 ## Data types
+### `Fail2ban::Logpath`
+
+Describes logpath format allowed
+
+Alias of `Variant[String[1], Array[String[1]]]`
+
 ### `Fail2ban::Time`
 Describes time format allowed for bantime and findtime
diff --git a/manifests/jail.pp b/manifests/jail.pp
index 2aa5c311..7b14eafe 100644
--- a/manifests/jail.pp
+++ b/manifests/jail.pp
@@ -1,5 +1,7 @@
 # @summary Handles the jails.
 #
+# @param logpath Filename(s) of the log files to be monitored
+#
 define fail2ban::jail (
 Optional[String] $filter_includes = undef,
 Optional[String] $filter_failregex = undef,
@@ -10,7 +12,7 @@
 Boolean $enabled = true,
 Optional[String] $action = undef,
 String $filter = $title,
- Optional[String[1]] $logpath = undef,
+ Optional[Fail2ban::Logpath] $logpath = undef,
 Integer $maxretry = $fail2ban::maxretry,
 Optional[Fail2ban::Time] $findtime = undef,
 Fail2ban::Time $bantime = $fail2ban::bantime,
diff --git a/spec/defines/fail2ban_jail_spec.rb b/spec/defines/fail2ban_jail_spec.rb
index c1be3e18..de4b6550 100644
--- a/spec/defines/fail2ban_jail_spec.rb
+++ b/spec/defines/fail2ban_jail_spec.rb
@@ -5,6 +5,14 @@
 describe 'fail2ban::jail' do
 let(:title) { 'spec_test_jail' }
 let(:pre_condition) { 'include fail2ban' }
+ let(:common_params) do
+ {
+ 'logpath' => '/var/log/syslog',
+ 'filter_failregex' => 'Login failed for user .* from ',
+ 'filter_maxlines' => 10,
+ 'filter_datepattern' => '%%Y-%%m-%%d %%H:%%M(?::%%S)?'
+ }
+ end
 on_supported_os.each do |os, facts|
 context "on #{os}" do
@@ -12,14 +20,7 @@
 facts
 end
- let(:params) do
- {
- 'logpath' => '/var/log/syslog',
- 'filter_failregex' => 'Login failed for user .* from ',
- 'filter_maxlines' => 10,
- 'filter_datepattern' => '%%Y-%%m-%%d %%H:%%M(?::%%S)?'
- }
- end
+ let(:params) { common_params }
 it do
 is_expected.to compile.with_all_deps
@@ -33,6 +34,22 @@
 )
 end
+ context 'with jail using several files in logpath' do
+ let(:params) do
+ common_params.merge(
+ 'logpath' => ['/var/log/syslog', '/var/log/syslog.1']
+ )
+ end
+
+ it do
+ is_expected.to contain_file('custom_jail_spec_test_jail').with(
+ 'ensure' => 'file',
+ 'notify' => 'Service[fail2ban]',
+ 'content' => %r{logpath = /var/log/syslog\n /var/log/syslog\.1\n}
+ )
+ end
+ end
+
 it do
 is_expected.to contain_file('custom_filter_spec_test_jail').with(
 'ensure' => 'file',
diff --git a/spec/type_aliases/logpath_spec.rb b/spec/type_aliases/logpath_spec.rb
new file mode 100644
index 00000000..4d67d4f3
--- /dev/null
+++ b/spec/type_aliases/logpath_spec.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'Fail2ban::Logpath' do
+ [
+ '/var/log/file.log',
+ '/var/log/file.log[1-9]',
+ ['/var/log/file.log', '/var/log/file.log.1'],
+ ].each do |allowed_value|
+ it { is_expected.to allow_value(allowed_value) }
+ end
+end
diff --git a/templates/common/custom_jail.conf.epp b/templates/common/custom_jail.conf.epp
index d909e631..fa0286df 100644
--- a/templates/common/custom_jail.conf.epp
+++ b/templates/common/custom_jail.conf.epp
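Review bot: The new `spec/type_aliases/logpath_spec.rb` lists only accepted values, so nothing pins what `Fail2ban::Logpath` must reject, and a later loosening of the alias would pass the suite unnoticed. Add a negative list next to the existing one, for example `['', [''], 42].each { |v| it { is_expected.not_to allow_value(v) } }`. Since these values end up in the generated jail configuration, the rejection cases are the part of the type contract most worth testing.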
@@ -9,7 +9,13 @@ enabled = <%= $enabled %>
 action = <%= $action %>
 <% } -%>
 filter = <%= $filter %>
+<% if $logpath =~ Array[String[1]] { -%>
+logpath = <%- $logpath.each |$l| { -%>
+ <%= $l %>
+<%- } -%>
+<% } else { -%>
 logpath = <%= $logpath %>
+<%- } -%>
 maxretry = <%= $maxretry %>
 <% if $findtime { -%>
 findtime = <%= $findtime %>
diff --git a/types/logpath.pp b/types/logpath.pp
new file mode 100644
index 00000000..a1b5d3c3
--- /dev/null
+++ b/types/logpath.pp
@@ -0,0 +1,5 @@
+# Describes logpath format allowed
+type Fail2ban::Logpath = Variant[
+ String[1],
+ Array[String[1]],
+]
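Review bot: In the `templates/common/custom_jail.conf.epp` hunk, `<%= $l %>` in the new array branch, like `<%= $logpath %>` in the `else` branch, writes the value into the jail file unescaped, and `String[1]` does not exclude line breaks. A value containing `\n` would therefore end the `logpath` entry, and the remainder would presumably be parsed as a further option or section header. Hiera data is usually trusted, but this file decides what fail2ban watches and bans, so I would reject such values before they reach the template, e.g. by using `Pattern[/\A[^\r\n]+\z/]` instead of `String[1]` for the path strings in `types/logpath.pp`. The `else` branch also still renders a bare `logpath = ` when `$logpath` is `undef`; whether that is intended cannot be judged here, since the template starts and ends outside the hunk.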
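Review bot: In `types/logpath.pp`, `Array[String[1]]` has no minimum size, so `logpath => []` passes the type check and the template's array branch then emits `logpath = ` with no file. That presumably leaves the jail with nothing to monitor, or fails when fail2ban loads the file rather than at catalog compilation. Declare the lower bound in the alias: `Array[String[1], 1],`. The one-line comment could also state that each entry is a path or glob in the form fail2ban's `logpath` accepts, since the spec allows `/var/log/file.log[1-9]`.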