diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 0000000..fa0ff7b
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,7 @@
+fixtures:
+ repositories:
+ stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib.git"
+ concat: "git://github.com/puppetlabs/puppetlabs-concat.git"
+ eyplib: "git://github.com/NTTCom-MS/eyp-eyplib.git"
+ symlinks:
+ audit: "#{source_dir}"
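Review bot: The three fixture repositories are fetched over `git://`, which is unauthenticated and unencrypted, so whatever answers on the wire becomes the code the test run executes; none of them is pinned to a tag or commit either. Use the HTTPS form, e.g. `stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git"`, and the hash form with `repo:` and `ref:` keys to pin each one to a reviewed revision. GitHub has also switched off the `git://` protocol, so these URLs no longer clone.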
diff --git a/.travis.yml b/.travis.yml
index 3a305d0..aa723d5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -8,8 +8,38 @@ script:
bundler_args: --without system_tests
matrix:
include:
+ - rvm: default
+ env: LINT=puppetcode
+ dist: trusty
+ bundler_args:
+ script: bundle exec rake lint
- rvm: default
env: LINT=metadata
dist: trusty
bundler_args:
script: bundle exec rake metadata_lint
+ - rvm: default
+ env: JOB=validate
+ dist: trusty
+ bundler_args:
+ script: bundle exec rake validate
+ - rvm: default
+ env: BEAKER_set="centos5-docker" TEST=base
+ dist: trusty
+ bundler_args:
+ script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb
+ - rvm: default
+ env: BEAKER_set="centos6-docker" TEST=base
+ dist: trusty
+ bundler_args:
+ script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb
+ - rvm: default
+ env: BEAKER_set="centos7-docker"
+ dist: trusty
+ bundler_args:
+ script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb
+ - rvm: default
+ env: BEAKER_set="ubuntu14-docker" TEST=base
+ dist: trusty
+ bundler_args:
+ script: sudo service docker restart ; sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb
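Review bot: In the four acceptance jobs the `;` after `sudo service docker restart` discards a failed restart, so the job carries on to `sleep 10` and rspec against a Docker daemon that may not be up, and fails later with a less obvious error. Chain the steps with `&&` instead: `sudo service docker restart && sleep 10 && bundle exec rspec spec/acceptance/*_spec.rb`. The `centos7-docker` entry is also the only one without `TEST=base`; if that is deliberate a comment would help, otherwise add it for consistency.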
diff --git a/manifests/init.pp b/manifests/init.pp
index d2ce76e..893a641 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,6 +1,9 @@
# == Class: audit
#
-class audit inherits audit::params {
+class audit (
+ $buffers='320',
+ $add_default_rules=true
+ ) inherits audit::params {
package { $pkg_audit:
ensure => 'installed',
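Review bot: `$buffers` and `$add_default_rules` are accepted without any type check, and the class header still documents no parameters. `$buffers` presumably ends up in the rendered audit rules (the template is not in this hunk), so a non-numeric value should fail the catalog rather than reach auditd. With stdlib already a dependency, `validate_re($buffers, '\A\d+\z')` and `validate_bool($add_default_rules)` at the top of the class body would do it. Add a `# === Parameters` section under `# == Class: audit` describing both. The class body continues outside the hunk.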
@@ -12,5 +15,29 @@
require => Package[$pkg_audit],
}
+ concat { '/etc/audit/audit.rules':
+ ensure => 'present',
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ notify => Service['auditd'],
+ }
+
+ concat::fragment{ '/etc/audit/audit.rules base':
+ target => '/etc/audit/audit.rules',
+ order => '00',
+ content => template("${module_name}/base_audit.erb"),
+ }
+
+ if($add_default_rules)
+ {
+ concat::fragment{ '/etc/audit/audit.rules default rules':
+ target => '/etc/audit/audit.rules',
+ order => '01',
+ content => template("${module_name}/default_rules.erb"),
+ }
+ }
+
+
}
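Review bot: The `concat { '/etc/audit/audit.rules': }` resource has no ordering against `Package[$pkg_audit]`, unlike the resource just above it, so on a fresh node the rules file can be evaluated before the package has presumably created `/etc/audit`; add `require => Package[$pkg_audit],` to the concat resource. Separately, on RHEL/CentOS 7 auditd by default rebuilds `/etc/audit/audit.rules` from `/etc/audit/rules.d/` through augenrules at service start, so the managed content may be overwritten and the second Puppet run would then report a change. That is worth confirming with the centos7 acceptance job, since this commit extends support to releases 5 through 7 with one code path.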
diff --git a/manifests/params.pp b/manifests/params.pp
index 853a385..2068635 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -8,9 +8,10 @@
{
case $::operatingsystemrelease
{
- /^6.*$/:
+ /^[5-7].*$/:
{
$pkg_audit='audit'
+ $sysconfig=true
}
default: { fail("Unsupported RHEL/CentOS version! - $::operatingsystemrelease") }
}
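Review bot: `$sysconfig` is assigned here and in the Ubuntu 14 branch (second hunk), but nothing in the visible manifests reads it and no comment says what it controls. Add a one-line comment at its first assignment, e.g. `# true when auditd options live in /etc/sysconfig/auditd`, if that is what it means. Also make sure every OS branch of the case sets it, so that it is never undef when a template or resource starts using it. The case statement starts and ends outside the hunk.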
@@ -27,6 +28,7 @@
/^14.*$/:
{
$pkg_audit='auditd'
+ $sysconfig=false
}
default: { fail("Unsupported Ubuntu version! - $::operatingsystemrelease") }
}
diff --git a/metadata.json b/metadata.json
index 5f65eb4..85b3fdd 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
{
"name": "eyp-audit",
- "version": "0.1.0",
+ "version": "0.1.1",
"author": "eyp",
"summary": "auditd",
"license": "Apache-2.0",
@@ -8,28 +8,29 @@
"project_page": null,
"issues_url": null,
"dependencies": [
- {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"}
+ {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"},
+ {"name":"puppetlabs/concat","version_requirement":">= 1.2.3"}
],
"operatingsystem_support": [
{
"operatingsystem": "RedHat",
- "operatingsystemrelease": [ "6", "7" ]
+ "operatingsystemrelease": [ "5", "6", "7" ]
},
{
"operatingsystem": "CentOS",
- "operatingsystemrelease": [ "6", "7" ]
+ "operatingsystemrelease": [ "5", "6", "7" ]
},
{
"operatingsystem": "Scientific",
- "operatingsystemrelease": [ "6", "7" ]
+ "operatingsystemrelease": [ "5", "6", "7" ]
},
{
"operatingsystem": "OEL",
- "operatingsystemrelease": [ "6", "7" ]
+ "operatingsystemrelease": [ "5", "6", "7" ]
},
{
"operatingsystem": "OracleLinux",
- "operatingsystemrelease": [ "6", "7" ]
+ "operatingsystemrelease": [ "5", "6", "7" ]
},
{
"operatingsystem": "Ubuntu",
diff --git a/spec/acceptance/base_deflate_spec.rb b/spec/acceptance/base_deflate_spec.rb
new file mode 100644
index 0000000..e510a23
--- /dev/null
+++ b/spec/acceptance/base_deflate_spec.rb
@@ -0,0 +1,66 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context 'mod_deflate' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ server_admin=> 'webmaster@localhost',
+ maxclients=> '150',
+ maxrequestsperchild=>'1000',
+ customlog_type=>'vhost_combined',
+ logformats=>{ 'vhost_combined' => '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"' },
+ add_defult_logformats=>true,
+ manage_docker_service => true,
+ }
+
+ class { 'apache::mod::deflate':
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ # general conf
+ describe file($modulesconf) do
+ it { should be_file }
+ its(:content) { should match 'deflate_module' }
+ end
+
+ #default vhost
+ describe file($deflateconf) do
+ it { should be_file }
+ its(:content) { should match 'DEFLATE' }
+ end
+
+ end
+
+end
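Review bot: This spec, like the other `spec/acceptance/base_*_spec.rb` files added in this commit, declares `class { 'apache': ... }` and checks Apache ports, packages and config files, yet the module is `eyp-audit` and `.fixtures.yml` provides only stdlib, concat, eyplib and audit. Unless `spec_helper_acceptance` installs an apache module (not visible here), the new Travis acceptance jobs that run `spec/acceptance/*_spec.rb` will fail on an unknown class, and nothing exercises the new `/etc/audit/audit.rules` handling. Replace these with a spec that applies `class { 'audit': }` and asserts on the rendered rules file and the `auditd` service. `require_relative './version.rb'` also points at a file that this part of the diff does not add.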
diff --git a/spec/acceptance/base_modnss_spec.rb b/spec/acceptance/base_modnss_spec.rb
new file mode 100644
index 0000000..52caaa4
--- /dev/null
+++ b/spec/acceptance/base_modnss_spec.rb
@@ -0,0 +1,134 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context 'basic SSL setup' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ listen => [ '80', '443' ],
+ ssl => false,
+ manage_docker_service => true,
+ }
+
+ class { 'apache::mod::nss':
+ certdbpassword => '123lestresbesones',
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost[['et2blog','ssl ZnVja3RoYXRiaXRjaAo.com']],
+ }
+
+ apache::nss::cert { 'ZnVja3RoYXRiaXRjaAo':
+ aliasname => 'ZnVja3RoYXRiaXRjaAo',
+ selfsigned => true,
+ cn => 'www.ZnVja3RoYXRiaXRjaAo.com',
+ organization => 'systemadmin.es',
+ organization_unit => 'shitty apache modules team',
+ locality => 'barcelona',
+ state => 'barcelona',
+ country => 'RC', # Republica Catalana
+ }
+
+ apache::vhost {'ssl ZnVja3RoYXRiaXRjaAo.com':
+ servername => 'ZnVja3RoYXRiaXRjaAo.com',
+ order => '11',
+ port => '443',
+ documentroot => '/var/www/et2blog',
+ }
+
+ apache::nss {'ZnVja3RoYXRiaXRjaAo':
+ servername => 'ZnVja3RoYXRiaXRjaAo.com',
+ vhost_order => '11',
+ port => '443',
+ enforce_validcerts => false,
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "apache configtest mod_nss" do
+ expect(shell("apachectl -M 2>&1 | grep nss_module").exit_code).to be_zero
+ end
+
+ it "sleep 60 to make sure apache is started" do
+ expect(shell("sleep 60").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe port(443) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-443.conf
+ describe file($nssvhostconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ its(:content) { should_not match 'SSLEngine on' }
+ end
+
+ it "HTTP 200 SSL ZnVja3RoYXRiaXRjaAo" do
+ expect(shell("curl -I https://localhost/check.rspec --insecure 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ it "cname SSL cert ZnVja3RoYXRiaXRjaAo" do
+ expect(shell("echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -subject | grep 'CN=www.ZnVja3RoYXRiaXRjaAo.com'").exit_code).to be_zero
+ end
+
+ it "TLSv1 supported" do
+ expect(shell("echo | openssl s_client -connect localhost:443 -tls1 2>&1 | grep 'Session-ID:' | awk '{ print $NF }' | grep -v 'Session-ID:'").exit_code).to be_zero
+ end
+
+ it "key size: 2048" do
+ expect(shell("echo | openssl s_client -connect localhost:443 2>&1 | grep 'Server public key' | grep 2048").exit_code).to be_zero
+ end
+
+ end
+
+end
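Review bot: The `TLSv1 supported` example makes the suite fail as soon as TLS 1.0 is switched off, which pins a deprecated protocol as a requirement; `base_ssl_spec.rb` carries the same example. Assert the protocol floor the module is meant to enforce instead, and add the `SSLv3 disabled` check that `base_ssl_spec.rb` has but this file lacks. `enforce_validcerts => false`, `curl --insecure` and the literal `certdbpassword` are acceptable for a self-signed throwaway container, but they deserve a comment saying they are test-only so they are not copied into a real manifest.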
diff --git a/spec/acceptance/base_modproxy_spec.rb b/spec/acceptance/base_modproxy_spec.rb
new file mode 100644
index 0000000..7bc626b
--- /dev/null
+++ b/spec/acceptance/base_modproxy_spec.rb
@@ -0,0 +1,98 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context 'mod_proxy and co' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ listen => [ '80' ],
+ manage_docker_service => true,
+ }
+
+ class { 'apache::mod::proxy': }
+ class { 'apache::mod::proxyajp': }
+ class { 'apache::mod::proxybalancer': }
+ class { 'apache::mod::proxyconnect': }
+ class { 'apache::mod::proxyhttp': }
+ class { 'apache::mod::proxyftp': }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "sleep 10 to make sure mod_proxy is started" do
+ expect(shell("apachectl -M 2>&1 | grep proxy_module").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure mod_proxy_ajp is started" do
+ expect(shell("apachectl -M 2>&1 | grep proxy_ajp_module").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure mod_proxy_balancer is started" do
+ expect(shell("apachectl -M 2>&1 | grep proxy_balancer_module").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure mod_proxy_connect is started" do
+ expect(shell("apachectl -M 2>&1 | grep proxy_connect_module").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure mod_proxy_http is started" do
+ expect(shell("apachectl -M 2>&1 | grep proxy_http_module").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure mod_proxy_ftp is started" do
+ expect(shell("apachectl -M 2>&1 | grep proxy_ftp_module").exit_code).to be_zero
+ end
+
+ end
+
+end
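Review bot: The manifest loads mod_proxy together with the connect, http and ftp proxy modules, and no example checks that forward proxying stays off; a server with these modules and `ProxyRequests On` is an open proxy. Add a file-content assertion that the rendered proxy configuration contains `ProxyRequests Off` (the file that holds it is not visible in this diff). The six examples titled `sleep 10 to make sure mod_proxy... is started` also do not sleep, they grep `apachectl -M` for the module, so titles such as `it "loads proxy_module" do` would describe them correctly.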
diff --git a/spec/acceptance/base_redirect_spec.rb b/spec/acceptance/base_redirect_spec.rb
new file mode 100644
index 0000000..8654af4
--- /dev/null
+++ b/spec/acceptance/base_redirect_spec.rb
@@ -0,0 +1,150 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context 'redirect' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ server_admin=> 'webmaster@localhost',
+ maxclients=> '150',
+ maxrequestsperchild=>'1000',
+ add_defult_logformats=>true,
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ apache::redirect { 'et2blog':
+ path => '/',
+ url => 'http://systemadmin.es/',
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'Redirect' }
+ its(:content) { should match 'http://systemadmin.es/' }
+ end
+
+ it "redirect 301" do
+ expect(shell("curl -I localhost -H 'Host: et2blog' 2>/dev/null | grep '^HTTP' | head -n1 | grep 301").exit_code).to be_zero
+ end
+
+ it "redirect url" do
+ expect(shell("curl -I localhost -H 'Host: et2blog' 2>/dev/null | grep '^Location' | head -n1 | grep systemadmin.es").exit_code).to be_zero
+ end
+
+ end
+
+ context 'redirectmatch' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ server_admin=> 'webmaster@localhost',
+ maxclients=> '150',
+ maxrequestsperchild=>'1000',
+ customlog_type=>'vhost_combined',
+ logformats=>{ 'vhost_combined' => '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"' },
+ add_defult_logformats=>true,
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ apache::redirect { 'et2blog':
+ match => '/lol',
+ url => 'http://systemadmin.es/',
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'RedirectMatch' }
+ its(:content) { should match 'http://systemadmin.es/' }
+ end
+
+ it "redirect 301" do
+ expect(shell("curl -I localhost/lol -H 'Host: et2blog' 2>/dev/null | grep '^HTTP' | head -n1 | grep 301").exit_code).to be_zero
+ end
+
+ it "redirect url" do
+ expect(shell("curl -I localhost/lol -H 'Host: et2blog' 2>/dev/null | grep '^Location' | head -n1 | grep systemadmin.es").exit_code).to be_zero
+ end
+
+ end
+
+end
diff --git a/spec/acceptance/base_serverstatus_spec.rb b/spec/acceptance/base_serverstatus_spec.rb
new file mode 100644
index 0000000..9accd9c
--- /dev/null
+++ b/spec/acceptance/base_serverstatus_spec.rb
@@ -0,0 +1,229 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context 'basic setup' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ listen => [ '80', '81' ],
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh => true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ apache::serverstatus {'et2blog':
+ allowedip => undef,
+ }
+
+ apache::vhost {'systemadmin.es':
+ order => '10',
+ port => '81',
+ documentroot => '/var/www/systemadmin',
+ }
+
+ apache::serverstatus {'systemadmin.es':
+ order => '10',
+ port => '81',
+ allowedip => [ '1.1.1.1','2.2.2.2','4.4.4.4 5.5.5.5','127.','::1' ],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ it "curl defaultvh http://localhost:80/server-status" do
+ expect(shell("curl http://localhost:80/server-status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero
+ end
+
+ it "curl et2blog http://localhost:80/server-status" do
+ expect(shell("curl http://localhost:80/server-status -H 'Host: et2blog' 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero
+ end
+
+ it "curl port 81 http://localhost:81/server-status" do
+ expect(shell("curl http://localhost:81/server-status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultvhconf) do
+ it { should be_file }
+ its(:content) { should match '' }
+ its(:content) { should match 'SetHandler server-status' }
+ its(:content) { should match '' }
+ end
+
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match '' }
+ its(:content) { should match 'SetHandler server-status' }
+ its(:content) { should match '' }
+ end
+
+ describe file($systemadminconf) do
+ it { should be_file }
+ its(:content) { should match '' }
+ its(:content) { should match 'SetHandler server-status' }
+ its(:content) { should match '' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+
+ end
+
+ context 'custom url' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ listen => [ '80', '81' ],
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ apache::serverstatus {'et2blog':
+ serverstatus_url => '/random_status',
+ allowedip => undef,
+ }
+
+ apache::vhost {'systemadmin.es':
+ order => '10',
+ port => '81',
+ documentroot => '/var/www/systemadmin',
+ }
+
+ apache::serverstatus {'systemadmin.es':
+ serverstatus_url => '/random_status',
+ order => '10',
+ port => '81',
+ allowedip => ['1.1.1.1','2.2.2.2','4.4.4.4 5.5.5.5','127.','::1'],
+ }
+
+ apache::vhost {'awscli.com':
+ order => '11',
+ port => '81',
+ documentroot => '/var/www/void',
+ }
+
+ apache::serverstatus {'awscli.com':
+ serverstatus_url => '/fucker_status',
+ order => '11',
+ port => '81',
+ allowedip => [ '1.1.1.1' ],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ it "curl defaultvh http://localhost:80/server-status" do
+ expect(shell("curl http://localhost:80/server-status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero
+ end
+
+ it "curl et2blog http://localhost:80/random_status" do
+ expect(shell("curl http://localhost:80/random_status -H 'Host: et2blog' 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero
+ end
+
+ it "curl port 81 http://localhost:81/random_status" do
+ expect(shell("curl http://localhost:81/random_status 2>/dev/null | grep -i 'Apache Server Status for' >/dev/null").exit_code).to be_zero
+ end
+
+ it "403 forbidden curl port 81 http://awscli.com:81/random_status" do
+ expect(shell("curl -I localhost:81/fucker_status -H 'Host: awscli.com' 2>/dev/null | grep ^HTT | grep -i '403 Forbidden' > /dev/null").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe port(81) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultvhconf) do
+ it { should be_file }
+ its(:content) { should match '' }
+ its(:content) { should match 'SetHandler server-status' }
+ its(:content) { should match '' }
+ end
+
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match '' }
+ its(:content) { should match 'SetHandler server-status' }
+ its(:content) { should match '' }
+ end
+ describe file($systemadminconf) do
+ it { should be_file }
+ its(:content) { should match '' }
+ its(:content) { should match 'SetHandler server-status' }
+ its(:content) { should match '' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ end
+
+end
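Review bot: Every `its(:content) { should match '' }` in the `describe file(...)` blocks passes against any content, because an empty pattern matches every string; `base_spec.rb` has the same lines. The patterns may have been lost in transit (they sit where a container directive would be expected), so restore them or delete the examples. Beyond that, both contexts pass `allowedip => undef` for `et2blog` and then expect the status URL to answer, which presumably means the page is unrestricted. Server-status exposes client addresses and requested URLs, and only the `awscli.com` 403 example tests the access control. Add a file-content assertion for the rendered allow list of `systemadmin.es`.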
diff --git a/spec/acceptance/base_spec.rb b/spec/acceptance/base_spec.rb
new file mode 100644
index 0000000..abf41bc
--- /dev/null
+++ b/spec/acceptance/base_spec.rb
@@ -0,0 +1,133 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context 'basic setup' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ server_admin=> 'webmaster@localhost',
+ maxclients=> '150',
+ maxrequestsperchild=>'1000',
+ customlog_type=>'vhost_combined',
+ logformats=>{ 'vhost_combined' => '%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"' },
+ add_defult_logformats=>true,
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ apache::vhost {'testing.lol':
+ order => '77',
+ serveradmin => 'root@lolcathost.lol',
+ serveralias => [ '1.testing.lol', '2.testing.lol' ],
+ documentroot => '/var/www/testing/',
+ options => [ 'Indexes', 'FollowSymLinks', 'MultiViews' ],
+ rewrites => [ 'RewriteCond %{HTTP_HOST} !^testing\.lol', 'RewriteRule ^/(.*)$ http://www\.testing\.lol/$1 [R=301,L]' ],
+ aliasmatch => { 'RUC/lol' => '/var/www/testing/hc.php',
+ '(.*)' => '/var/www/testing/cc.php'},
+ scriptalias => { '/cgi-bin/' => '"/var/www/testing/cgi-bin/"' },
+ directoryindex => [ 'index.php', 'lolindex.php', 'lol.html' ],
+ }
+
+ apache::directory {'/var/www/testing/cgi-bin/':
+ vhost_order => '77',
+ servername => 'testing.lol',
+ options => [ '+ExecCGI', '-Includes' ],
+ allowoverride => 'None',
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ # general conf
+ describe file($generalconf) do
+ it { should be_file }
+ its(:content) { should match 'MaxRequestsPerChild 1000' }
+ its(:content) { should match 'MaxClients 150' }
+ its(:content) { should match 'ServerLimit 150' }
+ its(:content) { should match 'ServerAdmin webmaster@localhost' }
+ its(:content) { should match 'access_log vhost_combined' }
+ its(:content) { should match 'LogFormat "%{User-agent}i" agent' }
+ #TODO: arreglar
+ #its(:content) { should match /LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined/ }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #et2 vhost
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ #testing vhost
+ describe file($testingconf) do
+ it { should be_file }
+ #TODO: arreglar
+ #its(:content) { should match // }
+ its(:content) { should match 'DocumentRoot /var/www/testing' }
+ its(:content) { should match 'ServerName testing.lol' }
+ its(:content) { should match 'ServerAlias 1.testing.lol' }
+ its(:content) { should match 'ServerAlias 2.testing.lol' }
+ its(:content) { should match 'ServerAdmin root@lolcathost.lol' }
+ its(:content) { should match 'DirectoryIndex index.php lolindex.php lol.html' }
+ its(:content) { should match 'Options Indexes FollowSymLinks MultiViews' }
+ its(:content) { should match 'RewriteEngine On' }
+ #TODO: arreglar
+ #its(:content) { should match /RewriteCond %{HTTP_HOST} !^testing\.lol/ }
+ #its(:content) { should match /RewriteRule ^\/(.*)$ http:\/\/www\.testing\.lol\/$1 [R=301,L]/ }
+ its(:content) { should match 'AliasMatch RUC/lol /var/www/testing/hc.php' }
+ its(:content) { should match 'AliasMatch (.*) /var/www/testing/cc.php' }
+ its(:content) { should match 'ScriptAlias /cgi-bin/ "/var/www/testing/cgi-bin/"' }
+ its(:content) { should match 'Directory /var/www/testing' }
+ its(:content) { should match '' }
+ its(:content) { should match '' }
+ its(:content) { should match 'AllowOverride None' }
+ #TODO: arreglar
+ #its(:content) { should match /Options +ExecCGI -Includes/ }
+ its(:content) { should match '' }
+ end
+
+ end
+
+end
diff --git a/spec/acceptance/base_ssl_spec.rb b/spec/acceptance/base_ssl_spec.rb
new file mode 100644
index 0000000..2657663
--- /dev/null
+++ b/spec/acceptance/base_ssl_spec.rb
@@ -0,0 +1,130 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context 'basic SSL setup' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ listen => [ '80', '443' ],
+ ssl => true,
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ apache::vhost {'et2blog_ssl':
+ documentroot => '/var/www/et2blog',
+ port => 443,
+ certname => 'cert_et2blog_ssl',
+ use_intermediate => false,
+ }
+
+ apache::cert {'cert_et2blog_ssl':
+ pk_file => '/tmp/pk',
+ cert_file => '/tmp/cert',
+ require => File[['/tmp/cert','/tmp/pk']],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost[['et2blog','et2blog_ssl']],
+ }
+
+ file { '/tmp/cert':
+ ensure => 'present',
+ content => "-----BEGIN CERTIFICATE-----\nMIIDPDCCAiQCCQCKavwUiENvADANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJD\nQTESMBAGA1UECAwJQmFyY2Vsb25hMRIwEAYDVQQHDAlCYXJjZWxvbmExFzAVBgNV\nBAoMDnN5c3RlbWFkbWluLmVzMRAwDgYDVQQDDAdldDJibG9nMB4XDTE2MDIyMzE0\nNTA0OFoXDTQzMDcxMTE0NTA0OFowYDELMAkGA1UEBhMCQ0ExEjAQBgNVBAgMCUJh\ncmNlbG9uYTESMBAGA1UEBwwJQmFyY2Vsb25hMRcwFQYDVQQKDA5zeXN0ZW1hZG1p\nbi5lczEQMA4GA1UEAwwHZXQyYmxvZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAM80rpsjhS6H/zH7UaX0ByJMIDKC82a5cz+1R+ylVsqagmE5TuJkF9gx\nj8tNBRz+Pj3Ef/GbPNaDAICAm6eT5xOI4q789R6ONnE5IZkKghtQFzllWDDlT6Yz\n8YSFgeFLNZhIbd6/xzmSrigwK6VpX3J2Bdf5Kzu4dV0xgygxvlYaM87lNmKUfXa+\nYzTM/XyvsIV7Y5PSF9E5TgtKiUu4tdBscWXB/SR59WLAGBGK7lh/3Q0bZZ6aiXn3\n9atVIG0pX6+nOiwcfUwZU3iu1jZBT3AzR6a9HtWd4Kas9pbygWA4Rg/CMeebp9o/\n4SzbMQsGFs26KSgkXIO8QI3tvC1qRqkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\nS+97Qm+rr9/hKo+uEDGUwrMOVE4ArOaacD65De5+7sk5Fj0qAz/RCYRnRFPf5j7j\ns1vaaslohxwwHIaP6oMCMLAFU1kpj3Nn12uPpqinLxJCUBSToCtA7vvg+TXYYcIV\n++rZJEaWZY4OIOaBn3q6vUvyaSQM2npN/xGe4StfOPTR72YkiXTGJqlJU/qxyKxz\nAoW4ov3rHBbRq4O0pxuGdlRloInLzV8echzTvefoMU/PI8jEKj6q76Bt5GsAL5ND\nfAuNWh6XaJSYTFzrycusCQ1cYlvYPZCCZIPLYaTbzBdfbj0Qe3EhYzeh3Q36DIYc\nBAZtMTRqjKRr7bBdyR1wHQ==\n-----END CERTIFICATE-----\n",
+ before => Apache::Vhost['et2blog_ssl'],
+ }
+
+ file { '/tmp/pk':
+ ensure => 'present',
+ content => "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEAzzSumyOFLof/MftRpfQHIkwgMoLzZrlzP7VH7KVWypqCYTlO\n4mQX2DGPy00FHP4+PcR/8Zs81oMAgICbp5PnE4jirvz1Ho42cTkhmQqCG1AXOWVY\nMOVPpjPxhIWB4Us1mEht3r/HOZKuKDArpWlfcnYF1/krO7h1XTGDKDG+VhozzuU2\nYpR9dr5jNMz9fK+whXtjk9IX0TlOC0qJS7i10GxxZcH9JHn1YsAYEYruWH/dDRtl\nnpqJeff1q1UgbSlfr6c6LBx9TBlTeK7WNkFPcDNHpr0e1Z3gpqz2lvKBYDhGD8Ix\n55un2j/hLNsxCwYWzbopKCRcg7xAje28LWpGqQIDAQABAoIBAHrhkVMr44XO3Ub0\n9lzmtXxfjRCnnFWlUXXMulTbUPdiXkPuSpv0JDfwXIiCqq+hD6Rt7jqIh7Hnitqq\naqUdD4MEQPrpxSxTxnGrIgOyuaoc+0jskzqcI3o7f9XJn1bO1X/0JERfk3TPSj1H\nI/s63IHzAFAu0rbeE6wq+s9RgMFqQ3Zg0VQn5t57AdtCuw72rQAz5QpXIcOxDnSh\nepyoOdipOhevbFJ1ZNyLG6MMOr7t5lrv8wyRgWYJrJzNjLd7N+DaqVToVDimn1+2\ncccgF6shkaS8Mc0nsoySqbqmAFjfMjLDmCXTRMNauzx/NhV738OIW59NDzJhY/Mk\nOY4sx+kCgYEA5rnpyim1NIQw7wIeyyILLV1a4yyfHxvmEXFin3WCTaA+aUS3aPyi\n9GHux6IYcTSVD0G+/aRVDTOvURWlA7oRLH+GGwnE+698u65+m8Pd90ZRaHoCPDVR\nIhfp87ePS2XTIXxVWbNHjXL2U4+Llm2ahbLjO7LBXX0ciH62IxVqYGcCgYEA5ecz\n1V3KEaSKQ4HPQo84PWW/HXgFPud/Wovqhtm2DfhvkJZGc7yLOLAXQD5+2M6Mg05b\nHYEtYNL0xr2JX0Ih6bt2KxXXqd0Jnctw6dP6XBuKmwof19rEVcYsr9GEhR5ZNr4K\n7u616Yn59IfckcVcxyjUOCri4YVgCUiWI7Btdm8CgYEAoDEobyJyG1pEl01DkAm8\n9OxCNERA3lqCbE3rCYeOxtKhQnlhVlVB1qdAH/8dNUwqygL91iEIpDfkW0nJ3kKL\ntfd8Zr1rtMtssOpAIWnmbM63qvA7KQ5jnGY6GuqxZMn3wuIOaE8fOMg+2llpszG5\n/WXsewBrXLuG2gYP81/lEbUCgYEAgS6FwJl/xqQXENGq/TJunolCdzOOdwcrV1yR\nPo6srnLvdWYLVlMWQ5cmqXG0YuzEpa9soUqJjgNbiSTNQNpvJd+xCYqvcQIDuker\nPahf4EuVeYKZ2/dQJQZC69Qly4r/BDSK/jDhxMVDzzRcKwikFkCJ5rmqXKBOE0lX\nG9yx1T8CgYEApqteiivtjqyzNl68OjJkdz4dQd32qDADphd6nVkvLBal9QlLH7tP\nFuE9sC1C7x4/dDzjy0zKJG1Cs6Ua7nnoZ+T149Q5DRRbCs2Csy8GaIsPc5oTjFx3\n6YoHI2TZzcP7Wk+hF1mKxqntXHZTYOtx0WtoZ6b6qlj+Obvy7UzJD4g=\n-----END RSA PRIVATE KEY-----\n",
+ before => Apache::Vhost['et2blog_ssl'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe port(443) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-443.conf
+ describe file($et2blogconfssl) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ its(:content) { should match 'SSLEngine on' }
+ end
+
+ it "HTTP 200 SSL et2blog" do
+ expect(shell("curl -I https://localhost/check.rspec --insecure 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ it "cname SSL cert et2blog" do
+ expect(shell("echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -subject | grep 'CN=et2blog'").exit_code).to be_zero
+ end
+
+ it "TLSv1 supported" do
+ expect(shell("echo | openssl s_client -connect localhost:443 -tls1 2>&1 | grep 'Session-ID:' | awk '{ print $NF }' | grep -v 'Session-ID:'").exit_code).to be_zero
+ end
+
+ it "SSLv3 disabled" do
+ expect(shell("echo | openssl s_client -connect localhost:443 -ssl3 2>&1 | grep 'alert handshake failure'").exit_code).to be_zero
+ end
+
+ it "key size: 2048" do
+ expect(shell("echo | openssl s_client -connect localhost:443 2>&1 | grep 'Server public key' | grep 2048").exit_code).to be_zero
+ end
+
+ end
+
+end
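Review bot: The manifest embeds a complete RSA private key and writes it to `/tmp/pk` with no `owner` or `mode`, so it lands with default permissions in a world-accessible directory, and the key is now permanently in the repository history. Generate the pair during the test run (an `openssl req -x509 -newkey rsa:2048 -nodes ...` shell step before `apply_manifest`) and set `mode => '0600'` on the key's `file` resource. If the literal stays, add a comment marking it as a throwaway test key that must never be deployed, so that secret scanners and readers can tell it apart from a leaked credential.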
diff --git a/spec/acceptance/base_vhost_allowdeny_spec.rb b/spec/acceptance/base_vhost_allowdeny_spec.rb
new file mode 100644
index 0000000..7220cd2
--- /dev/null
+++ b/spec/acceptance/base_vhost_allowdeny_spec.rb
@@ -0,0 +1,298 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context ' allowedip 127.0.0.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ allowedip => [ '127.0.0.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 200 et2blog" do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | grep OK").exit_code).to be_zero
+ end
+
+ end
+
+ context ' allowedip 1.1.1.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ allowedip => [ '1.1.1.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "et2blog should return 403 " do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 403 Forbidden'").exit_code).to be_zero
+ end
+
+ end
+
+ context ' deniedip 127.0.0.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ deniedip => [ '127.0.0.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "et2blog should return 403 " do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 403 Forbidden'").exit_code).to be_zero
+ end
+
+ end
+
+ context ' deniedip 1.1.1.1' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ deniedip => [ '1.1.1.1' ],
+ }
+
+ file { '/var/www/et2blog/check.rspec':
+ ensure => 'present',
+ content => "\nOK\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 200 et2blog" do
+ expect(shell("curl -I 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/check.rspec -H 'Host: et2blog' 2>/dev/null | grep OK").exit_code).to be_zero
+ end
+
+ end
+
+end
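Review bot: Every manifest in this spec declares `class { 'apache': ... }` and `apache::vhost`, but the module that spec_helper_acceptance.rb installs is `audit`, with only stdlib, concat and eyplib as dependencies. Unless an apache module reaches the test host some other way, the first `apply_manifest(pp)` fails on an unknown class. The same applies to base_vhost_sorrypage_spec.rb and modphp_spec.rb, which look copied from an Apache module. As added, none of the acceptance specs exercises the audit class or the rule templates this commit introduces, so the new CI jobs give no signal about whether auditd is installed, running or loaded with the expected rules. I would replace these files with a spec that applies `class { 'audit': }` and asserts on the auditd package, the service and the rendered rules file.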
diff --git a/spec/acceptance/base_vhost_sorrypage_spec.rb b/spec/acceptance/base_vhost_sorrypage_spec.rb
new file mode 100644
index 0000000..bcba5af
--- /dev/null
+++ b/spec/acceptance/base_vhost_sorrypage_spec.rb
@@ -0,0 +1,180 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'apache class' do
+
+ context ' enabling sorrypage' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ site_running => false,
+ custom_sorrypage => { 'path' => '/var/www/et2blog',
+ 'errordocument' => 'maintenance.html',
+ },
+ }
+
+ file { '/var/www/et2blog/maintenance.html':
+ ensure => 'present',
+ content => "\nSorryPage\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 503 et2blog" do
+ expect(shell("curl -I 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 503'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | grep SorryPage").exit_code).to be_zero
+ end
+
+ end
+
+ context ' enabling sorrypage and exclude healthcheck' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ site_running => false,
+ custom_sorrypage => { 'path' => '/var/www/et2blog',
+ 'errordocument' => 'maintenance.html',
+ 'healthcheck' => 'healthcheck.html'
+ },
+ }
+
+ file { '/var/www/et2blog/maintenance.html':
+ ensure => 'present',
+ content => "\nSorryPage\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+
+ file { '/var/www/et2blog/healthcheck.html':
+ ensure => 'present',
+ content => "\nHealthCheck\n",
+ require => Apache::Vhost['et2blog'],
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #test vhost - /etc/httpd/conf.d/sites/00-et2blog-80.conf
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "check 503 et2blog" do
+ expect(shell("curl -I 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 503'").exit_code).to be_zero
+ end
+
+ it "check content et2blog" do
+ expect(shell("curl 127.0.0.1/ -H 'Host: et2blog' 2>/dev/null | grep SorryPage").exit_code).to be_zero
+ end
+
+ it "check content et2blog healthcheck" do
+ expect(shell("curl 127.0.0.1/healthcheck.html -H 'Host: et2blog' 2>/dev/null | grep HealthCheck").exit_code).to be_zero
+ end
+
+ it "check 200 et2blog healthcheck" do
+ expect(shell("curl -I 127.0.0.1/healthcheck.html -H 'Host: et2blog' 2>/dev/null | head -n1 | grep 'HTTP/1.1 200 OK'").exit_code).to be_zero
+ end
+
+ end
+
+end
diff --git a/spec/acceptance/modphp_spec.rb b/spec/acceptance/modphp_spec.rb
new file mode 100644
index 0000000..aa7d1e1
--- /dev/null
+++ b/spec/acceptance/modphp_spec.rb
@@ -0,0 +1,158 @@
+require 'spec_helper_acceptance'
+require_relative './version.rb'
+
+describe 'mod_php class' do
+
+ context 'basic setup' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ class { 'apache::mod::php': }
+
+ file { '/var/www/void/phpinfo.php':
+ ensure=> 'present',
+ mode => '0666',
+ content => "\n",
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ #et2blog
+ describe file($et2blogconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/et2blog' }
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "php module loaded" do
+ expect(shell("apachectl -M | grep php").exit_code).to be_zero
+ end
+
+ it "phpinfo HTTP 200" do
+ expect(shell("curl -I localhost/phpinfo.php 2>/dev/null| grep ^HTTP | grep 200").exit_code).to be_zero
+ end
+
+ it "phpinfo" do
+ expect(shell("curl localhost/phpinfo.php 2>/dev/null| grep 'PHP License'").exit_code).to be_zero
+ end
+
+ end
+
+ context 'php uninstall' do
+ # Using puppet_apply as a helper
+ it 'should work with no errors' do
+ pp = <<-EOF
+
+ class { 'apache':
+ manage_docker_service => true,
+ }
+
+ apache::vhost {'default':
+ defaultvh=>true,
+ documentroot => '/var/www/void',
+ }
+
+ apache::vhost {'et2blog':
+ documentroot => '/var/www/et2blog',
+ }
+
+ class { 'apache::mod::php':
+ ensure => 'purged',
+ }
+
+ file { '/var/www/void/phpinfo.php':
+ ensure=> 'present',
+ mode => '0666',
+ content => "\n",
+ }
+
+ EOF
+
+ # Run it twice and test for idempotency
+ expect(apply_manifest(pp).exit_code).to_not eq(1)
+ expect(apply_manifest(pp).exit_code).to eq(0)
+ end
+
+ it "sleep 10 to make sure apache is started" do
+ expect(shell("sleep 10").exit_code).to be_zero
+ end
+
+ describe port(80) do
+ it { should be_listening }
+ end
+
+ describe package($packagename) do
+ it { is_expected.to be_installed }
+ end
+
+ describe service($servicename) do
+ it { should be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ #default vhost
+ describe file($defaultsiteconf) do
+ it { should be_file }
+ its(:content) { should match 'DocumentRoot /var/www/void' }
+ end
+
+ it "apache configtest" do
+ expect(shell("apachectl configtest").exit_code).to be_zero
+ end
+
+ it "phpinfo HTTP 200" do
+ expect(shell("curl -I localhost/phpinfo.php 2>/dev/null| grep ^HTTP | grep 200").exit_code).to be_zero
+ end
+
+ it "phpinfo contents" do
+ expect(shell("curl localhost/phpinfo.php 2>/dev/null| grep 'phpinfo()'").exit_code).to be_zero
+ end
+
+ end
+
+end
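Review bot: `mode => '0666'` on `/var/www/void/phpinfo.php`, in both the 'basic setup' and 'php uninstall' manifests, makes a script inside the document root world-writable. Any local account on the host can then replace code that the web server will execute. The test only needs Apache to read the file, so `mode => '0644',` is sufficient. Fixture manifests tend to get copied into real profiles, which is another reason to keep the permission tight here.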
diff --git a/spec/acceptance/nodesets/centos5-docker.yml b/spec/acceptance/nodesets/centos5-docker.yml
new file mode 100644
index 0000000..a929d16
--- /dev/null
+++ b/spec/acceptance/nodesets/centos5-docker.yml
@@ -0,0 +1,20 @@
+HOSTS:
+ centos-5-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-5-x86_64
+ hypervisor : docker
+ image: tianon/centos:5.10
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'rm -rf /var/run/network/*'
+ - 'yum clean all'
+ - 'yum install -y gcc make crontabs tar wget java-1.7.0-openjdk java-1.7.0-openjdk-devel'
+ - 'wget https://yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs -O /tmp/RPM-GPG-KEY-puppetlabs'
+ - 'rpm --import /tmp/RPM-GPG-KEY-puppetlabs'
+ - 'rpm --replacepkgs -ivh http://yum.puppetlabs.com/puppetlabs-release-el-5.noarch.rpm'
+CONFIG:
+ type: foss
+ log_level: debug
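Review bot: The last `docker_image_commands` entry installs `puppetlabs-release-el-5.noarch.rpm` from an `http://` URL, while the signing key two lines earlier is fetched over `https://`. The release package configures the yum repository that the agent is later installed from, so it deserves the same transport protection. I would use `'rpm --replacepkgs -ivh https://yum.puppetlabs.com/puppetlabs-release-el-5.noarch.rpm'`. As far as I know, rpm on EL5 does not refuse an unsigned package just because a key was imported, so the key import alone does not close the gap. The base image `tianon/centos:5.10` is also a third-party image referenced by mutable tag, and pinning it by digest would make the build reproducible.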
diff --git a/spec/acceptance/nodesets/centos6-docker.yml b/spec/acceptance/nodesets/centos6-docker.yml
new file mode 100644
index 0000000..b54ef32
--- /dev/null
+++ b/spec/acceptance/nodesets/centos6-docker.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ centos-6-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-6-x86_64
+ hypervisor : docker
+ image: centos:6
+ docker_preserve_image: true
+ docker_cmd: '["/sbin/init"]'
+ docker_image_commands:
+ - 'rm -rf /var/run/network/*'
+ - 'yum install -y gcc make crontabs tar wget curl'
+CONFIG:
+ type: foss
+ log_level: debug
diff --git a/spec/acceptance/nodesets/centos7-docker.yml b/spec/acceptance/nodesets/centos7-docker.yml
new file mode 100644
index 0000000..e99b37c
--- /dev/null
+++ b/spec/acceptance/nodesets/centos7-docker.yml
@@ -0,0 +1,16 @@
+HOSTS:
+ centos-7-x64:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: el-7-x86_64
+ hypervisor : docker
+ image: centos:7
+ docker_preserve_image: true
+ docker_cmd: '["/usr/sbin/init"]'
+ docker_image_commands:
+ - 'rm -rf /var/run/network/*'
+ - 'yum install -y gcc make crontabs tar wget iproute java-1.7.0-openjdk java-1.7.0-openjdk-devel'
+CONFIG:
+ type: foss
+ log_level: debug
diff --git a/spec/acceptance/nodesets/ubuntu14-docker.yml b/spec/acceptance/nodesets/ubuntu14-docker.yml
new file mode 100644
index 0000000..82cf2a8
--- /dev/null
+++ b/spec/acceptance/nodesets/ubuntu14-docker.yml
@@ -0,0 +1,14 @@
+HOSTS:
+ ubuntu-14-04:
+ default_apply_opts:
+ order: random
+ strict_variables:
+ platform: ubuntu-14.04-x64
+ hypervisor : docker
+ image: ubuntu:14.04
+ docker_preserve_image: true
+ docker_image_commands:
+ - 'apt-get install gcc make tar wget openjdk-7-jdk openjdk-7-jre -y'
+CONFIG:
+ type: foss
+ log_level: debug
diff --git a/spec/acceptance/version.rb b/spec/acceptance/version.rb
new file mode 100644
index 0000000..2023912
--- /dev/null
+++ b/spec/acceptance/version.rb
@@ -0,0 +1,50 @@
+
+_osfamily = fact('osfamily')
+_operatingsystem = fact('operatingsystem')
+_operatingsystemrelease = fact('operatingsystemrelease').to_f
+
+case _osfamily
+when 'RedHat'
+ $packagename = 'httpd'
+ $servicename = 'httpd'
+ $baseconf = '/etc/httpd'
+ $generalconf = '/etc/httpd/conf/httpd.conf'
+ $defaultsiteconf = '/etc/httpd/conf.d/00_default.conf'
+ $et2blogconf = '/etc/httpd/conf.d/sites/00-et2blog-80.conf'
+ $et2blogconfssl = '/etc/httpd/conf.d/sites/00-et2blog_ssl-443.conf'
+ $systemadminconf = '/etc/httpd/conf.d/sites/10-systemadmin.es-81.conf'
+ $testingconf = '/etc/httpd/conf.d/sites/77-testing.lol-80.conf'
+ $defaultvhconf = '/etc/httpd/conf.d/00_default.conf'
+ $modulesconf = '/etc/httpd/conf.d/modules.conf'
+ $deflateconf = '/etc/httpd/conf.d/deflate.conf'
+ $nssvhostconf = '/etc/httpd/conf.d/sites/11-ZnVja3RoYXRiaXRjaAo.com-443.conf'
+
+when 'Debian'
+ $packagename = 'apache2'
+ $servicename = 'apache2'
+ $baseconf = '/etc/apache2'
+ $generalconf = '/etc/apache2/apache2.conf'
+ $defaultsiteconf = '/etc/apache2/conf.d/00_default.conf'
+ $et2blogconf = '/etc/apache2/conf.d/sites/00-et2blog-80.conf'
+ $et2blogconfssl = '/etc/apache2/conf.d/sites/00-et2blog_ssl-443.conf'
+ $systemadminconf = '/etc/apache2/conf.d/sites/10-systemadmin.es-81.conf'
+ $testingconf = '/etc/apache2/conf.d/sites/77-testing.lol-80.conf'
+ $defaultvhconf = '/etc/apache2/conf.d/00_default.conf'
+ $modulesconf = '/etc/apache2/conf.d/modules.conf'
+ $deflateconf = '/etc/apache2/conf.d/deflate.conf'
+ $nssvhostconf = '/etc/apache2/conf.d/sites/11-ZnVja3RoYXRiaXRjaAo.com-443.conf'
+
+else
+ $packagename = '-_-'
+ $servicename = '-_-'
+ $baseconf = '-_-'
+ $defaultsiteconf = '-_-'
+ $et2blogconf = '-_-'
+ $et2blogconfssl = '-_-'
+ $systemadminconf = '-_-'
+ $defaultvhconf = '-_-'
+ $modulesconf = '-_-'
+ $deflateconf = '-_-'
+ $nssvhostconf = '-_-'
+
+end
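Review bot: The `else` branch leaves `$generalconf` and `$testingconf` unassigned although both the RedHat and Debian branches set them, so on any other osfamily they are nil while the rest hold the `'-_-'` sentinel. A spec that uses them then fails with a confusing matcher error instead of a clear "unsupported platform". Failing fast would be cleaner: `else raise "unsupported osfamily: #{_osfamily}"`. `_operatingsystem` and `_operatingsystemrelease` are computed but never read in this file. All the paths are Apache configuration paths, which does not match the `audit` module under test.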
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
new file mode 100644
index 0000000..5aa0a1f
--- /dev/null
+++ b/spec/spec_helper_acceptance.rb
@@ -0,0 +1,47 @@
+require 'beaker-rspec'
+require 'beaker_spec_helper'
+#require 'beaker/puppet_install_helper'
+#run_puppet_install_helper
+
+include BeakerSpecHelper
+
+hosts.each do |host|
+
+ if host['platform'] =~ /^ubuntu-(15.04|15.10)-/
+ on host, "wget -O /tmp/puppet.deb http://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb"
+ on host, "dpkg -i --force-all /tmp/puppet.deb"
+ on host, "apt-get update"
+ host.install_package('puppet-agent')
+ else
+ install_puppet_agent_on host, {}
+ end
+
+ # Install git so that we can install modules from github
+ if host['platform'] =~ /^el-5-/
+ # git is only available on EPEL for el-5
+ install_package host, 'epel-release'
+ end
+ install_package host, 'git'
+
+ on host, "puppet cert generate $(facter fqdn)"
+end
+
+RSpec.configure do |c|
+ # Project root
+ proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..'))
+
+ # Readable test descriptions
+ c.formatter = :documentation
+
+ # Configure all nodes in nodeset
+ c.before :suite do
+ # Install module and dependencies
+ puppet_module_install(:source => proj_root, :module_name => 'audit')
+ hosts.each do |host|
+ # dependencies
+ on host, puppet('module', 'install', 'puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] }
+ on host, puppet('module', 'install', 'puppetlabs-concat'), { :acceptable_exit_codes => [0,1] }
+ on host, puppet('module', 'install', 'eyp-eyplib'), { :acceptable_exit_codes => [0,1] }
+ end
+ end
+end
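Review bot: The Ubuntu branch downloads `puppetlabs-release-pc1-trusty.deb` over plain `http://` and installs it as root with `dpkg -i --force-all`. That package sets up the apt source from which `puppet-agent` is then installed, so whatever is served on that connection ends up trusted. I would fetch it with `https://apt.puppetlabs.com/puppetlabs-release-pc1-trusty.deb` and drop `--force-all`, which also hides dependency and conflict errors. Separately, `:acceptable_exit_codes => [0,1]` on the three `puppet module install` calls lets a failed dependency install pass silently. The regex `/^ubuntu-(15.04|15.10)-/` has unescaped dots; `/^ubuntu-15\.(04|10)-/` matches only the intended releases.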
diff --git a/templates/base_audit.erb b/templates/base_audit.erb
new file mode 100644
index 0000000..488b57e
--- /dev/null
+++ b/templates/base_audit.erb
@@ -0,0 +1,5 @@
+#reset rules
+-D
+# Increase the buffers to survive stress events.
+# Make this bigger for busy systems
+-b <%= @buffers %>
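Review bot: `@buffers` is written into the `-b` line verbatim, and the class parameter shown in init.pp is a free-form string defaulting to `'320'`. Because `-D` has already flushed the rule set two lines earlier, a non-numeric value would, as far as I can tell, make auditctl stop at the `-b` line and leave the host with no audit rules loaded at all. I would validate the parameter in the class before rendering, for example `validate_re($buffers, '^\d+$')` from stdlib, so a typo fails the catalog instead of silently disabling auditing. The validation belongs in init.pp, most of which is outside this hunk.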
diff --git a/templates/default_rules.erb b/templates/default_rules.erb
new file mode 100644
index 0000000..9cb59e6
--- /dev/null
+++ b/templates/default_rules.erb
@@ -0,0 +1,56 @@
+#audit rules
+-w /var/tmp -p x
+-w /tmp -p x
+-w /home -p x
+#Record Events That Modify Date and Time Information
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+#Record Events That Modify User/Group Information
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+#Record Events That Modify the System\'s Network Environment
+-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+<% if(@sysconfig) -%>
+-w /etc/sysconfig/network -p wa -k system-locale
+<% end -%>
+#Collect Login and Logout Events
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/btmp -p wa -k session
+#Collect Session Initiation Information
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+#Collect Discretionary Access Control Permission Modification Events
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+#Collect Unsuccessful Unauthorized Access Attempts to Files
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+#Collect mount system call by non-privileged user
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+#Collect File Deletion Events by User
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+#Collect Changes to System Administration Scope
+-w /etc/sudoers -p wa -k scope
+#Collect Kernel Module Loading and Unloading
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
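Review bot: The kernel-module section at the end watches only execution of `/sbin/insmod`, `/sbin/rmmod` and `/sbin/modprobe`, so a module loaded through the syscall directly, or via a binary at another path, is never recorded. I would add the syscall rules next to the watches: `-a always,exit -F arch=b64 -S init_module -S delete_module -k modules`, plus the matching `arch=b32` line. `finit_module` can be added where the target kernels support it. The three watches at the top (`-w /var/tmp -p x`, `-w /tmp -p x`, `-w /home -p x`) carry no `-k` key, which makes their events hard to pick out with `ausearch -k`; something like `-k exec-tmp` would fix that. `/etc/sudoers` is watched but `/etc/sudoers.d` is not, and the `arch=b64` rules are emitted unconditionally, which a 32-bit host would probably reject.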