CU-cyk0dp Added more rules to modsecurity

ansible/roles/http/tasks/modsec.yml

@@ -8,39 +8,86 @@
     group: root
     mode: 0644
   with_items:
-    - "{{ nginx_conf_dir }}"
-    - "{{ modsec_rules_dir }}"
+    - "{{ nginx_conf_path }}"
+    - "{{ modsec_rules_path }}"
   tags: modsec
 
 - name: create modsec_includes.conf
   become: true
   copy:
     src: files/nginx/modsec_includes.conf
-    dest: "{{ nginx_dir }}/modsec_includes.conf"
+    dest: "{{ nginx_path }}/modsec_includes.conf"
     mode: 0644
   notify: restart_nginx
   tags: modsec
 
-- name: fetch core rule set files for mod-security
+- name: clone coreruleset and modsecurity
   become: true
-  get_url:
-    url: "{{ item.url }}"
+  git:
+    repo: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    mode: 0644
-  with_items:
-    - {"url": "{{ modsec_conf_url }}",
-       "dest": "{{ nginx_dir }}/modsecurity.conf"}
-    - {"url": "{{ modsec_unicode_url }}",
-       "dest": "{{ nginx_dir }}/unicode.mapping"}
-    - {"url": "{{ crs_setup_url }}",
-       "dest": "{{ nginx_conf_dir }}/crs-setup.conf"}
-    - {"url": "{{ crs_before_url }}",
-       "dest": "{{ modsec_crs_before_rule_conf }}"}
-    - {"url": "{{ crs_after_url }}",
-       "dest": "{{ modsec_crs_after_rule_conf }}"}
+    update: false
+    version: "{{ item.ver }}"
+  with_items: "{{ modsec_git_urls }}"
   notify: restart_nginx
   tags: modsec
 
+- name: setup modsec and coreruleset configs
+  become: true
+  file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    state: link
+    force: true
+    mode: 0644
+  with_items: "{{ modsec_conf_links }}"
+  notify: restart_nginx
+  tags: modsec
+
+- name: setup coreruleset rules
+  become: true
+  file:
+    src: "{{ crs_rules_path }}/{{ item.name }}.conf"
+    dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
+    state: "{{ item.enabled | ternary('link', 'absent') }}"
+    force: true
+    mode: 0644
+  with_items: "{{ crs_rule_links }}"
+  notify: restart_nginx
+  tags: modsec, modsec_rules
+
+- name: setup coreruleset data
+  become: true
+  file:
+    src: "{{ crs_rules_path }}/{{ item }}.data"
+    dest: "{{ modsec_rules_path }}/{{ item }}.data"
+    state: link
+    force: true
+    mode: 0644
+  with_items: "{{ crs_data_links }}"
+  notify: restart_nginx
+  tags: modsec, modsec_rules
+
+# name: fetch core rule set files for mod-security
+# become: true
+# get_url:
+#   url: "{{ item.url }}"
+#   dest: "{{ item.dest }}"
+#   mode: 0644
+# with_items:
+#   - {"url": "{{ modsec_conf_url }}",
+#      "dest": "{{ nginx_path }}/modsecurity.conf"}
+#   - {"url": "{{ modsec_unicode_url }}",
+#      "dest": "{{ nginx_path }}/unicode.mapping"}
+#   - {"url": "{{ crs_setup_url }}",
+#      "dest": "{{ nginx_conf_path }}/crs-setup.conf"}
+#   - {"url": "{{ crs_before_url }}",
+#      "dest": "{{ modsec_crs_before_rule_conf }}"}
+#   - {"url": "{{ crs_after_url }}",
+#      "dest": "{{ modsec_crs_after_rule_conf }}"}
+# notify: restart_nginx
+# tags: modsec
+
 - name: activate mod-security
   become: true
   lineinfile: