mod_security: sync with rawhideHEADmaster

3 files changed, 87 insertions, 99 deletions

diff --git a/10-mod_security.conf b/10-mod_security.conf
new file mode 100644
index 0000000..dfe0955
--- /dev/null
+++ b/10-mod_security.conf
@@ -0,0 +1,5 @@
+LoadModule security2_module modules/mod_security2.so
+
+<IfModule !mod_unique_id.c>
+    LoadModule unique_id_module modules/mod_unique_id.so
+</IfModule>
diff --git a/mod_security.conf b/mod_security.conf
index 7468a05..809549e 100644
--- a/mod_security.conf
+++ b/mod_security.conf
@@ -1,92 +1,54 @@
-
-LoadModule security2_module modules/mod_security2.so
-LoadModule unique_id_module modules/mod_unique_id.so
-
 <IfModule mod_security2.c>
-	# This is the ModSecurity Core Rules Set.
-
-	# Basic configuration goes in here
+    # ModSecurity Core Rules Set configuration
 	Include modsecurity.d/*.conf
 	Include modsecurity.d/activated_rules/*.conf
-
-	# Additional items taken from new minimal modsecurity conf
-	# Basic configuration options
-	SecRuleEngine On
-	SecRequestBodyAccess On
-	SecResponseBodyAccess Off
-	
-	# Handling of file uploads
-	# TODO Choose a folder private to Apache.
-	# SecUploadDir /opt/apache-frontend/tmp/
-	SecUploadKeepFiles Off
-	SecUploadFileLimit 10
-
-	# Debug log
-	SecDebugLog /var/log/httpd/modsec_debug.log
-	SecDebugLogLevel 0
-
-	# Audit log
-	SecAuditEngine RelevantOnly
-	SecAuditLogRelevantStatus ^5
-	SecAuditLogType Serial
-	SecAuditLogParts ABIFHZ
-	SecAuditLog /var/log/httpd/modsec_audit.log
-
-	# Alternative mlogc configuration
-	#SecAuditLogType Concurrent
-	#SecAuditLogParts ABIDEFGHZ
-	#SecAuditLogStorageDir /var/log/mlogc/data
-	#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
-
-	# Set Data Directory
-	SecDataDir /var/log/httpd/
-
-	# Maximum request body size we will
-	# accept for buffering
-	SecRequestBodyLimit 131072
-
-	# Store up to 128 KB in memory
-	SecRequestBodyInMemoryLimit 131072
-
-	# Buffer response bodies of up to
-	# 512 KB in length
-	SecResponseBodyLimit 524288
-
-	# Verify that we've correctly processed the request body.
-	# As a rule of thumb, when failing to process a request body
-	# you should reject the request (when deployed in blocking mode)
-	# or log a high-severity alert (when deployed in detection-only mode).
-	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
-
-	# By default be strict with what we accept in the multipart/form-data
-	# request body. If the rule below proves to be too strict for your
-	# environment consider changing it to detection-only. You are encouraged
-	# _not_ to remove it altogether.
-	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart request body \
-	failed strict validation: \
-	PE %{REQBODY_PROCESSOR_ERROR}, \
-	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-	DB %{MULTIPART_DATA_BEFORE}, \
-	DA %{MULTIPART_DATA_AFTER}, \
-	HF %{MULTIPART_HEADER_FOLDING}, \
-	LF %{MULTIPART_LF_LINE}, \
-	SM %{MULTIPART_SEMICOLON_MISSING}, \
-	IQ %{MULTIPART_INVALID_QUOTING}, \
-	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-	
-	# Did we see anything that might be a boundary?
-	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-	
-	# Some internal errors will set flags in TX and we will need to look for these.
-	# All of these are prefixed with "MSC_".  The following flags currently exist:
-	#
-	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-	#
-	SecRule TX:/^MSC_/ "!@streq 0" \
-	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+    
+    # Default recommended configuration
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyInMemoryLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000
+
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/httpd/modsec_debug.log
+    SecDebugLogLevel 0
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/httpd/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecTmpDir /var/lib/mod_security
+    SecDataDir /var/lib/mod_security
 </IfModule>
diff --git a/mod_security.spec b/mod_security.spec
index 60fc3c6..1496110 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -5,15 +5,18 @@
 %{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
 %{!?_httpd_moddir:    %{expand: %%global _httpd_moddir    %%{_libdir}/httpd/modules}}
 
+%global with_mlogc 0%{?fedora} || 0%{?rhel} <= 6
+
 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 2.7.1
-Release: 3%{?dist}
+Version: 2.7.2
+Release: 1%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
 Group: System Environment/Daemons
-Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz
+Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{version}.tar.gz
 Source1: mod_security.conf
+Source2: 10-mod_security.conf
 Requires: httpd httpd-mmn = %{_httpd_mmn}
 BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
 
@@ -22,6 +25,7 @@ ModSecurity is an open source intrusion detection and prevention engine
 for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.
 
+%if %with_mlogc
 %package -n     mlogc
 Summary:        ModSecurity Audit Log Collector
 Group:          System Environment/Daemons
@@ -29,6 +33,7 @@ Requires:       mod_security
 
 %description -n mlogc
 This package contains the ModSecurity Audit Log Collector.
+%endif
 
 %prep
 %setup -q -n modsecurity-apache_%{version}
@@ -56,24 +61,24 @@ install -m0755 apache2/.libs/mod_security2.so %{buildroot}%{_httpd_moddir}/mod_s
 
 %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
 # 2.4-style
-sed -n /^LoadModule/p %{SOURCE1} > 10-mod_security.conf
-sed    /LoadModule/d  %{SOURCE1} > mod_security.conf
-touch -r %{SOURCE1} *.conf
-install -Dp -m0644 mod_security.conf %{buildroot}%{_httpd_confdir}/mod_security.conf
-install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf
+install -Dp -m0644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf
+install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
+sed  -i 's/Include/IncludeOptional/'  %{buildroot}%{_httpd_confdir}/mod_security.conf
 %else
 # 2.2-style
-install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
+install -d -m0755 %{buildroot}%{_httpd_confdir}
+cat %{SOURCE2} %{SOURCE1} > %{buildroot}%{_httpd_confdir}/mod_security.conf
 %endif
 install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
 
 # mlogc
+%if %with_mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc/data
 install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
 install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
-
+%endif
 
 %clean
 rm -rf %{buildroot}
@@ -90,6 +95,7 @@ rm -rf %{buildroot}
 %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
 %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
 
+%if %with_mlogc
 %files -n mlogc
 %defattr (-,root,root)
 %doc mlogc/INSTALL
@@ -98,9 +104,24 @@ rm -rf %{buildroot}
 %attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data
 %attr(0755,root,root) %{_bindir}/mlogc
 %attr(0755,root,root) %{_bindir}/mlogc-batch-load
+%endif
 
 %changelog
-* Sat Nov 17 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.67.1-3
+* Wed Feb 13 2013 Remi Collet <RPMS@FamilleCollet.com> - 2.7.2-1
+- Update to 2.7.1, backport for remi repo and httpd 2.4
+
+* Fri Jan 25 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.2-1
+- Update to 2.7.2
+- Update source url in the spec.
+
+* Thu Nov 22 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-5
+- Use conditional for loading mod_unique_id (rhbz #879264)
+- Fix syntax errors on httpd 2.4.x by using IncludeOptional (rhbz #879264, comment #2)
+
+* Mon Nov 19 2012 Peter Vrabec <pvrabec@redhat.com> 2.7.1-4
+- mlogc subpackage is not provided on RHEL7
+
+* Sat Nov 17 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.7.1-3
 - Update to 2.7.1, backport for remi repo and httpd 2.4
 
 * Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3