From 299677d1a552812c131fb1bde087ac556a17784d Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 13 Feb 2013 14:50:16 +0100 Subject: mod_security: sync with rawhide --- 10-mod_security.conf | 5 ++ mod_security.conf | 138 +++++++++++++++++++-------------------------------- mod_security.spec | 43 ++++++++++++---- 3 files changed, 87 insertions(+), 99 deletions(-) create mode 100644 10-mod_security.conf diff --git a/10-mod_security.conf b/10-mod_security.conf new file mode 100644 index 0000000..dfe0955 --- /dev/null +++ b/10-mod_security.conf @@ -0,0 +1,5 @@ +LoadModule security2_module modules/mod_security2.so + + + LoadModule unique_id_module modules/mod_unique_id.so + diff --git a/mod_security.conf b/mod_security.conf index 7468a05..809549e 100644 --- a/mod_security.conf +++ b/mod_security.conf @@ -1,92 +1,54 @@ - -LoadModule security2_module modules/mod_security2.so -LoadModule unique_id_module modules/mod_unique_id.so - - # This is the ModSecurity Core Rules Set. - - # Basic configuration goes in here + # ModSecurity Core Rules Set configuration Include modsecurity.d/*.conf Include modsecurity.d/activated_rules/*.conf - - # Additional items taken from new minimal modsecurity conf - # Basic configuration options - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess Off - - # Handling of file uploads - # TODO Choose a folder private to Apache. - # SecUploadDir /opt/apache-frontend/tmp/ - SecUploadKeepFiles Off - SecUploadFileLimit 10 - - # Debug log - SecDebugLog /var/log/httpd/modsec_debug.log - SecDebugLogLevel 0 - - # Audit log - SecAuditEngine RelevantOnly - SecAuditLogRelevantStatus ^5 - SecAuditLogType Serial - SecAuditLogParts ABIFHZ - SecAuditLog /var/log/httpd/modsec_audit.log - - # Alternative mlogc configuration - #SecAuditLogType Concurrent - #SecAuditLogParts ABIDEFGHZ - #SecAuditLogStorageDir /var/log/mlogc/data - #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf" - - # Set Data Directory - SecDataDir /var/log/httpd/ - - # Maximum request body size we will - # accept for buffering - SecRequestBodyLimit 131072 - - # Store up to 128 KB in memory - SecRequestBodyInMemoryLimit 131072 - - # Buffer response bodies of up to - # 512 KB in length - SecResponseBodyLimit 524288 - - # Verify that we've correctly processed the request body. - # As a rule of thumb, when failing to process a request body - # you should reject the request (when deployed in blocking mode) - # or log a high-severity alert (when deployed in detection-only mode). - SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2" - - # By default be strict with what we accept in the multipart/form-data - # request body. If the rule below proves to be too strict for your - # environment consider changing it to detection-only. You are encouraged - # _not_ to remove it altogether. - SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart request body \ - failed strict validation: \ - PE %{REQBODY_PROCESSOR_ERROR}, \ - BQ %{MULTIPART_BOUNDARY_QUOTED}, \ - BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ - DB %{MULTIPART_DATA_BEFORE}, \ - DA %{MULTIPART_DATA_AFTER}, \ - HF %{MULTIPART_HEADER_FOLDING}, \ - LF %{MULTIPART_LF_LINE}, \ - SM %{MULTIPART_SEMICOLON_MISSING}, \ - IQ %{MULTIPART_INVALID_QUOTING}, \ - IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ - IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'" - - # Did we see anything that might be a boundary? - SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ - "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" - - # Some internal errors will set flags in TX and we will need to look for these. - # All of these are prefixed with "MSC_". The following flags currently exist: - # - # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. - # - SecRule TX:/^MSC_/ "!@streq 0" \ - "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + + # Default recommended configuration + SecRuleEngine On + SecRequestBodyAccess On + SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + SecRequestBodyLimit 13107200 + SecRequestBodyNoFilesLimit 131072 + SecRequestBodyInMemoryLimit 131072 + SecRequestBodyLimitAction Reject + SecRule REQBODY_ERROR "!@eq 0" \ + "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \ + failed strict validation: \ + PE %{REQBODY_PROCESSOR_ERROR}, \ + BQ %{MULTIPART_BOUNDARY_QUOTED}, \ + BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ + DB %{MULTIPART_DATA_BEFORE}, \ + DA %{MULTIPART_DATA_AFTER}, \ + HF %{MULTIPART_HEADER_FOLDING}, \ + LF %{MULTIPART_LF_LINE}, \ + SM %{MULTIPART_MISSING_SEMICOLON}, \ + IQ %{MULTIPART_INVALID_QUOTING}, \ + IP %{MULTIPART_INVALID_PART}, \ + IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ + FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" + + SecPcreMatchLimit 1000 + SecPcreMatchLimitRecursion 1000 + + SecRule TX:/^MSC_/ "!@streq 0" \ + "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + + SecResponseBodyAccess Off + SecDebugLog /var/log/httpd/modsec_debug.log + SecDebugLogLevel 0 + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus "^(?:5|4(?!04))" + SecAuditLogParts ABIJDEFHZ + SecAuditLogType Serial + SecAuditLog /var/log/httpd/modsec_audit.log + SecArgumentSeparator & + SecCookieFormat 0 + SecTmpDir /var/lib/mod_security + SecDataDir /var/lib/mod_security diff --git a/mod_security.spec b/mod_security.spec index 60fc3c6..1496110 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -5,15 +5,18 @@ %{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} %{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} +%global with_mlogc 0%{?fedora} || 0%{?rhel} <= 6 + Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 2.7.1 -Release: 3%{?dist} +Version: 2.7.2 +Release: 1%{?dist} License: ASL 2.0 URL: http://www.modsecurity.org/ Group: System Environment/Daemons -Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz +Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{version}.tar.gz Source1: mod_security.conf +Source2: 10-mod_security.conf Requires: httpd httpd-mmn = %{_httpd_mmn} BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel @@ -22,6 +25,7 @@ ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding web applications from attacks. +%if %with_mlogc %package -n mlogc Summary: ModSecurity Audit Log Collector Group: System Environment/Daemons @@ -29,6 +33,7 @@ Requires: mod_security %description -n mlogc This package contains the ModSecurity Audit Log Collector. +%endif %prep %setup -q -n modsecurity-apache_%{version} @@ -56,24 +61,24 @@ install -m0755 apache2/.libs/mod_security2.so %{buildroot}%{_httpd_moddir}/mod_s %if "%{_httpd_modconfdir}" != "%{_httpd_confdir}" # 2.4-style -sed -n /^LoadModule/p %{SOURCE1} > 10-mod_security.conf -sed /LoadModule/d %{SOURCE1} > mod_security.conf -touch -r %{SOURCE1} *.conf -install -Dp -m0644 mod_security.conf %{buildroot}%{_httpd_confdir}/mod_security.conf -install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf +install -Dp -m0644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf +install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf +sed -i 's/Include/IncludeOptional/' %{buildroot}%{_httpd_confdir}/mod_security.conf %else # 2.2-style -install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf +install -d -m0755 %{buildroot}%{_httpd_confdir} +cat %{SOURCE2} %{SOURCE1} > %{buildroot}%{_httpd_confdir}/mod_security.conf %endif install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name} # mlogc +%if %with_mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc install -d %{buildroot}%{_localstatedir}/log/mlogc/data install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf - +%endif %clean rm -rf %{buildroot} @@ -90,6 +95,7 @@ rm -rf %{buildroot} %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules %attr(770,apache,root) %dir %{_localstatedir}/lib/%{name} +%if %with_mlogc %files -n mlogc %defattr (-,root,root) %doc mlogc/INSTALL @@ -98,9 +104,24 @@ rm -rf %{buildroot} %attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data %attr(0755,root,root) %{_bindir}/mlogc %attr(0755,root,root) %{_bindir}/mlogc-batch-load +%endif %changelog -* Sat Nov 17 2012 Remi Collet - 2.67.1-3 +* Wed Feb 13 2013 Remi Collet - 2.7.2-1 +- Update to 2.7.1, backport for remi repo and httpd 2.4 + +* Fri Jan 25 2013 Athmane Madjoudj 2.7.2-1 +- Update to 2.7.2 +- Update source url in the spec. + +* Thu Nov 22 2012 Athmane Madjoudj 2.7.1-5 +- Use conditional for loading mod_unique_id (rhbz #879264) +- Fix syntax errors on httpd 2.4.x by using IncludeOptional (rhbz #879264, comment #2) + +* Mon Nov 19 2012 Peter Vrabec 2.7.1-4 +- mlogc subpackage is not provided on RHEL7 + +* Sat Nov 17 2012 Remi Collet - 2.7.1-3 - Update to 2.7.1, backport for remi repo and httpd 2.4 * Thu Nov 15 2012 Athmane Madjoudj 2.7.1-3 -- cgit