summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2013-02-13 14:50:16 +0100
committerRemi Collet <fedora@famillecollet.com>2013-02-13 14:50:16 +0100
commit299677d1a552812c131fb1bde087ac556a17784d (patch)
tree988019441bdbdbf8805d251a341546989def7e1f
parent99c0349216f19f513e1306a4e0f66d0566e637ad (diff)
mod_security: sync with rawhideHEADmaster
-rw-r--r--10-mod_security.conf5
-rw-r--r--mod_security.conf138
-rw-r--r--mod_security.spec43
3 files changed, 87 insertions, 99 deletions
diff --git a/10-mod_security.conf b/10-mod_security.conf
new file mode 100644
index 0000000..dfe0955
--- /dev/null
+++ b/10-mod_security.conf
@@ -0,0 +1,5 @@
+LoadModule security2_module modules/mod_security2.so
+
+<IfModule !mod_unique_id.c>
+ LoadModule unique_id_module modules/mod_unique_id.so
+</IfModule>
diff --git a/mod_security.conf b/mod_security.conf
index 7468a05..809549e 100644
--- a/mod_security.conf
+++ b/mod_security.conf
@@ -1,92 +1,54 @@
-
-LoadModule security2_module modules/mod_security2.so
-LoadModule unique_id_module modules/mod_unique_id.so
-
<IfModule mod_security2.c>
- # This is the ModSecurity Core Rules Set.
-
- # Basic configuration goes in here
+ # ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
-
- # Additional items taken from new minimal modsecurity conf
- # Basic configuration options
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess Off
-
- # Handling of file uploads
- # TODO Choose a folder private to Apache.
- # SecUploadDir /opt/apache-frontend/tmp/
- SecUploadKeepFiles Off
- SecUploadFileLimit 10
-
- # Debug log
- SecDebugLog /var/log/httpd/modsec_debug.log
- SecDebugLogLevel 0
-
- # Audit log
- SecAuditEngine RelevantOnly
- SecAuditLogRelevantStatus ^5
- SecAuditLogType Serial
- SecAuditLogParts ABIFHZ
- SecAuditLog /var/log/httpd/modsec_audit.log
-
- # Alternative mlogc configuration
- #SecAuditLogType Concurrent
- #SecAuditLogParts ABIDEFGHZ
- #SecAuditLogStorageDir /var/log/mlogc/data
- #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
-
- # Set Data Directory
- SecDataDir /var/log/httpd/
-
- # Maximum request body size we will
- # accept for buffering
- SecRequestBodyLimit 131072
-
- # Store up to 128 KB in memory
- SecRequestBodyInMemoryLimit 131072
-
- # Buffer response bodies of up to
- # 512 KB in length
- SecResponseBodyLimit 524288
-
- # Verify that we've correctly processed the request body.
- # As a rule of thumb, when failing to process a request body
- # you should reject the request (when deployed in blocking mode)
- # or log a high-severity alert (when deployed in detection-only mode).
- SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
-
- # By default be strict with what we accept in the multipart/form-data
- # request body. If the rule below proves to be too strict for your
- # environment consider changing it to detection-only. You are encouraged
- # _not_ to remove it altogether.
- SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Multipart request body \
- failed strict validation: \
- PE %{REQBODY_PROCESSOR_ERROR}, \
- BQ %{MULTIPART_BOUNDARY_QUOTED}, \
- BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
- DB %{MULTIPART_DATA_BEFORE}, \
- DA %{MULTIPART_DATA_AFTER}, \
- HF %{MULTIPART_HEADER_FOLDING}, \
- LF %{MULTIPART_LF_LINE}, \
- SM %{MULTIPART_SEMICOLON_MISSING}, \
- IQ %{MULTIPART_INVALID_QUOTING}, \
- IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
- IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
- # Did we see anything that might be a boundary?
- SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
- # Some internal errors will set flags in TX and we will need to look for these.
- # All of these are prefixed with "MSC_". The following flags currently exist:
- #
- # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
- #
- SecRule TX:/^MSC_/ "!@streq 0" \
- "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ # Default recommended configuration
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ SecRequestBodyLimit 13107200
+ SecRequestBodyNoFilesLimit 131072
+ SecRequestBodyInMemoryLimit 131072
+ SecRequestBodyLimitAction Reject
+ SecRule REQBODY_ERROR "!@eq 0" \
+ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+ failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_MISSING_SEMICOLON}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IP %{MULTIPART_INVALID_PART}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ SecResponseBodyAccess Off
+ SecDebugLog /var/log/httpd/modsec_debug.log
+ SecDebugLogLevel 0
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+ SecAuditLogParts ABIJDEFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/httpd/modsec_audit.log
+ SecArgumentSeparator &
+ SecCookieFormat 0
+ SecTmpDir /var/lib/mod_security
+ SecDataDir /var/lib/mod_security
</IfModule>
diff --git a/mod_security.spec b/mod_security.spec
index 60fc3c6..1496110 100644
--- a/mod_security.spec
+++ b/mod_security.spec
@@ -5,15 +5,18 @@
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
+%global with_mlogc 0%{?fedora} || 0%{?rhel} <= 6
+
Summary: Security module for the Apache HTTP Server
Name: mod_security
-Version: 2.7.1
-Release: 3%{?dist}
+Version: 2.7.2
+Release: 1%{?dist}
License: ASL 2.0
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
-Source: https://github.com/downloads/SpiderLabs/ModSecurity/modsecurity-apache_%{version}.tar.gz
+Source: http://www.modsecurity.org/tarball/%{version}/modsecurity-apache_%{version}.tar.gz
Source1: mod_security.conf
+Source2: 10-mod_security.conf
Requires: httpd httpd-mmn = %{_httpd_mmn}
BuildRequires: httpd-devel libxml2-devel pcre-devel curl-devel lua-devel
@@ -22,6 +25,7 @@ ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting
as a powerful umbrella - shielding web applications from attacks.
+%if %with_mlogc
%package -n mlogc
Summary: ModSecurity Audit Log Collector
Group: System Environment/Daemons
@@ -29,6 +33,7 @@ Requires: mod_security
%description -n mlogc
This package contains the ModSecurity Audit Log Collector.
+%endif
%prep
%setup -q -n modsecurity-apache_%{version}
@@ -56,24 +61,24 @@ install -m0755 apache2/.libs/mod_security2.so %{buildroot}%{_httpd_moddir}/mod_s
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
# 2.4-style
-sed -n /^LoadModule/p %{SOURCE1} > 10-mod_security.conf
-sed /LoadModule/d %{SOURCE1} > mod_security.conf
-touch -r %{SOURCE1} *.conf
-install -Dp -m0644 mod_security.conf %{buildroot}%{_httpd_confdir}/mod_security.conf
-install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf
+install -Dp -m0644 %{SOURCE2} %{buildroot}%{_httpd_modconfdir}/10-mod_security.conf
+install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
+sed -i 's/Include/IncludeOptional/' %{buildroot}%{_httpd_confdir}/mod_security.conf
%else
# 2.2-style
-install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
+install -d -m0755 %{buildroot}%{_httpd_confdir}
+cat %{SOURCE2} %{SOURCE1} > %{buildroot}%{_httpd_confdir}/mod_security.conf
%endif
install -m 700 -d $RPM_BUILD_ROOT%{_localstatedir}/lib/%{name}
# mlogc
+%if %with_mlogc
install -d %{buildroot}%{_localstatedir}/log/mlogc
install -d %{buildroot}%{_localstatedir}/log/mlogc/data
install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
-
+%endif
%clean
rm -rf %{buildroot}
@@ -90,6 +95,7 @@ rm -rf %{buildroot}
%dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
%attr(770,apache,root) %dir %{_localstatedir}/lib/%{name}
+%if %with_mlogc
%files -n mlogc
%defattr (-,root,root)
%doc mlogc/INSTALL
@@ -98,9 +104,24 @@ rm -rf %{buildroot}
%attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data
%attr(0755,root,root) %{_bindir}/mlogc
%attr(0755,root,root) %{_bindir}/mlogc-batch-load
+%endif
%changelog
-* Sat Nov 17 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.67.1-3
+* Wed Feb 13 2013 Remi Collet <RPMS@FamilleCollet.com> - 2.7.2-1
+- Update to 2.7.1, backport for remi repo and httpd 2.4
+
+* Fri Jan 25 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.2-1
+- Update to 2.7.2
+- Update source url in the spec.
+
+* Thu Nov 22 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-5
+- Use conditional for loading mod_unique_id (rhbz #879264)
+- Fix syntax errors on httpd 2.4.x by using IncludeOptional (rhbz #879264, comment #2)
+
+* Mon Nov 19 2012 Peter Vrabec <pvrabec@redhat.com> 2.7.1-4
+- mlogc subpackage is not provided on RHEL7
+
+* Sat Nov 17 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.7.1-3
- Update to 2.7.1, backport for remi repo and httpd 2.4
* Thu Nov 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.1-3