summaryrefslogtreecommitdiffstats
path: root/mod_security.conf
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2013-02-13 14:50:16 +0100
committerRemi Collet <fedora@famillecollet.com>2013-02-13 14:50:16 +0100
commit299677d1a552812c131fb1bde087ac556a17784d (patch)
tree988019441bdbdbf8805d251a341546989def7e1f /mod_security.conf
parent99c0349216f19f513e1306a4e0f66d0566e637ad (diff)
mod_security: sync with rawhideHEADmaster
Diffstat (limited to 'mod_security.conf')
-rw-r--r--mod_security.conf138
1 files changed, 50 insertions, 88 deletions
diff --git a/mod_security.conf b/mod_security.conf
index 7468a05..809549e 100644
--- a/mod_security.conf
+++ b/mod_security.conf
@@ -1,92 +1,54 @@
-
-LoadModule security2_module modules/mod_security2.so
-LoadModule unique_id_module modules/mod_unique_id.so
-
<IfModule mod_security2.c>
- # This is the ModSecurity Core Rules Set.
-
- # Basic configuration goes in here
+ # ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
-
- # Additional items taken from new minimal modsecurity conf
- # Basic configuration options
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess Off
-
- # Handling of file uploads
- # TODO Choose a folder private to Apache.
- # SecUploadDir /opt/apache-frontend/tmp/
- SecUploadKeepFiles Off
- SecUploadFileLimit 10
-
- # Debug log
- SecDebugLog /var/log/httpd/modsec_debug.log
- SecDebugLogLevel 0
-
- # Audit log
- SecAuditEngine RelevantOnly
- SecAuditLogRelevantStatus ^5
- SecAuditLogType Serial
- SecAuditLogParts ABIFHZ
- SecAuditLog /var/log/httpd/modsec_audit.log
-
- # Alternative mlogc configuration
- #SecAuditLogType Concurrent
- #SecAuditLogParts ABIDEFGHZ
- #SecAuditLogStorageDir /var/log/mlogc/data
- #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
-
- # Set Data Directory
- SecDataDir /var/log/httpd/
-
- # Maximum request body size we will
- # accept for buffering
- SecRequestBodyLimit 131072
-
- # Store up to 128 KB in memory
- SecRequestBodyInMemoryLimit 131072
-
- # Buffer response bodies of up to
- # 512 KB in length
- SecResponseBodyLimit 524288
-
- # Verify that we've correctly processed the request body.
- # As a rule of thumb, when failing to process a request body
- # you should reject the request (when deployed in blocking mode)
- # or log a high-severity alert (when deployed in detection-only mode).
- SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
-
- # By default be strict with what we accept in the multipart/form-data
- # request body. If the rule below proves to be too strict for your
- # environment consider changing it to detection-only. You are encouraged
- # _not_ to remove it altogether.
- SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Multipart request body \
- failed strict validation: \
- PE %{REQBODY_PROCESSOR_ERROR}, \
- BQ %{MULTIPART_BOUNDARY_QUOTED}, \
- BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
- DB %{MULTIPART_DATA_BEFORE}, \
- DA %{MULTIPART_DATA_AFTER}, \
- HF %{MULTIPART_HEADER_FOLDING}, \
- LF %{MULTIPART_LF_LINE}, \
- SM %{MULTIPART_SEMICOLON_MISSING}, \
- IQ %{MULTIPART_INVALID_QUOTING}, \
- IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
- IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-
- # Did we see anything that might be a boundary?
- SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
- "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-
- # Some internal errors will set flags in TX and we will need to look for these.
- # All of these are prefixed with "MSC_". The following flags currently exist:
- #
- # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
- #
- SecRule TX:/^MSC_/ "!@streq 0" \
- "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ # Default recommended configuration
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ SecRequestBodyLimit 13107200
+ SecRequestBodyNoFilesLimit 131072
+ SecRequestBodyInMemoryLimit 131072
+ SecRequestBodyLimitAction Reject
+ SecRule REQBODY_ERROR "!@eq 0" \
+ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+ failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_MISSING_SEMICOLON}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IP %{MULTIPART_INVALID_PART}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ SecResponseBodyAccess Off
+ SecDebugLog /var/log/httpd/modsec_debug.log
+ SecDebugLogLevel 0
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+ SecAuditLogParts ABIJDEFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/httpd/modsec_audit.log
+ SecArgumentSeparator &
+ SecCookieFormat 0
+ SecTmpDir /var/lib/mod_security
+ SecDataDir /var/lib/mod_security
</IfModule>