mod_security-rpm/mod_security.conf

# Example configuration file for the mod_security Apache module

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule mod_security2.c>
	# This is the ModSecurity Core Rules Set.
	
	# Basic configuration goes in here
	Include modsecurity.d/*.conf
	Include modsecurity.d/base_rules/*.conf

	# Additional items taken from new minimal modsecurity conf
	# Basic configuration options
	SecRuleEngine On
	SecRequestBodyAccess On
	SecResponseBodyAccess Off
	
	# PCRE Tuning
	SecPcreMatchLimit 1000
	SecPcreMatchLimitRecursion 1000

	# Handling of file uploads
	# TODO Choose a folder private to Apache.
	# SecUploadDir /opt/apache-frontend/tmp/
	SecUploadKeepFiles Off
	SecUploadFileLimit 10

	# Debug log
	SecDebugLog /var/log/httpd/modsec_debug.log
	SecDebugLogLevel 0

	# Serial audit log
	SecAuditEngine RelevantOnly
	SecAuditLogRelevantStatus ^5
	SecAuditLogParts ABIFHZ
	SecAuditLogType Serial
	SecAuditLog /var/log/httpd/modsec_audit.log

	# Set Data Directory
	SecDataDir /var/log/httpd/

	# Maximum request body size we will
	# accept for buffering
	SecRequestBodyLimit 131072

	# Store up to 128 KB in memory
	SecRequestBodyInMemoryLimit 131072

	# Buffer response bodies of up to
	# 512 KB in length
	SecResponseBodyLimit 524288

	# Verify that we've correctly processed the request body.
	# As a rule of thumb, when failing to process a request body
	# you should reject the request (when deployed in blocking mode)
	# or log a high-severity alert (when deployed in detection-only mode).
	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

	# By default be strict with what we accept in the multipart/form-data
	# request body. If the rule below proves to be too strict for your
	# environment consider changing it to detection-only. You are encouraged
	# _not_ to remove it altogether.
	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
	"phase:2,t:none,log,deny,msg:'Multipart request body \
	failed strict validation: \
	PE %{REQBODY_PROCESSOR_ERROR}, \
	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
	DB %{MULTIPART_DATA_BEFORE}, \
	DA %{MULTIPART_DATA_AFTER}, \
	HF %{MULTIPART_HEADER_FOLDING}, \
	LF %{MULTIPART_LF_LINE}, \
	SM %{MULTIPART_SEMICOLON_MISSING}, \
	IQ %{MULTIPART_INVALID_QUOTING}, \
	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
	
	# Did we see anything that might be a boundary?
	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
	
	# Some internal errors will set flags in TX and we will need to look for these.
	# All of these are prefixed with "MSC_".  The following flags currently exist:
	#
	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
	#
	SecRule TX:/^MSC_/ "!@streq 0" \
	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

	# Local rules
	Include modsecurity.d/modsecurity_localrules.conf

</IfModule>
auto-import mod_security-1.8.7-1 on branch devel from mod_security-1.8.7-1.src.rpm 2005-05-19 03:39:17 +02:00			`# Example configuration file for the mod_security Apache module`

- New major release - 2.1.0 - Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic - Addition of core ruleset - (Build)Requires libxml2 and pcre added. 2007-03-13 10:20:35 +01:00			`LoadModule security2_module modules/mod_security2.so`
- Automagically configure correct library path for libxml2 library. - Add LoadModule for mod_unique_id as the logging wants this at runtime 2007-04-01 11:57:48 +02:00			`LoadModule unique_id_module modules/mod_unique_id.so`
- New major release - 2.1.0 - Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic - Addition of core ruleset - (Build)Requires libxml2 and pcre added. 2007-03-13 10:20:35 +01:00
			`<IfModule mod_security2.c>`
			`# This is the ModSecurity Core Rules Set.`

			`# Basic configuration goes in here`
- Fix rules and Apache configuration (bz#533124) 2009-11-06 10:38:11 +01:00			`Include modsecurity.d/*.conf`
			`Include modsecurity.d/base_rules/*.conf`
- Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) 2010-04-29 13:22:27 +02:00
			`# Additional items taken from new minimal modsecurity conf`
			`# Basic configuration options`
			`SecRuleEngine On`
			`SecRequestBodyAccess On`
			`SecResponseBodyAccess Off`

			`# PCRE Tuning`
			`SecPcreMatchLimit 1000`
			`SecPcreMatchLimitRecursion 1000`

			`# Handling of file uploads`
			`# TODO Choose a folder private to Apache.`
			`# SecUploadDir /opt/apache-frontend/tmp/`
			`SecUploadKeepFiles Off`
			`SecUploadFileLimit 10`

			`# Debug log`
- Fix log dirs and files ordering per bz#569360 2010-06-30 11:45:47 +02:00			`SecDebugLog /var/log/httpd/modsec_debug.log`
- Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) 2010-04-29 13:22:27 +02:00			`SecDebugLogLevel 0`

			`# Serial audit log`
			`SecAuditEngine RelevantOnly`
			`SecAuditLogRelevantStatus ^5`
			`SecAuditLogParts ABIFHZ`
			`SecAuditLogType Serial`
- Fix log dirs and files ordering per bz#569360 2010-06-30 11:45:47 +02:00			`SecAuditLog /var/log/httpd/modsec_audit.log`
- Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) 2010-04-29 13:22:27 +02:00
			`# Set Data Directory`
- Fix log dirs and files ordering per bz#569360 2010-06-30 11:45:47 +02:00			`SecDataDir /var/log/httpd/`
- Update to latest upstream release - SECURITY: Fix potential rules bypass and denial of service (bz#563576) 2010-04-29 13:22:27 +02:00
			`# Maximum request body size we will`
			`# accept for buffering`
			`SecRequestBodyLimit 131072`

			`# Store up to 128 KB in memory`
			`SecRequestBodyInMemoryLimit 131072`

			`# Buffer response bodies of up to`
			`# 512 KB in length`
			`SecResponseBodyLimit 524288`

			`# Verify that we've correctly processed the request body.`
			`# As a rule of thumb, when failing to process a request body`
			`# you should reject the request (when deployed in blocking mode)`
			`# or log a high-severity alert (when deployed in detection-only mode).`
			`SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \`
			`"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"`

			`# By default be strict with what we accept in the multipart/form-data`
			`# request body. If the rule below proves to be too strict for your`
			`# environment consider changing it to detection-only. You are encouraged`
			`# _not_ to remove it altogether.`
			`SecRule MULTIPART_STRICT_ERROR "!@eq 0" \`
			`"phase:2,t:none,log,deny,msg:'Multipart request body \`
			`failed strict validation: \`
			`PE %{REQBODY_PROCESSOR_ERROR}, \`
			`BQ %{MULTIPART_BOUNDARY_QUOTED}, \`
			`BW %{MULTIPART_BOUNDARY_WHITESPACE}, \`
			`DB %{MULTIPART_DATA_BEFORE}, \`
			`DA %{MULTIPART_DATA_AFTER}, \`
			`HF %{MULTIPART_HEADER_FOLDING}, \`
			`LF %{MULTIPART_LF_LINE}, \`
			`SM %{MULTIPART_SEMICOLON_MISSING}, \`
			`IQ %{MULTIPART_INVALID_QUOTING}, \`
			`IH %{MULTIPART_INVALID_HEADER_FOLDING}, \`
			`IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"`

			`# Did we see anything that might be a boundary?`
			`SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \`
			`"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"`

			`# Some internal errors will set flags in TX and we will need to look for these.`
			`# All of these are prefixed with "MSC_". The following flags currently exist:`
			`#`
			`# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.`
			`#`
			`SecRule TX:/^MSC_/ "!@streq 0" \`
			`"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"`

- Fix log dirs and files ordering per bz#569360 2010-06-30 11:45:47 +02:00			`# Local rules`
			`Include modsecurity.d/modsecurity_localrules.conf`

- Spec cleanup (from Oliver Falk) - Updated config with some safe-but-useful rulesets 2005-07-09 02:41:23 +02:00			`</IfModule>`