- Fix SecDatadir and minimal config per bz #569360
This commit is contained in:
Michael Fleming
parent
fef6f307f8
commit
32044b88ec
@ -10,4 +10,84 @@ LoadModule unique_id_module modules/mod_unique_id.so
|
||||
Include modsecurity.d/*.conf
|
||||
Include modsecurity.d/base_rules/*.conf
|
||||
Include modsecurity.d/modsecurity_localrules.conf
|
||||
|
||||
# Additional items taken from new minimal modsecurity conf
|
||||
# Basic configuration options
|
||||
SecRuleEngine On
|
||||
SecRequestBodyAccess On
|
||||
SecResponseBodyAccess Off
|
||||
|
||||
# PCRE Tuning
|
||||
SecPcreMatchLimit 1000
|
||||
SecPcreMatchLimitRecursion 1000
|
||||
|
||||
# Handling of file uploads
|
||||
# TODO Choose a folder private to Apache.
|
||||
# SecUploadDir /opt/apache-frontend/tmp/
|
||||
SecUploadKeepFiles Off
|
||||
SecUploadFileLimit 10
|
||||
|
||||
# Debug log
|
||||
SecDebugLog logs/modsec_debug.log
|
||||
SecDebugLogLevel 0
|
||||
|
||||
# Serial audit log
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogRelevantStatus ^5
|
||||
SecAuditLogParts ABIFHZ
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog logs/modsec_audit.log
|
||||
|
||||
# Set Data Directory
|
||||
SecDataDir logs/
|
||||
|
||||
# Maximum request body size we will
|
||||
# accept for buffering
|
||||
SecRequestBodyLimit 131072
|
||||
|
||||
# Store up to 128 KB in memory
|
||||
SecRequestBodyInMemoryLimit 131072
|
||||
|
||||
# Buffer response bodies of up to
|
||||
# 512 KB in length
|
||||
SecResponseBodyLimit 524288
|
||||
|
||||
# Verify that we've correctly processed the request body.
|
||||
# As a rule of thumb, when failing to process a request body
|
||||
# you should reject the request (when deployed in blocking mode)
|
||||
# or log a high-severity alert (when deployed in detection-only mode).
|
||||
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
|
||||
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
|
||||
|
||||
# By default be strict with what we accept in the multipart/form-data
|
||||
# request body. If the rule below proves to be too strict for your
|
||||
# environment consider changing it to detection-only. You are encouraged
|
||||
# _not_ to remove it altogether.
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"phase:2,t:none,log,deny,msg:'Multipart request body \
|
||||
failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||
DB %{MULTIPART_DATA_BEFORE}, \
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_SEMICOLON_MISSING}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
|
||||
# Did we see anything that might be a boundary?
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
||||
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
# Some internal errors will set flags in TX and we will need to look for these.
|
||||
# All of these are prefixed with "MSC_". The following flags currently exist:
|
||||
#
|
||||
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
|
||||
#
|
||||
SecRule TX:/^MSC_/ "!@streq 0" \
|
||||
"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
||||
|
||||
</IfModule>
|
||||
|
||||
@ -32,7 +32,7 @@ rm -rf %{buildroot}
|
||||
install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
|
||||
install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf
|
||||
install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
|
||||
cp -R rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
|
||||
install -D -m644 rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
|
||||
cp -R rules/base_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
|
||||
cp -R rules/optional_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
|
||||
install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf
|
||||
@ -55,10 +55,12 @@ rm -rf %{buildroot}
|
||||
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf
|
||||
|
||||
%changelog
|
||||
* Sat Feb 13 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-2
|
||||
* Thu Apr 29 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-2
|
||||
- Fix SecDatadir and minimal config per bz #569360
|
||||
|
||||
* Sat Feb 13 2010 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.12-1
|
||||
- Update to latest upstream release
|
||||
- SECURITY: Fix potential rules bypass and denial of service (bz#563576)
|
||||
- Trivial installer fix for EL4
|
||||
|
||||
* Fri Nov 6 2009 Michael Fleming <mfleming+rpm@thatfleminggent.com> - 2.5.10-2
|
||||
- Fix rules and Apache configuration (bz#533124)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user