Update to 2.7.0
This commit is contained in:
Athmane Madjoudj
parent
6abd27eb32
commit
ea35d25a17
1
.gitignore
vendored
1
.gitignore
vendored
@ -3,3 +3,4 @@ modsecurity-apache_2.5.12.tar.gz
|
||||
/modsecurity-apache_2.6.5.tar.gz
|
||||
/modsecurity-apache_2.6.6.tar.gz
|
||||
/modsecurity-apache_2.6.8.tar.gz
|
||||
/modsecurity-apache_2.7.0.tar.gz
|
||||
|
||||
@ -1,70 +1,19 @@
|
||||
|
||||
LoadModule security2_module modules/mod_security2.so
|
||||
LoadModule unique_id_module modules/mod_unique_id.so
|
||||
|
||||
<IfModule mod_security2.c>
|
||||
# This is the ModSecurity Core Rules Set.
|
||||
|
||||
# Basic configuration goes in here
|
||||
Include modsecurity.d/*.conf
|
||||
Include modsecurity.d/activated_rules/*.conf
|
||||
|
||||
# Additional items taken from new minimal modsecurity conf
|
||||
# Basic configuration options
|
||||
SecRuleEngine On
|
||||
SecRequestBodyAccess On
|
||||
SecResponseBodyAccess Off
|
||||
|
||||
# Handling of file uploads
|
||||
# TODO Choose a folder private to Apache.
|
||||
# SecUploadDir /opt/apache-frontend/tmp/
|
||||
SecUploadKeepFiles Off
|
||||
SecUploadFileLimit 10
|
||||
|
||||
# Debug log
|
||||
SecDebugLog /var/log/httpd/modsec_debug.log
|
||||
SecDebugLogLevel 0
|
||||
|
||||
# Audit log
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogRelevantStatus ^5
|
||||
SecAuditLogType Serial
|
||||
SecAuditLogParts ABIFHZ
|
||||
SecAuditLog /var/log/httpd/modsec_audit.log
|
||||
|
||||
# Alternative mlogc configuration
|
||||
#SecAuditLogType Concurrent
|
||||
#SecAuditLogParts ABIDEFGHZ
|
||||
#SecAuditLogStorageDir /var/log/mlogc/data
|
||||
#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
|
||||
|
||||
# Set Data Directory
|
||||
SecDataDir /var/log/httpd/
|
||||
|
||||
# Maximum request body size we will
|
||||
# accept for buffering
|
||||
SecRequestBodyLimit 131072
|
||||
|
||||
# Store up to 128 KB in memory
|
||||
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
|
||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||||
SecRequestBodyLimit 13107200
|
||||
SecRequestBodyNoFilesLimit 131072
|
||||
SecRequestBodyInMemoryLimit 131072
|
||||
|
||||
# Buffer response bodies of up to
|
||||
# 512 KB in length
|
||||
SecResponseBodyLimit 524288
|
||||
|
||||
# Verify that we've correctly processed the request body.
|
||||
# As a rule of thumb, when failing to process a request body
|
||||
# you should reject the request (when deployed in blocking mode)
|
||||
# or log a high-severity alert (when deployed in detection-only mode).
|
||||
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
|
||||
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
|
||||
|
||||
# By default be strict with what we accept in the multipart/form-data
|
||||
# request body. If the rule below proves to be too strict for your
|
||||
# environment consider changing it to detection-only. You are encouraged
|
||||
# _not_ to remove it altogether.
|
||||
SecRequestBodyLimitAction Reject
|
||||
SecRule REQBODY_ERROR "!@eq 0" \
|
||||
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"phase:2,t:none,log,deny,msg:'Multipart request body \
|
||||
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
|
||||
failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
@ -73,20 +22,29 @@ LoadModule unique_id_module modules/mod_unique_id.so
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_SEMICOLON_MISSING}, \
|
||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IP %{MULTIPART_INVALID_PART}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
|
||||
# Did we see anything that might be a boundary?
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
||||
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
SecPcreMatchLimit 1000
|
||||
SecPcreMatchLimitRecursion 1000
|
||||
|
||||
# Some internal errors will set flags in TX and we will need to look for these.
|
||||
# All of these are prefixed with "MSC_". The following flags currently exist:
|
||||
#
|
||||
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
|
||||
#
|
||||
SecRule TX:/^MSC_/ "!@streq 0" \
|
||||
"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
||||
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
||||
|
||||
SecResponseBodyAccess Off
|
||||
SecDebugLog /var/log/httpd/modsec_debug.log
|
||||
SecDebugLogLevel 0
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
||||
SecAuditLogParts ABIJDEFHZ
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/httpd/modsec_audit.log
|
||||
SecArgumentSeparator &
|
||||
SecCookieFormat 0
|
||||
</IfModule>
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
|
||||
Summary: Security module for the Apache HTTP Server
|
||||
Name: mod_security
|
||||
Version: 2.6.8
|
||||
Version: 2.7.0
|
||||
Release: 1%{?dist}
|
||||
License: ASL 2.0
|
||||
URL: http://www.modsecurity.org/
|
||||
@ -22,7 +22,6 @@ ModSecurity is an open source intrusion detection and prevention engine
|
||||
for web applications. It operates embedded into the web server, acting
|
||||
as a powerful umbrella - shielding web applications from attacks.
|
||||
|
||||
%if 0%{?fedora}
|
||||
%package -n mlogc
|
||||
Summary: ModSecurity Audit Log Collector
|
||||
Group: System Environment/Daemons
|
||||
@ -30,7 +29,6 @@ Requires: mod_security
|
||||
|
||||
%description -n mlogc
|
||||
This package contains the ModSecurity Audit Log Collector.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -n modsecurity-apache_%{version}
|
||||
@ -68,14 +66,12 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
|
||||
install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
|
||||
%endif
|
||||
|
||||
%if 0%{?fedora}
|
||||
# mlogc
|
||||
install -d %{buildroot}%{_localstatedir}/log/mlogc
|
||||
install -d %{buildroot}%{_localstatedir}/log/mlogc/data
|
||||
install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
|
||||
install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
|
||||
install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
|
||||
%endif
|
||||
|
||||
%clean
|
||||
rm -rf %{buildroot}
|
||||
@ -91,7 +87,6 @@ rm -rf %{buildroot}
|
||||
%dir %{_sysconfdir}/httpd/modsecurity.d
|
||||
%dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules
|
||||
|
||||
%if 0%{?fedora}
|
||||
%files -n mlogc
|
||||
%defattr (-,root,root)
|
||||
%doc mlogc/INSTALL
|
||||
@ -100,12 +95,20 @@ rm -rf %{buildroot}
|
||||
%attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data
|
||||
%attr(0755,root,root) %{_bindir}/mlogc
|
||||
%attr(0755,root,root) %{_bindir}/mlogc-batch-load
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
|
||||
- Update to 2.7.0
|
||||
|
||||
* Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
|
||||
- Update to 2.6.8
|
||||
|
||||
* Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
|
||||
- Re-add mlogc sub-package for epel (#856525)
|
||||
|
||||
* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
|
||||
- Update to 2.6.7
|
||||
|
||||
* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
|
||||
- Update to 2.6.7
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user