Update to 2.7.0

2012-10-17 16:05:36 +01:00 · 2012-10-17 16:05:36 +01:00 · ea35d25a17
commit ea35d25a17
parent 6abd27eb32
4 changed files with 53 additions and 91 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,4 @@ modsecurity-apache_2.5.12.tar.gz
 /modsecurity-apache_2.6.5.tar.gz
 /modsecurity-apache_2.6.6.tar.gz
 /modsecurity-apache_2.6.8.tar.gz
+/modsecurity-apache_2.7.0.tar.gz
--- a/mod_security.conf
+++ b/mod_security.conf
@ -1,92 +1,50 @@
-
 LoadModule security2_module modules/mod_security2.so
 LoadModule unique_id_module modules/mod_unique_id.so

 <IfModule mod_security2.c>
-	# This is the ModSecurity Core Rules Set.
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyInMemoryLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

-	# Basic configuration goes in here
-	Include modsecurity.d/*.conf
-	Include modsecurity.d/activated_rules/*.conf
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

-	# Additional items taken from new minimal modsecurity conf
-	# Basic configuration options
-	SecRuleEngine On
-	SecRequestBodyAccess On
-	SecResponseBodyAccess Off
-	
-	# Handling of file uploads
-	# TODO Choose a folder private to Apache.
-	# SecUploadDir /opt/apache-frontend/tmp/
-	SecUploadKeepFiles Off
-	SecUploadFileLimit 10
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000

-	# Debug log
-	SecDebugLog /var/log/httpd/modsec_debug.log
-	SecDebugLogLevel 0
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

-	# Audit log
-	SecAuditEngine RelevantOnly
-	SecAuditLogRelevantStatus ^5
-	SecAuditLogType Serial
-	SecAuditLogParts ABIFHZ
-	SecAuditLog /var/log/httpd/modsec_audit.log
-
-	# Alternative mlogc configuration
-	#SecAuditLogType Concurrent
-	#SecAuditLogParts ABIDEFGHZ
-	#SecAuditLogStorageDir /var/log/mlogc/data
-	#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
-
-	# Set Data Directory
-	SecDataDir /var/log/httpd/
-
-	# Maximum request body size we will
-	# accept for buffering
-	SecRequestBodyLimit 131072
-
-	# Store up to 128 KB in memory
-	SecRequestBodyInMemoryLimit 131072
-
-	# Buffer response bodies of up to
-	# 512 KB in length
-	SecResponseBodyLimit 524288
-
-	# Verify that we've correctly processed the request body.
-	# As a rule of thumb, when failing to process a request body
-	# you should reject the request (when deployed in blocking mode)
-	# or log a high-severity alert (when deployed in detection-only mode).
-	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
-
-	# By default be strict with what we accept in the multipart/form-data
-	# request body. If the rule below proves to be too strict for your
-	# environment consider changing it to detection-only. You are encouraged
-	# _not_ to remove it altogether.
-	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart request body \
-	failed strict validation: \
-	PE %{REQBODY_PROCESSOR_ERROR}, \
-	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
-	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
-	DB %{MULTIPART_DATA_BEFORE}, \
-	DA %{MULTIPART_DATA_AFTER}, \
-	HF %{MULTIPART_HEADER_FOLDING}, \
-	LF %{MULTIPART_LF_LINE}, \
-	SM %{MULTIPART_SEMICOLON_MISSING}, \
-	IQ %{MULTIPART_INVALID_QUOTING}, \
-	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
-	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
-	
-	# Did we see anything that might be a boundary?
-	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
-	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
-	
-	# Some internal errors will set flags in TX and we will need to look for these.
-	# All of these are prefixed with "MSC_".  The following flags currently exist:
-	#
-	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
-	#
-	SecRule TX:/^MSC_/ "!@streq 0" \
-	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/httpd/modsec_debug.log
+    SecDebugLogLevel 0
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/httpd/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
 </IfModule>
--- a/mod_security.spec
+++ b/mod_security.spec
@ -7,7 +7,7 @@

 Summary: Security module for the Apache HTTP Server
 Name: mod_security 
-Version: 2.6.8
+Version: 2.7.0
 Release: 1%{?dist}
 License: ASL 2.0
 URL: http://www.modsecurity.org/
@ -22,7 +22,6 @@ ModSecurity is an open source intrusion detection and prevention engine
 for web applications. It operates embedded into the web server, acting
 as a powerful umbrella - shielding web applications from attacks.

-%if 0%{?fedora}
 %package -n     mlogc
 Summary:        ModSecurity Audit Log Collector
 Group:          System Environment/Daemons
@ -30,7 +29,6 @@ Requires:       mod_security

 %description -n mlogc
 This package contains the ModSecurity Audit Log Collector.
-%endif

 %prep
 %setup -q -n modsecurity-apache_%{version}
@ -68,14 +66,12 @@ install -Dp -m0644 10-mod_security.conf %{buildroot}%{_httpd_modconfdir}/10-mod_
 install -Dp -m0644 %{SOURCE1} %{buildroot}%{_httpd_confdir}/mod_security.conf
 %endif

-%if 0%{?fedora}
 # mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc
 install -d %{buildroot}%{_localstatedir}/log/mlogc/data
 install -m0755 mlogc/mlogc %{buildroot}%{_bindir}/mlogc
 install -m0755 mlogc/mlogc-batch-load.pl %{buildroot}%{_bindir}/mlogc-batch-load
 install -m0644 mlogc/mlogc-default.conf %{buildroot}%{_sysconfdir}/mlogc.conf
-%endif

 %clean
 rm -rf %{buildroot}
@ -91,7 +87,6 @@ rm -rf %{buildroot}
 %dir %{_sysconfdir}/httpd/modsecurity.d
 %dir %{_sysconfdir}/httpd/modsecurity.d/activated_rules

-%if 0%{?fedora}
 %files -n mlogc
 %defattr (-,root,root)
 %doc mlogc/INSTALL
@ -100,12 +95,20 @@ rm -rf %{buildroot}
 %attr(0770,root,apache) %dir %{_localstatedir}/log/mlogc/data
 %attr(0755,root,root) %{_bindir}/mlogc
 %attr(0755,root,root) %{_bindir}/mlogc-batch-load
-%endif

 %changelog
+* Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.7.0-1
+- Update to 2.7.0
+
 * Fri Sep 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.8-1
 - Update to 2.6.8

+* Wed Sep 12 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-2
+- Re-add mlogc sub-package for epel (#856525)
+ 
+* Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
+- Update to 2.6.7
+
 * Sat Aug 25 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.6.7-1
 - Update to 2.6.7

--- a/2
+++ b/2
@ -1 +1 @@
-430449ab9ee906c464aa70b79f9c2230  modsecurity-apache_2.6.8.tar.gz
+8e608bdc01a619219f35c6125f1d9860  modsecurity-apache_2.7.0.tar.gz