Fix post and preun to not run on upgrade

See https://coreruleset.org/20220112/crs-plugin-mechanism/

.gitignore

@@ -9,3 +9,4 @@
 /owasp-modsecurity-crs-3.2.0.tar.gz
 /v3.3.0.tar.gz
 /v3.3.4.tar.gz
+/v4.2.0.tar.gz

mod_security_crs-early-blocking.patch

@@ -1,280 +0,0 @@
-diff --git a/crs-setup.conf.example b/crs-setup.conf.example
-index b443e77..0fdd5cb 100644
---- a/crs-setup.conf.example
-+++ b/crs-setup.conf.example
-@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
- 
- 
- #
--# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
-+# -- [[ Anomaly Scoring Mode Severity Levels ]] --------------------------------
- #
- # Each rule in the CRS has an associated severity level.
- # These are the default scoring points for each severity level.
-@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
- 
- 
- #
--# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
-+# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
- #
- # Here, you can specify at which cumulative anomaly score an inbound request,
- # or outbound response, gets blocked.
-@@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass"
- #  setvar:tx.outbound_anomaly_score_threshold=4"
- 
- #
-+# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------
-+#
-+# The anomaly scores for the request and the responses are generally summed up
-+# and evaluated at the end of phase:2 and at the end of phase:4 respectively.
-+# However, it is possible to enable an early evaluation of these anomaly scores
-+# at the end of phase:1 and at the end of phase:3.
-+#
-+# If a request (or a response) hits the anomaly threshold in this early
-+# evaluation, then blocking happens immediately (if blocking is enabled) and
-+# the phase 2 (and phase 4 respectively) will no longer be executed.
-+#
-+# Enable the rule 900120 that sets the variable tx.blocking_early to 1 in order
-+# to enable early blocking. The variable tx.blocking_early is set to 0 by
-+# default. Early blocking is thus disabled by default.
-+#
-+# Please note that blocking early will hide potential alerts from you. This 
-+# means that a payload that would appear in an alert in phase 2 (or phase 4)
-+# does not get evaluated if the request is being blocked early. So when you 
-+# disabled blocking early again at some point in the future, then new alerts 
-+# from phase 2 might pop up.
-+#SecAction \
-+#  "id:900120,\
-+#  phase:1,\
-+#  nolog,\
-+#  pass,\
-+#  t:none,\
-+#  setvar:tx.blocking_early=1"
-+
-+
- # -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
- #
- # Some well-known applications may undertake actions that appear to be
-diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
-index 5044abd..06a1bb3 100644
---- a/rules/REQUEST-901-INITIALIZATION.conf
-+++ b/rules/REQUEST-901-INITIALIZATION.conf
-@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
-     ver:'OWASP_CRS/3.3.4',\
-     setvar:'tx.outbound_anomaly_score_threshold=4'"
- 
-+# Default Blocking Early (rule 900120 in setup.conf)
-+SecRule &TX:blocking_early "@eq 0" \
-+    "id:901115,\
-+    phase:1,\
-+    pass,\
-+    nolog,\
-+    ver:'OWASP_CRS/3.3.0',\
-+    setvar:'tx.blocking_early=0'"
-+
- # Default Paranoia Level (rule 900000 in setup.conf)
- SecRule &TX:paranoia_level "@eq 0" \
-     "id:901120,\
-diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
-index 050eb04..755315f 100644
---- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
-+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
-@@ -12,7 +12,66 @@
- # -= Paranoia Level 0 (empty) =- (apply unconditionally)
- #
- 
--# Summing up the anomaly score.
-+# Skipping early blocking
-+
-+SecRule TX:BLOCKING_EARLY "!@eq 1" \
-+    "id:949050,\
-+    phase:1,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
-+
-+SecRule TX:BLOCKING_EARLY "!@eq 1" \
-+    "id:949051,\
-+    phase:2,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
-+
-+# Summing up the anomaly score for early blocking
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 1" \
-+    "id:949052,\
-+    phase:1,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 2" \
-+    "id:949053,\
-+    phase:1,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 3" \
-+    "id:949054,\
-+    phase:1,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'"
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 4" \
-+    "id:949055,\
-+    phase:1,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'"
-+
-+SecAction "id:949059,\
-+    phase:2,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.anomaly_score=0'"
-+
-+SecMarker BLOCKING_EARLY_ANOMALY_SCORING
- 
- # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
- # So we add to it.
-@@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
-     severity:'CRITICAL',\
-     setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
- 
-+SecRule TX:BLOCKING_EARLY "@eq 1" \
-+    "id:949111,\
-+    phase:1,\
-+    deny,\
-+    t:none,\
-+    msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.ANOMALY_SCORE})',\
-+    tag:'application-multi',\
-+    tag:'language-multi',\
-+    tag:'platform-multi',\
-+    tag:'attack-generic',\
-+    ver:'OWASP_CRS/3.3.0',\
-+    severity:'CRITICAL',\
-+    chain"
-+    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
-+        "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
- 
- 
- SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
-diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
-index 13013de..bf9b03d 100644
---- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
-+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
-@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
- #
- SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
-     "id:950100,\
--    phase:4,\
-+    phase:3,\
-     block,\
-     capture,\
-     t:none,\
-diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
-index 24130eb..549c07c 100644
---- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
-+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
-@@ -22,7 +22,67 @@
- # -= Paranoia Level 0 (empty) =- (apply unconditionally)
- #
- 
--# Summing up the anomaly score.
-+
-+# Skipping early blocking
-+
-+SecRule TX:BLOCKING_EARLY "!@eq 1" \
-+    "id:959050,\
-+    phase:3,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
-+
-+SecRule TX:BLOCKING_EARLY "!@eq 1" \
-+    "id:959051,\
-+    phase:4,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
-+
-+# Summing up the anomaly score for early blocking
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 1" \
-+    "id:959052,\
-+    phase:3,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl1}'"
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 2" \
-+    "id:959053,\
-+    phase:3,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl2}'"
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 3" \
-+    "id:959054,\
-+    phase:3,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl3}'"
-+
-+SecRule TX:PARANOIA_LEVEL "@ge 4" \
-+    "id:959055,\
-+    phase:3,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl4}'"
-+
-+SecAction "id:959059,\
-+    phase:4,\
-+    pass,\
-+    t:none,\
-+    nolog,\
-+    setvar:'tx.outbound_anomaly_score=0'"
-+
-+SecMarker BLOCKING_EARLY_ANOMALY_SCORING
- 
- # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
- # So we add to it.
-@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
-     ver:'OWASP_CRS/3.3.4',\
-     setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
- 
-+SecRule TX:BLOCKING_EARLY "@eq 1" \
-+    "id:959101,\
-+    phase:3,\
-+    deny,\
-+    t:none,\
-+    msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
-+    tag:'application-multi',\
-+    tag:'language-multi',\
-+    tag:'platform-multi',\
-+    tag:'attack-generic',\
-+    ver:'OWASP_CRS/3.3.0',\
-+    severity:'CRITICAL',\
-+    chain"
-+    SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
-+        "setvar:'tx.anomaly_score=%{tx.outbound_anomaly_score}'"
- 
- 
- SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"

mod_security_crs.spec

@@ -1,53 +1,102 @@
-Summary: ModSecurity Rules
+%{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
+
+Summary: ModSecurity Core Ruleset
 Name: mod_security_crs
-Version: 3.3.4
-Release: 1%{?dist}
-License: ASL 2.0
-URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
+Version: 4.2.0
+Release: 2%{?dist}
+License: Apache-2.0
+URL: https://coreruleset.org/
 Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
 BuildArch: noarch
 Requires: mod_security >= 2.9.6
 Obsoletes: mod_security_crs-extras < 3.0.0
 
-Patch0: mod_security_crs-early-blocking.patch
+# Patch0: mod_security_crs-XXX.patch
 
 %description
 This package provides the base rules for mod_security.
 
 %prep
-%setup -q -n coreruleset-%{version}
-#%patch0 -p1 -b.early_blocking
+%autosetup -p1 -S gendiff -n coreruleset-%{version}
 
 %build
 
 %install
-
-install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
-install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
-install -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules
+%{__install} -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
+%{__install} -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
+%{__install} -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/plugins
+%{__install} -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules
+%{__install} -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/plugins
 
 # To exclude rules (pre/post)
-mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
-mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+%{__mv} rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+%{__mv} rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 
-install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
-install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
-mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
+%{__install} -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
+%{__install} -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
+%{__install} -m0644 plugins/* %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/plugins/
+%{__mv} crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
 
-# activate base_rules
-for f in `ls %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/` ; do 
-    ln -s %{_datarootdir}/mod_modsecurity_crs/rules/$f %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f; 
-done
+%post
+if [ $1 == 1 ]; then
+    # activate base_rules
+    for f in `ls %{_datarootdir}/mod_modsecurity_crs/rules/` ; do 
+        %{__ln_s} %{_datarootdir}/mod_modsecurity_crs/rules/$f %{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f; 
+    done
+    %{__sed} -i '/IncludeOptional modsecurity\.d\/\*\.conf/ a\    IncludeOptional modsecurity.d\/plugins\/*-config.conf\n    IncludeOptional modsecurity.d\/plugins\/*-before.conf' %{_httpd_confdir}/mod_security.conf
+    %{__sed} -i '/Include modsecurity\.d\/\*\.conf/a\    Include modsecurity.d/plugins/*-config.conf\n    Include modsecurity.d/plugins/*-before.conf' %{_httpd_confdir}/mod_security.conf
+    %{__sed} -i '/IncludeOptional modsecurity\.d\/local_rules\/\*\.conf/a\    IncludeOptional modsecurity.d\/plugins\/*-after.conf' %{_httpd_confdir}/mod_security.conf
+    %{__sed} -i '/Include modsecurity\.d\/local_rules\/\*\.conf/a\    Include modsecurity.d\/plugins\/*-after.conf' %{_httpd_confdir}/mod_security.conf
+fi
+exit 0
 
+%preun
+if [ $1 == 0 ]; then
+    %{__sed} -i -E '/Include(Optional)? modsecurity\.d\/plugins/d' %{_httpd_confdir}/mod_security.conf
+    for f in `ls %{_datarootdir}/mod_modsecurity_crs/rules/` ; do 
+        %{__rm} %{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f; 
+    done
+fi
+exit 0
 
 %files
 %license LICENSE
-%doc CHANGES README.md
+%doc CHANGES.md README.md
+%{_datarootdir}/mod_modsecurity_crs
+%{_sysconfdir}/httpd/modsecurity.d/plugins
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/*
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
-%{_datarootdir}/mod_modsecurity_crs
+%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/plugins/*
 
 %changelog
+* Tue Jul 9 2024 Daniel Demus <daniel-fedoauth@demus.dk> - 4.2.0-2
+- Prepare for plugins (see https://coreruleset.org/20220112/crs-plugin-mechanism/)
+
+* Thu May 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 4.2.0-1
+- new version 4.2.0
+- switch to autosetup
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jun 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-5
+- SPDX migration
+
+* Mon Mar 20 2023 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 3.3.4-4
+- Change URL to new official homepage
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
+- Add Early blocking feature patch again
+
 * Fri Sep 30 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
 - new version 3.3.4
 

sources

@@ -1 +1 @@
-SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827
+SHA512 (v4.2.0.tar.gz) = 041556b2071385c10a4b4a29ad4f926ee86f819f8b9c95f849e76b3d2724d5fc29c21a69f9eba6fd62e7f5709a109a95feca67a19d8c8d1f0410ee2987ac7a6b