demus/mod_security_crs-rpm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: demus:main
Branches Tags
demus:main
demus:copr-test
demus:copr
demus:f40
demus:rawhide
demus:f39
demus:f38
demus:f37
demus:f35
demus:f36
demus:f34
demus:f33
demus:f32
demus:f31
demus:f30
demus:f29
demus:f28
demus:f27
demus:f26
demus:f25
demus:f24
demus:f23
demus:f21
demus:f22
demus:f20
demus:f19
demus:f18
demus:el5
demus:el6
demus:f17
..
compare: demus:f37
Branches Tags
demus:copr-test
demus:copr
demus:main
demus:f40
demus:rawhide
demus:f39
demus:f38
demus:f37
demus:f35
demus:f36
demus:f34
demus:f33
demus:f32
demus:f31
demus:f30
demus:f29
demus:f28
demus:f27
demus:f26
demus:f25
demus:f24
demus:f23
demus:f21
demus:f22
demus:f20
demus:f19
demus:f18
demus:el5
demus:el6
demus:f17

No commits in common. "main" and "f37" have entirely different histories.
main ... f37

4 changed files with 303 additions and 70 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -9,4 +9,3 @@
/owasp-modsecurity-crs-3.2.0.tar.gz
/v3.3.0.tar.gz
/v3.3.4.tar.gz
/v4.2.0.tar.gz

280
mod_security_crs-early-blocking.patch Normal file
View File

@ -0,0 +1,280 @@
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index b443e77..0fdd5cb 100644
--- a/crs-setup.conf.example
+++ b/crs-setup.conf.example
@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
#
-# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
+# -- [[ Anomaly Scoring Mode Severity Levels ]] --------------------------------
#
# Each rule in the CRS has an associated severity level.
# These are the default scoring points for each severity level.
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
#
-# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
+# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
#
# Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked.
@@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# setvar:tx.outbound_anomaly_score_threshold=4"
#
+# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------
+#
+# The anomaly scores for the request and the responses are generally summed up
+# and evaluated at the end of phase:2 and at the end of phase:4 respectively.
+# However, it is possible to enable an early evaluation of these anomaly scores
+# at the end of phase:1 and at the end of phase:3.
+#
+# If a request (or a response) hits the anomaly threshold in this early
+# evaluation, then blocking happens immediately (if blocking is enabled) and
+# the phase 2 (and phase 4 respectively) will no longer be executed.
+#
+# Enable the rule 900120 that sets the variable tx.blocking_early to 1 in order
+# to enable early blocking. The variable tx.blocking_early is set to 0 by
+# default. Early blocking is thus disabled by default.
+#
+# Please note that blocking early will hide potential alerts from you. This
+# means that a payload that would appear in an alert in phase 2 (or phase 4)
+# does not get evaluated if the request is being blocked early. So when you
+# disabled blocking early again at some point in the future, then new alerts
+# from phase 2 might pop up.
+#SecAction \
+# "id:900120,\
+# phase:1,\
+# nolog,\
+# pass,\
+# t:none,\
+# setvar:tx.blocking_early=1"
+
+
# -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
#
# Some well-known applications may undertake actions that appear to be
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 5044abd..06a1bb3 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
+# Default Blocking Early (rule 900120 in setup.conf)
+SecRule &TX:blocking_early "@eq 0" \
+ "id:901115,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'OWASP_CRS/3.3.0',\
+ setvar:'tx.blocking_early=0'"
+
# Default Paranoia Level (rule 900000 in setup.conf)
SecRule &TX:paranoia_level "@eq 0" \
"id:901120,\
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
index 050eb04..755315f 100644
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -12,7 +12,66 @@
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
-# Summing up the anomaly score.
+# Skipping early blocking
+
+SecRule TX:BLOCKING_EARLY "!@eq 1" \
+ "id:949050,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
+
+SecRule TX:BLOCKING_EARLY "!@eq 1" \
+ "id:949051,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
+
+# Summing up the anomaly score for early blocking
+
+SecRule TX:PARANOIA_LEVEL "@ge 1" \
+ "id:949052,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
+
+SecRule TX:PARANOIA_LEVEL "@ge 2" \
+ "id:949053,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"
+
+SecRule TX:PARANOIA_LEVEL "@ge 3" \
+ "id:949054,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'"
+
+SecRule TX:PARANOIA_LEVEL "@ge 4" \
+ "id:949055,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'"
+
+SecAction "id:949059,\
+ phase:2,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.anomaly_score=0'"
+
+SecMarker BLOCKING_EARLY_ANOMALY_SCORING
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it.
@@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
+SecRule TX:BLOCKING_EARLY "@eq 1" \
+ "id:949111,\
+ phase:1,\
+ deny,\
+ t:none,\
+ msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.ANOMALY_SCORE})',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-generic',\
+ ver:'OWASP_CRS/3.3.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
+ "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
index 13013de..bf9b03d 100644
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
#
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
"id:950100,\
- phase:4,\
+ phase:3,\
block,\
capture,\
t:none,\
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
index 24130eb..549c07c 100644
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -22,7 +22,67 @@
# -= Paranoia Level 0 (empty) =- (apply unconditionally)
#
-# Summing up the anomaly score.
+
+# Skipping early blocking
+
+SecRule TX:BLOCKING_EARLY "!@eq 1" \
+ "id:959050,\
+ phase:3,\
+ pass,\
+ t:none,\
+ nolog,\
+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
+
+SecRule TX:BLOCKING_EARLY "!@eq 1" \
+ "id:959051,\
+ phase:4,\
+ pass,\
+ t:none,\
+ nolog,\
+ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
+
+# Summing up the anomaly score for early blocking
+
+SecRule TX:PARANOIA_LEVEL "@ge 1" \
+ "id:959052,\
+ phase:3,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl1}'"
+
+SecRule TX:PARANOIA_LEVEL "@ge 2" \
+ "id:959053,\
+ phase:3,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl2}'"
+
+SecRule TX:PARANOIA_LEVEL "@ge 3" \
+ "id:959054,\
+ phase:3,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl3}'"
+
+SecRule TX:PARANOIA_LEVEL "@ge 4" \
+ "id:959055,\
+ phase:3,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl4}'"
+
+SecAction "id:959059,\
+ phase:4,\
+ pass,\
+ t:none,\
+ nolog,\
+ setvar:'tx.outbound_anomaly_score=0'"
+
+SecMarker BLOCKING_EARLY_ANOMALY_SCORING
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it.
@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
ver:'OWASP_CRS/3.3.4',\
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
+SecRule TX:BLOCKING_EARLY "@eq 1" \
+ "id:959101,\
+ phase:3,\
+ deny,\
+ t:none,\
+ msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+ tag:'attack-generic',\
+ ver:'OWASP_CRS/3.3.0',\
+ severity:'CRITICAL',\
+ chain"
+ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
+ "setvar:'tx.anomaly_score=%{tx.outbound_anomaly_score}'"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"

90
mod_security_crs.spec
View File

@ -1,99 +1,53 @@
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
Summary: ModSecurity Core Ruleset
Summary: ModSecurity Rules
Name: mod_security_crs
Version: 4.2.0
Version: 3.3.4
Release: 2%{?dist}
License: Apache-2.0
URL: https://coreruleset.org/
License: ASL 2.0
URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
BuildArch: noarch
Requires: mod_security >= 2.9.6
Obsoletes: mod_security_crs-extras < 3.0.0
# Patch0: mod_security_crs-XXX.patch
Patch0: mod_security_crs-early-blocking.patch
%description
This package provides the base rules for mod_security.
%prep
%autosetup -p1 -S gendiff -n coreruleset-%{version}
%setup -q -n coreruleset-%{version}
%patch0 -p1 -b.early_blocking
%build
%install
%{__install} -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
%{__install} -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
%{__install} -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/plugins
%{__install} -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules
%{__install} -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/plugins
install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
install -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules
# To exclude rules (pre/post)
%{__mv} rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
%{__mv} rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
%{__install} -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
%{__install} -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
%{__install} -m0644 plugins/* %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/plugins/
%{__mv} crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
%post
if [ $1 == 1 ]; then
# activate base_rules
for f in `ls %{_datarootdir}/mod_modsecurity_crs/rules/` ; do
%{__ln_s} %{_datarootdir}/mod_modsecurity_crs/rules/$f %{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f;
done
%{__sed} -i '/IncludeOptional modsecurity\.d\/\*\.conf/ a\ IncludeOptional modsecurity.d\/plugins\/*-config.conf\n IncludeOptional modsecurity.d\/plugins\/*-before.conf' %{_httpd_confdir}/mod_security.conf
%{__sed} -i '/Include modsecurity\.d\/\*\.conf/a\ Include modsecurity.d/plugins/*-config.conf\n Include modsecurity.d/plugins/*-before.conf' %{_httpd_confdir}/mod_security.conf
%{__sed} -i '/IncludeOptional modsecurity\.d\/local_rules\/\*\.conf/a\ IncludeOptional modsecurity.d\/plugins\/*-after.conf' %{_httpd_confdir}/mod_security.conf
%{__sed} -i '/Include modsecurity\.d\/local_rules\/\*\.conf/a\ Include modsecurity.d\/plugins\/*-after.conf' %{_httpd_confdir}/mod_security.conf
fi
exit 0
# activate base_rules
for f in `ls %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/` ; do
ln -s %{_datarootdir}/mod_modsecurity_crs/rules/$f %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f;
done
%preun
if [ $1 == 0 ]; then
%{__sed} -i -E '/Include(Optional)? modsecurity\.d\/plugins/d' %{_httpd_confdir}/mod_security.conf
for f in `ls %{_datarootdir}/mod_modsecurity_crs/rules/` ; do
%{__rm} %{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f;
done
fi
exit 0
%files
%license LICENSE
%doc CHANGES.md README.md
%{_datarootdir}/mod_modsecurity_crs
%{_sysconfdir}/httpd/modsecurity.d/plugins
%doc CHANGES README.md
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/*
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/plugins/*
%{_datarootdir}/mod_modsecurity_crs
%changelog
* Tue Jul 9 2024 Daniel Demus <daniel-fedoauth@demus.dk> - 4.2.0-2
- Prepare for plugins (see https://coreruleset.org/20220112/crs-plugin-mechanism/)
* Thu May 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 4.2.0-1
- new version 4.2.0
- switch to autosetup
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-5
- SPDX migration
* Mon Mar 20 2023 Mikel Olasagasti Uranga <mikel@olasagasti.info> - 3.3.4-4
- Change URL to new official homepage
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
- Add Early blocking feature patch again

2
sources
View File

@ -1 +1 @@
SHA512 (v4.2.0.tar.gz) = 041556b2071385c10a4b4a29ad4f926ee86f819f8b9c95f849e76b3d2724d5fc29c21a69f9eba6fd62e7f5709a109a95feca67a19d8c8d1f0410ee2987ac7a6b
SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827