[packages/apache-mod_security] - updated config - package private state dir - rel 2

baggins baggins at pld-linux.org
Tue May 7 19:56:40 CEST 2013


commit 8c29b7459dc13614ce453e86c36b8a3061c7648a
Author: Jan Rękorajski <baggins at pld-linux.org>
Date:   Tue May 7 19:56:23 2013 +0200

    - updated config
    - package private state dir
    - rel 2

 apache-mod_security.conf | 108 +++++++++++++++++++++++------------------------
 apache-mod_security.spec |   9 ++--
 2 files changed, 58 insertions(+), 59 deletions(-)
---
diff --git a/apache-mod_security.spec b/apache-mod_security.spec
index 3b2f486..e0c50f1 100644
--- a/apache-mod_security.spec
+++ b/apache-mod_security.spec
@@ -4,7 +4,7 @@ Summary:	Apache module: securing web applications
 Summary(pl.UTF-8):	Moduł do apache: ochrona aplikacji WWW
 Name:		apache-mod_%{mod_name}
 Version:	2.7.3
-Release:	1
+Release:	2
 License:	GPL v2
 Group:		Networking/Daemons/HTTP
 Source0:	http://www.modsecurity.org/tarball/%{version}//modsecurity-apache_%{version}.tar.gz
@@ -57,13 +57,13 @@ This package contains the ModSecurity Audit Log Collector.
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{apachelibdir},%{apacheconfdir}} \
-	install -d $RPM_BUILD_ROOT{/var/log/mlogc/data,%{_bindir},%{_sysconfdir}}
+install -d $RPM_BUILD_ROOT{%{apachelibdir},%{apacheconfdir}/modsecurity.d} \
+	$RPM_BUILD_ROOT{/var/log/mlogc/data,%{_bindir},%{_sysconfdir}} \
+	$RPM_BUILD_ROOT/var/lib/%{name}
 
 install apache2/.libs/mod_%{mod_name}2.so $RPM_BUILD_ROOT%{apachelibdir}
 cp -a %{SOURCE1} $RPM_BUILD_ROOT%{apacheconfdir}/90_mod_%{mod_name}.conf
 
-install -d $RPM_BUILD_ROOT%{apacheconfdir}/modsecurity.d/blocking
 cp -a modsecurity.conf-recommended $RPM_BUILD_ROOT%{apacheconfdir}/modsecurity.d
 echo '# Drop your local rules in here.' > $RPM_BUILD_ROOT%{apacheconfdir}/modsecurity.d/modsecurity_localrules.conf
 
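Review bot: The state directory added on the new `install -d` line expands to `/var/lib/apache-mod_security` (`%{name}` is `apache-mod_%{mod_name}`, and `mod_name` is evidently `security` given `mod_%{mod_name}2.so` / `mod_security2.so`), but the config shipped by this same commit points `SecTmpDir` and `SecDataDir` at `/var/lib/mod_security`, which nothing in the spec creates. At runtime ModSecurity would then have no existing writable directory for request-body temp files or persistent collections, and is expected to log errors (or reject requests that need them) rather than work silently. Either create and package the path the config uses, e.g. `$RPM_BUILD_ROOT/var/lib/mod_%{mod_name}`, or rewrite the config at install time to `/var/lib/%{name}`; the `%attr(770,http,root) %dir` entry in `%files` must name the same path.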
@@ -89,6 +89,7 @@ fi
 %dir %{apacheconfdir}/modsecurity.d
 %attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{apacheconfdir}/modsecurity.d/*.*
 %attr(755,root,root) %{apachelibdir}/*.so
+%attr(770,http,root) %dir /var/lib/%{name}
 
 %files -n mlogc
 %defattr(644,root,root,755)
diff --git a/apache-mod_security.conf b/apache-mod_security.conf
index 84332fa..3a905a6 100644
--- a/apache-mod_security.conf
+++ b/apache-mod_security.conf
@@ -5,59 +5,57 @@
 LoadModule security2_module modules/mod_security2.so
 
 <IfModule mod_security2.c>
-	# This is the ModSecurity Core Rules Set.
-
-	# Basic configuration goes in here
-	Include conf.d/modsecurity.d/modsecurity.conf-minimal
-	Include conf.d/modsecurity.d/modsecurity_crs_10_config.conf
-
-	# Protocol violation and anomalies.
-
-	Include conf.d/modsecurity.d/modsecurity_crs_20_protocol_violations.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
-
-	# HTTP policy rules
-
-	Include conf.d/modsecurity.d/modsecurity_crs_30_http_policy.conf
-
-	# Here comes the Bad Stuff...
-
-	Include conf.d/modsecurity.d/modsecurity_crs_35_bad_robots.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_40_generic_attacks.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_45_trojans.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_50_outbound.conf
-
-	# Search engines and other crawlers. Only useful if you want to track
-	# Google / Yahoo et. al.
-
-	# Include modsecurity.d/modsecurity_crs_55_marketing.conf
-
-	Include conf.d/modsecurity.d/modsecurity_crs_23_request_limits.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_41_phpids_converter.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_41_phpids_filters.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_41_sql_injection_attacks.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_41_xss_attacks.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_42_tight_security.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_47_common_exceptions.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_48_local_exceptions.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_49_enforcement.conf
-	Include conf.d/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf
-
-	# Optional rules
-
-	# Include conf.d/modsecurity.d/modsecurity_crs_40_experimental.conf
-	# Include conf.d/modsecurity.d/modsecurity_crs_42_comment_spam.conf
-	# Include conf.d/modsecurity.d/modsecurity_crs_46_et_sql_injection.conf
-	# Include conf.d/modsecurity.d/modsecurity_crs_46_et_web_rules.conf
-	# <IfModule mod_headers.c>
-	#	Include conf.d/modsecurity.d/modsecurity_crs_49_header_tagging.conf
-	# </IfModule>
-	# Include conf.d/modsecurity.d/modsecurity_crs_59_outbound_blocking.conf
-	# Include conf.d/modsecurity.d/modsecurity_crs_60_correlation.conf
-
-	# Put your local rules in here.
-
-	Include conf.d/modsecurity.d/modsecurity_localrules.conf
-
-	SecDataDir	/var/run/httpd
+	# ModSecurity Core Rules Set configuration
+
+	Include conf.d/modsecurity.d/*.conf
+	Include conf.d/modsecurity.d/activated_rules/*.conf
+
+	# Default recommended configuration
+	SecRuleEngine On
+	SecRequestBodyAccess On
+	SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+		"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+	SecRequestBodyLimit 13107200
+	SecRequestBodyNoFilesLimit 131072
+	SecRequestBodyInMemoryLimit 131072
+	SecRequestBodyLimitAction Reject
+	SecRule REQBODY_ERROR "!@eq 0" \
+		"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+		"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+		failed strict validation: \
+		PE %{REQBODY_PROCESSOR_ERROR}, \
+		BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+		BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+		DB %{MULTIPART_DATA_BEFORE}, \
+		DA %{MULTIPART_DATA_AFTER}, \
+		HF %{MULTIPART_HEADER_FOLDING}, \
+		LF %{MULTIPART_LF_LINE}, \
+		SM %{MULTIPART_MISSING_SEMICOLON}, \
+		IQ %{MULTIPART_INVALID_QUOTING}, \
+		IP %{MULTIPART_INVALID_PART}, \
+		IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+		FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+		"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+	SecPcreMatchLimit 1000
+	SecPcreMatchLimitRecursion 1000
+
+	SecRule TX:/^MSC_/ "!@streq 0" \
+		"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+	SecResponseBodyAccess Off
+	SecDebugLog /var/log/httpd/modsec_debug.log
+	SecDebugLogLevel 0
+	SecAuditEngine RelevantOnly
+	SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+	SecAuditLogParts ABIJDEFHZ
+	SecAuditLogType Serial
+	SecAuditLog /var/log/httpd/modsec_audit.log
+	SecArgumentSeparator &
+	SecCookieFormat 0
+	SecTmpDir /var/lib/mod_security
+	SecDataDir /var/lib/mod_security
 </IfModule>
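Review bot: `status:44` on rules 200002 and 200003 is not a valid HTTP status code, so a request that fails strict multipart validation or has an unmatched boundary is denied with a bogus status instead of the `400` that the parallel rule 200001 uses; change both to `status:400`. Separately, `SecPcreMatchLimit 1000` and `SecPcreMatchLimitRecursion 1000` are very low for CRS-sized regexes, and any limit hit sets `TX:MSC_PCRE_LIMITS_EXCEEDED`, which rule 200004 turns into an unconditional deny, so false-positive blocks under the CRS are likely unless these are raised (100000 is a common starting point). Finally, `Include conf.d/modsecurity.d/activated_rules/*.conf` names a directory the spec's `%install` does not create; depending on the Apache version a wildcard `Include` with no match is a startup error, so either create the directory in the spec or use `IncludeOptional` where available.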

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/apache-mod_security.git/commitdiff/8c29b7459dc13614ce453e86c36b8a3061c7648a


