Commit e5ad5b67 authored by mh's avatar mh
Browse files

reduce to the max

parent c7aab8ee
###########################################################
# copyleft 2008 immerda.ch
###########################################################
### this file is managed by PUPPET ####
### only modify in svn or you will loose the changes ! ####
###########################################################
<IfDefine SECURITY>
<IfModule !mod_security2.c>
LoadModule security2_module modules/mod_security2.so
</IfModule>
# use Core Rule Set by default:
Include /etc/apache2/modules.d/mod_security/*.conf
Include /etc/apache2/modules.d/mod_security/Zcustom_rules/*.conf
</IfDefine>
# Example configuration file for the mod_security Apache module
<ifDefine !HttpdLocal>
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
</ifDefine>
<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.
# Basic configuration goes in here
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Additional items taken from new minimal modsecurity conf
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
SecUploadFileLimit 10
# Debug log
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
# Audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogType Serial
SecAuditLogParts ABIFHZ
SecAuditLog /var/log/httpd/modsec_audit.log
# Alternative mlogc configuration
#SecAuditLogType Concurrent
#SecAuditLogParts ABIDEFGHZ
#SecAuditLogStorageDir /var/log/mlogc/data
#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
# Set Data Directory
SecDataDir /var/log/httpd/
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
</IfModule>
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
</IfModule>
#!/bin/sh
# Autoupdater for modsec rulesets.
#
# This script will attempt to update your rulefiles, and restart apache.
# If it apache does not start after changing rules, it will roll back to
# the old ruleset and restart apache again.
#
# Version: $Id: modsec.sh,v 2.0 2006/09/03 23:58:00 olei Exp $
# Based on a script by:
# URL: http://cs.evilnetwork.org/cycro
#
# Copyleft 2006, SkyHorse.Org, No Rights Reserved
# URL: http://www.skyhorse.org/web-server-administration/auto-update-modsecurity-rules-modsecsh/
#
# generic by skyhorse
# updated by Puzzle ITC
# improved by immerda.ch
APACHEINITD="/etc/init.d/httpd"
MODSECPATH="/etc/httpd/modsecurity.d/asl"
##########################################################################
######### you probably don't need to change anything below here ##########
##########################################################################
# internal
UPDATED=0
cd ${MODSECPATH}
listOfRules="20_asl_useragents.conf 60_asl_recons.conf domain-blacklist.txt malware-blacklist.txt 30_asl_antimalware.conf 98_asl_jitp.conf sql.txt 05_asl_exclude.conf 99_asl_exclude.conf domain-spam-whitelist.txt 05_asl_scanner.conf 99_asl_jitp.conf malware-blacklist-high.txt trusted-domains.txt 10_asl_antimalware.conf 40_asl_apache2-rules.conf Zour_excludes.conf malware-blacklist-local.txt whitelist.txt 10_asl_rules.conf 50_asl_rootkits.conf domain-blacklist-local.txt malware-blacklist-low.txt sql.txt"
baseUrl="http://downloads.prometheus-group.com/delayed/rules/modsec/"
# TODO: introduce that url
#baseUrl="http://updates.atomicorp.com/channels/rules/delayed/modsec/"
for theRule in $listOfRules ; do
# ensure that theRule file is present
touch ${theRule}
/usr/bin/wget -t 30 -O ${theRule}.1 -q ${baseUrl}${theRule}
if [ `md5sum ${theRule} | cut -d " " -f1` != `md5sum ${theRule}.1 | cut -d " " -f1` ] ; then
/bin/mv ${theRule} ${theRule}.bak
/bin/mv ${theRule}.1 ${theRule}
UPDATED=`expr $UPDATED + 1`
else
/bin/rm -f ${theRule}.1
fi
done
if [ "$UPDATED" -gt "0" ]; then
# check config before reloading
$APACHEINITD configtest
if [ $? -eq 0 ]; then
$APACHEINITD reload
$APACHEINITD status
if [ $? -eq 0 ]; then
exit 0
fi
fi
echo "error. Configtest failed"
#roll back everything
for theRule in $listOfRules ; do
echo -n "Rolling back ${theRule}"
/bin/mv ${theRule} ${theRule}.new
/bin/mv ${theRule}.bak ${theRule}
echo "rolled back ok."
done
$APACHEINITD configtest
if [ $? -eq 0 ]; then
# try starting httpd again
$APACHEINITD reload
# did that fix the problem?
$APACHEINITD status
if [ $? -eq 0 ]; then
echo "That did the trick."
# still non zero exitcode as we can't update
exit 1
else
echo "Fatal: Apache server is not running. Server needs attention!"
fi
else
echo "Fatal: Apache configtest is still failing, Server needs attention!"
fi
exit 999
fi
#!/bin/sh
# Autoupdater for modsec rulesets.
#
# This script will attempt to update your rulefiles, and restart apache.
# If it apache does not start after changing rules, it will roll back to
# the old ruleset and restart apache again.
#
# Version: $Id: modsec.sh,v 2.0 2006/09/03 23:58:00 olei Exp $
# Based on a script by:
# URL: http://cs.evilnetwork.org/cycro
#
# Copyleft 2006, SkyHorse.Org, No Rights Reserved
# URL: http://www.skyhorse.org/web-server-administration/auto-update-modsecurity-rules-modsecsh/
APACHEINITD="/etc/init.d/apache2"
APACHECTL="/usr/sbin/apache2ctl"
APACHEPID="/var/run/apache2.pid"
MODSECPATH="/etc/apache2/modsecurity.d/asl"
##########################################################################
######### you probably don't need to change anything below here ##########
##########################################################################
# internal
PID=`cat ${APACHEPID}`
UPDATED=0
#echo -n "Changing PWD: "
cd ${MODSECPATH}
#echo `pwd`
# generic by skyhorse
# updated by Puzzle ITC
listOfRules="20_asl_useragents.conf 60_asl_recons.conf domain-blacklist.txt malware-blacklist.txt 30_asl_antimalware.conf 98_asl_jitp.conf sql.txt 05_asl_exclude.conf 99_asl_exclude.conf domain-spam-whitelist.txt 05_asl_scanner.conf 99_asl_jitp.conf malware-blacklist-high.txt trusted-domains.txt 10_asl_antimalware.conf 40_asl_apache2-rules.conf Zour_excludes.conf malware-blacklist-local.txt whitelist.txt 10_asl_rules.conf 50_asl_rootkits.conf domain-blacklist-local.txt malware-blacklist-low.txt sql.txt"
baseUrl="http://downloads.prometheus-group.com/delayed/rules/modsec/"
for theRule in $listOfRules ; do
#echo -n "Updating $theRule: "
/usr/bin/wget -t 30 -O ${theRule}.1 -q ${baseUrl}${theRule}
if [ ! -e ${theRule} ]; then
mv ${theRule}.1 ${theRule}
else
if [ `md5sum ${theRule} | cut -d " " -f1` != `md5sum ${theRule}.1 | cut -d " " -f1` ] ; then
/bin/mv ${theRule} ${theRule}.bak
/bin/mv ${theRule}.1 ${theRule}
UPDATED=`expr $UPDATED + 1`
#echo "ok."
else
#echo "allready up to date."
/bin/rm -f ${theRule}.1
fi
fi
done
# try restart
if [ "$UPDATED" -gt "0" ]; then
#echo -n "Restarting apache: "
$APACHECTL configtest
configtest=$?
if [ "$configtest" -eq "0" ]; then
$APACHEINITD restart
# did it work? wait 2s to let the apache start
sleep 2
$APACHEINITD status
configtest=$?
if [ "$configtest" -eq "0" ]; then
#echo "Apache restarted ok."
exit 0
fi
echo "error. Apache not running."
fi
#roll back everything
for theRule in $listOfRules ; do
echo -n "Rolling back ${theRule}"
/bin/mv ${theRule} ${theRule}.new
/bin/mv ${theRule}.bak ${theRule}
echo "rolled back ok."
done
$APACHECTL configtest
configtest=$?
if [ "$configtest" -eq "0" ]; then
# try starting httpd again
$APACHEINITD restart
# did that fix the problem?
$APACHEINITD status
configtest=$?
if [ "$configtest" -eq "0" ]; then
echo "That did the trick."
exit 0
fi
else
echo "Fatal: Apache configtest is till failing, Server needs attention!"
fi
echo "Fatal: Apache still not running! Run $APACHEINITD configtest to find the error."
exit 999
fi
#!/bin/bash
# this cronjob cleans up any modsec logs
# that might be in logs of vhosts
# clean up mod_security log directories that are within
# a certain age
[ -z $1 ] && echo "USAGE: $0 days_to_keep" && exit 1
ls -d /var/www/vhosts/*/logs 2>/dev/null | while read logdir; do
find $logdir -mindepth 1 -maxdepth 1 -type d -mtime +5 -print0 | xargs -0 rm -rf
find $logdir -mindepth 1 -maxdepth 1 -type d -mtime +${1} -print0 | xargs -0 rm -rf
done
# base setup of mode_security
class mod_security::base {
include apache
package { 'mod_security':
alias => 'mod_security',
package{'mod_security':
ensure => installed,
require => Package['apache'],
notify => Service['apache'],
}
$config_dir = $::operatingsystem ? {
centos => "${apache::centos::config_dir}/modsecurity.d",
debian => "${apache::debian::config_dir}/modsecurity.d",
default => '/etc/apache2/conf.d',
}
file { 'mod_security_config_dir':
path => $config_dir,
file{'mod_security_config_dir':
ensure => directory,
path => $mod_security::config_dir,
require => Package['mod_security'],
owner => 'root', group => 0, mode => '0755';
}
# Use rule set from Atomic Secured Linux and update them every day
# See : http://www.gotroot.com/mod_security+rules
apache::config::file { 'mod_security_asl.conf': }
file { 'mod_security_asl_config_dir':
path => "${config_dir}/asl",
require => Package['mod_security'],
}
file { 'mod_security_asl_update_script':
path => '/usr/local/bin/mod_security_asl_update.sh',
require => File['mod_security_asl_config_dir'],
}
cron { 'mod_security_asl_update':
user => 'root',
require => File['mod_security_asl_update_script'],
}
if $mod_security::asl_ruleset {
File['mod_security_asl_config_dir']{
ensure => directory,
owner => 'root', group => 0, mode => '0755',
}
File['mod_security_asl_update_script']{
ensure => present,
source => [ "puppet:///modules/site_mod_security/scripts/${::operatingsystem}/mod_security_asl_update.sh",
"puppet:///modules/site_mod_security/scripts/mod_security_asl_update.sh",
"puppet:///modules/mod_security/scripts/${::operatingsystem}/mod_security_asl_update.sh",
"puppet:///modules/mod_security/scripts/mod_security_asl_update.sh" ],
owner => 'root',
group => 0,
mode => '0700',
}
exec { 'mod_security_asl_initialize':
command => '/usr/local/bin/mod_security_asl_update.sh',
creates => "${config_dir}/asl/sql.txt",
require => [ File['mod_security_asl_update_script'], Service['apache'] ]
}
Cron['mod_security_asl_update']{
command => '/usr/local/bin/mod_security_asl_update.sh',
ensure => present,
hour => 3,
minute => 39,
}
Apache::Config::File['mod_security_asl.conf']{
ensure => present,
content => "<IfModule mod_security2.c>\ninclude modsecurity.d/asl/*.conf\n</IfModule>",
}
}
else {
File['mod_security_asl_config_dir']{
ensure => absent,
recurse => true,
force => true,
purge => true,
}
File['mod_security_asl_update_script']{
ensure => absent,
}
Cron['mod_security_asl_update']{
ensure => absent,
}
Apache::Config::File['mod_security_asl.conf']{
ensure => absent,
}
owner => 'root',
group => 0,
mode => '0755';
}
# Automatically clean vhost mod_security logs
file{'mod_security_logclean_script':
path => '/usr/local/bin/mod_security_logclean.sh',
}
cron{'mod_security_logclean':
user => root,
require => File['mod_security_logclean_script'],
}
if $mod_security::log_clean {
File['mod_security_logclean_script']{
ensure => present,
source => [ "puppet:///modules/site_mod_security/scripts/${::operatingsystem}/mod_security_logclean.sh",
"puppet:///modules/site_mod_security/scripts/mod_security_logclean.sh",
"puppet:///modules/mod_security/scripts/${::operatingsystem}/mod_security_logclean.sh",
"puppet:///modules/mod_security/scripts/mod_security_logclean.sh" ],
owner => 'root',
group => 0,
mode => '0700',
}
Cron['mod_security_logclean']{
ensure => present,
command => '/usr/local/bin/mod_security_logclean.sh',
hour => 3,
minute => 23,
}
}
else {
File['mod_security_logclean_script']{
ensure => absent,
}
Cron['mod_security_logclean']{
file{'/usr/local/bin/mod_security_logclean.sh':
source => "puppet:///modules/mod_security/scripts/mod_security_logclean.sh",
owner => 'root',
group => 0,
mode => '0700',
}
file{'/etc/cron.daily/mod_security_logclean.sh': }
if $mod_security::log_clean_days_to_keep {
File['/etc/cron.daily/mod_security_logclean.sh']{
content => "#!/bin/bash\n/usr/local/bin/mod_security_logclean.sh ${mod_security::log_clean_days_to_keep}\n",
}
} else {
File['/etc/cron.daily/mod_security_logclean.sh']{
ensure => absent,
}
}
# since version 2.5 we need to define a SecDataDir
file{'/var/www/modsecurity_data':
ensure => directory,
require => Package['mod_security'],
owner => apache, group => apache, mode => 0640;
}
file{"${config_dir}/sec_data_dir.conf":
content => "SecDataDir /var/www/modsecurity_data\n",
require => File['/var/www/modsecurity_data'],
notify => Service['apache'],
owner => root, group => 0, mode => 0644;
}
}
# centos specific things
class mod_security::centos inherits mod_security::base {
apache::config::global{'mod_security.conf':
source => [ "puppet:///modules/site_mod_security/normal/${::fqdn}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/${::domain}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/${::operatingsystem}.${::lsbmajdistrelease}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/${::operatingsystem}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/mod_security.conf",
"puppet:///modules/mod_security/normal/${::operatingsystem}/mod_security.conf" ],
require => Package['mod_security'],
notify => Service['apache'],
}
package{'mod_security_crs': }
if $mod_security::crs_ruleset {
Package['mod_security_crs']{
ensure => present,
}
} else {
Package['mod_security_crs']{
ensure => absent,
}
}
package{'mod_security_crs-extras': }
if $mod_security::crs_extras_ruleset {
Package['mod_security_crs-extras']{
ensure => present,
if versioncmp($::operatingsystemmajrelease,'7') < 0 {
apache::config::global{'mod_security.conf':
source => [ "puppet:///modules/site_mod_security/normal/${::fqdn}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/${::domain}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/${::operatingsystem}.${::operatingsystemmajrelease}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/${::operatingsystem}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/mod_security.conf",
"puppet:///modules/mod_security/normal/${::operatingsystem}/mod_security.conf" ],
require => Package['mod_security'],
notify => Service['apache'],
}
} else {
Package['mod_security_crs-extras']{
ensure => absent,
# since version 2.5 we need to define a SecDataDir
file{
'/var/www/modsecurity_data':
ensure => directory,
require => Package['mod_security'],
owner => apache,
group => apache,
mode => '0640';
"${mod_security::config_dir}/sec_data_dir.conf":
content => "SecDataDir /var/www/modsecurity_data\n",
require => File['/var/www/modsecurity_data'],
notify => Service['apache'],
owner => root,
group => 0,
mode => '0644';
}
}
}
class mod_security::debian inherits mod_security::base {
Package['mod_security'] {
name => 'libapache-mod-security'