author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-11-11 22:33:00 -0200 |
---|---|---|
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-11-11 22:33:00 -0200 |
commit | 5faedaa5c007ba545d197f81891115d1da1cc14a (patch) | |
tree | f205affc5f68842879cd902211dd9a4b1d34ac37 /config/apache_mod_security-dev | |
parent | 361b61a7a9030efbe241b51726967a0b1a370d5d (diff) | |
Apache - improve modsecurity config file creation
Diffstat (limited to 'config/apache_mod_security-dev')
7 files changed, 106 insertions, 91 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template
index 93de58af..9147452c 100644
--- a/config/apache_mod_security-dev/apache.template
+++ b/config/apache_mod_security-dev/apache.template
@@ -5,69 +5,6 @@ $mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n";
 }
-/*
-<IfModule mod_security2.c>
-
-
- # Turn the filtering engine On or Off
- SecFilterEngine On
-
- # XXX Add knobs for these
- SecRuleEngine On
- SecRequestBodyAccess On
- SecResponseBodyAccess On
-
- SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit}
- SecRequestBodyLimit {$secrequestbodylimit}
-
- {$mod_security_custom}
-
- SecResponseBodyMimeTypesClear
- SecResponseBodyMimeType (null) text/plain text/html text/css text/xml
-
- # XXX Add knobs for these
- SecUploadDir /var/spool/apache/private
- SecUploadKeepFiles Off
-
- # The audit engine works independently and
- # can be turned On of Off on the per-server or
- # on the per-directory basis
- SecAuditEngine {$secauditengine}
-
- # XXX Add knobs for these
- # Make sure that URL encoding is valid
- SecFilterCheckURLEncoding On
-
- # XXX Add knobs for these
- # Unicode encoding check
- SecFilterCheckUnicodeEncoding On
-
- # XXX Add knobs for these
- # Only allow bytes from this range
- SecFilterForceByteRange 1 255
-
- # Help prevent the effects of a Slowloris-type of attack
- # $secreadstatelimit
-
- # Cookie format checks.
- SecFilterCheckCookieFormat On
-
- # The name of the audit log file
- SecAuditLog logs/audit_log
-
- #http-guardian Anti-dos protection
- {$SecGuardianLog}
-
- # Should mod_security inspect POST payloads
- SecFilterScanPOST On
-
- # Include rules from rules/ directory
- {$mod_security_rules}
-
-</IfModule>
-
-*/
-
 $apache_dir=APACHEDIR;
 $apache_config = <<<EOF
 ##################################################################################
@@ -96,6 +33,7 @@ $apache_dir=APACHEDIR; # with ServerRoot set to "/usr/local" will be interpreted by the # server as "/usr/local//var/log/foo_log". +{$mod_security} # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept.
diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml
index 3c8de686..16779158 100755
--- a/config/apache_mod_security-dev/apache_balancer.xml
+++ b/config/apache_mod_security-dev/apache_balancer.xml
@@ -102,7 +102,8 @@
 <columnitem>
 <fielddescr>Description</fielddescr>
 <fieldname>description</fieldname>
- </columnitem>
+ </columnitem>
+ <movable>on</movable>
 </adddeleteeditpagefields>
 <fields>
 <field>
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index 76208c70..91f0ff35 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -3,7 +3,7 @@ apache_mod_security.inc part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@ else
 // End of system check
 define ('MODSECURITY_DIR','crs');
 // Rules directory location
-define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR);
+define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR);
 function apache_textarea_decode($base64){
 return preg_replace("/\r\n/","\n",base64_decode($base64));
 }
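Review bot: `{$mod_security}` is interpolated into the httpd.conf heredoc unconditionally, but apache_mod_security.template (the `@@ -1,8 +1,8 @@` hunk of this commit) assigns `$mod_security` only inside `if($mods_settings['enablemodsecurity']=="on")`, so with ModSecurity disabled the heredoc reads an undefined variable. Initialise it next to the new include in the `@@ -628,19 +668,20 @@` hunk, `$mod_security = "";` before `include ("/usr/local/pkg/apache_mod_security.template");`, or give the template an `else { $mod_security = ""; }` branch. The heredoc this placeholder belongs to starts and ends outside the hunk.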
@@ -134,7 +134,7 @@ function apache_mod_security_resync() {
 $write_config++;
 $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array();
 while (false !== ($entry = readdir($handle))) {
- if (preg_match("/(\S+).conf/",$entry,$matches))
+ if (preg_match("/(\S+).conf$/",$entry,$matches))
 $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]);
 }
 closedir($handle);
@@ -296,7 +296,7 @@ function generate_apache_configuration() {
 $options.=($server['routeid'] ? " route={$server['routeid']}" : "");
 $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : "");
- if (isset($server['ping'])){
+ if (isset($server['ping']) && $server['ping']!=""){
 $options.= " ping={$server['ping']}";
 $options.=($server['ttl'] ? " ttl={$server['ttl']}" : "");
 }
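Review bot: The tightened pattern `"/(\S+).conf$/"` still leaves the dot unescaped and the start unanchored, so `\S+` matches any directory entry whose name merely ends in some character followed by `conf` (e.g. `fooXconf`), and `$matches[1]` is then not a rule file's base name. Anchor and escape it: `if (preg_match("/^(\S+)\.conf$/",$entry,$matches))`. The surrounding `while` loop and apache_mod_security_resync() continue outside the hunk.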
@@ -311,7 +311,47 @@ function generate_apache_configuration() {
 //write balancer conf
 file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX);
 }
-
+ // configure modsecurity group options
+ //chroot apache http://forums.freebsd.org/showthread.php?t=6858
+ if (is_array($config['installedpackages']['apachemodsecuritygroups'])){
+ unset($mods_group);
+ $i=0;
+ $write_config=0;
+ foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){
+ //RULES_DIRECTORY
+ $mods_group[$mods_groups['name']]="Include ".RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf\n";
+ if ($mods_groups['crs10']==""){
+ if (file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){
+ $config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example'));
+ $write_config++;
+ }
+ }
+ file_put_contents(RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']),LOCK_EX);
+
+ foreach (split(",",$mods_groups['baserules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['optionalrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['slrrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n";
+ }
+ foreach (split(",",$mods_groups['experimentalrules']) as $baserule){
+ $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n";
+ }
+ $i++;
+ }
+ if ($write_config > 0)
+ write_config("load crs 10 setup file to modsecurity group {$mods_groups['name']}");
+ }
+ //print "<PRE>";
+ //var_dump($mods_group);
+
+ //mod_security settings
+ if (is_array($config['installedpackages']['apachemodsecuritysettings'])){
+ $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
+ }
 //configure virtual hosts
 $namevirtualhosts=array();
 $namevirtualhosts[0]=$global_listen;
@@ -389,7 +429,10 @@ EOF;
 $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n";
 if ($backend['compress']== "no")
 $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n";
- if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){
+ if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){
+ $vh_config.=$mods_group[$backend['modsecgroup']];
+ }
+ if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){
 foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){
 if ($backend['modsecmanipulation'] == $manipulation['name']){
 if (is_array($manipulation['row']))
@@ -409,7 +452,7 @@ EOF;
 // check/fix perl version on mod_security util files
 $perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl");
 foreach ($perl_files as $perl_file){
- $file_path=rules_directory."/util/";
+ $file_path=RULES_DIRECTORY."/util/";
 if (file_exists($file_path.$perl_file)){
 $script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file));
 file_put_contents($file_path.$perl_file,$script,LOCK_EX);
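Review bot: `$mods_groups['name']` is taken from the package config and spliced, unvalidated, into both a filesystem path (`RULES_DIRECTORY."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf"`) and an Apache `Include` directive; the groups XML in this commit only adds `<required/>` for the field, so a name containing `/`, `..`, whitespace or a quote is written outside the rules directory or breaks the generated httpd.conf. The four `split(",", …)` loops have the same problem for each rule id and additionally turn an empty field into `Include …/base_rules/.conf`, which makes Apache refuse to start because that file does not exist; `split()` is also deprecated since PHP 5.3 in favour of `explode()`. I would restrict the group name and each rule id to a safe character set and skip empty entries, as below; separately, because `$write_config` is reset to 0 here, the `write_config()` message after the loop names the last group iterated rather than the one whose setup file was loaded. generate_apache_configuration() begins and ends outside this hunk.
```php
foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){
	// the group name becomes a file name under RULES_DIRECTORY and an Include target
	if (!preg_match('/^[A-Za-z0-9_-]+$/', $mods_groups['name'])){
		log_error("apache_mod_security: skipping mod_security group with unsafe name");
		$i++;
		continue;
	}
	// … unchanged: crs 10 setup file creation and its Include line …
	$rule_dirs = array("baserules" => "base_rules", "optionalrules" => "optional_rules",
		"slrrules" => "slr_rules", "experimentalrules" => "experimental_rules");
	foreach ($rule_dirs as $field => $subdir){
		foreach (explode(",", $mods_groups[$field]) as $rule){
			// empty entries and ids outside the safe set produce no Include line
			if (preg_match('/^[A-Za-z0-9_-]+$/', $rule))
				$mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/{$subdir}/{$rule}.conf\n";
		}
	}
	$i++;
}
```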
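Review bot: `$mods_group[$backend['modsecgroup']]` is read without checking that the key exists, so a backend whose `modsecgroup` refers to a group that has since been renamed or deleted silently gets no Include block while still looking protected in the GUI; `$mods_settings` is likewise undefined when no settings section exists, yet the new `enablemodsecurity` checks here and in the `@@ -426,12 +469,9 @@` hunk read it anyway. Guard the lookup, `if (isset($mods_group[$backend['modsecgroup']])) $vh_config.=$mods_group[$backend['modsecgroup']]; else log_error("mod_security group {$backend['modsecgroup']} not found for backend");`, and initialise `$mods_settings=array();` before the `is_array` test in the `@@ -311,7 +311,47 @@` hunk. The enclosing backend loop starts and ends outside the hunk.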
@@ -426,12 +469,9 @@ EOF;
 }
 }
- //mod_security settings
- if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){
- $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
- if ($mods_settings!="")
- $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\"";
- }
+
+ if ($mods_settings!="")
+ $SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\"";
 //fix http-guardian.pl block bins
 //$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib;
@@ -628,19 +668,20 @@ EOF;
 $mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom'];
 // Process and include rules
- if(is_dir(rules_directory)) {
+ if(is_dir(RULES_DIRECTORY)) {
 $mod_security_rules = "";
- $files = return_dir_as_array(rules_directory);
+ $files = return_dir_as_array(RULES_DIRECTORY);
 foreach($files as $file) {
- if(file_exists(rules_directory . "/" . $file)) {
+ if(file_exists(RULES_DIRECTORY . "/" . $file)) {
 // XXX: TODO integrate snorts rule on / off thingie
- $file_txt = file_get_contents(rules_directory . "/" . $file);
+ $file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file);
 $mod_security_rules .= $file_txt . "\n";
 }
 }
 }
 #include file templates
+ include ("/usr/local/pkg/apache_mod_security.template");
 include ("/usr/local/pkg/apache.template");
 file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX);
diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template
index e5a2c864..f6ad6e3e 100644
--- a/config/apache_mod_security-dev/apache_mod_security.template
+++ b/config/apache_mod_security-dev/apache_mod_security.template
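Review bot: `if ($mods_settings!="")` now compares the settings array against a string; any non-empty array satisfies it, so `SecGuardianLog` is emitted whenever a settings section exists, even with ModSecurity disabled, and when no section exists `$mods_settings` is undefined — the removed code at least kept this inside its `is_array` check. Align it with the other new checks in this commit: `if (isset($mods_settings['enablemodsecurity']) && $mods_settings['enablemodsecurity']=="on")`. The enclosing function continues on both sides of the hunk.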
@@ -1,8 +1,8 @@
 <?php
- // Mod_security enabled?
- if($modsec_settings['enablemodsecurity']) {
- $enable_mod_security = true;
- $mod_security = <<< EOF
+// Mod_security enabled?
+if($mods_settings['enablemodsecurity']=="on") {
+ $enable_mod_security = true;
+ $mod_security = <<< EOF
 # -- Rule engine initialization ----------------------------------------------
 # Enable ModSecurity, attaching it to every transaction. Use detection
@@ -208,3 +208,5 @@ SecArgumentSeparator & # SecCookieFormat 0
+EOF;
+}
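Review bot: The template now depends on a variable from whichever scope includes it — `$mods_settings` is neither declared nor tested with `isset()` before `$mods_settings['enablemodsecurity']=="on"` — and nothing in the file states that contract. I would replace the `// Mod_security enabled?` comment with something like `// Expects $mods_settings (apachemodsecuritysettings config[0]) from the including scope; sets $mod_security and $enable_mod_security only when ModSecurity is enabled, otherwise leaves them untouched.` The `if` opened here is closed by the `+}` in the file's second hunk, some 200 lines later.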
\ No newline at end of file
diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml
index 92b41243..315d2de0 100644
--- a/config/apache_mod_security-dev/apache_mod_security_groups.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml
@@ -74,14 +74,20 @@
 </tab>
 </tabs>
 <adddeleteeditpagefields>
+ <movable>on</movable>
 <columnitem>
 <fielddescr>Name</fielddescr>
 <fieldname>name</fieldname>
 </columnitem>
 <columnitem>
+ <fielddescr>Logging</fielddescr>
+ <fieldname>secauditengine</fieldname>
+ </columnitem>
+ <columnitem>
 <fielddescr>Description</fielddescr>
 <fieldname>description</fieldname>
 </columnitem>
+
 </adddeleteeditpagefields>
 <fields>
 <field>
@@ -94,6 +100,7 @@
 <description>Enter group name</description>
 <type>input</type>
 <size>25</size>
+ <required/>
 </field>
 <field>
 <fielddescr>Description</fielddescr>
@@ -102,6 +109,7 @@
 <type>input</type>
 <size>45</size>
 </field>
+
 <field>
 <fielddescr>Base Rules</fielddescr>
 <fieldname>baserules</fieldname>
@@ -182,26 +190,50 @@ <option><name>log everything, including very detailed debugging information</name><value>9</value></option> </options> </field> - <field> - <name>Custom options</name> + <name>mod_security crs 10 setup</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>mod_security crs 10 setup</fielddescr> + <fieldname>crs10</fieldname> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[<b>modsecurity_crs_10_setup.conf file.</b><br>Leave empty to load setup defaults.]]></description> + <type>textarea</type> + <encoding>base64</encoding> + <rows>15</rows> + <cols>90</cols> + </field> + <field> + <name>Custom mod_security ErrorDocument</name> + <type>listtopic</type> + </field> <field> <fielddescr>Custom mod_security ErrorDocument</fielddescr> <fieldname>errordocument</fieldname> - <description></description> + <dontdisplayname/> + <usecolspan2/> + <description>Custom mod_security ErrorDocument.</description> <type>textarea</type> + <encoding>base64</encoding> <rows>10</rows> - <cols>75</cols> + <cols>90</cols> + </field> + <field> + <name>Custom mod_security rules</name> + <type>listtopic</type> </field> <field> <fielddescr>Custom mod_security rules</fielddescr> <fieldname>modsecuritycustom</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste any custom mod_security rules that you would like to use</description> <type>textarea</type> + <encoding>base64</encoding> <rows>10</rows> - <cols>75</cols> + <cols>90</cols> </field> </fields> <custom_php_resync_config_command>
diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
index 54738d83..ab681c66 100644
--- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
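Review bot: `<encoding>base64</encoding>` is added to the pre-existing `errordocument` and `modsecuritycustom` fields, yet the only reader this commit adapts is the new `crs10` field (decoded with `apache_textarea_decode()` in the `.inc`); the code that consumes the other two fields is outside this diff, and unless it decodes the same way it will now receive base64 text rather than the document or rule body. Presumably pkg_edit also base64-decodes the stored value for display, so entries saved before this change would render garbled until re-saved — confirm both before merging, and say so in the two field descriptions, e.g. `<description>Custom mod_security ErrorDocument (stored base64-encoded; re-save existing entries after upgrading).</description>`. The `<field>` entries here sit inside a `<fields>` list that begins before the hunk.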
@@ -82,6 +82,7 @@
 <fielddescr>Description</fielddescr>
 <fieldname>description</fieldname>
 </columnitem>
+ <movable>on</movable>
 </adddeleteeditpagefields>
 <fields>
 <field>
diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php
index da82baaa..77c14176 100644
--- a/config/apache_mod_security-dev/apache_view_logs.php
+++ b/config/apache_mod_security-dev/apache_view_logs.php
@@ -96,7 +96,7 @@ function showLog(content,url,logtype)
 <?php
 $tab_array = array();
 $tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&id=0");
- $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml");
+ $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml");
 $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml");
 display_top_tabs($tab_array);
 ?> |