From 5faedaa5c007ba545d197f81891115d1da1cc14a Mon Sep 17 00:00:00 2001
From: Marcello Coutinho <marcellocoutinho@gmail.com>
Date: Mon, 11 Nov 2013 22:33:00 -0200
Subject: Apache - improve modsecurity config file creation

---
 config/apache_mod_security-dev/apache.template     | 64 +-----------------
 config/apache_mod_security-dev/apache_balancer.xml |  3 +-
 .../apache_mod_security.inc                        | 75 +++++++++++++++++-----
 .../apache_mod_security.template                   | 10 +--
 .../apache_mod_security_groups.xml                 | 42 ++++++++++--
 .../apache_mod_security_manipulation.xml           |  1 +
 .../apache_mod_security-dev/apache_view_logs.php   |  2 +-
 7 files changed, 106 insertions(+), 91 deletions(-)

diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template
index 93de58af..9147452c 100644
--- a/config/apache_mod_security-dev/apache.template
+++ b/config/apache_mod_security-dev/apache.template
@@ -5,69 +5,6 @@
 			$mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n";
 		}
 
-/*
-<IfModule mod_security2.c>
-
-
-    # Turn the filtering engine On or Off
-    SecFilterEngine On
-
-	# XXX Add knobs for these
-	SecRuleEngine On
-	SecRequestBodyAccess On
-	SecResponseBodyAccess On
-
-	SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit}
-	SecRequestBodyLimit {$secrequestbodylimit}
-
-	{$mod_security_custom}
-
-	SecResponseBodyMimeTypesClear
-	SecResponseBodyMimeType (null) text/plain text/html text/css text/xml
-
-	# XXX Add knobs for these
-	SecUploadDir /var/spool/apache/private
-	SecUploadKeepFiles Off
-
-    # The audit engine works independently and
-    # can be turned On of Off on the per-server or
-    # on the per-directory basis
-    SecAuditEngine {$secauditengine}
-
-	# XXX Add knobs for these
-    # Make sure that URL encoding is valid
-    SecFilterCheckURLEncoding On
-
-	# XXX Add knobs for these
-    # Unicode encoding check
-    SecFilterCheckUnicodeEncoding On
-
-	# XXX Add knobs for these
-    # Only allow bytes from this range
-    SecFilterForceByteRange 1 255
-
-	# Help prevent the effects of a Slowloris-type of attack
-	# $secreadstatelimit
-
-    # Cookie format checks.
-    SecFilterCheckCookieFormat On
-
-    # The name of the audit log file
-    SecAuditLog logs/audit_log
-    
-    #http-guardian Anti-dos protection
-    {$SecGuardianLog}
-
-    # Should mod_security inspect POST payloads
-    SecFilterScanPOST On
-
-	# Include rules from rules/ directory
-	{$mod_security_rules}
-
-</IfModule>
-
-*/
-
 $apache_dir=APACHEDIR;
 	$apache_config = <<<EOF
 ##################################################################################
@@ -96,6 +33,7 @@ $apache_dir=APACHEDIR;
 # with ServerRoot set to "/usr/local" will be interpreted by the
 # server as "/usr/local//var/log/foo_log".
 
+{$mod_security}
 #
 # ServerRoot: The top of the directory tree under which the server's
 # configuration, error, and log files are kept.
diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml
index 3c8de686..16779158 100755
--- a/config/apache_mod_security-dev/apache_balancer.xml
+++ b/config/apache_mod_security-dev/apache_balancer.xml
@@ -102,7 +102,8 @@
 		<columnitem>
 			<fielddescr>Description</fielddescr>
 			<fieldname>description</fieldname>
-		</columnitem>	
+		</columnitem>
+		<movable>on</movable>
 	</adddeleteeditpagefields>
 	<fields>
 		<field>
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index 76208c70..91f0ff35 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -3,7 +3,7 @@
 	apache_mod_security.inc
 	part of apache_mod_security package (http://www.pfSense.com)
 	Copyright (C) 2009, 2010 Scott Ullrich
-	Copyright (C) 2012 Marcello Coutinho
+	Copyright (C) 2012-2013 Marcello Coutinho
 	All rights reserved.
 
 	Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@ else
 // End of system check
 define ('MODSECURITY_DIR','crs');
 // Rules directory location
-define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR);
+define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR);
 function apache_textarea_decode($base64){
 	return preg_replace("/\r\n/","\n",base64_decode($base64));
 }
@@ -134,7 +134,7 @@ function apache_mod_security_resync() {
 			$write_config++;
 			$config['installedpackages']["modsecurityfiles{$dir}"]['config']=array();
 			while (false !== ($entry = readdir($handle))) {
-				if (preg_match("/(\S+).conf/",$entry,$matches))
+				if (preg_match("/(\S+).conf$/",$entry,$matches))
 					$config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]);
 				}
 			closedir($handle);
@@ -296,7 +296,7 @@ function generate_apache_configuration() {
 					
 					$options.=($server['routeid'] ? " route={$server['routeid']}" : "");
 					$options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : "");
-					if (isset($server['ping'])){
+					if (isset($server['ping']) && $server['ping']!=""){
 						$options.= " ping={$server['ping']}";
 						$options.=($server['ttl'] ? " ttl={$server['ttl']}" : "");
 						}
@@ -311,7 +311,47 @@ function generate_apache_configuration() {
 		//write balancer conf
 		file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX);
 		}
-		
+	// configure modsecurity group options
+	//chroot apache http://forums.freebsd.org/showthread.php?t=6858
+		if (is_array($config['installedpackages']['apachemodsecuritygroups'])){
+			unset($mods_group);
+			$i=0;
+			$write_config=0;
+			foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){
+				//RULES_DIRECTORY
+				$mods_group[$mods_groups['name']]="Include ".RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf\n";
+				if ($mods_groups['crs10']==""){
+					if (file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){
+						$config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example'));
+						$write_config++;
+					}
+				}
+				file_put_contents(RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']),LOCK_EX);
+				
+				foreach (split(",",$mods_groups['baserules']) as $baserule){
+					$mods_group[$mods_groups['name']].="  Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n";
+					}
+				foreach (split(",",$mods_groups['optionalrules']) as $baserule){
+					$mods_group[$mods_groups['name']].="  Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n";
+					}
+				foreach (split(",",$mods_groups['slrrules']) as $baserule){
+					$mods_group[$mods_groups['name']].="  Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n";
+					}
+				foreach (split(",",$mods_groups['experimentalrules']) as $baserule){
+					$mods_group[$mods_groups['name']].="  Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n";
+					}
+				$i++;
+				}
+			if ($write_config > 0)
+				write_config("load crs 10 setup file to modsecurity group {$mods_groups['name']}");
+		}
+	//print "<PRE>";
+	//var_dump($mods_group);
+	
+	//mod_security settings
+	if (is_array($config['installedpackages']['apachemodsecuritysettings'])){
+		$mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
+	}
 	//configure virtual hosts
 	$namevirtualhosts=array();
 	$namevirtualhosts[0]=$global_listen;
@@ -389,7 +429,10 @@ EOF;
 					$vh_config.="  ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n";
 					if ($backend['compress']== "no")
 						$vh_config.="  SetInputFilter   INFLATE\n  SetOutputFilter  INFLATE\n";
-					if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){
+					if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){
+						$vh_config.=$mods_group[$backend['modsecgroup']];
+					}
+					if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){
 						foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){
 							if ($backend['modsecmanipulation'] == $manipulation['name']){
 								if (is_array($manipulation['row']))
@@ -409,7 +452,7 @@ EOF;
 	// check/fix perl version on mod_security util files
 	$perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl");
 	foreach ($perl_files as $perl_file){
-		$file_path=rules_directory."/util/";
+		$file_path=RULES_DIRECTORY."/util/";
 		if (file_exists($file_path.$perl_file)){
 			$script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file));
 			file_put_contents($file_path.$perl_file,$script,LOCK_EX);
@@ -426,12 +469,9 @@ EOF;
 			}
 	}
 	
-	//mod_security settings
-	if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){
-		$mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
-		if ($mods_settings!="")
-			$SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\"";
-		}
+
+	if ($mods_settings!="")
+		$SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\"";
 	
 	//fix http-guardian.pl block bins
 	//$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib;
@@ -628,19 +668,20 @@ EOF;
 		$mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom'];
 
 	// Process and include rules
-	if(is_dir(rules_directory)) {
+	if(is_dir(RULES_DIRECTORY)) {
 		$mod_security_rules = "";
-		$files = return_dir_as_array(rules_directory);
+		$files = return_dir_as_array(RULES_DIRECTORY);
 		foreach($files as $file) { 
-			if(file_exists(rules_directory . "/" . $file)) {
+			if(file_exists(RULES_DIRECTORY . "/" . $file)) {
 				// XXX: TODO integrate snorts rule on / off thingie
-				$file_txt = file_get_contents(rules_directory . "/" . $file);
+				$file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file);
 				$mod_security_rules .= $file_txt . "\n";
 			}
 		}
 	}
 
 	#include file templates
+	include ("/usr/local/pkg/apache_mod_security.template");
 	include ("/usr/local/pkg/apache.template");
 
 	file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX);
diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template
index e5a2c864..f6ad6e3e 100644
--- a/config/apache_mod_security-dev/apache_mod_security.template
+++ b/config/apache_mod_security-dev/apache_mod_security.template
@@ -1,8 +1,8 @@
 <?php
-	// Mod_security enabled?
-	if($modsec_settings['enablemodsecurity'])  {
-		$enable_mod_security = true;
-		$mod_security = <<< EOF
+// Mod_security enabled?
+if($mods_settings['enablemodsecurity']=="on")  {
+	$enable_mod_security = true;
+	$mod_security = <<< EOF
 # -- Rule engine initialization ----------------------------------------------
 
 # Enable ModSecurity, attaching it to every transaction. Use detection
@@ -208,3 +208,5 @@ SecArgumentSeparator &
 #
 SecCookieFormat 0
 
+EOF;
+}
\ No newline at end of file
diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml
index 92b41243..315d2de0 100644
--- a/config/apache_mod_security-dev/apache_mod_security_groups.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml
@@ -74,14 +74,20 @@
 		</tab>
 	</tabs>
 		<adddeleteeditpagefields>
+		<movable>on</movable>
 		<columnitem>
 			<fielddescr>Name</fielddescr>
 			<fieldname>name</fieldname>
 		</columnitem>
+		<columnitem>
+			<fielddescr>Logging</fielddescr>
+			<fieldname>secauditengine</fieldname>
+		</columnitem>
 		<columnitem>
 			<fielddescr>Description</fielddescr>
 			<fieldname>description</fieldname>
 		</columnitem>
+		
 	</adddeleteeditpagefields>
 	<fields>
 		<field>
@@ -94,6 +100,7 @@
 			<description>Enter group name</description>
 			<type>input</type>
 			<size>25</size>
+			<required/>
 		</field>
 		<field>
 			<fielddescr>Description</fielddescr>
@@ -102,6 +109,7 @@
 			<type>input</type>
 			<size>45</size>
 		</field>
+		
 		<field>
 			<fielddescr>Base Rules</fielddescr>
 			<fieldname>baserules</fieldname>
@@ -182,26 +190,50 @@
 			    <option><name>log everything, including very detailed debugging information</name><value>9</value></option>
 			</options>
 		</field>
-
 		<field>
-			<name>Custom options</name>
+			<name>mod_security crs 10 setup</name>
+			<type>listtopic</type>
+		</field>
+		<field>
+			<fielddescr>mod_security crs 10 setup</fielddescr>
+			<fieldname>crs10</fieldname>
+			<dontdisplayname/>
+			<usecolspan2/>
+			<description><![CDATA[<b>modsecurity_crs_10_setup.conf file.</b><br>Leave empty to load setup defaults.]]></description>
+			<type>textarea</type>
+			<encoding>base64</encoding>
+	      	<rows>15</rows>
+	      	<cols>90</cols>			
+		</field>
+		<field>
+			<name>Custom mod_security ErrorDocument</name>
 			<type>listtopic</type>
 		</field>
 		<field>
 			<fielddescr>Custom mod_security ErrorDocument</fielddescr>
 			<fieldname>errordocument</fieldname>
-			<description></description>
+			<dontdisplayname/>
+			<usecolspan2/>
+			<description>Custom mod_security ErrorDocument.</description>
 			<type>textarea</type>
+			<encoding>base64</encoding>
 	      	<rows>10</rows>
-	      	<cols>75</cols>			
+	      	<cols>90</cols>			
+		</field>
+		<field>
+			<name>Custom mod_security rules</name>
+			<type>listtopic</type>
 		</field>
 		<field>
 			<fielddescr>Custom mod_security rules</fielddescr>
 			<fieldname>modsecuritycustom</fieldname>
+			<dontdisplayname/>
+			<usecolspan2/>
 			<description>Paste any custom mod_security rules that you would like to use</description>
 			<type>textarea</type>
+			<encoding>base64</encoding>
 	      	<rows>10</rows>
-	      	<cols>75</cols>			
+	      	<cols>90</cols>			
 		</field>
 	</fields>
 	<custom_php_resync_config_command>
diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
index 54738d83..ab681c66 100644
--- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml
@@ -82,6 +82,7 @@
 			<fielddescr>Description</fielddescr>
 			<fieldname>description</fieldname>
 		</columnitem>
+		<movable>on</movable>
 	</adddeleteeditpagefields>
 	<fields>
 		<field>
diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php
index da82baaa..77c14176 100644
--- a/config/apache_mod_security-dev/apache_view_logs.php
+++ b/config/apache_mod_security-dev/apache_view_logs.php
@@ -96,7 +96,7 @@ function showLog(content,url,logtype)
 			<?php
 				$tab_array = array();
 				$tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&amp;id=0");
-				$tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml");
+				$tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml");
 				$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml");
 				display_top_tabs($tab_array);
 			?>
-- 
cgit v1.2.3