From 5faedaa5c007ba545d197f81891115d1da1cc14a Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Mon, 11 Nov 2013 22:33:00 -0200 Subject: Apache - improve modsecurity config file creation --- config/apache_mod_security-dev/apache.template | 64 +----------------- config/apache_mod_security-dev/apache_balancer.xml | 3 +- .../apache_mod_security.inc | 75 +++++++++++++++++----- .../apache_mod_security.template | 10 +-- .../apache_mod_security_groups.xml | 42 ++++++++++-- .../apache_mod_security_manipulation.xml | 1 + .../apache_mod_security-dev/apache_view_logs.php | 2 +- 7 files changed, 106 insertions(+), 91 deletions(-) diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template index 93de58af..9147452c 100644 --- a/config/apache_mod_security-dev/apache.template +++ b/config/apache_mod_security-dev/apache.template 
@@ -5,69 +5,6 @@ $mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n"; } -/* - - - - # Turn the filtering engine On or Off - SecFilterEngine On - - # XXX Add knobs for these - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess On - - SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit} - SecRequestBodyLimit {$secrequestbodylimit} - - {$mod_security_custom} - - SecResponseBodyMimeTypesClear - SecResponseBodyMimeType (null) text/plain text/html text/css text/xml - - # XXX Add knobs for these - SecUploadDir /var/spool/apache/private - SecUploadKeepFiles Off - - # The audit engine works independently and - # can be turned On of Off on the per-server or - # on the per-directory basis - SecAuditEngine {$secauditengine} - - # XXX Add knobs for these - # Make sure that URL encoding is valid - SecFilterCheckURLEncoding On - - # XXX Add knobs for these - # Unicode encoding check - SecFilterCheckUnicodeEncoding On - - # XXX Add knobs for these - # Only allow bytes from this range - SecFilterForceByteRange 1 255 - - # Help prevent the effects of a Slowloris-type of attack - # $secreadstatelimit - - # Cookie format checks. - SecFilterCheckCookieFormat On - - # The name of the audit log file - SecAuditLog logs/audit_log - - #http-guardian Anti-dos protection - {$SecGuardianLog} - - # Should mod_security inspect POST payloads - SecFilterScanPOST On - - # Include rules from rules/ directory - {$mod_security_rules} - - - -*/ - $apache_dir=APACHEDIR; $apache_config = << Description description - + + on diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index 76208c70..91f0ff35 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc 
@@ -3,7 +3,7 @@ apache_mod_security.inc part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without @@ -37,7 +37,7 @@ else // End of system check define ('MODSECURITY_DIR','crs'); // Rules directory location -define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); +define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR); function apache_textarea_decode($base64){ return preg_replace("/\r\n/","\n",base64_decode($base64)); } @@ -134,7 +134,7 @@ function apache_mod_security_resync() { $write_config++; $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); while (false !== ($entry = readdir($handle))) { - if (preg_match("/(\S+).conf/",$entry,$matches)) + if (preg_match("/(\S+).conf$/",$entry,$matches)) $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); } closedir($handle); @@ -296,7 +296,7 @@ function generate_apache_configuration() { $options.=($server['routeid'] ? " route={$server['routeid']}" : ""); $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : ""); - if (isset($server['ping'])){ + if (isset($server['ping']) && $server['ping']!=""){ $options.= " ping={$server['ping']}"; $options.=($server['ttl'] ? " ttl={$server['ttl']}" : ""); } 
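Review bot: In the `@@ -134,7` hunk the dot in `/(\S+).conf$/` is still an unescaped metacharacter, so an entry such as `rulesXconf` (any character where the `.` should be) is accepted as a rules file and registered under `modsecurityfiles{$dir}`; anchoring the end was the right fix, but the extension itself should be literal: `if (preg_match('/^(\S+)\.conf$/', $entry, $matches))`. The `ping` guard added in the `@@ -296,7` hunk correctly rejects an empty string, while the neighbouring `routeid`/`loadfactor`/`ttl` options rely on truthiness, which already does so. apache_mod_security_resync() and generate_apache_configuration() both start and end outside these hunks.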
@@ -311,7 +311,47 @@ function generate_apache_configuration() { //write balancer conf file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX); } - + // configure modsecurity group options + //chroot apache http://forums.freebsd.org/showthread.php?t=6858 + if (is_array($config['installedpackages']['apachemodsecuritygroups'])){ + unset($mods_group); + $i=0; + $write_config=0; + foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){ + //RULES_DIRECTORY + $mods_group[$mods_groups['name']]="Include ".RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf\n"; + if ($mods_groups['crs10']==""){ + if (file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){ + $config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')); + $write_config++; + } + } + file_put_contents(RULES_DIRECTORY ."/modsecurity_{$mods_groups['name']}_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][$i]['crs10']),LOCK_EX); + + foreach (split(",",$mods_groups['baserules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['optionalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['slrrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['experimentalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n"; + } + $i++; + } + if ($write_config > 0) + write_config("load crs 10 setup file to modsecurity group {$mods_groups['name']}"); + } + 
//print "
";
+	//var_dump($mods_group);
+	
+	//mod_security settings
+	if (is_array($config['installedpackages']['apachemodsecuritysettings'])){
+		$mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
+	}
 	//configure virtual hosts
 	$namevirtualhosts=array();
 	$namevirtualhosts[0]=$global_listen;
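Review bot: `$mods_groups['name']` is interpolated into a file name under RULES_DIRECTORY and into an Apache `Include` directive without any check on its characters, so a group name containing `/`, `..` or whitespace writes the crs_10 setup file outside the rules directory or emits a malformed Include line; the value is admin-edited GUI data, so this is mainly a breakage risk, but a one-line charset check before use removes it. The four `split(",", ...)` loops call a function deprecated since PHP 5.3 (removed in 7), and when a rule field is empty `split` returns a single empty string, producing `Include .../base_rules/.conf`, which makes httpd refuse to start; `explode` plus a filter for empty elements fixes both, and the same charset check applies to each rule name. The `write_config("... {$mods_groups['name']}")` call after the loop names only the last group, so the message is misleading when several groups were initialised. The enclosing generate_apache_configuration() starts and ends outside the hunk.
```php
foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){
    // Group names become file names and Include paths; accept only a safe charset.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $mods_groups['name'])) {
        $i++;
        continue;
    }
    // … unchanged: crs_10 setup file handling …
    $rule_dirs = array(
        'baserules'         => 'base_rules',
        'optionalrules'     => 'optional_rules',
        'slrrules'          => 'slr_rules',
        'experimentalrules' => 'experimental_rules',
    );
    foreach ($rule_dirs as $field => $subdir) {
        // explode() replaces the deprecated split(); the strlen filter drops the
        // empty element an unset field would otherwise turn into "Include .../.conf".
        foreach (array_filter(explode(",", $mods_groups[$field]), 'strlen') as $rule) {
            if (!preg_match('/^[A-Za-z0-9_.-]+$/', $rule)) {
                continue;
            }
            $mods_group[$mods_groups['name']] .= " Include " . RULES_DIRECTORY . "/{$subdir}/{$rule}.conf\n";
        }
    }
    $i++;
}
```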
@@ -389,7 +429,10 @@ EOF;
 					$vh_config.="  ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n";
 					if ($backend['compress']== "no")
 						$vh_config.="  SetInputFilter   INFLATE\n  SetOutputFilter  INFLATE\n";
-					if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){
+					if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){
+						$vh_config.=$mods_group[$backend['modsecgroup']];
+					}
+					if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){
 						foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){
 							if ($backend['modsecmanipulation'] == $manipulation['name']){
 								if (is_array($manipulation['row']))
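Review bot: `$mods_group[$backend['modsecgroup']]` on the new line is appended without checking that the key exists, so a backend that still references a deleted or renamed group silently gets no mod_security block (plus an undefined-index notice) even though the `enablemodsecurity` switch is on; guard the lookup, and ideally log the mismatch: `if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on" && isset($mods_group[$backend['modsecgroup']]))`. `$mods_settings` is assigned only when the settings array exists (earlier in the same function, outside this hunk), so both new conditions read an undefined variable otherwise; initialising it to `array()` before the `is_array` check avoids the notice. The enclosing function starts and ends outside the hunk.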
@@ -409,7 +452,7 @@ EOF;
 	// check/fix perl version on mod_security util files
 	$perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl");
 	foreach ($perl_files as $perl_file){
-		$file_path=rules_directory."/util/";
+		$file_path=RULES_DIRECTORY."/util/";
 		if (file_exists($file_path.$perl_file)){
 			$script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file));
 			file_put_contents($file_path.$perl_file,$script,LOCK_EX);
@@ -426,12 +469,9 @@ EOF;
 			}
 	}
 	
-	//mod_security settings
-	if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){
-		$mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0];
-		if ($mods_settings!="")
-			$SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\"";
-		}
+
+	if ($mods_settings!="")
+		$SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\"";
 	
 	//fix http-guardian.pl block bins
 	//$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib;
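Review bot: `if ($mods_settings!="")` on the new line no longer tests what it used to: `$mods_settings` is now the whole settings record (assigned from `['config'][0]` earlier in the function), and in PHP an array compared with `""` is always unequal, so SecGuardianLog is emitted whenever a settings record exists regardless of whether mod_security is enabled, while an absent record only yields an undefined-variable notice. Align it with the per-backend checks in the `@@ -389` hunk: `if (is_array($mods_settings) && $mods_settings['enablemodsecurity']=="on")`. The enclosing function continues on both sides of the hunk.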
@@ -628,19 +668,20 @@ EOF;
 		$mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom'];
 
 	// Process and include rules
-	if(is_dir(rules_directory)) {
+	if(is_dir(RULES_DIRECTORY)) {
 		$mod_security_rules = "";
-		$files = return_dir_as_array(rules_directory);
+		$files = return_dir_as_array(RULES_DIRECTORY);
 		foreach($files as $file) { 
-			if(file_exists(rules_directory . "/" . $file)) {
+			if(file_exists(RULES_DIRECTORY . "/" . $file)) {
 				// XXX: TODO integrate snorts rule on / off thingie
-				$file_txt = file_get_contents(rules_directory . "/" . $file);
+				$file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file);
 				$mod_security_rules .= $file_txt . "\n";
 			}
 		}
 	}
 
 	#include file templates
+	include ("/usr/local/pkg/apache_mod_security.template");
 	include ("/usr/local/pkg/apache.template");
 
 	file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX);
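Review bot: The new `include ("/usr/local/pkg/apache_mod_security.template")` only warns when the file is missing or unreadable, and the lines that follow still build `$apache_config` and write httpd.conf, so — assuming this template now carries the mod_security section that the `@@ -5,69` hunk removed from apache.template — a missing template would produce an httpd.conf without any mod_security directives and no error. Use `require ("/usr/local/pkg/apache_mod_security.template");` for a template the generated configuration depends on; the same applies to the existing apache.template include below it. generate_apache_configuration() continues outside the hunk on both sides.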
diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template
index e5a2c864..f6ad6e3e 100644
--- a/config/apache_mod_security-dev/apache_mod_security.template
+++ b/config/apache_mod_security-dev/apache_mod_security.template
@@ -1,8 +1,8 @@
 
 	
 		
+		on
 		
 			Name
 			name
 		
+		
+			Logging
+			secauditengine
+		
 		
 			Description
 			description
 		
+		
 	
 	
 		
@@ -94,6 +100,7 @@
 			Enter group name
 			input
 			25
+			
 		
 		
 			Description
@@ -102,6 +109,7 @@
 			input
 			45
 		
+		
 		
 			Base Rules
 			baserules
@@ -182,26 +190,50 @@
 			    
 			
 		
-
 		
-			Custom options
+			mod_security crs 10 setup
+			listtopic
+		
+		
+			mod_security crs 10 setup
+			crs10
+			
+			
+			modsecurity_crs_10_setup.conf file.
Leave empty to load setup defaults.]]>
+ textarea + base64 + 15 + 90 +
+ + Custom mod_security ErrorDocument listtopic Custom mod_security ErrorDocument errordocument - + + + Custom mod_security ErrorDocument. textarea + base64 10 - 75 + 90 + + + Custom mod_security rules + listtopic Custom mod_security rules modsecuritycustom + + Paste any custom mod_security rules that you would like to use textarea + base64 10 - 75 + 90
diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml index 54738d83..ab681c66 100644 --- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml +++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml @@ -82,6 +82,7 @@ Description description + on diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php index da82baaa..77c14176 100644 --- a/config/apache_mod_security-dev/apache_view_logs.php +++ b/config/apache_mod_security-dev/apache_view_logs.php @@ -96,7 +96,7 @@ function showLog(content,url,logtype) -- cgit v1.2.3