diff --git a/README-SUSE-mod_security2.txt b/README-SUSE-mod_security2.txt deleted file mode 100644 index ed8e241..0000000 --- a/README-SUSE-mod_security2.txt +++ /dev/null @@ -1,13 +0,0 @@ - -# -# Dear Administrator, -# -# mod_security2 is not activated by default upon installation of the -# apache module. -# -# Your starting point for the configuration of mod_security2 is -# /etc/apache2/conf.d/mod_security2.conf . -# Please see that file for comments on how to activate the module -# and on how to assign rules. -# - diff --git a/README_SUSE b/README_SUSE new file mode 100644 index 0000000..4f11897 --- /dev/null +++ b/README_SUSE @@ -0,0 +1,23 @@ +# mod_security2 is not activated by default upon installation of the +# apache module. +# +# Use +# # a2enmod unique_id +# # a2enmod security2 +# +# to activate security2 module. +# +# Configuration directories: +# /etc/apache2/mod_security2.d is read first +# /etc/apache2/mod_security2.d/rules is read second +# +# owasp-modsecurity-crs and owasp-modsecurity-crs-apache2 can be installed. +# To test: +W +# curl 'http://localhost/?foo=/etc/passwd&bar=/bin/sh' +# +# sholud give 403 with appropriate entry in /var/log/apache2/modsec_audit.log +# and /var/log/apache2/error_log. +# +# See https://coreruleset.org/docs/1-getting-started/1-1-crs-installation/ +# for details. diff --git a/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz b/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz deleted file mode 100644 index f6fa190..0000000 --- a/SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:637b53696e96f3855f8d4bc678dd67dc8a4ba1ce7da418dafc74524cbf36c92a -size 291337 diff --git a/apache2-mod_security2-no_rpath.diff b/apache2-mod_security2-no_rpath.diff index 513366d..a0aa4ad 100644 --- a/apache2-mod_security2-no_rpath.diff +++ b/apache2-mod_security2-no_rpath.diff 
@@ -1,8 +1,8 @@ -Index: apache2/Makefile.am +Index: modsecurity-v2.9.8/apache2/Makefile.am =================================================================== ---- a/apache2/Makefile.am.orig -+++ b/apache2/Makefile.am -@@ -118,7 +118,7 @@ mod_security2_la_LDFLAGS = -module -avoi +--- modsecurity-v2.9.8.orig/apache2/Makefile.am ++++ modsecurity-v2.9.8/apache2/Makefile.am +@@ -125,7 +125,7 @@ mod_security2_la_LDFLAGS = -module -avoi endif if LINUX @@ -11,11 +11,11 @@ Index: apache2/Makefile.am @APR_LDFLAGS@ \ @APU_LDFLAGS@ \ @APXS_LDFLAGS@ \ -Index: apache2/Makefile.in +Index: modsecurity-v2.9.8/apache2/Makefile.in =================================================================== ---- a/apache2/Makefile.in.orig -+++ b/apache2/Makefile.in -@@ -691,7 +691,7 @@ libinjection/mod_security2_la-libinjecti +--- modsecurity-v2.9.8.orig/apache2/Makefile.in ++++ modsecurity-v2.9.8/apache2/Makefile.in +@@ -743,7 +743,7 @@ libinjection/mod_security2_la-libinjecti libinjection/$(DEPDIR)/$(am__dirstamp) mod_security2.la: $(mod_security2_la_OBJECTS) $(mod_security2_la_DEPENDENCIES) $(EXTRA_mod_security2_la_DEPENDENCIES) @@ -24,11 +24,11 @@ Index: apache2/Makefile.in mostlyclean-compile: -rm -f *.$(OBJEXT) -Index: build/libtool.m4 +Index: modsecurity-v2.9.8/build/libtool.m4 =================================================================== ---- a/build/libtool.m4.orig -+++ b/build/libtool.m4 -@@ -5053,7 +5053,7 @@ dnl Note also adjust exclude_expsyms for +--- modsecurity-v2.9.8.orig/build/libtool.m4 ++++ modsecurity-v2.9.8/build/libtool.m4 +@@ -5079,7 +5079,7 @@ dnl Note also adjust exclude_expsyms for # are reset later if shared libraries are not supported. Putting them # here allows them to be overridden if necessary. runpath_var=LD_RUN_PATH 
@@ -37,7 +37,7 @@ Index: build/libtool.m4 _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic' # ancient GNU ld didn't support --whole-archive et. al. if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then -@@ -5322,7 +5322,7 @@ _LT_EOF +@@ -5350,7 +5350,7 @@ _LT_EOF # DT_RUNPATH tag from executables and libraries. But doing so # requires that you compile everything twice, which is a pain. if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then @@ -46,7 +46,7 @@ Index: build/libtool.m4 _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' else -@@ -6409,7 +6409,7 @@ if test yes != "$_lt_caught_CXX_error"; +@@ -6439,7 +6439,7 @@ if test yes != "$_lt_caught_CXX_error"; _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib' _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' diff --git a/apache2-mod_security2.changes b/apache2-mod_security2.changes index 84a127a..8c33e6e 100644 --- a/apache2-mod_security2.changes +++ b/apache2-mod_security2.changes 
@@ -1,3 +1,67 @@ +------------------------------------------------------------------- +Tue Jan 21 13:28:24 UTC 2025 - pgajdos@suse.com + +- package cleanup, coordinated with owasp-modsecurity-crs cleanup +- version update to 2.9.8 (changed upstream: Trustwave -> OWASP) + * Fixed ap_log_perror() usage + * Memory leaks + enhanced logging + * CI improvement: First check syntax & always display error/audit logs + * Fixed assert() usage + * Removed useless code + * feat: Check if the MP header contains invalid character + * Use standard httpd logging format in error log + * fix msc_regexec() != PCRE_ERROR_NOMATCH strict check + * Move xmlFree() call to the right place + * Add collection size in log in case of writing error + * Passing address of lock instead of lock in acquire_global_lock() + * Invalid pointer access in case rule id == NOT_SET_P + * Show error.log after httpd start in CI + * chore: add pull request template + * chore: add gitignore file + * Possible double free + * Set 'jit' variable's initial value + * Missing null byte + optimization + * fix: remove usage of insecure tmpname + * docs: update copyright + * Enhanced logging [Issue #3107] + * Check for null pointer dereference (almost) everywhere + * Fix possible segfault in collection_unpack + * fix: Replace obsolete macros + * chore: update bug-report-for-version-2-x.md + * feat: Add more steps: install built module and restart the server + * Add new flag: --without-lua + * Initial release of CI worklow + * V2/fixbuildissue + * ; incorrectly replaced by space in cmdline + * Detailed error message when writing collections + * docs: Fix organization name in references and security e-mail (v2) + * ctl:ruleRemoveByTag isn't executed if no rule id is present in the rule + * Suppress useless loop on tag matching + * Optimization: Avoid last loop and storing an empty value in case nothing + after last %{..} macro + * Ignore (consistently) empty actions + * Add context info to error message + * Implement 
msre_action_phase_validate() + * Avoid some useless code and memory allocation in case no macro is present + * 'jit' variable not initialized when WITH_PCRE2 is defined + * Configure: do not check for pcre1 if pcre2 requested + * Double memory allocation + * Fix for DEBUG_CONF compile flag + * Enhance logging + * Fix possible segfault in collection_unpack + * Set the minimum security protocol version for SecRemoteRules + * Allow lua version 5.4 + * Configure: do not check for pcre1 if pcre2 requested + * Check return code of apr_procattr_io_set() + * Do not escape special chars in rx pattern with macro + * Substitute two equals-equals operators in build +- modified patches + % apache2-mod_security2-no_rpath.diff (refreshed) + % modsecurity-2.9.3-input_filtering_errors.patch (refreshed) + % modsecurity-fixes.patch (refreshed) +- added sources + + apache2-mod_security2.keyring + ------------------------------------------------------------------- Tue Jun 4 12:14:51 UTC 2024 - pgajdos@suse.com diff --git a/apache2-mod_security2.keyring b/apache2-mod_security2.keyring new file mode 100644 index 0000000..07821be --- /dev/null +++ b/apache2-mod_security2.keyring 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGW1M88BEACdOnF8zBA5RiSyv5V8vslhbqysNSkqsUmVvGnGoguI8kA0CRNU +YNdaxZ5E/WsZ0lbBNw/xjf9Wa52ZUCKHkGjR4DNxn0IZRjowYTYNxNWrSvdon9MY +XXAN6uomWtRFAbvLTo7VnV5NhrKnx8mXl0SgVDMveaQJ0NCa7onmFpVgNj+i1neU +fPiXqFl///dM6xNLL8DU3a2k42ZUUVYpcu94f78WFfGujePdgP1tHRP08JxfvvaZ +VnwpYHXJXjaoXCpiK4A6jj79BeZIgpEGLcYbI+mk+uIe7L81U4nRIOJgoYk8nIv8 +0no+lS8KDzW3hnBDyzFp6bfyP1K4lM4vc6k1DHVBkUZT3C9CDdxgAbbfD0deq8yI ++5/q38mPAJ6gyicnskji25PzzxnzCRt73wQHCZ/x4RAwnKVeStYLtNqsDSk/Zm0n +qqOwZKf0DpMuwJUCQ2I5xYL/R5FthElL/QAQ9E0C2GG1kj5+V/4spsBwwzQ3Ct2x +ntnME4CInxWPfhlAAVLw28Zb/paExLGO28VcQHM8uBMMZXP4T5L+INbb2ax1WB2n +h3NzBrxzL3H47woWFmTcM1beqcqya5k/Q2tfTl1x4AmifOWXOytGqUpgiM6J2lSS +/0N0rbykep9JftaIZbj2TTVk2VKOv7KQdLUgFXmtPWmb12fVOpkhAfweVQARAQAB +tClPV0FTUCBNb2RTZWN1cml0eSA8bW9kc2VjdXJpdHlAb3dhc3Aub3JnPokCTgQT +AQgAOBYhBAsroZJAZbRGkSAqKtKG4CIUnw9uBQJltTPPAhsDBQsJCAcCBhUKCQgL +AgQWAgMBAh4BAheAAAoJENKG4CIUnw9u2C0P/jVJB7sCyDMAgyp0KkYynt7Qgf2q +WQFDVz/KoPqj1qZaKOBjScZbprgDMuqkDELqpAP4MuzhWjcL9CDTbSuu+YQhwfBo +5mkbBBElFVw5n1rkhY/mpSe+uSZBLOGp37PCqrc17ihXm27Z/d9+mS1bX61ScpOy +50r5rm1r9KG3bXTZRKkK+3bkR25Blapo4rDW8k6LzfmlfucsZ0/VZIol/+GOl3HX +9IPWbUmW7LwS7+SYPms6c6XrPa57v2RgZDb/MOULqeayUjiOMX6bAAlVYJaoQ1yp +VOO5kafResYHhK2Vz6oYvpR4va1KqkVEwOPsBmMmR0qQGtAqeE+yvI7Dm4mUZtYc +jZdx8CDCqgLz8xuGcO2ewenhxy50CkLpoNKvYIMcZo+s+EfL4M9TG+eMDZlEmgGG +rPk96uplna9aWZWYXO2rgZ8kj8G9yOuf+vQAAGh9se2iQmSUw0ph9Sex04VjJAD/ +XQyDeS4Z1TT2TBhHf9+zxb8EsLiEjYzC1Rxj4wsr6uxJpXIdnSLusZ75z2ZpKtpU +O3aDcqMfosO+iocvKgy+TOWgF4SRjoVe/P5INHP/NMHrEX/ZAMqk0CE7jM2z9I/B +aZ2wK87djVaTRgk3x+i2run3hpGr3eKAm0P6lTKhS/zZ9NEa3L1XSzD7JwBEmRuS +70M0myS+bzhfB9VouQINBGW1M88BEACxgm1yOuZLy0IrMfW9DohAVDbspd3VjxjP ++uAF4ZPFuxyXP+Co9Rts3XsBZaPqyFOYknlvo0IBq6EPmsWpZ5jT2cbJyo9LZE4N +aGheccpin3kg1WN/sWdYPW2hlJhgOA/AKsyil0TDEYvGht1M1uz2Hf5d6kp1Ex5d +inVgKneVHTRyJp5jlvgzxYsJKlMX4S+5APo0IfXDiko6BA4ltmd0knQSn6owARkM +BOa4fxzknRZHmYmd24AhYzDShNCGVQHSFn1Pz+wD88FFOczDiPPiaEq8T2J8A15g 
+kxntWSa67d0R9k6arF3SEHA4YvSCzIQsdhXdnGJwgEl341qr6uant2PErAaWDIXT +XJ4e3oCMT73OW/lEawJvPSJYDDi03RgJBQcs4iN073zzwUIuaFV21RIUcGjRmwnX +mJ7ttyLGqYya88DgXT4zX3xm7un/ZkcRKL0KPNOWGoc2rl/XDMYChqgRvOOPaOlr +6oAF8jxTKnpWSI9edhg7PBAlpQtl3DPnJ8pg9KUvuledJnfIs6VjtbfsGwD7b7M+ +LDVErH218SYsEJ61nmPBzomlJpb9T7TxImBbuP9H6QUq0FKeTk1dbc4bx2Msw7dM +b3AwIGgpS3T1zoS2au9daieoiZxFrjlsyut2DnuZ2XeWJts/VPW/JsREH3nSucQQ +sQVp0ToZtQARAQABiQI2BBgBCAAgFiEECyuhkkBltEaRICoq0obgIhSfD24FAmW1 +M88CGwwACgkQ0obgIhSfD24gXQ//dsZRiGsiZ7rJ9MvFQvSMuKnjNVNhQYCzBO02 +7RQDUKL/pcdjXNaAkGMP+60e6ipPBJPV1dEz2C8no1IBQokF7bMkC3u22dGywH4j +9ddtkE8qeJQ/7Dc+rS7w5dno8EzLiVW9088wm00NXydJ4FuqEpEvUHyEIIqBGPja +UheL5WzzAmPkYPNGAHNKoPp55aPrpcJAr1Dknv+fhptnzcPtNSia+NHeC/aBjPXQ +YBpzcGXbEuj/Jn0ugmMhLhDYQDc8uKmeYSp6p9PjIjZxry6ISGtAKNVJe5+xBKvt +AdotNiOl2ida9Z7RpmgpNqblCyTwIWfji66XCnvZHQzCdMBXfeO5MRvg6diVtcA2 +CJYaiN6FvSWmolp47SRg1/bvRdNxe+IPBWPFufWmU/CrQOyfJy8/H3VjKuaHA0Ba +HyAgobm/kGjkQy2ZO/KMyjesqPcAL8CtKZ57Fzgus3UFIhANC+T6KtxQTIpj1nlN +OdWlYCl1FQXPc561Tgicv4oiJOXOOxiVlF0H3+ldBzijNviciaJcBCS+2clN2moY +GRQm4g0sSm1ItA57xD6dzjqdfN4X0lptKOoQyDfrTJZftuUUtU4xifnVIuWrtBsn +yNxo8FXdFKN9E5vHeAQsZRIXG66Ym0VqI+KhkMYzJpRN6SqZJNiFjdddmJhiCg7o +kKSFrwk= +=tFPe +-----END PGP PUBLIC KEY BLOCK----- diff --git a/apache2-mod_security2.spec b/apache2-mod_security2.spec index aabd703..63a0fb0 100644 --- a/apache2-mod_security2.spec +++ b/apache2-mod_security2.spec @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_security2 # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,21 +16,18 @@ # -%define modname mod_security2 -%define tarballname modsecurity-%{version} -%define usrsharedir %{_datadir}/%{name} Name: apache2-mod_security2 -Version: 2.9.7 +Version: 2.9.8 Release: 0 -Summary: Web Application Firewall for apache httpd +Summary: Web Application Firewall for Apache httpd License: Apache-2.0 Group: Productivity/Networking/Web/Servers URL: https://www.modsecurity.org/ -Source: https://github.com/SpiderLabs/ModSecurity/releases/download/v%{version}/modsecurity-%{version}.tar.gz -Source1: https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master//SpiderLabs-owasp-modsecurity-crs-2.2.9-5-gebe8790.tar.gz -Source2: mod_security2.conf -Source6: README-SUSE-mod_security2.txt -Source7: empty.conf +Source0: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz +Source1: https://github.com/owasp-modsecurity/ModSecurity/releases/download/v%{version}/modsecurity-v%{version}.tar.gz.asc +Source2: apache2-mod_security2.keyring +Source3: mod_security2.conf +Source4: README_SUSE Patch0: apache2-mod_security2-no_rpath.diff Patch1: modsecurity-fixes.patch Patch2: apache2-mod_security2_tests_conf.patch @@ -54,6 +51,7 @@ BuildRequires: pkgconfig Requires: %{apache_mmn} Requires: %{apache_suse_maintenance_mmn} Requires: apache2 +Recommends: owasp-modsecurity-crs-apache2 %description ModSecurity is an intrusion detection and prevention @@ -63,10 +61,8 @@ ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. %prep -%setup -q -n %{tarballname} -%setup -q -D -T -a 1 -n %{tarballname} -mv -v SpiderLabs* rules -%autopatch -p1 +%autosetup -p1 -n modsecurity-v%{version} +cp %{SOURCE4} . %build aclocal 
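Review bot: Source2 brings in a keyring that nothing in the spec or changelog ties to an identity, so a reviewer cannot distinguish the genuine upstream signing key from a substituted one, and the `%autosetup` in the %prep hunk does not invoke gpg itself, so the signature check evidently relies on the build service matching `%{name}.keyring` against Source1. Record the expected key next to the source line, e.g. `# OWASP ModSecurity <modsecurity@owasp.org>, fingerprint 0B2B A192 4065 B446 9120 2A2A D286 E022 149F 0F6E` followed by where it was fetched from; that uid and fingerprint are what the armored key and the signature's issuer-fingerprint subpacket appear to encode, so confirm them with `gpg --show-keys apache2-mod_security2.keyring` before committing the comment. Stating in the same comment which mechanism performs the verification makes it obvious when that mechanism is absent and the .asc is silently ignored.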
@@ -77,41 +73,23 @@ CFLAGS="%{optflags}" make %{?_smp_mflags} %install pushd apache2 install -d -m 0755 %{buildroot}%{apache_libexecdir} - install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/%{modname}.so + install .libs/mod_security2.so %{buildroot}%{apache_libexecdir}/mod_security2.so popd -install -D -m 0644 %{SOURCE2} %{buildroot}%{apache_sysconfdir}/conf.d/%{modname}.conf -install -d -m 0755 %{buildroot}%{apache_sysconfdir}/mod_security2.d -install -D -m 0644 %{SOURCE6} %{buildroot}%{apache_sysconfdir}/mod_security2.d -install -D -m 0644 %{SOURCE7} %{buildroot}%{apache_sysconfdir}/mod_security2.d -cp -a %{SOURCE6} doc -install -d -m 0755 %{buildroot}/%{usrsharedir} -install -d -m 0755 %{buildroot}/%{usrsharedir}/tools -rm -f rules/.gitignore rules/LICENSE -cp -a rules/util/README %{buildroot}/%{usrsharedir}/tools/README-rules-updater.txt -cp -a tools/rules-updater.pl tools/rules-updater-example.conf %{buildroot}/%{usrsharedir}/tools -find rules -type f -exec chmod 644 {} + -cp -a rules %{buildroot}/%{usrsharedir} -rm -rf %{buildroot}/%{usrsharedir}/rules/util -rm -rf %{buildroot}/%{usrsharedir}/rules/lua -rm -f %{buildroot}/%{usrsharedir}/rules/READM* -rm -f %{buildroot}/%{usrsharedir}/rules/INSTALL %{buildroot}/%{usrsharedir}/rules/CHANGELOG +mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d +mkdir -p %{buildroot}%{apache_sysconfdir}/mod_security2.d/rules +mkdir -p %{buildroot}%{apache_sysconfdir}/conf.d/ +cp -a %{SOURCE3} %{buildroot}%{apache_sysconfdir}/conf.d/ -# Temporarily disable test suite as there are some failures that need to be solved %check make test -# make test-regression %files -%{apache_libexecdir}/%{modname}.so -%config(noreplace) %{apache_sysconfdir}/conf.d/%{modname}.conf -%dir %{apache_sysconfdir}/mod_security2.d -%{apache_sysconfdir}/mod_security2.d/README-SUSE-mod_security2.txt -%{apache_sysconfdir}/mod_security2.d/empty.conf -%{usrsharedir} +%{apache_libexecdir}/mod_security2.so %license LICENSE -%doc README.md 
CHANGES NOTICE authors.txt -%doc doc/README.txt -%doc doc/README-SUSE-mod_security2.txt -%doc rules/util/regression-tests +%dir %{apache_sysconfdir}/mod_security2.d +%dir %{apache_sysconfdir}/mod_security2.d/rules +%dir %{apache_sysconfdir}/conf.d/ +%config(noreplace) %{apache_sysconfdir}/conf.d/mod_security2.conf +%doc README.md CHANGES NOTICE authors.txt README_SUSE %changelog diff --git a/empty.conf b/empty.conf deleted file mode 100644 index 7b57715..0000000 --- a/empty.conf +++ /dev/null @@ -1,4 +0,0 @@ -# This configuration file has been intentionally left empty to avoid errors -# resulting from an Include statement that matches no files. -# (IncludeOptional is available for apache > 2.4) -# diff --git a/mod_security2.conf b/mod_security2.conf index 24600a1..5493fd5 100644 --- a/mod_security2.conf +++ b/mod_security2.conf 
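Review bot: The %install and %files changes drop the old /usr/share rules tree but never create or own `/var/lib/mod_security2`, which the new mod_security2.conf in this commit points both `SecTmpDir` and `SecDataDir` at; without it ModSecurity cannot spill oversized request bodies or persist collections, and an administrator who creates it by hand with default permissions exposes buffered request data and persistent collection files to every local user. Add `install -d -m 0750 %{buildroot}%{_localstatedir}/lib/mod_security2` to %install and `%dir %attr(0750,wwwrun,root) %{_localstatedir}/lib/mod_security2` to %files, substituting whatever user the apache2 package runs httpd as if it is not wwwrun. While there, `%dir %{apache_sysconfdir}/conf.d/` now claims a directory that presumably belongs to the apache2 package already; owning it twice is harmless only if both packages agree on its mode.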
@@ -1,293 +1,55 @@ - -# Dear administrator/webmaster, -# -# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for -# the configuration of mod_security2. -# Please read this text down to line 63 for information about activation -# and configuration of the mod_security2 apache module. -# -# To activate mod_security2, its apache module must be configured to be -# loaded when apache starts. The mod_security2 apache module depends on -# the module mod_unique_id to be able to run. This means that both apache -# modules must be activated/loaded when apache starts. - -# Change the configuration to load these two modules by adding the two -# module names "security2" and "unique_id" to the variable APACHE_MODULES -# in /etc/sysconfig/apache2 . You can do that manually, or use the tools -# a2enmod (enable apache module) and a2dismod (disable apache module). -# These two tools expect the name of the module without the leading -# "mod_" as an argument! -# -# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache -# start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then -# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start -# script. -# -# example for the use of a2enmod/a2dismod: -# -# a2enmod security2 # enable module security2 -# a2enmod unique_id # enable module unique_id -# -# a2dismod security2 # disable -# a2dismod unique_id # % - -# -# This file /etc/apache2/conf.d/mod_security2.conf makes some basic -# configuration settings, then loads -# /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf -# which is the baseline for the rules that can be loaded later. -# -# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read. -# For the rules you wish to apply, place a symlink to the rules file there. 
-# -# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9 -# is contained in this package, a splendid set of rules made to provide for a -# decent basic and even advanced protection. The rules files are contained -# in the directory /usr/share/apache2-mod_security2/rules/. -# -# Example (use all of the basic rules that come with the package): -# -# cd /etc/apache2/mod_security2.d -# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do -# ln -s $i . -# done -# -# At last, simply restart apache: -# rcapache2 restart -# -# In doubt, please consult the valuable online documentation on the project's -# website, which is the authoritative source for documentation. -# For offline reading, the webpages for the Reference Guide and the FAQ are -# located in the package's documentation directory, in the state of 2013/01: -# /usr/share/doc/packages/apache2-mod_security2 -# -# Roman Drahtmueller , SUSE, 20140610. -# - - - + # Default recommended configuration + SecRuleEngine On + SecRequestBodyAccess On + SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + SecRequestBodyLimit 13107200 + SecRequestBodyNoFilesLimit 131072 + SecRequestBodyInMemoryLimit 131072 + SecRequestBodyLimitAction Reject + SecRule REQBODY_ERROR "!@eq 0" \ + "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \ + failed strict validation: \ + PE %{REQBODY_PROCESSOR_ERROR}, \ + BQ %{MULTIPART_BOUNDARY_QUOTED}, \ + BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ + DB %{MULTIPART_DATA_BEFORE}, \ + DA %{MULTIPART_DATA_AFTER}, \ + HF %{MULTIPART_HEADER_FOLDING}, \ + LF %{MULTIPART_LF_LINE}, \ + SM %{MULTIPART_MISSING_SEMICOLON}, \ + IQ %{MULTIPART_INVALID_QUOTING}, \ + IP %{MULTIPART_INVALID_PART}, \ + IH 
%{MULTIPART_INVALID_HEADER_FOLDING}, \ + FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" -# -- Rule engine initialization ---------------------------------------------- + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" -# Enable ModSecurity, attaching it to every transaction. Use detection -# only to start with, because that minimises the chances of post-installation -# disruption. -# -SecRuleEngine DetectionOnly + SecPcreMatchLimit 1000 + SecPcreMatchLimitRecursion 1000 + SecRule TX:/^MSC_/ "!@streq 0" \ + "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" -# -- Request body handling --------------------------------------------------- - -# Allow ModSecurity to access request bodies. If you don't, ModSecurity -# won't be able to see any POST parameters, which opens a large security -# hole for attackers to exploit. -# -SecRequestBodyAccess On - - -# Enable XML request body parser. -# Initiate XML Processor in case of xml content-type -# -SecRule REQUEST_HEADERS:Content-Type "text/xml" \ - "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" - - -# Maximum request body size we will accept for buffering. If you support -# file uploads then the value given on the first line has to be as large -# as the largest file you are willing to accept. The second value refers -# to the size of data, with files excluded. You want to keep that value as -# low as practical. -# -SecRequestBodyLimit 13107200 -SecRequestBodyNoFilesLimit 131072 - -# Store up to 128 KB of request body data in memory. When the multipart -# parser reachers this limit, it will start using your hard disk for -# storage. That is slow, but unavoidable. -# -SecRequestBodyInMemoryLimit 131072 - -# What do do if the request body size is above our configured limit. 
-# Keep in mind that this setting will automatically be set to ProcessPartial -# when SecRuleEngine is set to DetectionOnly mode in order to minimize -# disruptions when initially deploying ModSecurity. -# -SecRequestBodyLimitAction Reject - -# Verify that we've correctly processed the request body. -# As a rule of thumb, when failing to process a request body -# you should reject the request (when deployed in blocking mode) -# or log a high-severity alert (when deployed in detection-only mode). -# -SecRule REQBODY_ERROR "!@eq 0" \ -"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" - -# By default be strict with what we accept in the multipart/form-data -# request body. If the rule below proves to be too strict for your -# environment consider changing it to detection-only. You are encouraged -# _not_ to remove it altogether. -# -SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ -"id:'200002',phase:2,t:none,log,deny,status:44, \ -msg:'Multipart request body failed strict validation: \ -PE %{REQBODY_PROCESSOR_ERROR}, \ -BQ %{MULTIPART_BOUNDARY_QUOTED}, \ -BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ -DB %{MULTIPART_DATA_BEFORE}, \ -DA %{MULTIPART_DATA_AFTER}, \ -HF %{MULTIPART_HEADER_FOLDING}, \ -LF %{MULTIPART_LF_LINE}, \ -SM %{MULTIPART_MISSING_SEMICOLON}, \ -IQ %{MULTIPART_INVALID_QUOTING}, \ -IP %{MULTIPART_INVALID_PART}, \ -IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ -FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" - -# Did we see anything that might be a boundary? -# -SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ -"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" - -# PCRE Tuning -# We want to avoid a potential RegEx DoS condition -# -SecPcreMatchLimit 1000 -SecPcreMatchLimitRecursion 1000 - -# Some internal errors will set flags in TX and we will need to look for these. -# All of these are prefixed with "MSC_". 
The following flags currently exist: -# -# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded. -# -SecRule TX:/^MSC_/ "!@streq 0" \ - "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" - - -# -- Response body handling -------------------------------------------------- - -# Allow ModSecurity to access response bodies. -# You should have this directive enabled in order to identify errors -# and data leakage issues. -# -# Do keep in mind that enabling this directive does increases both -# memory consumption and response latency. -# -SecResponseBodyAccess On - -# Which response MIME types do you want to inspect? You should adjust the -# configuration below to catch documents but avoid static files -# (e.g., images and archives). -# -SecResponseBodyMimeType text/plain text/html text/xml - -# Buffer response bodies of up to 512 KB in length. -SecResponseBodyLimit 524288 - -# What happens when we encounter a response body larger than the configured -# limit? By default, we process what we have and let the rest through. -# That's somewhat less secure, but does not break any legitimate pages. -# -SecResponseBodyLimitAction ProcessPartial - - -# -- Filesystem configuration ------------------------------------------------ - -# The location where ModSecurity stores temporary files (for example, when -# it needs to handle a file upload that is larger than the configured limit). -# -# This default setting is chosen due to all systems have /tmp available however, -# this is less than ideal. It is recommended that you specify a location that's private. -# -SecTmpDir /tmp/ - -# The location where ModSecurity will keep its persistent data. This default setting -# is chosen due to all systems have /tmp available however, it -# too should be updated to a place that other users can't access. 
-# -SecDataDir /tmp/ - - -# -- File uploads handling configuration ------------------------------------- - -# The location where ModSecurity stores intercepted uploaded files. This -# location must be private to ModSecurity. You don't want other users on -# the server to access the files, do you? -# -#SecUploadDir /opt/modsecurity/var/upload/ - -# By default, only keep the files that were determined to be unusual -# in some way (by an external inspection script). For this to work you -# will also need at least one file inspection rule. -# -#SecUploadKeepFiles RelevantOnly - -# Uploaded files are by default created with permissions that do not allow -# any other user to access them. You may need to relax that if you want to -# interface ModSecurity to an external program (e.g., an anti-virus). -# -#SecUploadFileMode 0600 - - -# -- Debug log configuration ------------------------------------------------- - -# The default debug log configuration is to duplicate the error, warning -# and notice messages from the error log. -# -#SecDebugLog /var/log/apache2/modsec_debug.log -#SecDebugLogLevel 3 - -# -- Audit log configuration ------------------------------------------------- - -# Log the transactions that are marked by a rule, as well as those that -# trigger a server error (determined by a 5xx or 4xx, excluding 404, -# level response status codes). -# -SecAuditEngine RelevantOnly -SecAuditLogRelevantStatus "^(?:5|4(?!04))" - -# Log everything we know about a transaction. -SecAuditLogParts ABIJDEFHZ - -# Use a single file for logging. This is much easier to look at, but -# assumes that you will use the audit log only ocassionally. -# -SecAuditLogType Serial -SecAuditLog /var/log/apache2/modsec_audit.log - -# Specify the path for concurrent audit logging. 
-#SecAuditLogStorageDir /opt/modsecurity/var/audit/ - - -# -- Miscellaneous ----------------------------------------------------------- - -# Use the most commonly used application/x-www-form-urlencoded parameter -# separator. There's probably only one application somewhere that uses -# something else so don't expect to change this value. -# -SecArgumentSeparator & - -# Settle on version 0 (zero) cookies, as that is what most applications -# use. Using an incorrect cookie version may open your installation to -# evasion attacks (against the rules that examine named cookies). -# -SecCookieFormat 0 - -# Specify your Unicode Code Point. -# This mapping is used by the t:urlDecodeUni transformation function -# to properly map encoded data to your language. Properly setting -# these directives helps to reduce false positives and negatives. -# -#SecUnicodeCodePage 20127 -#SecUnicodeMapFile unicode.mapping - - - - - - -Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf -# as set up with symlinks for files that are placed here: -Include /etc/apache2/mod_security2.d/*.conf + SecResponseBodyAccess Off + SecDebugLog /var/log/apache2/modsec_debug.log + SecDebugLogLevel 0 + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus "^(?:5|4(?!04))" + SecAuditLogParts ABIJDEFHZ + SecAuditLogType Serial + SecAuditLog /var/log/apache2/modsec_audit.log + SecArgumentSeparator & + SecCookieFormat 0 + SecTmpDir /var/lib/mod_security2 + SecDataDir /var/lib/mod_security2 + IncludeOptional /etc/apache2/mod_security2.d/*.conf + IncludeOptional /etc/apache2/mod_security2.d/rules/*.conf + + diff --git a/modsecurity-2.9.3-input_filtering_errors.patch b/modsecurity-2.9.3-input_filtering_errors.patch index 1dca8e9..6587b89 100644 --- a/modsecurity-2.9.3-input_filtering_errors.patch +++ b/modsecurity-2.9.3-input_filtering_errors.patch 
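Review bot: Rule 200003 still answers with `status:44`, while the sibling rules 200001 and 200002 in the same block were changed to `status:400`; 44 is not an HTTP status code, httpd does not know it and will most likely emit a generic 500 rather than the intended client error, and it looks carried over from the old file where both multipart rules used 44. Change the action list to `"id:'200003',phase:2,t:none,log,deny,status:400,msg:'Multipart parser detected a possible unmatched boundary.'"` so the three body-validation rules behave alike. Two further points deserve a comment in the file: `SecResponseBodyAccess Off` (previously On) means any outbound or data-leakage rules dropped into mod_security2.d/rules will never see a response body, and `SecTmpDir`/`SecDataDir /var/lib/mod_security2` now hold request-body spill files and persistent collections, so that directory must exist and be readable only by the httpd user before `SecRuleEngine On` does anything useful.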
@@ -1,7 +1,8 @@ -diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache2/apache2_io.c ---- modsecurity-2.9.3.old/apache2/apache2_io.c 2018-12-04 19:49:37.000000000 +0100 -+++ modsecurity-2.9.3.new/apache2/apache2_io.c 2021-02-12 13:28:27.739749566 +0100 -@@ -209,6 +209,10 @@ +Index: modsecurity-v2.9.8/apache2/apache2_io.c +=================================================================== +--- modsecurity-v2.9.8.orig/apache2/apache2_io.c ++++ modsecurity-v2.9.8/apache2/apache2_io.c +@@ -222,6 +222,10 @@ apr_status_t read_request_body(modsec_re * too large and APR_EGENERAL when the client disconnects. */ switch(rc) { @@ -12,7 +13,7 @@ diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache case APR_INCOMPLETE : *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); return -7; -@@ -218,7 +222,7 @@ +@@ -231,7 +235,7 @@ apr_status_t read_request_body(modsec_re case APR_TIMEUP : *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); return -4; @@ -21,10 +22,11 @@ diff -ru modsecurity-2.9.3.old/apache2/apache2_io.c modsecurity-2.9.3.new/apache *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)"); return -3; case APR_EGENERAL : -diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apache2/mod_security2.c ---- modsecurity-2.9.3.old/apache2/mod_security2.c 2018-12-04 19:49:37.000000000 +0100 -+++ modsecurity-2.9.3.new/apache2/mod_security2.c 2021-02-12 13:34:22.940428406 +0100 -@@ -1013,7 +1013,7 @@ +Index: modsecurity-v2.9.8/apache2/mod_security2.c +=================================================================== +--- modsecurity-v2.9.8.orig/apache2/mod_security2.c ++++ modsecurity-v2.9.8/apache2/mod_security2.c +@@ -1032,7 +1032,7 @@ static int hook_request_late(request_rec } rc = read_request_body(msr, &my_error_msg); 
@@ -33,7 +35,7 @@ diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apa switch(rc) { case -1 : if (my_error_msg != NULL) { -@@ -1021,6 +1021,21 @@ +@@ -1040,6 +1040,21 @@ static int hook_request_late(request_rec } return HTTP_INTERNAL_SERVER_ERROR; break; @@ -55,7 +57,7 @@ diff -ru modsecurity-2.9.3.old/apache2/mod_security2.c modsecurity-2.9.3.new/apa case -4 : /* Timeout. */ if (my_error_msg != NULL) { msr_log(msr, 4, "%s", my_error_msg); -@@ -1042,19 +1057,11 @@ +@@ -1061,19 +1076,11 @@ static int hook_request_late(request_rec } } break; diff --git a/modsecurity-2.9.7.tar.gz b/modsecurity-2.9.7.tar.gz deleted file mode 100644 index 155fd62..0000000 --- a/modsecurity-2.9.7.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2a28fcfccfef21581486f98d8d5fe0397499749b8380f60ec7bb1c08478e1839 -size 4320766 diff --git a/modsecurity-fixes.patch b/modsecurity-fixes.patch index d66db1a..f62cf6b 100644 --- a/modsecurity-fixes.patch +++ b/modsecurity-fixes.patch @@ -1,8 +1,8 @@ -Index: modsecurity-2.9.0/apache2/msc_status_engine.c +Index: modsecurity-v2.9.8/apache2/msc_status_engine.c =================================================================== ---- modsecurity-2.9.0.orig/apache2/msc_status_engine.c -+++ modsecurity-2.9.0/apache2/msc_status_engine.c -@@ -37,6 +37,8 @@ +--- modsecurity-v2.9.8.orig/apache2/msc_status_engine.c ++++ modsecurity-v2.9.8/apache2/msc_status_engine.c +@@ -40,6 +40,8 @@ #if (defined(__linux__) || defined(__gnu_linux__)) #include #include 
@@ -11,11 +11,11 @@ Index: modsecurity-2.9.0/apache2/msc_status_engine.c #endif #ifdef HAVE_SYS_UTSNAME_H #include -Index: modsecurity-2.9.0/apache2/msc_remote_rules.c +Index: modsecurity-v2.9.8/apache2/msc_remote_rules.c =================================================================== ---- modsecurity-2.9.0.orig/apache2/msc_remote_rules.c -+++ modsecurity-2.9.0/apache2/msc_remote_rules.c -@@ -792,6 +792,7 @@ next: +--- modsecurity-v2.9.8.orig/apache2/msc_remote_rules.c ++++ modsecurity-v2.9.8/apache2/msc_remote_rules.c +@@ -797,6 +797,7 @@ next: "compilation."; return -1; #endif @@ -23,10 +23,10 @@ Index: modsecurity-2.9.0/apache2/msc_remote_rules.c } -Index: modsecurity-2.9.0/apache2/msc_util.c +Index: modsecurity-v2.9.8/apache2/msc_util.c =================================================================== ---- modsecurity-2.9.0.orig/apache2/msc_util.c -+++ modsecurity-2.9.0/apache2/msc_util.c +--- modsecurity-v2.9.8.orig/apache2/msc_util.c ++++ modsecurity-v2.9.8/apache2/msc_util.c @@ -18,6 +18,7 @@ #include #include diff --git a/modsecurity-v2.9.8.tar.gz b/modsecurity-v2.9.8.tar.gz new file mode 100644 index 0000000..f47d2e6 --- /dev/null +++ b/modsecurity-v2.9.8.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cd57bd37f6062dca39dc8fba8d3e8db7351c5095de1e9ce7c3aa3890bc95855f +size 4341347 diff --git a/modsecurity-v2.9.8.tar.gz.asc b/modsecurity-v2.9.8.tar.gz.asc new file mode 100644 index 0000000..638bc21 --- /dev/null +++ b/modsecurity-v2.9.8.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEECyuhkkBltEaRICoq0obgIhSfD24FAmbXB9IACgkQ0obgIhSf +D24nAA//aT21bY/w4MWg72yhXoi0GzcsZ6JU1HwWH3Y+NYfHcmgnwH1FkLdZSGM0 +P9iZE6HCphqSEctm7oHrKzzUAfvdJo+Qv1dKxFAYf7MT4IPfCH2JGXM5IfW6Nx9S +7dh37kR53x0a9oj9n2+m8jWVbCr8yW4t2bOsmLHH6eBqSKAMYNI01wOhH+4kexVH +d56CVIeZ2RmoT6t0KwnsBoLOFHFOr+sHCowlsjvHVB74r/c6bx5uDok6FVbCmEKI +ettqURJerKrqfR9L145pqjJXPuCZJuYDDm905CfsdnTmNs4v7Hgimo9n2BLARtHf +tG+SEpUxotMLEA2ZE6W+cd/AM2nIIJ/TvY/S3XBDb7mmQW33A6wopJ7tu2XZ5SJJ +Nw5n5v9x3K6UYU/NgjdHbgGxy9TVFqSYaAqSrVUVIz2GpM6Oj0wJ9f1Wtj+v9iim +FYO/dXta29D91RT/0SShX1GAfpt8220zDEX0T+6J71znKzPH5+5Cr+UoDLmIR35t +EVbKcGMZW/6hL1mUyHFbjJgKnhFtRoMPuXUSXPWRjfc3HekwrKQmT8oDfkhdqP+Y +WxNspOGyUjKchUvrnnSkZnlGZSPXamFQ7/DLWNFp3P/aT0NkRSa8S0mLvAmRxY51 +HiMAP+AQcsUcLAw0z5Lh7d52UJzYdMaBfs+p+j5GC05qflBpetY= +=oDiC +-----END PGP SIGNATURE-----