apache-formula/apache/files/RedHat/modsecurity.conf.jinja

{%- set apache = pillar.get('apache', {}) %}
{%- set modsec = apache.get('mod_security', {}) %}
{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
#
# This file is managed by Salt! Do not edit by hand!
# Modify the salt pillar that generates this file instead
#

LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
    LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
           {%- if 'osfinger' in grains and grains.osfinger in ('Red Hat Enterprise Linux Server-6', 'CentOS-6') %}
        Include modsecurity.d/*.conf
        Include modsecurity.d/activated_rules/*.conf
           {%- else %}
        IncludeOptional modsecurity.d/*.conf
        IncludeOptional modsecurity.d/activated_rules/*.conf
           {%- endif %}

    # Default recommended configuration
    SecRuleEngine {{ sec_rule_engine }}
    SecRequestBodyAccess {{ sec_request_body_access }}
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit {{ sec_request_body_limit }}
    SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
    SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
    SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit {{ sec_pcre_match_limit }}
    SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}

    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel {{ sec_debug_log_level }}
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security
</IfModule>
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00			`{%- set apache = pillar.get('apache', {}) %}`
			`{%- set modsec = apache.get('mod_security', {}) %}`
			`{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}`
			`{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}`
			`{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}`
			`{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}`
			`{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}`
			`{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}`
			`{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}`
			`{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}`
			`{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}`
			`#`
refactor(formula): align to template-formula & improve ci features FEATURE: Archlinux support FEATURE: Windows support FEATURE: Enhanced CI/CD FEATURE: modular states BREAKING CHANGE: 'apache.sls' converted to new style 'init.ssl' BREAKING CHANGE: "logrotate.sls" became "config/logrotate.sls" BREAKING CHANGE: "debian_full.sls" became "config/debian_full.sls" BREAKING CHANGE: "flags.sls" became "config/flags.sls" BREAKING CHANGE: "manage_security" became "config/manage_security.sls" BREAKING CHANGE: "mod_.sls" became "config/mod_.sls" BREAKING CHANGE: "no_default_host.sls" became "config/no_default_host.sls" BREAKING CHANGE: "own_default_host.sls" became "config/own_default_host.sls" BREAKING CHANGE: "register_site.sls" became "config/register_site.sls" BREAKING CHANGE: "server_status.sls" became "config/server_status.sls" BREAKING CHANGE: "vhosts/" became "config/vhosts/" BREAKING CHANGE: "mod_security/" became "config/mod_security/" NOT-BREAKING CHANGE: 'config.sls' became 'config/init.sls' NOT-BREAKING CHANGE: 'uninstall.sls' symlinked to 'clean.sls' 2020-09-13 06:07:20 +02:00			`# This file is managed by Salt! Do not edit by hand!`
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00			`# Modify the salt pillar that generates this file instead`
			`#`

			`LoadModule security2_module modules/mod_security2.so`

			`<IfModule !mod_unique_id.c>`
			`LoadModule unique_id_module modules/mod_unique_id.so`
			`</IfModule>`
			`<IfModule mod_security2.c>`
			`# ModSecurity Core Rules Set configuration`
refactor(formula): align to template-formula & improve ci features FEATURE: Archlinux support FEATURE: Windows support FEATURE: Enhanced CI/CD FEATURE: modular states BREAKING CHANGE: 'apache.sls' converted to new style 'init.ssl' BREAKING CHANGE: "logrotate.sls" became "config/logrotate.sls" BREAKING CHANGE: "debian_full.sls" became "config/debian_full.sls" BREAKING CHANGE: "flags.sls" became "config/flags.sls" BREAKING CHANGE: "manage_security" became "config/manage_security.sls" BREAKING CHANGE: "mod_.sls" became "config/mod_.sls" BREAKING CHANGE: "no_default_host.sls" became "config/no_default_host.sls" BREAKING CHANGE: "own_default_host.sls" became "config/own_default_host.sls" BREAKING CHANGE: "register_site.sls" became "config/register_site.sls" BREAKING CHANGE: "server_status.sls" became "config/server_status.sls" BREAKING CHANGE: "vhosts/" became "config/vhosts/" BREAKING CHANGE: "mod_security/" became "config/mod_security/" NOT-BREAKING CHANGE: 'config.sls' became 'config/init.sls' NOT-BREAKING CHANGE: 'uninstall.sls' symlinked to 'clean.sls' 2020-09-13 06:07:20 +02:00			`{%- if 'osfinger' in grains and grains.osfinger in ('Red Hat Enterprise Linux Server-6', 'CentOS-6') %}`
			`Include modsecurity.d/*.conf`
			`Include modsecurity.d/activated_rules/*.conf`
			`{%- else %}`
			`IncludeOptional modsecurity.d/*.conf`
			`IncludeOptional modsecurity.d/activated_rules/*.conf`
			`{%- endif %}`
fix(modsecurity.conf.jinja): fix `salt-lint` errors ```bash Examining apache/files/RedHat/modsecurity.conf.jinja of type state [201] Trailing whitespace apache/files/RedHat/modsecurity.conf.jinja:26 ``` 2019-10-17 08:44:04 +02:00
Add mod_security management Add gitignore, kitchen-ci files Add some tests and documentation 2016-05-11 03:48:26 +02:00			`# Default recommended configuration`
			`SecRuleEngine {{ sec_rule_engine }}`
			`SecRequestBodyAccess {{ sec_request_body_access }}`
			`SecRule REQUEST_HEADERS:Content-Type "text/xml" \`
			`"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"`
			`SecRequestBodyLimit {{ sec_request_body_limit }}`
			`SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}`
			`SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}`
			`SecRequestBodyLimitAction {{ sec_request_body_limit_action }}`
			`SecRule REQBODY_ERROR "!@eq 0" \`
			`"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"`
			`SecRule MULTIPART_STRICT_ERROR "!@eq 0" \`
			`"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \`
			`failed strict validation: \`
			`PE %{REQBODY_PROCESSOR_ERROR}, \`
			`BQ %{MULTIPART_BOUNDARY_QUOTED}, \`
			`BW %{MULTIPART_BOUNDARY_WHITESPACE}, \`
			`DB %{MULTIPART_DATA_BEFORE}, \`
			`DA %{MULTIPART_DATA_AFTER}, \`
			`HF %{MULTIPART_HEADER_FOLDING}, \`
			`LF %{MULTIPART_LF_LINE}, \`
			`SM %{MULTIPART_MISSING_SEMICOLON}, \`
			`IQ %{MULTIPART_INVALID_QUOTING}, \`
			`IP %{MULTIPART_INVALID_PART}, \`
			`IH %{MULTIPART_INVALID_HEADER_FOLDING}, \`
			`FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"`

			`SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \`
			`"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"`

			`SecPcreMatchLimit {{ sec_pcre_match_limit }}`
			`SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}`

			`SecRule TX:/^MSC_/ "!@streq 0" \`
			`"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"`

			`SecResponseBodyAccess Off`
			`SecDebugLog /var/log/httpd/modsec_debug.log`
			`SecDebugLogLevel {{ sec_debug_log_level }}`
			`SecAuditEngine RelevantOnly`
			`SecAuditLogRelevantStatus "^(?:5\|4(?!04))"`
			`SecAuditLogParts ABIJDEFHZ`
			`SecAuditLogType Serial`
			`SecAuditLog /var/log/httpd/modsec_audit.log`
			`SecArgumentSeparator &`
			`SecCookieFormat 0`
			`SecTmpDir /var/lib/mod_security`
			`SecDataDir /var/lib/mod_security`
			`</IfModule>`