Merge pull request #137 from netmanagers/master
Add mod_security management
This commit is contained in:
commit
f2f5ae553d
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
*.swp
|
||||
.kitchen
|
54
.kitchen.yml
Normal file
54
.kitchen.yml
Normal file
@ -0,0 +1,54 @@
|
||||
---
|
||||
driver:
|
||||
name: vagrant
|
||||
|
||||
platforms:
|
||||
- name: debian-jessie64
|
||||
driver_config:
|
||||
box: ssplatt/salt-deb-8
|
||||
- name: centos-7
|
||||
driver_config:
|
||||
box: rchrd/centos-7-x64-salt
|
||||
- name: centos-6
|
||||
driver_config:
|
||||
box: rchrd/centos-6-x64-salt
|
||||
|
||||
provisioner:
|
||||
name: salt_solo
|
||||
salt_version: 2015.8.8
|
||||
data_path: test/shared
|
||||
is_file_root: true
|
||||
pillars:
|
||||
top.sls:
|
||||
base:
|
||||
'*':
|
||||
- apache
|
||||
apache.sls:
|
||||
apache:
|
||||
mod_security:
|
||||
crs_install: True
|
||||
manage_config: True
|
||||
sec_rule_engine: 'On'
|
||||
sec_request_body_access: 'On'
|
||||
sec_request_body_limit: '14000000'
|
||||
sec_request_body_no_files_limit: '114002'
|
||||
sec_request_body_in_memory_limit: '114002'
|
||||
sec_request_body_limit_action: 'Reject'
|
||||
sec_pcre_match_limit: '15000'
|
||||
sec_pcre_match_limit_recursion: '15000'
|
||||
sec_debug_log_level: '3'
|
||||
|
||||
suites:
|
||||
- name: apache
|
||||
provisioner:
|
||||
state_top:
|
||||
base:
|
||||
'*':
|
||||
- apache
|
||||
- name: mod_security
|
||||
provisioner:
|
||||
state_top:
|
||||
base:
|
||||
'*':
|
||||
- apache
|
||||
- apache.mod_security
|
@ -85,6 +85,13 @@ Installs and enables the mod_fcgid module
|
||||
|
||||
Installs and enables the mod_dav_svn module (Debian only)
|
||||
|
||||
``apache.mod_security``
|
||||
----------------------
|
||||
|
||||
Installs an enables the `Apache mod_security2 WAF`<http://modsecurity.org/>`_
|
||||
using data from Pillar. (Debian and RedHat Only)
|
||||
|
||||
Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2
|
||||
|
||||
``apache.mod_vhost_alias``
|
||||
----------------------
|
||||
|
241
apache/files/Debian/modsecurity.conf.jinja
Normal file
241
apache/files/Debian/modsecurity.conf.jinja
Normal file
@ -0,0 +1,241 @@
|
||||
{%- set apache = pillar.get('apache', {}) %}
|
||||
{%- set modsec = apache.get('mod_security', {}) %}
|
||||
{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
|
||||
{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
|
||||
{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
|
||||
{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
|
||||
{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
|
||||
{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
|
||||
{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
|
||||
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
|
||||
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
|
||||
#
|
||||
# This file is managed/autogenerated by salt.
|
||||
# Modify the salt pillar that generates this file instead
|
||||
#
|
||||
# -- Rule engine initialization ----------------------------------------------
|
||||
|
||||
# Enable ModSecurity, attaching it to every transaction. Use detection
|
||||
# only to start with, because that minimises the chances of post-installation
|
||||
# disruption.
|
||||
#
|
||||
SecRuleEngine {{ sec_rule_engine }}
|
||||
|
||||
|
||||
# -- Request body handling ---------------------------------------------------
|
||||
|
||||
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
|
||||
# won't be able to see any POST parameters, which opens a large security
|
||||
# hole for attackers to exploit.
|
||||
#
|
||||
SecRequestBodyAccess {{ sec_request_body_access }}
|
||||
|
||||
|
||||
# Enable XML request body parser.
|
||||
# Initiate XML Processor in case of xml content-type
|
||||
#
|
||||
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
|
||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||||
|
||||
# Enable JSON request body parser.
|
||||
# Initiate JSON Processor in case of JSON content-type; change accordingly
|
||||
# if your application does not use 'application/json'
|
||||
#
|
||||
SecRule REQUEST_HEADERS:Content-Type "application/json" \
|
||||
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
|
||||
|
||||
# Maximum request body size we will accept for buffering. If you support
|
||||
# file uploads then the value given on the first line has to be as large
|
||||
# as the largest file you are willing to accept. The second value refers
|
||||
# to the size of data, with files excluded. You want to keep that value as
|
||||
# low as practical.
|
||||
#
|
||||
SecRequestBodyLimit {{ sec_request_body_limit }}
|
||||
SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
|
||||
|
||||
# Store up to 128 KB of request body data in memory. When the multipart
|
||||
# parser reachers this limit, it will start using your hard disk for
|
||||
# storage. That is slow, but unavoidable.
|
||||
#
|
||||
SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
|
||||
|
||||
# What do do if the request body size is above our configured limit.
|
||||
# Keep in mind that this setting will automatically be set to ProcessPartial
|
||||
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
|
||||
# disruptions when initially deploying ModSecurity.
|
||||
#
|
||||
SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
|
||||
|
||||
# Verify that we've correctly processed the request body.
|
||||
# As a rule of thumb, when failing to process a request body
|
||||
# you should reject the request (when deployed in blocking mode)
|
||||
# or log a high-severity alert (when deployed in detection-only mode).
|
||||
#
|
||||
SecRule REQBODY_ERROR "!@eq 0" \
|
||||
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||||
|
||||
# By default be strict with what we accept in the multipart/form-data
|
||||
# request body. If the rule below proves to be too strict for your
|
||||
# environment consider changing it to detection-only. You are encouraged
|
||||
# _not_ to remove it altogether.
|
||||
#
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"id:'200003',phase:2,t:none,log,deny,status:400, \
|
||||
msg:'Multipart request body failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||
DB %{MULTIPART_DATA_BEFORE}, \
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IP %{MULTIPART_INVALID_PART}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
|
||||
# Did we see anything that might be a boundary?
|
||||
#
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
||||
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
# PCRE Tuning
|
||||
# We want to avoid a potential RegEx DoS condition
|
||||
#
|
||||
SecPcreMatchLimit {{ sec_pcre_match_limit }}
|
||||
SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
|
||||
|
||||
# Some internal errors will set flags in TX and we will need to look for these.
|
||||
# All of these are prefixed with "MSC_". The following flags currently exist:
|
||||
#
|
||||
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
|
||||
#
|
||||
SecRule TX:/^MSC_/ "!@streq 0" \
|
||||
"id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
||||
|
||||
|
||||
# -- Response body handling --------------------------------------------------
|
||||
|
||||
# Allow ModSecurity to access response bodies.
|
||||
# You should have this directive enabled in order to identify errors
|
||||
# and data leakage issues.
|
||||
#
|
||||
# Do keep in mind that enabling this directive does increases both
|
||||
# memory consumption and response latency.
|
||||
#
|
||||
SecResponseBodyAccess On
|
||||
|
||||
# Which response MIME types do you want to inspect? You should adjust the
|
||||
# configuration below to catch documents but avoid static files
|
||||
# (e.g., images and archives).
|
||||
#
|
||||
SecResponseBodyMimeType text/plain text/html text/xml
|
||||
|
||||
# Buffer response bodies of up to 512 KB in length.
|
||||
SecResponseBodyLimit 524288
|
||||
|
||||
# What happens when we encounter a response body larger than the configured
|
||||
# limit? By default, we process what we have and let the rest through.
|
||||
# That's somewhat less secure, but does not break any legitimate pages.
|
||||
#
|
||||
SecResponseBodyLimitAction ProcessPartial
|
||||
|
||||
|
||||
# -- Filesystem configuration ------------------------------------------------
|
||||
|
||||
# The location where ModSecurity stores temporary files (for example, when
|
||||
# it needs to handle a file upload that is larger than the configured limit).
|
||||
#
|
||||
# This default setting is chosen due to all systems have /tmp available however,
|
||||
# this is less than ideal. It is recommended that you specify a location that's private.
|
||||
#
|
||||
SecTmpDir /tmp/
|
||||
|
||||
# The location where ModSecurity will keep its persistent data. This default setting
|
||||
# is chosen due to all systems have /tmp available however, it
|
||||
# too should be updated to a place that other users can't access.
|
||||
#
|
||||
SecDataDir /tmp/
|
||||
|
||||
|
||||
# -- File uploads handling configuration -------------------------------------
|
||||
|
||||
# The location where ModSecurity stores intercepted uploaded files. This
|
||||
# location must be private to ModSecurity. You don't want other users on
|
||||
# the server to access the files, do you?
|
||||
#
|
||||
#SecUploadDir /opt/modsecurity/var/upload/
|
||||
|
||||
# By default, only keep the files that were determined to be unusual
|
||||
# in some way (by an external inspection script). For this to work you
|
||||
# will also need at least one file inspection rule.
|
||||
#
|
||||
#SecUploadKeepFiles RelevantOnly
|
||||
|
||||
# Uploaded files are by default created with permissions that do not allow
|
||||
# any other user to access them. You may need to relax that if you want to
|
||||
# interface ModSecurity to an external program (e.g., an anti-virus).
|
||||
#
|
||||
#SecUploadFileMode 0600
|
||||
|
||||
|
||||
# -- Debug log configuration -------------------------------------------------
|
||||
|
||||
# The default debug log configuration is to duplicate the error, warning
|
||||
# and notice messages from the error log.
|
||||
#
|
||||
#SecDebugLog /opt/modsecurity/var/log/debug.log
|
||||
SecDebugLogLevel {{ sec_debug_log_level }}
|
||||
|
||||
|
||||
# -- Audit log configuration -------------------------------------------------
|
||||
|
||||
# Log the transactions that are marked by a rule, as well as those that
|
||||
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
|
||||
# level response status codes).
|
||||
#
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
||||
|
||||
# Log everything we know about a transaction.
|
||||
SecAuditLogParts ABIJDEFHZ
|
||||
|
||||
# Use a single file for logging. This is much easier to look at, but
|
||||
# assumes that you will use the audit log only ocassionally.
|
||||
#
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/apache2/modsec_audit.log
|
||||
|
||||
# Specify the path for concurrent audit logging.
|
||||
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
|
||||
|
||||
|
||||
# -- Miscellaneous -----------------------------------------------------------
|
||||
|
||||
# Use the most commonly used application/x-www-form-urlencoded parameter
|
||||
# separator. There's probably only one application somewhere that uses
|
||||
# something else so don't expect to change this value.
|
||||
#
|
||||
SecArgumentSeparator &
|
||||
|
||||
# Settle on version 0 (zero) cookies, as that is what most applications
|
||||
# use. Using an incorrect cookie version may open your installation to
|
||||
# evasion attacks (against the rules that examine named cookies).
|
||||
#
|
||||
SecCookieFormat 0
|
||||
|
||||
# Specify your Unicode Code Point.
|
||||
# This mapping is used by the t:urlDecodeUni transformation function
|
||||
# to properly map encoded data to your language. Properly setting
|
||||
# these directives helps to reduce false positives and negatives.
|
||||
#
|
||||
SecUnicodeMapFile unicode.mapping 20127
|
||||
|
||||
# Improve the quality of ModSecurity by sharing information about your
|
||||
# current ModSecurity version and dependencies versions.
|
||||
# The following information will be shared: ModSecurity version,
|
||||
# Web Server version, APR version, PCRE version, Lua version, Libxml2
|
||||
# version, Anonymous unique id for host.
|
||||
SecStatusEngine On
|
||||
|
75
apache/files/RedHat/modsecurity.conf.jinja
Normal file
75
apache/files/RedHat/modsecurity.conf.jinja
Normal file
@ -0,0 +1,75 @@
|
||||
{%- set apache = pillar.get('apache', {}) %}
|
||||
{%- set modsec = apache.get('mod_security', {}) %}
|
||||
{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
|
||||
{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
|
||||
{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
|
||||
{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
|
||||
{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
|
||||
{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
|
||||
{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
|
||||
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
|
||||
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
|
||||
#
|
||||
# This file is managed/autogenerated by salt.
|
||||
# Modify the salt pillar that generates this file instead
|
||||
#
|
||||
|
||||
LoadModule security2_module modules/mod_security2.so
|
||||
|
||||
<IfModule !mod_unique_id.c>
|
||||
LoadModule unique_id_module modules/mod_unique_id.so
|
||||
</IfModule>
|
||||
<IfModule mod_security2.c>
|
||||
# ModSecurity Core Rules Set configuration
|
||||
Include modsecurity.d/*.conf
|
||||
Include modsecurity.d/activated_rules/*.conf
|
||||
|
||||
# Default recommended configuration
|
||||
SecRuleEngine {{ sec_rule_engine }}
|
||||
SecRequestBodyAccess {{ sec_request_body_access }}
|
||||
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
|
||||
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||||
SecRequestBodyLimit {{ sec_request_body_limit }}
|
||||
SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
|
||||
SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
|
||||
SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
|
||||
SecRule REQBODY_ERROR "!@eq 0" \
|
||||
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||||
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||||
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
|
||||
failed strict validation: \
|
||||
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||||
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||||
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||||
DB %{MULTIPART_DATA_BEFORE}, \
|
||||
DA %{MULTIPART_DATA_AFTER}, \
|
||||
HF %{MULTIPART_HEADER_FOLDING}, \
|
||||
LF %{MULTIPART_LF_LINE}, \
|
||||
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||||
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||||
IP %{MULTIPART_INVALID_PART}, \
|
||||
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||||
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||||
|
||||
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
||||
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||||
|
||||
SecPcreMatchLimit {{ sec_pcre_match_limit }}
|
||||
SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
|
||||
|
||||
SecRule TX:/^MSC_/ "!@streq 0" \
|
||||
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
||||
|
||||
SecResponseBodyAccess Off
|
||||
SecDebugLog /var/log/httpd/modsec_debug.log
|
||||
SecDebugLogLevel {{ sec_debug_log_level }}
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
||||
SecAuditLogParts ABIJDEFHZ
|
||||
SecAuditLogType Serial
|
||||
SecAuditLog /var/log/httpd/modsec_audit.log
|
||||
SecArgumentSeparator &
|
||||
SecCookieFormat 0
|
||||
SecTmpDir /var/lib/mod_security
|
||||
SecDataDir /var/lib/mod_security
|
||||
</IfModule>
|
@ -1,4 +1,5 @@
|
||||
{% import_yaml "apache/osfingermap.yaml" as osfingermap %}
|
||||
{% import_yaml "apache/modsecurity.yaml" as modsec %}
|
||||
|
||||
{% set apache = salt['grains.filter_by']({
|
||||
'Debian': {
|
||||
@ -116,3 +117,11 @@
|
||||
}, grain='oscodename', merge=salt['grains.filter_by'](
|
||||
osfingermap
|
||||
, grain='osfinger', merge=salt['pillar.get']('apache:lookup')))) %}
|
||||
|
||||
{% set modsecurity = salt['grains.filter_by'](
|
||||
modsec
|
||||
, grain='os_family', merge=salt['pillar.get']('apache:mod_security')) or {} %}
|
||||
|
||||
{# merge the os family/codename mod_sec's specific data over the defaults #}
|
||||
{% do apache.update({ 'mod_security': modsecurity }) %}
|
||||
|
||||
|
46
apache/mod_security.sls
Normal file
46
apache/mod_security.sls
Normal file
@ -0,0 +1,46 @@
|
||||
{% from "apache/map.jinja" import apache with context %}
|
||||
|
||||
include:
|
||||
- apache
|
||||
|
||||
mod-security:
|
||||
pkg.installed:
|
||||
- name: {{ apache.mod_security.package }}
|
||||
- order: 180
|
||||
- require:
|
||||
- pkg: apache
|
||||
|
||||
{% if apache.mod_security.crs_install %}
|
||||
mod-security-crs:
|
||||
pkg.installed:
|
||||
- name: {{ apache.mod_security.crs_package }}
|
||||
- order: 180
|
||||
- require:
|
||||
- pkg: mod-security
|
||||
{% endif %}
|
||||
|
||||
{% if apache.mod_security.manage_config %}
|
||||
mod-security-main-config:
|
||||
file.managed:
|
||||
- name: {{ apache.mod_security.config_file }}
|
||||
- order: 220
|
||||
- template: jinja
|
||||
- source:
|
||||
- {{ 'salt://apache/files/' ~ salt['grains.get']('os_family') ~ '/modsecurity.conf.jinja' }}
|
||||
- context: {{ apache.mod_security }}
|
||||
- require:
|
||||
- pkg: mod-security
|
||||
- watch_in:
|
||||
- module: apache-reload
|
||||
{% endif %}
|
||||
|
||||
{% if grains['os_family']=="Debian" %}
|
||||
a2enmod security2:
|
||||
cmd.run:
|
||||
- unless: ls /etc/apache2/mods-enabled/security2.load && ls /etc/apache2/mods-enabled/security2.conf
|
||||
- order: 225
|
||||
- require:
|
||||
- pkg: mod-security
|
||||
- watch_in:
|
||||
- module: apache-restart
|
||||
{% endif %}
|
15
apache/modsecurity.yaml
Normal file
15
apache/modsecurity.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
default:
|
||||
crs_install: False
|
||||
manage_config: False
|
||||
Debian:
|
||||
crs_install: False
|
||||
manage_config: False
|
||||
package: libapache2-mod-security2
|
||||
crs_package: modsecurity-crs
|
||||
config_file: /etc/modsecurity/modsecurity.conf-recommended
|
||||
RedHat:
|
||||
crs_install: False
|
||||
manage_config: False
|
||||
package: mod_security
|
||||
crs_package: mod_security_crs
|
||||
config_file: /etc/httpd/conf.d/mod_security.conf
|
@ -18,15 +18,16 @@ apache:
|
||||
# ``apache.mod_wsgi`` formula additional configuration:
|
||||
mod_wsgi: mod_wsgi
|
||||
|
||||
|
||||
global:
|
||||
# global apache directives
|
||||
AllowEncodedSlashes: "On"
|
||||
AllowEncodedSlashes: 'On'
|
||||
|
||||
|
||||
name_virtual_hosts:
|
||||
- interface: *
|
||||
- interface: '*'
|
||||
port: 80
|
||||
- interface: *
|
||||
- interface: '*'
|
||||
port: 443
|
||||
|
||||
# ``apache.vhosts`` formula additional configuration:
|
||||
@ -142,3 +143,19 @@ apache:
|
||||
RemoteIPTrustedProxy:
|
||||
- 10.0.8.0/24
|
||||
- 127.0.0.1
|
||||
|
||||
# ``apache.mod_security`` formula additional configuration:
|
||||
mod_security:
|
||||
crs_install: True
|
||||
# If not set, default distro's configuration is installed as is
|
||||
manage_config: True
|
||||
sec_rule_engine: 'On'
|
||||
sec_request_body_access: 'On'
|
||||
sec_request_body_limit: '14000000'
|
||||
sec_request_body_no_files_limit: '114002'
|
||||
sec_request_body_in_memory_limit: '114002'
|
||||
sec_request_body_limit_action: 'Reject'
|
||||
sec_pcre_match_limit: '15000'
|
||||
sec_pcre_match_limit_recursion: '15000'
|
||||
sec_debug_log_level: '3'
|
||||
|
||||
|
@ -0,0 +1,29 @@
|
||||
require_relative '../../../kitchen/data/spec_helper'
|
||||
|
||||
describe 'apache.mod_security' do
|
||||
|
||||
case os[:family]
|
||||
when 'redhat'
|
||||
modspec_file = '/etc/httpd/conf.d/mod_security.conf'
|
||||
when 'debian', 'ubuntu'
|
||||
modspec_file = '/etc/modsecurity/modsecurity.conf-recommended'
|
||||
else
|
||||
# No other supported ATM
|
||||
end
|
||||
|
||||
describe file(modspec_file) do
|
||||
it { should exist }
|
||||
it { should be_mode 644 }
|
||||
it { should be_owned_by 'root' }
|
||||
it { should be_grouped_into 'root' }
|
||||
its(:content) { should match /SecRuleEngine On/ }
|
||||
its(:content) { should match /SecRequestBodyAccess On/ }
|
||||
its(:content) { should match /SecRequestBodyLimit 14000000/ }
|
||||
its(:content) { should match /SecRequestBodyNoFilesLimit 114002/ }
|
||||
its(:content) { should match /SecRequestBodyInMemoryLimit 114002/ }
|
||||
its(:content) { should match /SecRequestBodyLimitAction Reject/ }
|
||||
its(:content) { should match /SecPcreMatchLimit 15000/ }
|
||||
its(:content) { should match /SecPcreMatchLimitRecursion 15000/ }
|
||||
its(:content) { should match /SecDebugLogLevel 3/ }
|
||||
end
|
||||
end
|
9
test/shared/spec_helper.rb
Normal file
9
test/shared/spec_helper.rb
Normal file
@ -0,0 +1,9 @@
|
||||
require "serverspec"
|
||||
require "pathname"
|
||||
|
||||
# Set backend type
|
||||
set :backend, :exec
|
||||
|
||||
RSpec.configure do |c|
|
||||
c.path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
end
|
Loading…
Reference in New Issue
Block a user