JBoss Core Services / JBCS-225

mod_security default conf file overrides some setup


Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • Version: httpd 2.4.23 ER3
    • Component/s: httpd, mod_security
      create config in httpd_root/modsecurity.d/

    Description

      According to the mod_security config file, you can define rules inside the httpd_root/modsecurity.d/ folder and they will be used. Unfortunately, they are used before the whole mod_security.conf file is loaded, so some setup made by the customer will not work properly. As you can see below, the "IncludeOptional" parts are loaded at the beginning of the script, so all similar values used by the customer's scripts and mod_security.conf will be overwritten. I recommend putting the "IncludeOptional" part at the end of the script, so that the customer's scripts overwrite the default setup and not vice versa.

      <IfModule mod_security2.c>
          # ModSecurity Core Rules Set configuration
          IncludeOptional modsecurity.d/*.conf
          IncludeOptional modsecurity.d/activated_rules/*.conf

          # Default recommended configuration
          SecRuleEngine On
          SecRequestBodyAccess On
          SecRule REQUEST_HEADERS:Content-Type "text/xml" \
              "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
          SecRequestBodyLimit 13107200
          SecRequestBodyNoFilesLimit 131072
          SecRequestBodyInMemoryLimit 131072
          SecRequestBodyLimitAction Reject
          SecRule REQBODY_ERROR "!@eq 0" \
              "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
          SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
              "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
              failed strict validation: \
              PE %{REQBODY_PROCESSOR_ERROR}, \
              BQ %{MULTIPART_BOUNDARY_QUOTED}, \
              BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
              DB %{MULTIPART_DATA_BEFORE}, \
              DA %{MULTIPART_DATA_AFTER}, \
              HF %{MULTIPART_HEADER_FOLDING}, \
              LF %{MULTIPART_LF_LINE}, \
              SM %{MULTIPART_MISSING_SEMICOLON}, \
              IQ %{MULTIPART_INVALID_QUOTING}, \
              IP %{MULTIPART_INVALID_PART}, \
              IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
              FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

          SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
              "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

          SecPcreMatchLimit 1000
          SecPcreMatchLimitRecursion 1000

          SecRule TX:/^MSC_/ "!@streq 0" \
              "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

          SecResponseBodyAccess Off
          SecDebugLog /opt/rh/jbcs-httpd24/root/var/log/httpd/modsec_debug.log
          SecDebugLogLevel 0
          SecAuditEngine RelevantOnly
          SecAuditLogRelevantStatus "^(?:5|4(?!04))"
          SecAuditLogParts ABIJDEFHZ
          SecAuditLogType Serial
          SecAuditLog /opt/rh/jbcs-httpd24/root/var/log/httpd/modsec_audit.log
          SecArgumentSeparator &
          SecCookieFormat 0
          SecTmpDir /opt/rh/jbcs-httpd24/root/var/lib/mod_security
          SecDataDir /opt/rh/jbcs-httpd24/root/var/lib/mod_security
      </IfModule>

      Example of a rules script with SecDebugLogLevel. The file /opt/rh/jbcs-httpd24/root/var/log/httpd/modsec_debug.log will be empty after a few requests to the server.

      <IfModule security2_module>
          SecCollectionTimeout 15
          SecDebugLogLevel 9
          SecAction 'id:1210,phase:1,t:none,noauditlog,nolog, \
                    initcol:GLOBAL=global, \
                    pass'
          SecRule   GLOBAL:IS_NEW '@eq 1' \
                    'id:1220,phase:1,t:none,noauditlog,nolog, \
                    setvar:GLOBAL.counter=1, \
                    skipAfter:1230'
          SecAction 'id:1230,phase:1,t:none,noauditlog,nolog, \
                    setvar:GLOBAL.counter=+1, \
                    pass'
      </IfModule>
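      The ordering problem described in this issue can be checked without a running httpd. The Python below is an added illustration, not part of the issue report or of the JBCS/mod_security code: it models how httpd reads a configuration file top to bottom, expands Include/IncludeOptional in place, joins backslash-continued lines, and lets the last occurrence of a scalar directive (SecDebugLogLevel, SecRuleEngine, ...) win, while rule directives (SecRule, SecAction) accumulate. The ServerRoot /etc/httpd, the file names conf.d/mod_security.conf and modsecurity.d/custom.conf, and the cut-down directive sets are constructed for the example; the customer drop-in mirrors the second snippet above.

```python
"""Effective-configuration check for mod_security directive ordering.

Added example, not from the JBCS issue or the mod_security project. It models
httpd's top-to-bottom, last-wins handling of scalar directives after
Include/IncludeOptional expansion. All paths and file contents are constructed.
"""
import fnmatch
import posixpath

ROOT = "/etc/httpd"                       # constructed ServerRoot
MAIN = "conf.d/mod_security.conf"         # constructed path of the vendor file
CUSTOM = "modsecurity.d/custom.conf"      # constructed customer drop-in
RULE_DIRECTIVES = {"SecRule", "SecAction", "SecMarker"}   # appended, never overwritten

# Customer drop-in, modelled on the second snippet in the issue (constructed).
CUSTOM_CONF = r"""<IfModule security2_module>
    SecCollectionTimeout 15
    SecDebugLogLevel 9
    SecAction 'id:1210,phase:1,t:none,noauditlog,nolog, \
              initcol:GLOBAL=global, \
              pass'
</IfModule>
"""


def vendor_conf(includes_first):
    """Build a cut-down mod_security.conf with IncludeOptional at the top or the bottom."""
    includes = ("IncludeOptional modsecurity.d/*.conf\n"
                "IncludeOptional modsecurity.d/activated_rules/*.conf\n")
    defaults = ("# Default recommended configuration\n"
                "SecRuleEngine On\n"
                "SecDebugLogLevel 0\n"
                "SecAuditEngine RelevantOnly\n")
    body = includes + defaults if includes_first else defaults + includes
    return "<IfModule mod_security2.c>\n" + body + "</IfModule>\n"


def logical_lines(text):
    """Join backslash-continued lines the way httpd's config reader does."""
    parts = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.endswith("\\"):
            parts.append(stripped[:-1].rstrip())
            continue
        parts.append(stripped)
        yield " ".join(parts)
        parts = []
    if parts:                              # dangling continuation at end of file
        yield " ".join(parts)


def expand(path, files, depth=0):
    """Yield (source_file, directive, argument) in the order httpd sees them.

    Container tags such as <IfModule> are skipped (their condition is assumed
    true). Include arguments are resolved relative to ROOT and globbed within a
    single directory, as httpd does.
    """
    if depth > 8:
        raise RecursionError(f"include loop via {path}")
    for line in logical_lines(files[path]):
        if not line or line[0] in "#<":
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip()
        if directive not in ("Include", "IncludeOptional"):
            yield path, directive, arg
            continue
        pattern = posixpath.join(ROOT, arg)
        matches = sorted(
            p for p in files
            if posixpath.dirname(p) == posixpath.dirname(pattern)
            and fnmatch.fnmatch(posixpath.basename(p), posixpath.basename(pattern)))
        if not matches and directive == "Include":
            raise FileNotFoundError(pattern)    # plain Include fails when nothing matches
        for match in matches:
            yield from expand(match, files, depth + 1)


def resolve(files, main=posixpath.join(ROOT, MAIN)):
    """Return {directive: (value, source_file)} for every scalar directive; last wins."""
    effective = {}
    for src, directive, arg in expand(main, files):
        if directive not in RULE_DIRECTIVES:
            effective[directive] = (arg, src)
    return effective


def shadowed_settings(files, main=posixpath.join(ROOT, MAIN)):
    """List (directive, customer_value, winner) where the vendor file overwrites a drop-in value."""
    seen, shadowed = {}, []
    for src, directive, arg in expand(main, files):
        if directive in RULE_DIRECTIVES:
            continue
        prev = seen.get(directive)
        if prev and prev[1] != main and src == main:
            shadowed.append((directive, prev[0], src))
        seen[directive] = (arg, src)
    return shadowed


def scenario(includes_first):
    """Constructed file tree (path -> contents) for one ordering of IncludeOptional."""
    return {posixpath.join(ROOT, MAIN): vendor_conf(includes_first),
            posixpath.join(ROOT, CUSTOM): CUSTOM_CONF}


if __name__ == "__main__":
    for first in (True, False):
        files = scenario(first)
        level, src = resolve(files)["SecDebugLogLevel"]
        print(f"IncludeOptional {'first' if first else 'last'}: "
              f"SecDebugLogLevel={level} from {src}")
        print("  shadowed customer settings:", shadowed_settings(files))
```

      With the includes at the top, the customer's SecDebugLogLevel 9 is reported as shadowed by the vendor file's SecDebugLogLevel 0, which is why the debug log stays empty; moving the two IncludeOptional lines to the bottom yields level 9 from the drop-in and an empty shadowed list, matching the change the report recommends.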

      People

        gzaronik@redhat.com George Zaronikas
        jonderka@redhat.com Jan Onderka