rpms/mod_security/EL-4 mod_security.conf, 1.6, 1.7 mod_security.spec, 1.22, 1.23

Michael Fleming mfleming at fedoraproject.org
Thu Apr 29 11:16:41 UTC 2010 

Author: mfleming

Update of /cvs/pkgs/rpms/mod_security/EL-4
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv28825

Modified Files:
	mod_security.conf mod_security.spec 
Log Message:
* Thu Apr 29 2010 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.12-2
- Fix SecDatadir and minimal config per bz #569360



Index: mod_security.conf
===================================================================
RCS file: /cvs/pkgs/rpms/mod_security/EL-4/mod_security.conf,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- mod_security.conf	7 Nov 2009 01:12:51 -0000	1.6
+++ mod_security.conf	29 Apr 2010 11:16:40 -0000	1.7
@@ -10,4 +10,84 @@ LoadModule unique_id_module modules/mod_
 	Include modsecurity.d/*.conf
 	Include modsecurity.d/base_rules/*.conf
 	Include modsecurity.d/modsecurity_localrules.conf
+
+	# Additional items taken from new minimal modsecurity conf
+	# Basic configuration options
+	SecRuleEngine On
+	SecRequestBodyAccess On
+	SecResponseBodyAccess Off
+	
+	# PCRE Tuning
+	SecPcreMatchLimit 1000
+	SecPcreMatchLimitRecursion 1000
+
+	# Handling of file uploads
+	# TODO Choose a folder private to Apache.
+	# SecUploadDir /opt/apache-frontend/tmp/
+	SecUploadKeepFiles Off
+	SecUploadFileLimit 10
+
+	# Debug log
+	SecDebugLog logs/modsec_debug.log
+	SecDebugLogLevel 0
+
+	# Serial audit log
+	SecAuditEngine RelevantOnly
+	SecAuditLogRelevantStatus ^5
+	SecAuditLogParts ABIFHZ
+	SecAuditLogType Serial
+	SecAuditLog logs/modsec_audit.log
+
+	# Set Data Directory
+	SecDataDir logs/
+
+	# Maximum request body size we will
+	# accept for buffering
+	SecRequestBodyLimit 131072
+
+	# Store up to 128 KB in memory
+	SecRequestBodyInMemoryLimit 131072
+
+	# Buffer response bodies of up to
+	# 512 KB in length
+	SecResponseBodyLimit 524288
+
+	# Verify that we've correctly processed the request body.
+	# As a rule of thumb, when failing to process a request body
+	# you should reject the request (when deployed in blocking mode)
+	# or log a high-severity alert (when deployed in detection-only mode).
+	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+
+	# By default be strict with what we accept in the multipart/form-data
+	# request body. If the rule below proves to be too strict for your
+	# environment consider changing it to detection-only. You are encouraged
+	# _not_ to remove it altogether.
+	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart request body \
+	failed strict validation: \
+	PE %{REQBODY_PROCESSOR_ERROR}, \
+	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+	DB %{MULTIPART_DATA_BEFORE}, \
+	DA %{MULTIPART_DATA_AFTER}, \
+	HF %{MULTIPART_HEADER_FOLDING}, \
+	LF %{MULTIPART_LF_LINE}, \
+	SM %{MULTIPART_SEMICOLON_MISSING}, \
+	IQ %{MULTIPART_INVALID_QUOTING}, \
+	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+	
+	# Did we see anything that might be a boundary?
+	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+	
+	# Some internal errors will set flags in TX and we will need to look for these.
+	# All of these are prefixed with "MSC_".  The following flags currently exist:
+	#
+	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+	#
+	SecRule TX:/^MSC_/ "!@streq 0" \
+	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
 </IfModule>


Index: mod_security.spec
===================================================================
RCS file: /cvs/pkgs/rpms/mod_security/EL-4/mod_security.spec,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -p -r1.22 -r1.23
--- mod_security.spec	27 Feb 2010 00:39:08 -0000	1.22
+++ mod_security.spec	29 Apr 2010 11:16:40 -0000	1.23
@@ -32,7 +32,7 @@ rm -rf %{buildroot}
 install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
 install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf
 install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
-cp -R rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
+install -D -m644 rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
 cp -R rules/base_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
 cp -R rules/optional_rules %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
 install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf
@@ -55,10 +55,12 @@ rm -rf %{buildroot}
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/*.conf
 
 %changelog
-* Sat Feb 13 2010 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.12-2
+* Thu Apr 29 2010 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.12-2
+- Fix SecDatadir and minimal config per bz #569360
+
+* Sat Feb 13 2010 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.12-1
 - Update to latest upstream release
 - SECURITY: Fix potential rules bypass and denial of service (bz#563576)
-- Trivial installer fix for EL4
 
 * Fri Nov 6 2009 Michael Fleming <mfleming+rpm at thatfleminggent.com> - 2.5.10-2
 - Fix rules and Apache configuration (bz#533124)

More information about the scm-commits mailing list