Bug 1129843
| Field | Value |
|---|---|
| Summary | Packaged config doesn't lend itself to user-specified overrides |
| Product | Fedora |
| Component | mod_security |
| Version | 20 |
| Hardware / OS | All / Linux |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | unspecified |
| Reporter | Philip Prindeville <philipp> |
| Assignee | Othman Madjoudj <athmanem> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | athmanem, dkopecek, philipp, pvrabec |
| Keywords | EasyFix, Patch, UseCase |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2014-08-15 17:46:00 UTC |
| Attachments | Suggested patch (attachment 926555) |
Description (Philip Prindeville)

Created attachment 926555 [details]
Suggested patch

Description of problem:

The way that mod_security.conf is set up to include the config files out of modsecurity.d/*.conf and then modsecurity/activated_rules/*.conf doesn't lend itself well to local (host- or site-specific) overrides. For instance, there's no way to set the engine's mode to "DetectionOnly" during initial testing:

    <IfModule mod_security2.c>
        # ModSecurity Core Rules Set configuration
        IncludeOptional modsecurity.d/*.conf
        IncludeOptional modsecurity.d/activated_rules/*.conf

        # Default recommended configuration
        SecRuleEngine On
        SecRequestBodyAccess On

This is because at the moment that modsecurity.d/*.conf is loaded up, none of the rule definitions that you might want to "SecRuleRemoveById" have yet been defined. You similarly can't change the SecRuleEngine mode because it gets set a few lines later (and will be overridden).

Version-Release number of selected component (if applicable):
mod_security-2.7.5-3.fc20.x86_64

How reproducible:
Create /etc/httpd/mod_security.d/modsecurity_localrules.conf and put the line:

    SecRuleEngine DetectionOnly

into it. Reload the config. It will still be in enforcing mode.

Steps to Reproduce:
1. Create mod_security.d/modsecurity_localrules.conf
2. Put the single line "SecRuleEngine DetectionOnly" into it.
3. Restart the service and test with a violation.

Actual results:
The request will be blocked.

Expected results:
The request should be serviced and logged.

Additional info:
Recommend adding:

    IncludeOptional mod security.d/local_rules/*.conf

at the very end of the conf.d/mod_security.conf file.

Comment 1

I'll try to test the patch during the weekend (since it's not urgent or a security issue). The SecRuleRemoveById point is valid, but overriding SecRuleEngine somewhere other than the main config seems a bit confusing.

Comment 2 (Athmane Madjoudj)

Fixed in mod_security-2.8.0-4 (Rawhide and f21).

Let me know if you need those changes for the 2.7.x branch (i.e. F20 and EPEL6).

Note to mildew and pvrabec: One of the upstream developers recommended this change.

Comment 3

(In reply to Athmane Madjoudj from comment #2)
> Fixed in mod_security-2.8.0-4 (Rawhide and f21).
>
> Let me know if you need those changes for the 2.7.x branch (i.e. F20 and EPEL6).
>
> Note to mildew and pvrabec: One of the upstream developers recommended this
> change.

If you have a build on fedorapeople.org for F20 I'll gladly try it out.

Comment 4

Will update the COPR repo[1] to 2.8.0-4 in an hour or so; this repo will have the latest packages.

[1] https://copr.fedoraproject.org/coprs/athmane/mod_security/

Comment 5

COPR repo[1] updated, let me know if it fixes the issue (installation instructions included there).

[1] https://copr.fedoraproject.org/coprs/athmane/mod_security/
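The include ordering the report describes, with the override directory placed after the packaged defaults, as an added illustration (this is example configuration written here, not the packaged mod_security.conf from Fedora or the reporter's attached patch). Paths are relative to the httpd ServerRoot /etc/httpd as in the report; the file name 00_site.conf and the rule id 999999 are placeholders chosen for the example.

```apache
# /etc/httpd/conf.d/mod_security.conf (example layout, not the shipped file)
<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration: rules are defined here,
    # so anything that refers to a rule id must come AFTER these includes.
    IncludeOptional modsecurity.d/*.conf
    IncludeOptional modsecurity.d/activated_rules/*.conf

    # Default recommended configuration. Because these directives follow
    # the includes above, a SecRuleEngine set inside modsecurity.d/*.conf
    # is overwritten here, which is the behaviour reported in this bug.
    SecRuleEngine On
    SecRequestBodyAccess On

    # Site-local overrides are read last, so they take precedence over
    # both the rule set and the packaged defaults. The directory may be
    # absent; IncludeOptional does not fail in that case.
    IncludeOptional modsecurity.d/local_rules/*.conf
</IfModule>

# /etc/httpd/modsecurity.d/local_rules/00_site.conf (placeholder name)
# Log matches without blocking while the rule set is being tuned for
# this host; switch back to "On" once the false positives are handled.
SecRuleEngine DetectionOnly

# Drop a single rule that is known to misfire on this site. This only
# works because the rule with this id has already been defined by the
# includes earlier in mod_security.conf. 999999 is a placeholder id.
SecRuleRemoveById 999999
```

After editing, run `apachectl configtest` and reload httpd, then repeat step 3 of the report: with DetectionOnly in effect the triggering request is served and the match still appears in the ModSecurity audit log, which is the expected result the reporter describes. Keep the override file the only place that changes SecRuleEngine, so the engine mode is easy to audit when the host goes back to enforcing.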