Created attachment 926555
Description of problem:
The way that mod_security.conf is set up to include the config files out of modsecurity.d/*.conf and then modsecurity/activated_rules/*.conf doesn't lend itself well to local (host- or site-specific) overrides.
For instance, there's no way to set the engine's mode to "DetectionOnly" during initial testing:
# ModSecurity Core Rules Set configuration
# Default recommended configuration
This is because at the moment that modsecurity.d/*.conf is loaded up, none of the rule definitions that you might want to "SecRuleRemoveById" have yet been defined. You similarly can't change the SecRuleEngine mode because it gets set a few lines later (and will be overridden).
Version-Release number of selected component (if applicable):
Create /etc/httpd/mod_security.d/modsecurity_localrules.conf and put the line:
into it. Reload the config. It will still be in enforcing mode.
Steps to Reproduce:
1. Create mod_security.d/modsecurity_localrules.conf
2. Put the single line "SecRuleEngine DetectionOnly" into it.
3. Restart the service and test with a violation.
Actual results:
The request will be blocked.

Expected results:
The request should be serviced and logged.

Additional info:
IncludeOptional mod_security.d/local_rules/*.conf
at the very end of the conf.d/mod_security.conf file.
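To make the include-ordering problem concrete, here is an added Python script (not part of the report or of the Fedora package) that flattens a mod_security.conf the way httpd does, expanding Include/IncludeOptional globs in order, and reports the effective SecRuleEngine value plus any SecRuleRemoveById that ran before its target rule was defined. The file paths, the directory layout and the sample rule id 900001 are constructed assumptions modelled on the report.

```python
import re

# Constructed stand-ins for files under /etc/httpd (paths relative to it); the
# layouts are assumptions modelled on the report, not the Fedora package's files.
LOCAL = "SecRuleEngine DetectionOnly\nSecRuleRemoveById 900001\n"
RULE = "SecRule ARGS \"@rx test\" \"id:900001,phase:2,deny,msg:'sample'\"\n"
MAIN = ("IncludeOptional modsecurity.d/*.conf\n"
        "IncludeOptional modsecurity.d/activated_rules/*.conf\n"
        "# Default recommended configuration\n"
        "SecRuleEngine On\n")
SHIPPED = {  # local file is picked up by the first glob, before SecRuleEngine On
    "conf.d/mod_security.conf": MAIN,
    "modsecurity.d/modsecurity_localrules.conf": LOCAL,
    "modsecurity.d/activated_rules/sample.conf": RULE,
}
FIXED = {  # local overrides are included last, as the report proposes
    "conf.d/mod_security.conf": MAIN + "IncludeOptional modsecurity.d/local_rules/*.conf\n",
    "modsecurity.d/activated_rules/sample.conf": RULE,
    "modsecurity.d/local_rules/modsecurity_localrules.conf": LOCAL,
}

def glob_match(pattern, path):
    # httpd-style wildcard: '*' does not cross a directory separator
    return re.fullmatch(re.escape(pattern).replace(r"\*", "[^/]*"), path) is not None

def directives(files, path):
    """Flatten a config into ordered (directive, argument) pairs, expanding
    Include/IncludeOptional globs in sorted order like httpd (<IfModule> skipped)."""
    out = []
    for line in map(str.strip, files[path].splitlines()):
        if not line or line[0] in "#<":
            continue
        name, _, arg = line.partition(" ")
        if name in ("Include", "IncludeOptional"):
            for p in sorted(f for f in files if glob_match(arg.strip(), f)):
                out.extend(directives(files, p))
        else:
            out.append((name, arg.strip()))
    return out

def check(files, main="conf.d/mod_security.conf"):
    """Return (effective SecRuleEngine, rule ids removed before they were defined).
    The last SecRuleEngine wins; SecRuleRemoveById only works once the rule exists."""
    engine, seen, dangling = None, set(), []
    for name, arg in directives(files, main):
        if name == "SecRuleEngine":
            engine = arg
        elif name in ("SecRule", "SecAction"):
            seen.update(re.findall(r"id:'?(\d+)", arg))
        elif name == "SecRuleRemoveById":
            dangling += [i for i in arg.split() if i not in seen]
    return engine, dangling
```

Running `check(SHIPPED)` returns `('On', ['900001'])`, reproducing the report's symptom, while `check(FIXED)` returns `('DetectionOnly', [])`.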
I'll try to test the patch during the weekend (since it's not urgent or a security issue).
The SecRuleRemoveById point is valid, but overriding SecRuleEngine somewhere other than the main config seems a bit confusing.
Fixed in mod_security-2.8.0-4 (Rawhide and f21).
Let me know if you need those changes for the 2.7.x branch (i.e. F20 and EPEL6).
Note to mildew and pvrabec: One of the upstream developers recommended this change.
Commit id: http://pkgs.fedoraproject.org/cgit/mod_security.git/commit/?id=f262c30fba74f3298352e52bf3e891ae25571ef3
(In reply to Athmane Madjoudj from comment #2)
> Fixed in mod_security-2.8.0-4 (Rawhide and f21).
> Let me know if you need those changes for the 2.7.x branch (i.e. F20 and EPEL6).
> Note to mildew and pvrabec: One of upstream developers recommended this
If you have a build on fedorapeople.org for F20 I'll gladly try it out.
Will update the COPR repo to 2.8.0-4 in an hour or so; this repo will have the latest packages.
COPR repo updated; let me know if it fixes the issue (installation instructions included there).