Bug 1129843 - Packaged config doesn't lend itself to user-specified overrides
Summary: Packaged config doesn't lend itself to user-specified overrides
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_security
Version: 20
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Othman Madjoudj
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-08-13 19:13 UTC by Philip Prindeville
Modified: 2014-08-15 20:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-15 17:46:00 UTC
Type: Bug
Embargoed:


Attachments
Suggested patch (1.38 KB, patch)
2014-08-13 19:13 UTC, Philip Prindeville

Description Philip Prindeville 2014-08-13 19:13:16 UTC
Created attachment 926555 [details]
Suggested patch

Description of problem:

The way that mod_security.conf is set up to include the config files out of modsecurity.d/*.conf and then modsecurity/activated_rules/*.conf doesn't lend itself well to local (host- or site-specific) overrides.

For instance, there's no way to set the engine's mode to "DetectionOnly" during initial testing:

<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
    IncludeOptional modsecurity.d/*.conf
    IncludeOptional modsecurity.d/activated_rules/*.conf

    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On

This is because at the moment that modsecurity.d/*.conf is loaded up, none of the rule definitions that you might want to "SecRuleRemoveById" have yet been defined. You similarly can't change the SecRuleEngine mode because it gets set a few lines later (and will be overridden).

Version-Release number of selected component (if applicable):

mod_security-2.7.5-3.fc20.x86_64

How reproducible:

Create /etc/httpd/mod_security.d/modsecurity_localrules.conf and put the line:

SecRuleEngine DetectionOnly

into it. Reload the config. It will still be in enforcing mode.

Steps to Reproduce:
1. Create mod_security.d/modsecurity_localrules.conf
2. Put the single line "SecRuleEngine DetectionOnly" into it.
3. Restart the service and test with a violation.

Actual results:

The request will be blocked.

Expected results:

The request should be serviced and logged.

Additional info:

Recommend adding:

    IncludeOptional modsecurity.d/local_rules/*.conf

at the very end of the conf.d/mod_security.conf file.
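The ordering problem described above can be made concrete by replaying the directives in the order httpd reads them. The following is an added example, not code from the report, the attached patch or the Fedora package: it flattens an in-memory copy of the packaged layout (and of the proposed layout with a trailing local_rules include) and tracks two things that depend purely on directive order, the last SecRuleEngine value seen and whether each SecRuleRemoveById refers to a rule id that has already been defined. The file tree, the rule with id 900001 and the 99-local.conf file name are constructed for the example; the two semantics it relies on (wildcard includes are expanded in alphabetical order, and a later SecRuleEngine in the same scope overrides an earlier one) are assumptions about httpd and mod_security that match the behaviour the report describes.

```python
import re

# Constructed stand-in for the ServerRoot (/etc/httpd). The mod_security.conf
# text mirrors the packaged file quoted in the report; rule id 900001 is a
# hypothetical placeholder, not a real Core Rule Set id.
PACKAGED_LAYOUT = {
    "conf.d/mod_security.conf": """
<IfModule mod_security2.c>
    IncludeOptional modsecurity.d/*.conf
    IncludeOptional modsecurity.d/activated_rules/*.conf
    SecRuleEngine On
    SecRequestBodyAccess On
</IfModule>
""",
    # The local override file from the reproduction steps.
    "modsecurity.d/modsecurity_localrules.conf": """
SecRuleEngine DetectionOnly
SecRuleRemoveById 900001
""",
    "modsecurity.d/activated_rules/example_rule.conf": """
SecRule ARGS "@contains test" "id:900001,phase:2,deny,status:403"
""",
}


def proposed_layout():
    """Same tree, but with the local file moved under local_rules/ and an
    IncludeOptional for that directory appended at the end of the module block,
    as the report recommends."""
    tree = dict(PACKAGED_LAYOUT)
    local = tree.pop("modsecurity.d/modsecurity_localrules.conf")
    tree["conf.d/mod_security.conf"] = tree["conf.d/mod_security.conf"].replace(
        "</IfModule>",
        "    IncludeOptional modsecurity.d/local_rules/*.conf\n</IfModule>")
    tree["modsecurity.d/local_rules/99-local.conf"] = local
    return tree


def _glob_regex(pattern):
    # Like a shell glob: '*' matches within one path component only, so
    # modsecurity.d/*.conf does not descend into activated_rules/ or local_rules/.
    return re.compile("^" + re.escape(pattern).replace(r"\*", "[^/]*") + "$")


def _expand_include(tree, pattern):
    # httpd expands wildcard Include/IncludeOptional paths in alphabetical order.
    rx = _glob_regex(pattern)
    return sorted(p for p in tree if rx.match(p))


def flatten(tree, entry):
    """Yield (source_file, directive_line) in the order httpd would read them."""
    for raw in tree[entry].splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank, comment, or container open/close tag
        m = re.match(r"IncludeOptional\s+(\S+)", line)
        if m:
            for path in _expand_include(tree, m.group(1)):
                yield from flatten(tree, path)
        else:
            yield entry, line


def evaluate(tree, entry="conf.d/mod_security.conf"):
    """Replay the directives and report the effective engine mode plus which
    SecRuleRemoveById calls landed after the rule they name was defined."""
    engine = None
    defined_ids = set()
    removed_ok, removed_dangling = [], []
    for _src, line in flatten(tree, entry):
        parts = line.split(None, 1)
        directive, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if directive == "SecRuleEngine":
            engine = arg  # the last assignment in the same scope wins
        elif directive == "SecRule":
            m = re.search(r"\bid:(\d+)", arg)
            if m:
                defined_ids.add(m.group(1))
        elif directive == "SecRuleRemoveById":
            for rid in arg.split():
                (removed_ok if rid in defined_ids else removed_dangling).append(rid)
    return {"engine": engine, "removed": removed_ok, "dangling_removals": removed_dangling}


if __name__ == "__main__":
    print("packaged:", evaluate(PACKAGED_LAYOUT))
    print("proposed:", evaluate(proposed_layout()))
```

With the packaged layout the override file is read first, so its SecRuleEngine is overwritten by the packaged "On" and its SecRuleRemoveById names an id that does not exist yet; with the trailing local_rules include both take effect. Checking the directive order this way (rather than sending a test request) is also a quick sanity check to run before moving a host from DetectionOnly back to enforcing mode.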

Comment 1 Othman Madjoudj 2014-08-13 21:16:10 UTC
I'll try to test the patch during the weekend (since it's not urgent or a security issue).

The SecRuleRemoveById point is valid, but overriding SecRuleEngine somewhere other than the main config seems a bit confusing.

Comment 2 Othman Madjoudj 2014-08-15 17:46:00 UTC
Fixed in mod_security-2.8.0-4 (Rawhide and f21).

Let me know if you need those changes for the 2.7.x branch (i.e. F20 and EPEL6).

Note to mildew and pvrabec: one of the upstream developers recommended this change.

Comment 4 Philip Prindeville 2014-08-15 18:15:26 UTC
(In reply to Athmane Madjoudj from comment #2)
> Fixed in mod_security-2.8.0-4 (Rawhide and f21).
> 
> Let me know if you need those change for 2.7.x branch (ie: F20 and EPEL6).
> 
> Note to mildew and pvrabec: One of upstream developers recommended this
> change.

If you have a build on fedorapeople.org for F20 I'll gladly try it out.

Comment 5 Othman Madjoudj 2014-08-15 20:29:39 UTC
Will update the COPR repo[1] to 2.8.0-4 in an hour or so; this repo will have the latest packages.

https://copr.fedoraproject.org/coprs/athmane/mod_security/

Comment 6 Othman Madjoudj 2014-08-15 20:59:51 UTC
COPR repo[1] updated, let me know if it fixes the issue (installation instructions included there).


[1] https://copr.fedoraproject.org/coprs/athmane/mod_security/

