Created attachment 926555 [details]
Suggested patch

Description of problem:
The way that mod_security.conf is set up to include the config files out of modsecurity.d/*.conf and then modsecurity/activated_rules/*.conf doesn't lend itself well to local (host- or site-specific) overrides. For instance, there's no way to set the engine's mode to "DetectionOnly" during initial testing:

    <IfModule mod_security2.c>
        # ModSecurity Core Rules Set configuration
        IncludeOptional modsecurity.d/*.conf
        IncludeOptional modsecurity.d/activated_rules/*.conf

        # Default recommended configuration
        SecRuleEngine On
        SecRequestBodyAccess On

This is because at the moment that modsecurity.d/*.conf is loaded up, none of the rule definitions that you might want to "SecRuleRemoveById" have yet been defined. You similarly can't change the SecRuleEngine mode because it gets set a few lines later (and will be overridden).

Version-Release number of selected component (if applicable):
mod_security-2.7.5-3.fc20.x86_64

How reproducible:
Create /etc/httpd/mod_security.d/modsecurity_localrules.conf and put the line:

    SecRuleEngine DetectionOnly

into it. Reload the config. It will still be in enforcing mode.

Steps to Reproduce:
1. Create mod_security.d/modsecurity_localrules.conf
2. Put the single line "SecRuleEngine DetectionOnly" into it.
3. Restart the service and test with a violation.

Actual results:
The request will be blocked.

Expected results:
The request should be serviced and logged.

Additional info:
Recommend adding:

    IncludeOptional mod_security.d/local_rules/*.conf

at the very end of the conf.d/mod_security.conf file.
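The include ordering described in the report, with a local-override include placed after the defaults, as an added illustration; this is not the attached patch or the Fedora package's file, the paths follow the IncludeOptional lines quoted above (relative to the httpd ServerRoot), and the rule id in the local file is a constructed placeholder:

```apache
# conf.d/mod_security.conf (illustrative layout, not the packaged file)
<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
    IncludeOptional modsecurity.d/*.conf
    IncludeOptional modsecurity.d/activated_rules/*.conf

    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    # ... remaining defaults ...

    # Host/site-specific overrides come last so they take effect:
    # SecRuleEngine is re-set after the default above, and every CRS
    # rule id already exists by the time SecRuleRemoveById is parsed.
    IncludeOptional modsecurity.d/local_rules/*.conf
</IfModule>

# modsecurity.d/local_rules/10-site.conf (illustrative)
# Log violations without blocking while the rule set is being tuned.
SecRuleEngine DetectionOnly
# Drop one rule that produces false positives on this site.
# 999999 is a constructed placeholder, not a real CRS rule id.
SecRuleRemoveById 999999
```

Had the local file been included from modsecurity.d/*.conf, both directives would be processed before the defaults and the rules they refer to, which is the failure the steps to reproduce show.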
I'll try to test the patch during the weekend (since it's not urgent or a security issue). The SecRuleRemoveById point is valid, but overriding SecRuleEngine somewhere other than the main config seems a bit confusing.
Fixed in mod_security-2.8.0-4 (Rawhide and f21). Let me know if you need those changes for the 2.7.x branch (i.e. F20 and EPEL6). Note to mildew and pvrabec: one of the upstream developers recommended this change.
Commit id: http://pkgs.fedoraproject.org/cgit/mod_security.git/commit/?id=f262c30fba74f3298352e52bf3e891ae25571ef3
(In reply to Athmane Madjoudj from comment #2)
> Fixed in mod_security-2.8.0-4 (Rawhide and f21).
>
> Let me know if you need those change for 2.7.x branch (ie: F20 and EPEL6).
>
> Note to mildew and pvrabec: One of upstream developers recommended this
> change.

If you have a build on fedorapeople.org for F20 I'll gladly try it out.
Will update the COPR repo[1] to 2.8.0-4 in an hour or so; this repo will have the latest packages.

[1] https://copr.fedoraproject.org/coprs/athmane/mod_security/
COPR repo[1] updated, let me know if it fixes the issue (installation instructions included there).

[1] https://copr.fedoraproject.org/coprs/athmane/mod_security/