commit af98d6ae80b96105a9ed63187824cb1a0c483813
Author: CentOS Sources
Date: Tue Mar 28 11:20:16 2023 +0000
import mod_security_crs-3.3.4-1.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..18eb5e7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/v3.3.4.tar.gz
diff --git a/.mod_security_crs.metadata b/.mod_security_crs.metadata
new file mode 100644
index 0000000..0c74509
--- /dev/null
+++ b/.mod_security_crs.metadata
@@ -0,0 +1 @@
+821796a48bbedd1a0d962614ef473625da85feae SOURCES/v3.3.4.tar.gz
diff --git a/SOURCES/mod_security_crs-early-blocking.patch b/SOURCES/mod_security_crs-early-blocking.patch
new file mode 100644
index 0000000..2d2dbb3
--- /dev/null
+++ b/SOURCES/mod_security_crs-early-blocking.patch
@@ -0,0 +1,280 @@
+diff --git a/crs-setup.conf.example b/crs-setup.conf.example
+index b443e77..0fdd5cb 100644
+--- a/crs-setup.conf.example
++++ b/crs-setup.conf.example
+@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
+ 
+ 
+ #
+-# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
++# -- [[ Anomaly Scoring Mode Severity Levels ]] --------------------------------
+ #
+ # Each rule in the CRS has an associated severity level.
+ # These are the default scoring points for each severity level.
+@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
+ 
+ 
+ #
+-# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
++# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
+ #
+ # Here, you can specify at which cumulative anomaly score an inbound request,
+ # or outbound response, gets blocked.
+@@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass"
+ # setvar:tx.outbound_anomaly_score_threshold=4"
+ 
+ #
++# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------
++#
++# The anomaly scores for the request and the responses are generally summed up
++# and evaluated at the end of phase:2 and at the end of phase:4 respectively.
++# However, it is possible to enable an early evaluation of these anomaly scores
++# at the end of phase:1 and at the end of phase:3.
++#
++# If a request (or a response) hits the anomaly threshold in this early
++# evaluation, then blocking happens immediately (if blocking is enabled) and
++# the phase 2 (and phase 4 respectively) will no longer be executed.
++#
++# Enable the rule 900120 that sets the variable tx.blocking_early to 1 in order
++# to enable early blocking. The variable tx.blocking_early is set to 0 by
++# default. Early blocking is thus disabled by default.
++#
++# Please note that blocking early will hide potential alerts from you. This
++# means that a payload that would appear in an alert in phase 2 (or phase 4)
++# does not get evaluated if the request is being blocked early. So when you
++# disabled blocking early again at some point in the future, then new alerts
++# from phase 2 might pop up.
++#SecAction \
++# "id:900120,\
++# phase:1,\
++# nolog,\
++# pass,\
++# t:none,\
++# setvar:tx.blocking_early=1"
++
++
+ # -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
+ #
+ # Some well-known applications may undertake actions that appear to be
+diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
+index 5044abd..06a1bb3 100644
+--- a/rules/REQUEST-901-INITIALIZATION.conf
++++ b/rules/REQUEST-901-INITIALIZATION.conf
+@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
+ ver:'OWASP_CRS/3.3.4',\
+ setvar:'tx.outbound_anomaly_score_threshold=4'"
+ 
++# Default Blocking Early (rule 900120 in setup.conf)
++SecRule &TX:blocking_early "@eq 0" \
++ "id:901115,\
++ phase:1,\
++ pass,\
++ nolog,\
++ ver:'OWASP_CRS/3.3.0',\
++ setvar:'tx.blocking_early=0'"
++
+ # Default Paranoia Level (rule 900000 in setup.conf)
+ SecRule &TX:paranoia_level "@eq 0" \
+ "id:901120,\
+diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+index 050eb04..755315f 100644
+--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
++++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+@@ -12,7 +12,66 @@
+ # -= Paranoia Level 0 (empty) =- (apply unconditionally)
+ #
+ 
+-# Summing up the anomaly score.
++# Skipping early blocking
++
++SecRule TX:BLOCKING_EARLY "!@eq 1" \
++ "id:949050,\
++ phase:1,\
++ pass,\
++ t:none,\
++ nolog,\
++ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING
++
++SecRule TX:BLOCKING_EARLY "!@eq 1" \
++ "id:949051,\
++ phase:2,\
++ pass,\
++ t:none,\
++ nolog,\
++ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING
++
++# Summing up the anomaly score for early blocking
++
++SecRule TX:PARANOIA_LEVEL "@ge 1" \
++ "id:949052,\
++ phase:1,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
++
++SecRule TX:PARANOIA_LEVEL "@ge 2" \
++ "id:949053,\
++ phase:1,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"
++
++SecRule TX:PARANOIA_LEVEL "@ge 3" \
++ "id:949054,\
++ phase:1,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'"
++
++SecRule TX:PARANOIA_LEVEL "@ge 4" \
++ "id:949055,\
++ phase:1,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'"
++
++SecAction "id:949059,\
++ phase:2,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.anomaly_score=0'"
++
++SecMarker BLOCKING_EARLY_ANOMALY_SCORING
+ 
+ # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
+ # So we add to it.
+@@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
+ severity:'CRITICAL',\
+ setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
+ 
++SecRule TX:BLOCKING_EARLY "@eq 1" \
++ "id:949111,\
++ phase:1,\
++ deny,\
++ t:none,\
++ msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.ANOMALY_SCORE})',\
++ tag:'application-multi',\
++ tag:'language-multi',\
++ tag:'platform-multi',\
++ tag:'attack-generic',\
++ ver:'OWASP_CRS/3.3.0',\
++ severity:'CRITICAL',\
++ chain"
++ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
++ "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
+ 
+ 
+ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
+diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
+index 13013de..bf9b03d 100644
+--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
++++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
+@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
+ #
+ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
+ "id:950100,\
+- phase:4,\
++ phase:3,\
+ block,\
+ capture,\
+ t:none,\
+diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+index 24130eb..549c07c 100644
+--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
++++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+@@ -22,7 +22,67 @@
+ # -= Paranoia Level 0 (empty) =- (apply unconditionally)
+ #
+ 
+-# Summing up the anomaly score.
++
++# Skipping early blocking
++
++SecRule TX:BLOCKING_EARLY "!@eq 1" \
++ "id:959050,\
++ phase:3,\
++ pass,\
++ t:none,\
++ nolog,\
++ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING
++
++SecRule TX:BLOCKING_EARLY "!@eq 1" \
++ "id:959051,\
++ phase:4,\
++ pass,\
++ t:none,\
++ nolog,\
++ skipAfter:BLOCKING_EARLY_ANOMALY_SCORING
++
++# Summing up the anomaly score for early blocking
++
++SecRule TX:PARANOIA_LEVEL "@ge 1" \
++ "id:959052,\
++ phase:3,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl1}'"
++
++SecRule TX:PARANOIA_LEVEL "@ge 2" \
++ "id:959053,\
++ phase:3,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl2}'"
++
++SecRule TX:PARANOIA_LEVEL "@ge 3" \
++ "id:959054,\
++ phase:3,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl3}'"
++
++SecRule TX:PARANOIA_LEVEL "@ge 4" \
++ "id:959055,\
++ phase:3,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl4}'"
++
++SecAction "id:959059,\
++ phase:4,\
++ pass,\
++ t:none,\
++ nolog,\
++ setvar:'tx.outbound_anomaly_score=0'"
++
++SecMarker BLOCKING_EARLY_ANOMALY_SCORING
+ 
+ # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
+ # So we add to it.
+@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
+ ver:'OWASP_CRS/3.3.4',\
+ setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
+ 
++SecRule TX:BLOCKING_EARLY "@eq 1" \
++ "id:959101,\
++ phase:3,\
++ deny,\
++ t:none,\
++ msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
++ tag:'application-multi',\
++ tag:'language-multi',\
++ tag:'platform-multi',\
++ tag:'attack-generic',\
++ ver:'OWASP_CRS/3.3.0',\
++ severity:'CRITICAL',\
++ chain"
++ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
++ "setvar:'tx.anomaly_score=%{tx.outbound_anomaly_score}'"
+ 
+ 
+ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
diff --git a/SPECS/mod_security_crs.spec b/SPECS/mod_security_crs.spec
new file mode 100644
index 0000000..039e6af
--- /dev/null
+++ b/SPECS/mod_security_crs.spec
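Review bot: In the RESPONSE-959-BLOCKING-EVALUATION.conf part of the embedded patch, the phase-3 summation rules 959052–959055 add the request-side per-paranoia-level counters (`tx.anomaly_score_pl1` … `tx.anomaly_score_pl4`) into `tx.outbound_anomaly_score`, the very counters that 949052–949055 add into `tx.anomaly_score` on the request side. If the response rules of this release record their scores in separate outbound counters — the hunk does not show them, but the distinct `tx.outbound_anomaly_score` accumulator suggests so — the phase-3 check in 959101 would compare request anomalies against `tx.outbound_anomaly_score_threshold` and never see response anomalies, so early outbound blocking would fire on the wrong input and miss the data it is meant to evaluate; in that case the four lines should read `setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}'` and likewise for pl2–pl4. Separately, the added rules 901115, 949111 and 959101 carry `ver:'OWASP_CRS/3.3.0'` while the context lines around them carry `ver:'OWASP_CRS/3.3.4'`; backported rules should be tagged with the release they ship in. Finally, the `skipAfter:BLOCKING_EARLY_ANOMALY_SCORING` lines of 949050, 949051, 959050 and 959051 appear without the `"` that closes the action list opened at `"id:…,\`, unlike every other rule in the patch; if that is not an artifact of this rendering, the closing quote should be restored so these action strings are terminated like the others.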
@@ -0,0 +1,192 @@
+Summary: ModSecurity Rules
+Name: mod_security_crs
+Version: 3.3.4
+Release: 1%{?dist}
+License: ASL 2.0
+URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
+Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
+BuildArch: noarch
+Requires: mod_security >= 2.9.6
+Obsoletes: mod_security_crs-extras < 3.0.0
+Patch0: mod_security_crs-early-blocking.patch
+
+%description
+This package provides the base rules for mod_security.
+
+%prep
+%setup -q -n coreruleset-%{version}
+%patch0 -p1 -b.early_blocking
+
+%build
+
+%install
+
+install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
+install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
+install -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules
+
+# To exclude rules (pre/post)
+mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+
+install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
+install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
+
+mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
+
+# activate base_rules
+for f in `ls %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/` ; do
+ ln -s %{_datarootdir}/mod_modsecurity_crs/rules/$f %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f;
+done
+
+
+%files
+%license LICENSE
+%doc CHANGES README.md
+%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/*
+%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
+%{_datarootdir}/mod_modsecurity_crs
+
+%changelog
+* Mon Dec 05 2022 Luboš Uhliarik - 3.3.4-1
+- new version 3.3.4
+- Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
+
+* Wed Sep 07 2022 Tomas Korbar - 3.3.0-6
+- Fix application of early blocking patch
+- Related: rhbz#2115313
+
+* Fri Aug 05 2022 Tomas Korbar - 3.3.0-5
+- Fix patch for early blocking
+- Related: rhbz#2115313
+
+* Thu Aug 04 2022 Tomas Korbar - 3.3.0-4
+- Backport early blocking feature
+- Resolves: rhbz#2115313
+
+* Mon Aug 09 2021 Mohan Boddu - 3.3.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Mon Aug 2 2021 Joe Orton - 3.3.0-2
+- rebuild (#1986075)
+
+* Thu Apr 22 2021 Lubos Uhliarik - 3.3.0-1
+- Resolves: #1947962 - [RFE] update mod_security_crs to 3.3
+
+* Fri Apr 16 2021 Mohan Boddu - 3.2.0-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Mar 05 2021 Lubos Uhliarik - 3.2.0-1
+- new version 3.2.0
+
+* Tue Jan 26 2021 Fedora Release Engineering - 3.0.0-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering - 3.0.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering - 3.0.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jul 25 2019 Fedora Release Engineering - 3.0.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering - 3.0.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering - 3.0.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering - 3.0.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 3.0.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-4
+- Exclude rule files should not be symlink
+
+* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-3
+- Use versioned obsoletes
+- Move away from /lib since rules are data
+
+* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-2
+- Fix the install part since extra and experimental rules are not longer included in 3.x
+- Remove EL5 bits since EL5/EPEL5 are OEL-ed
+- Bump reqs
+
+* Sat Apr 22 2017 Athmane Madjoudj - 3.0.0-1
+- Update to 3.0.0
+- Clean up the spec
+
+* Fri Feb 10 2017 Fedora Release Engineering - 2.2.9.20160414git-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Apr 29 2016 Athmane Madjoudj 2.2.9.20160414git-1
+- Update to 2.9.20160414git
+
+* Tue Mar 08 2016 Athmane Madjoudj 2.2.9.20160219git-1
+- Update to 2.2.9
+- Minor spec cleanup
+
+* Thu Feb 04 2016 Fedora Release Engineering - 2.2.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering - 2.2.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 2.2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering - 2.2.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue Jul 02 2013 Athmane Madjoudj 2.2.8-1
+- Update to 2.2.8
+- Adapt the spec file to new github tarball schema.
+- Correct bugus date in the spec file.
+
+* Thu Feb 14 2013 Fedora Release Engineering - 2.2.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 19 2012 Peter Vrabec 2.2.6-4
+- "extras" subpackage is not provided on RHEL7
+
+* Wed Oct 17 2012 Athmane Madjoudj 2.2.6-3
+- Remove the patch since we're requiring mod_security >= 2.7.0
+- Require mod_security >= 2.7.0
+
+* Mon Oct 01 2012 Athmane Madjoudj 2.2.6-2
+- Add a patch to fix incompatible rules.
+- Update to new git release
+
+* Sat Sep 15 2012 Athmane Madjoudj 2.2.6-1
+- Update to 2.2.6
+- Update spec file since upstream moved to Github.
+
+* Thu Sep 13 2012 Athmane Madjoudj 2.2.5-5
+- Enable extra rules sub-package for EPEL.
+
+* Tue Aug 28 2012 Athmane Madjoudj 2.2.5-4
+- Fix spec for el5
+
+* Tue Aug 28 2012 Athmane Madjoudj 2.2.5-3
+- Add BuildRoot def for el5 compatibility
+
+* Fri Jul 20 2012 Fedora Release Engineering - 2.2.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Jun 22 2012 Peter Vrabec 2.2.5-1
+- upgrade
+
+* Wed Jun 20 2012 Peter Vrabec 2.2.4-3
+- "extras" subpackage is not provided on RHEL
+
+* Thu May 03 2012 Peter Vrabec 2.2.4-2
+- fix fedora-review issues (#816975)
+
+* Thu Apr 19 2012 Peter Vrabec 2.2.4-1
+- initial package
+
+
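Review bot: The symlink loop in %install, `for f in \`ls %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/\` ; do`, iterates over parsed `ls` output where a pathname glob does the same job without the word-splitting and backtick quoting hazards. The conventional form is `for f in %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/*; do ln -s %{_datarootdir}/mod_modsecurity_crs/rules/$(basename "$f") %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/$(basename "$f"); done`. Both forms visit the same set of files, since at that point the directory holds only the `*.conf` and `*.data` files copied by the two `install -m0644` lines above it.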