rpms/mod_security_crs
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import mod_security_crs-3.3.4-1.el9

Browse Source
This commit is contained in:
CentOS Sources 2023-03-28 11:20:16 +00:00 committed by Stepan Oksanichenko
parent 12926bdff6
commit 9d60603089
4 changed files with 32 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/v3.3.0.tar.gz SOURCES/v3.3.4.tar.gz

2
.mod_security_crs.metadata
View File

@ -1 +1 @@
1f4002b5cf941a9172b6250cea7e3465a85ef6ee SOURCES/v3.3.0.tar.gz 821796a48bbedd1a0d962614ef473625da85feae SOURCES/v3.3.4.tar.gz

38
SOURCES/mod_security_crs-early-blocking.patch
View File

@ -1,14 +1,8 @@
commit 8acabc1806d3c9be5f781da978a7684639b257d8
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Thu Aug 4 12:13:03 2022 +0200
Add early blocking feature
diff --git a/crs-setup.conf.example b/crs-setup.conf.example diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index 6e18996..08c719e 100644 index b443e77..0fdd5cb 100644
--- a/crs-setup.conf.example --- a/crs-setup.conf.example
+++ b/crs-setup.conf.example +++ b/crs-setup.conf.example
@@ -233,7 +233,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" @@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# #
@ -17,7 +11,7 @@ index 6e18996..08c719e 100644
# #
# Each rule in the CRS has an associated severity level. # Each rule in the CRS has an associated severity level.
# These are the default scoring points for each severity level. # These are the default scoring points for each severity level.
@@ -269,7 +269,7 @@ SecDefaultAction "phase:2,log,auditlog,pass" @@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# #
@ -26,7 +20,7 @@ index 6e18996..08c719e 100644
# #
# Here, you can specify at which cumulative anomaly score an inbound request, # Here, you can specify at which cumulative anomaly score an inbound request,
# or outbound response, gets blocked. # or outbound response, gets blocked.
@@ -318,6 +318,35 @@ SecDefaultAction "phase:2,log,auditlog,pass" @@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass"
# setvar:tx.outbound_anomaly_score_threshold=4" # setvar:tx.outbound_anomaly_score_threshold=4"
# #
@ -63,11 +57,11 @@ index 6e18996..08c719e 100644
# #
# Some well-known applications may undertake actions that appear to be # Some well-known applications may undertake actions that appear to be
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 2a6f74e..b279829 100644 index 5044abd..06a1bb3 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf --- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf +++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -88,6 +88,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \ @@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
ver:'OWASP_CRS/3.3.0',\ ver:'OWASP_CRS/3.3.4',\
setvar:'tx.outbound_anomaly_score_threshold=4'" setvar:'tx.outbound_anomaly_score_threshold=4'"
+# Default Blocking Early (rule 900120 in setup.conf) +# Default Blocking Early (rule 900120 in setup.conf)
@ -83,10 +77,10 @@ index 2a6f74e..b279829 100644
SecRule &TX:paranoia_level "@eq 0" \ SecRule &TX:paranoia_level "@eq 0" \
"id:901120,\ "id:901120,\
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
index 5f370a1..338ce88 100644 index 050eb04..755315f 100644
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -11,7 +11,66 @@ @@ -12,7 +12,66 @@
# -= Paranoia Level 0 (empty) =- (apply unconditionally) # -= Paranoia Level 0 (empty) =- (apply unconditionally)
# #
@ -154,7 +148,7 @@ index 5f370a1..338ce88 100644
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it. # So we add to it.
@@ -92,6 +151,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \ @@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
severity:'CRITICAL',\ severity:'CRITICAL',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'" setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
@ -177,10 +171,10 @@ index 5f370a1..338ce88 100644
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION" SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
index c34607e..a192359 100644 index 13013de..bf9b03d 100644
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -95,7 +95,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf @@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
# #
SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \ SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
"id:950100,\ "id:950100,\
@ -190,10 +184,10 @@ index c34607e..a192359 100644
capture,\ capture,\
t:none,\ t:none,\
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
index 8f8114c..26b525c 100644 index 24130eb..549c07c 100644
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf --- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf +++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -21,7 +21,67 @@ @@ -22,7 +22,67 @@
# -= Paranoia Level 0 (empty) =- (apply unconditionally) # -= Paranoia Level 0 (empty) =- (apply unconditionally)
# #
@ -262,8 +256,8 @@ index 8f8114c..26b525c 100644
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs. # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it. # So we add to it.
@@ -75,6 +135,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \ @@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
ver:'OWASP_CRS/3.3.0',\ ver:'OWASP_CRS/3.3.4',\
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'" setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
+SecRule TX:BLOCKING_EARLY "@eq 1" \ +SecRule TX:BLOCKING_EARLY "@eq 1" \

18
SPECS/mod_security_crs.spec
View File

@ -1,12 +1,12 @@
Summary: ModSecurity Rules Summary: ModSecurity Rules
Name: mod_security_crs Name: mod_security_crs
Version: 3.3.0 Version: 3.3.4
Release: 5%{?dist} Release: 1%{?dist}
License: ASL 2.0 License: ASL 2.0
URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
BuildArch: noarch BuildArch: noarch
Requires: mod_security >= 2.8.0 Requires: mod_security >= 2.9.6
Obsoletes: mod_security_crs-extras < 3.0.0 Obsoletes: mod_security_crs-extras < 3.0.0
Patch0: mod_security_crs-early-blocking.patch Patch0: mod_security_crs-early-blocking.patch
@ -29,7 +29,9 @@ install -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules
mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
install -m0644 rules/* %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/ install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
# activate base_rules # activate base_rules
@ -46,6 +48,14 @@ done
%{_datarootdir}/mod_modsecurity_crs %{_datarootdir}/mod_modsecurity_crs
%changelog %changelog
* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
- new version 3.3.4
- Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
* Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-6
- Fix application of early blocking patch
- Related: rhbz#2115313
* Fri Aug 05 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-5 * Fri Aug 05 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-5
- Fix patch for early blocking - Fix patch for early blocking
- Related: rhbz#2115313 - Related: rhbz#2115313