Compare commits

...

No commits in common. "c8s" and "c9-beta" have entirely different histories.
c8s ... c9-beta

8 changed files with 110 additions and 45 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/v3.3.4.tar.gz
/v3.3.4.tar.gz
SOURCES/v3.3.5.tar.gz

View File

@ -0,0 +1 @@
b552005471446a4a2454a6b6ee7e65f864219ce0 SOURCES/v3.3.5.tar.gz

View File

@ -1,5 +1,5 @@
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
index b443e77..0fdd5cb 100644
index e0b1d9c..cc2f97c 100644
--- a/crs-setup.conf.example
+++ b/crs-setup.conf.example
@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
@ -57,11 +57,11 @@ index b443e77..0fdd5cb 100644
#
# Some well-known applications may undertake actions that appear to be
diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
index 5044abd..06a1bb3 100644
index 27fd54a..2095bf7 100644
--- a/rules/REQUEST-901-INITIALIZATION.conf
+++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.outbound_anomaly_score_threshold=4'"
+# Default Blocking Early (rule 900120 in setup.conf)
@ -77,7 +77,7 @@ index 5044abd..06a1bb3 100644
SecRule &TX:paranoia_level "@eq 0" \
"id:901120,\
diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
index 050eb04..755315f 100644
index 9ee4a8d..c5e4604 100644
--- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
+++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -12,7 +12,66 @@
@ -171,7 +171,7 @@ index 050eb04..755315f 100644
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
index 13013de..bf9b03d 100644
index 0b6f832..5c61674 100644
--- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
+++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
@ -184,7 +184,7 @@ index 13013de..bf9b03d 100644
capture,\
t:none,\
diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
index 24130eb..549c07c 100644
index 689cc94..e30ce13 100644
--- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
+++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -22,7 +22,67 @@
@ -257,7 +257,7 @@ index 24130eb..549c07c 100644
# NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
# So we add to it.
@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
+SecRule TX:BLOCKING_EARLY "@eq 1" \

View File

@ -0,0 +1,29 @@
diff --git a/rules/REQUEST-913-SCANNER-DETECTION.conf b/rules/REQUEST-913-SCANNER-DETECTION.conf
index 6e12d08..6be0b67 100644
--- a/rules/REQUEST-913-SCANNER-DETECTION.conf
+++ b/rules/REQUEST-913-SCANNER-DETECTION.conf
@@ -31,6 +31,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:913012,phase:2,pass,nolog,skipAf
# 913101 - scripting/generic HTTP clients (data file scripting-user-agents.data)
# 913102 - web crawlers/bots (data file crawlers-user-agents.data)
#
+# Chained rule is doing whitelist for YUM package manager of CentOS / Fedore.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
"id:913100,\
phase:2,\
@@ -49,10 +50,12 @@ SecRule REQUEST_HEADERS:User-Agent "@pmFromFile scanners-user-agents.data" \
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
- setvar:'ip.reput_block_flag=1',\
- setvar:'ip.reput_block_reason=%{rule.msg}',\
- expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
+ chain"
+ SecRule MATCHED_VARS "!@rx ^urlgrabber/[0-9\.]+ yum/[0-9\.]+$" \
+ "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+ setvar:'ip.reput_block_flag=1',\
+ setvar:'ip.reput_block_reason=%{rule.msg}',\
+ expirevar:'ip.reput_block_flag=%{tx.reput_block_duration}'"
SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmFromFile scanners-headers.data" \
"id:913110,\

View File

@ -1,8 +1,10 @@
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 2020-07-01 18:38:19.000000000 +0200
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf 2023-02-16 09:14:52.151838881 +0100
@@ -543,8 +543,11 @@
diff --git a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
index 3b2376b..504eb26 100644
--- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
+++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
@@ -543,8 +543,11 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAME
ctl:auditLogParts=+E,\
ver:'OWASP_CRS/3.3.4',\
ver:'OWASP_CRS/3.3.5',\
severity:'CRITICAL',\
- setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

View File

@ -1,24 +1,27 @@
Summary: ModSecurity Rules
Name: mod_security_crs
Version: 3.3.4
Release: 3%{?dist}
Version: 3.3.5
Release: 1%{?dist}
License: ASL 2.0
URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
Group: System Environment/Daemons
Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
BuildArch: noarch
Requires: mod_security >= 2.8.0
Requires: mod_security >= 2.9.6
Obsoletes: mod_security_crs-extras < 3.0.0
Patch0: mod_security_crs-early-blocking.patch
# https://issues.redhat.com/browse/RHEL-16358
Patch1: mod_security_crs-rule-941310-dont-match-japanese-word.patch
# https://issues.redhat.com/browse/RHEL-22733
Patch2: mod_security_crs-rule-913100-req-scanner-detection.patch
%description
This package provides the base rules for mod_security.
%prep
%setup -q -n coreruleset-%{version}
%patch0 -p1 -b.early_blocking
%patch1 -p1 -b.rule_941310
%patch0 -p1 -b .early_blocking
%patch1 -p1 -b .rule_941310
%patch2 -p1 -b .rule_913100
%build
@ -34,6 +37,7 @@ mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysc
install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
# activate base_rules
@ -44,38 +48,76 @@ done
%files
%license LICENSE
%doc CHANGES README.md
%doc CHANGES.md README.md
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/*
%config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
%{_datarootdir}/mod_modsecurity_crs
%changelog
* Tue Apr 04 2023 Richard Lescak <rlescak@redhat.com> - 3.3.4-3
- bump release to enable build
- Related: rhbz#2040257
* Mon May 20 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.5-1
- Resolves: RHEL-32964 - new version 3.3.5
* Fri Mar 31 2023 Richard Lescak <rlescak@redhat.com> - 3.3.4-2
- add chained regex for rule 941310 to not match japan word 'company'
- Resolves: rhbz#2040257
* Fri Feb 09 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-3
- Resolves: #RHEL-22733 - mod_security_crs - The rule id:913100 in the
REQUEST-913-SCANNER-DETECTION.conf blocks requests with "User-agent:
urlgrabber/3.10 yum/3.4.3"
* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
* Fri Feb 02 2024 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-2
- Resolves: RHEL-16358 - A form data, ""(Company in Japanese) is forbade
with REQUEST-941-APPLICATION-ATTACK-XSS.conf of mod_security_crs
* Mon Dec 05 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
- new version 3.3.4
- Resolves: #2141432 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
- Resolves: #2143210 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
* Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-5
* Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-6
- Fix application of early blocking patch
- Related: rhbz#2101020
- Related: rhbz#2115313
* Mon Sep 05 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-4
- Rebuild because of build system issue
- Related: rhbz#2101020
* Fri Aug 05 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-5
- Fix patch for early blocking
- Related: rhbz#2115313
* Tue Aug 02 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-3
* Thu Aug 04 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-4
- Backport early blocking feature
- Resolves: rhbz#2101020
- Resolves: rhbz#2115313
* Thu May 06 2021 Lubos Uhliarik <luhliari@redhat.com> - 3.3.0-2
- Resolves: #1855858 - [RFE] update mod_security_crs to 3.3
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.3.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Aug 2 2021 Joe Orton <jorton@redhat.com> - 3.3.0-2
- rebuild (#1986075)
* Thu Apr 22 2021 Lubos Uhliarik <luhliari@redhat.com> - 3.3.0-1
- Resolves: #1947962 - [RFE] update mod_security_crs to 3.3
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Mar 05 2021 Lubos Uhliarik <luhliari@redhat.com> - 3.2.0-1
- new version 3.2.0
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

View File

@ -1,7 +0,0 @@
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

View File

@ -1 +0,0 @@
SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827