7 changed files with 1 additions and 474 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +0,0 @@
 SOURCES/v3.3.4.tar.gz
 /v3.3.4.tar.gz
--- a/dead.package
+++ b/dead.package
@ -0,0 +1 @@
 mod_security_crs was removed due to minimization efforts prior to public launch
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-8
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}
--- a/mod_security_crs-early-blocking.patch
+++ b/mod_security_crs-early-blocking.patch
@ -1,280 +0,0 @@
 diff --git a/crs-setup.conf.example b/crs-setup.conf.example
 index b443e77..0fdd5cb 100644
 --- a/crs-setup.conf.example
 +++ b/crs-setup.conf.example
@@ -234,7 +234,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #
 -# -- [[ Anomaly Mode Severity Levels ]] ----------------------------------------
 +# -- [[ Anomaly Scoring Mode Severity Levels ]] --------------------------------
 #
 # Each rule in the CRS has an associated severity level.
 # These are the default scoring points for each severity level.
@@ -270,7 +270,7 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #
 -# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------
 +# -- [[ Anomaly Scoring Mode Blocking Threshold Levels ]] ----------------------
 #
 # Here, you can specify at which cumulative anomaly score an inbound request,
 # or outbound response, gets blocked.
@@ -319,6 +319,35 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #  setvar:tx.outbound_anomaly_score_threshold=4"
 #
 +# -- [[ Early Anomaly Scoring Mode Blocking ]] ------------------------------
 +#
 +# The anomaly scores for the request and the responses are generally summed up
 +# and evaluated at the end of phase:2 and at the end of phase:4 respectively.
 +# However, it is possible to enable an early evaluation of these anomaly scores
 +# at the end of phase:1 and at the end of phase:3.
 +#
 +# If a request (or a response) hits the anomaly threshold in this early
 +# evaluation, then blocking happens immediately (if blocking is enabled) and
 +# the phase 2 (and phase 4 respectively) will no longer be executed.
 +#
 +# Enable the rule 900120 that sets the variable tx.blocking_early to 1 in order
 +# to enable early blocking. The variable tx.blocking_early is set to 0 by
 +# default. Early blocking is thus disabled by default.
 +#
 +# Please note that blocking early will hide potential alerts from you. This 
 +# means that a payload that would appear in an alert in phase 2 (or phase 4)
 +# does not get evaluated if the request is being blocked early. So when you 
 +# disabled blocking early again at some point in the future, then new alerts 
 +# from phase 2 might pop up.
 +#SecAction \
 +#  "id:900120,\
 +#  phase:1,\
 +#  nolog,\
 +#  pass,\
 +#  t:none,\
 +#  setvar:tx.blocking_early=1"
 +
 +
 # -- [[ Application Specific Rule Exclusions ]] ----------------------------------------
 #
 # Some well-known applications may undertake actions that appear to be
 diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
 index 5044abd..06a1bb3 100644
 --- a/rules/REQUEST-901-INITIALIZATION.conf
 +++ b/rules/REQUEST-901-INITIALIZATION.conf
@@ -89,6 +89,15 @@ SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
     ver:'OWASP_CRS/3.3.4',\
     setvar:'tx.outbound_anomaly_score_threshold=4'"
 +# Default Blocking Early (rule 900120 in setup.conf)
 +SecRule &TX:blocking_early "@eq 0" \
 +    "id:901115,\
 +    phase:1,\
 +    pass,\
 +    nolog,\
 +    ver:'OWASP_CRS/3.3.0',\
 +    setvar:'tx.blocking_early=0'"
 +
 # Default Paranoia Level (rule 900000 in setup.conf)
 SecRule &TX:paranoia_level "@eq 0" \
     "id:901120,\
 diff --git a/rules/REQUEST-949-BLOCKING-EVALUATION.conf b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
 index 050eb04..755315f 100644
 --- a/rules/REQUEST-949-BLOCKING-EVALUATION.conf
 +++ b/rules/REQUEST-949-BLOCKING-EVALUATION.conf
@@ -12,7 +12,66 @@
 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
 #
 -# Summing up the anomaly score.
 +# Skipping early blocking
 +
 +SecRule TX:BLOCKING_EARLY "!@eq 1" \
 +    "id:949050,\
 +    phase:1,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
 +
 +SecRule TX:BLOCKING_EARLY "!@eq 1" \
 +    "id:949051,\
 +    phase:2,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
 +
 +# Summing up the anomaly score for early blocking
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 1" \
 +    "id:949052,\
 +    phase:1,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl1}'"
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 2" \
 +    "id:949053,\
 +    phase:1,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl2}'"
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 3" \
 +    "id:949054,\
 +    phase:1,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl3}'"
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 4" \
 +    "id:949055,\
 +    phase:1,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.anomaly_score=+%{tx.anomaly_score_pl4}'"
 +
 +SecAction "id:949059,\
 +    phase:2,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.anomaly_score=0'"
 +
 +SecMarker BLOCKING_EARLY_ANOMALY_SCORING
 # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
 # So we add to it.
@@ -93,6 +152,21 @@ SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
     severity:'CRITICAL',\
     setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
 +SecRule TX:BLOCKING_EARLY "@eq 1" \
 +    "id:949111,\
 +    phase:1,\
 +    deny,\
 +    t:none,\
 +    msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.ANOMALY_SCORE})',\
 +    tag:'application-multi',\
 +    tag:'language-multi',\
 +    tag:'platform-multi',\
 +    tag:'attack-generic',\
 +    ver:'OWASP_CRS/3.3.0',\
 +    severity:'CRITICAL',\
 +    chain"
 +    SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
 +        "setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:949011,phase:1,pass,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
 diff --git a/rules/RESPONSE-950-DATA-LEAKAGES.conf b/rules/RESPONSE-950-DATA-LEAKAGES.conf
 index 13013de..bf9b03d 100644
 --- a/rules/RESPONSE-950-DATA-LEAKAGES.conf
 +++ b/rules/RESPONSE-950-DATA-LEAKAGES.conf
@@ -96,7 +96,7 @@ SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:950014,phase:4,pass,nolog,skipAf
 #
 SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
     "id:950100,\
 -    phase:4,\
 +    phase:3,\
     block,\
     capture,\
     t:none,\
 diff --git a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
 index 24130eb..549c07c 100644
 --- a/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
 +++ b/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
@@ -22,7 +22,67 @@
 # -= Paranoia Level 0 (empty) =- (apply unconditionally)
 #
 -# Summing up the anomaly score.
 +
 +# Skipping early blocking
 +
 +SecRule TX:BLOCKING_EARLY "!@eq 1" \
 +    "id:959050,\
 +    phase:3,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
 +
 +SecRule TX:BLOCKING_EARLY "!@eq 1" \
 +    "id:959051,\
 +    phase:4,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    skipAfter:BLOCKING_EARLY_ANOMALY_SCORING"
 +
 +# Summing up the anomaly score for early blocking
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 1" \
 +    "id:959052,\
 +    phase:3,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl1}'"
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 2" \
 +    "id:959053,\
 +    phase:3,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl2}'"
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 3" \
 +    "id:959054,\
 +    phase:3,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl3}'"
 +
 +SecRule TX:PARANOIA_LEVEL "@ge 4" \
 +    "id:959055,\
 +    phase:3,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.outbound_anomaly_score=+%{tx.anomaly_score_pl4}'"
 +
 +SecAction "id:959059,\
 +    phase:4,\
 +    pass,\
 +    t:none,\
 +    nolog,\
 +    setvar:'tx.outbound_anomaly_score=0'"
 +
 +SecMarker BLOCKING_EARLY_ANOMALY_SCORING
 # NOTE: tx.anomaly_score should not be set initially, but masking would lead to difficult bugs.
 # So we add to it.
@@ -76,6 +136,21 @@ SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
     ver:'OWASP_CRS/3.3.4',\
     setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"
 +SecRule TX:BLOCKING_EARLY "@eq 1" \
 +    "id:959101,\
 +    phase:3,\
 +    deny,\
 +    t:none,\
 +    msg:'Outbound Anomaly Score Exceeded in phase 3 (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
 +    tag:'application-multi',\
 +    tag:'language-multi',\
 +    tag:'platform-multi',\
 +    tag:'attack-generic',\
 +    ver:'OWASP_CRS/3.3.0',\
 +    severity:'CRITICAL',\
 +    chain"
 +    SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
 +        "setvar:'tx.anomaly_score=%{tx.outbound_anomaly_score}'"
 SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 1" "id:959011,phase:3,pass,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
--- a/mod_security_crs-rule-941310-dont-match-japanese-word.patch
+++ b/mod_security_crs-rule-941310-dont-match-japanese-word.patch
@ -1,16 +0,0 @@
 --- a/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf	2020-07-01 18:38:19.000000000 +0200
 +++ b/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf	2023-02-16 09:14:52.151838881 +0100
@@ -543,8 +543,11 @@
     ctl:auditLogParts=+E,\
     ver:'OWASP_CRS/3.3.4',\
     severity:'CRITICAL',\
 -    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 -    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 +    chain"
 +        SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|REQUEST_FILENAME|XML:/* "@rx [^\xe4]\xbc[^\x9a][^\xbe>]*[^\xe7][^\xa4][\xbe>]|<[^\xbe]*[^\xe7][^\xa4]\xbe" \
 +        "t:none,t:lowercase,t:urlDecode,t:htmlEntityDecode,t:jsDecode,\
 +        setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
 +        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
 #
 # https://nedbatchelder.com/blog/200704/xss_with_utf7.html
--- a/mod_security_crs.spec
+++ b/mod_security_crs.spec
@ -1,168 +0,0 @@
 Summary: ModSecurity Rules
 Name: mod_security_crs
 Version: 3.3.4
 Release: 3%{?dist}
 License: ASL 2.0
 URL: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
 Group: System Environment/Daemons
 Source: https://github.com/coreruleset/coreruleset/archive/refs/tags/v%{version}.tar.gz
 BuildArch: noarch
 Requires: mod_security >= 2.8.0
 Obsoletes: mod_security_crs-extras < 3.0.0
 Patch0: mod_security_crs-early-blocking.patch
 Patch1: mod_security_crs-rule-941310-dont-match-japanese-word.patch
 %description
 This package provides the base rules for mod_security.
 %prep
 %setup -q -n coreruleset-%{version}
 %patch0 -p1 -b.early_blocking
 %patch1 -p1 -b.rule_941310
 %build
 %install
 install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/
 install -d %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules
 install -d %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules
 # To exclude rules (pre/post)
 mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
 mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 install -m0644 rules/*.conf %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
 install -m0644 rules/*.data %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/
 mv crs-setup.conf.example %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
 # activate base_rules
 for f in `ls %{buildroot}%{_datarootdir}/mod_modsecurity_crs/rules/` ; do 
    ln -s %{_datarootdir}/mod_modsecurity_crs/rules/$f %{buildroot}%{_sysconfdir}/httpd/modsecurity.d/activated_rules/$f; 
 done
 %files
 %license LICENSE
 %doc CHANGES README.md
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/activated_rules/*
 %config(noreplace) %{_sysconfdir}/httpd/modsecurity.d/crs-setup.conf
 %{_datarootdir}/mod_modsecurity_crs
 %changelog
 * Tue Apr 04 2023 Richard Lescak <rlescak@redhat.com> - 3.3.4-3
 - bump release to enable build
 - Related: rhbz#2040257
 * Fri Mar 31 2023 Richard Lescak <rlescak@redhat.com> - 3.3.4-2
 - add chained regex for rule 941310 to not match japan word 'company'
 - Resolves: rhbz#2040257
 * Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 3.3.4-1
 - new version 3.3.4
 - Resolves: #2141432 - [RFE] upgrade mod_security_crs to latest upstream 3.3.x
 * Wed Sep 07 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-5
 - Fix application of early blocking patch
 - Related: rhbz#2101020
 * Mon Sep 05 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-4
 - Rebuild because of build system issue
 - Related: rhbz#2101020
 * Tue Aug 02 2022 Tomas Korbar <tkorbar@redhat.com> - 3.3.0-3
 - Backport early blocking feature
 - Resolves: rhbz#2101020
 * Thu May 06 2021 Lubos Uhliarik <luhliari@redhat.com> - 3.3.0-2
 - Resolves: #1855858 - [RFE] update mod_security_crs to 3.3
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Sat Apr 22 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 3.0.0-4
 - Exclude rule files should not be symlink
 * Sat Apr 22 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 3.0.0-3
 - Use versioned obsoletes
 - Move away from /lib since rules are data
 * Sat Apr 22 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 3.0.0-2
 - Fix the install part since extra and experimental rules are not longer included in 3.x
 - Remove EL5 bits since EL5/EPEL5 are OEL-ed
 - Bump reqs
 * Sat Apr 22 2017 Athmane Madjoudj <athmane@fedoraproject.org> - 3.0.0-1
 - Update to 3.0.0
 - Clean up the spec
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.9.20160414git-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Fri Apr 29 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.9.20160414git-1
 - Update to 2.9.20160414git
 * Tue Mar 08 2016 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.9.20160219git-1
 - Update to 2.2.9
 - Minor spec cleanup
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.8-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 * Tue Jul 02 2013 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.8-1
 - Update to 2.2.8
 - Adapt the spec file to new github tarball schema.
 - Correct bugus date in the spec file.
 * Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.6-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
 * Mon Nov 19 2012 Peter Vrabec <pvrabec@redhat.com> 2.2.6-4
 - "extras" subpackage is not provided on RHEL7
 * Wed Oct 17 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.6-3
 - Remove the patch since we're requiring mod_security >= 2.7.0
 - Require mod_security >= 2.7.0
 * Mon Oct 01 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.6-2
 - Add a patch to fix incompatible rules.
 - Update to new git release
 * Sat Sep 15 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.6-1
 - Update to 2.2.6
 - Update spec file since upstream moved to Github.
 * Thu Sep 13 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.5-5
 - Enable extra rules sub-package for EPEL.
 * Tue Aug 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.5-4
 - Fix spec for el5
 * Tue Aug 28 2012 Athmane Madjoudj <athmane@fedoraproject.org> 2.2.5-3
 - Add BuildRoot def for el5 compatibility
 * Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 * Fri Jun 22 2012 Peter Vrabec <pvrabec@redhat.com> 2.2.5-1
 - upgrade
 * Wed Jun 20 2012 Peter Vrabec <pvrabec@redhat.com> 2.2.4-3
 - "extras" subpackage is not provided on RHEL
 * Thu May 03 2012 Peter Vrabec <pvrabec@redhat.com> 2.2.4-2
 - fix fedora-review issues (#816975)
 * Thu Apr 19 2012 Peter Vrabec <pvrabec@redhat.com> 2.2.4-1
 - initial package
--- a/1
+++ b/1
@ -1 +0,0 @@
 SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827
		`@ -0,0 +1 @@`
							`mod_security_crs was removed due to minimization efforts prior to public launch`
		`@ -1 +0,0 @@`
			`SHA512 (v3.3.4.tar.gz) = a8b8b210054a9a4e3f8e45a5a9428110bb4075e40430e3fc16f4717e363af141265b1fb5c173ff96abeff0ac61ef5eef667a4b9cb703f8edc15e48deb3342827`