Merge pull request #1494 from DavidS/combined-pr

Combined PR for Sec changes

README.md

@@ -1813,7 +1813,7 @@ Installs and configures Trustwave's [`mod_security`][]. It is enabled and runs b
 
 **Parameters within `apache::mod::security`**:
 
-- `activated_rules`: An [array][] of rules from the `modsec_crs_path` to activate via symlinks. Default: `modsec_default_rules` in [`apache::params`][].
+- `activated_rules`: An [array][] of rules from the `modsec_crs_path` or absolute to activate via symlinks. Default: `modsec_default_rules` in [`apache::params`][].
 - `allowed_methods`: A space-separated list of allowed HTTP methods. Default: 'GET HEAD POST OPTIONS'.
 - `content_types`: A list of one or more allowed [MIME types][MIME `content-type`]. Default: 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf'
 - `crs_package`: Names the package that installs CRS rules. Default: `modsec_crs_package` in [`apache::params`][].
@@ -1822,9 +1822,10 @@ ${modsec\_dir}/activated\_rules.
 - `modsec_secruleengine`: Configures the modsec rules engine. Valid options: 'On', 'Off', and 'DetectionOnly'. Default: `modsec_secruleengine` in [`apache::params`][].
 - `restricted_extensions`: A space-separated list of prohibited file extensions. Default: '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'.
 - `restricted_headers`: A list of restricted headers separated by slashes and spaces. Default: 'Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'.
-- `secdefaultaction`: Configures the Mode of Operation, Self-Contained ('deny') vs. Collaborative Detection ('pass'), for the OWASP ModSecurity Core Rule Set. Default: 'deny'.
+- `secdefaultaction`: Configures the Mode of Operation, Self-Contained ('deny') vs. Collaborative Detection ('pass'), for the OWASP ModSecurity Core Rule Set. Default: 'deny'. Fuller values can be set too like "log,auditlog,deny,status:406,tag:'SLA 24/7'"
 - `secpcrematchlimit`: Sets the number for the match limit in the PCRE library. Default: '1500'
 - `secpcrematchlimitrecursion`: Sets the number for the match limit recursion in the PCRE library. Default: '1500'
+- `audit_log_releavant_status`: Configures which response status code is to be considered relevant for the purpose of audit logging. Defaults: '^(?:5|4(?!04))'.
 - `audit_log_parts`: Sets the sections to be put in the [audit log][]. Default: 'ABIJDEFHZ'
 - `anomaly_score_blocking`: De-/Activates the Collaborative Detection Blocking of the OWASP ModSecurity Core Rule Set. Default: off.
 - `inbound_anomaly_threshold`: Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set. Default: '5'.

manifests/mod/security.pp

@@ -3,6 +3,7 @@
   $activated_rules            = $::apache::params::modsec_default_rules,
   $modsec_dir                 = $::apache::params::modsec_dir,
   $modsec_secruleengine       = $::apache::params::modsec_secruleengine,
+  $audit_log_relevant_status  = '^(?:5|4(?!04))',
   $audit_log_parts            = $::apache::params::modsec_audit_log_parts,
   $secpcrematchlimit          = $::apache::params::secpcrematchlimit,
   $secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion,
@@ -21,6 +22,11 @@
 ) inherits ::apache::params {
   include ::apache
 
+  $_secdefaultaction = $secdefaultaction ? {
+    /log/   => $secdefaultaction, # it has log or nolog,auditlog or log,noauditlog
+    default => "${secdefaultaction},log",
+  }
+
   if $::osfamily == 'FreeBSD' {
     fail('FreeBSD is not currently supported')
   }
@@ -80,6 +86,19 @@
     notify  => Class['apache::service'],
   }
 
+  # Template uses:
+  # - $_secdefaultaction
+  # - $critical_anomaly_score
+  # - $error_anomaly_score
+  # - $warning_anomaly_score
+  # - $notice_anomaly_score
+  # - $inbound_anomaly_threshold
+  # - $outbound_anomaly_threshold
+  # - $anomaly_score_blocking
+  # - $allowed_methods
+  # - $content_types
+  # - $restricted_extensions
+  # - $restricted_headers
   file { "${modsec_dir}/security_crs.conf":
     ensure  => file,
     content => template('apache/mod/security_crs.conf.erb'),

manifests/security/rule_link.pp

@@ -3,10 +3,15 @@
   $parts = split($title, '/')
   $filename = $parts[-1]
 
+  $target = $title ? {
+    /^\//   => $title,
+    default => "${::apache::params::modsec_crs_path}/${title}",
+  }
+
   file { $filename:
     ensure  => 'link',
     path    => "${::apache::mod::security::modsec_dir}/activated_rules/${filename}",
-    target  => "${::apache::params::modsec_crs_path}/${title}",
+    target  => $target ,
     require => File["${::apache::mod::security::modsec_dir}/activated_rules"],
     notify  => Class['apache::service'],
   }

spec/classes/mod/security_spec.rb

@@ -27,6 +27,7 @@
     it { should contain_file('security.conf').with(
       :path => '/etc/httpd/conf.modules.d/security.conf'
     ) }
+    it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$} }
     it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABIJDEFHZ$} }
     it { should contain_file('/etc/httpd/modsecurity.d').with(
       :ensure => 'directory',
@@ -45,13 +46,29 @@
       :path => '/etc/httpd/modsecurity.d/security_crs.conf'
     ) }
     it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') }
+    it { should contain_file('modsecurity_35_bad_robots.data').with(
+      :path   => '/etc/httpd/modsecurity.d/activated_rules/modsecurity_35_bad_robots.data',
+      :target => '/usr/lib/modsecurity.d/base_rules/modsecurity_35_bad_robots.data',
+    ) }
 
     describe 'with parameters' do
       let :params do
-        { :audit_log_parts => "ABCDZ"
+        {
+          :activated_rules           => [
+            '/tmp/foo/bar.conf',
+          ],
+          :audit_log_relevant_status => "^(?:5|4(?!01|04))",
+          :audit_log_parts           => "ABCDZ",
+          :secdefaultaction          => "deny,status:406,nolog,auditlog",
         }
       end
+      it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} }
       it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} }
+      it { should contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
+      it { should contain_file('bar.conf').with(
+        :path   => '/etc/httpd/modsecurity.d/activated_rules/bar.conf',
+        :target => '/tmp/foo/bar.conf',
+      ) }
     end
   end
 
@@ -81,6 +98,7 @@
     it { should contain_file('security.conf').with(
       :path => '/etc/apache2/mods-available/security.conf'
     ) }
+    it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$} }
     it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABIJDEFHZ$} }
     it { should contain_file('/etc/modsecurity').with(
       :ensure => 'directory',
@@ -99,13 +117,29 @@
       :path => '/etc/modsecurity/security_crs.conf'
     ) }
     it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') }
+    it { should contain_file('modsecurity_35_bad_robots.data').with(
+      :path   => '/etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data',
+      :target => '/usr/share/modsecurity-crs/base_rules/modsecurity_35_bad_robots.data',
+    ) }
 
     describe 'with parameters' do
       let :params do
-        { :audit_log_parts => "ACEZ"
+        {
+          :activated_rules           => [
+            '/tmp/foo/bar.conf',
+          ],
+          :audit_log_relevant_status => "^(?:5|4(?!01|04))",
+          :audit_log_parts           => "ABCDZ",
+          :secdefaultaction          => "deny,status:406,nolog,auditlog",
         }
       end
-      it { should contain_file('security.conf').with_content  %r{^\s+SecAuditLogParts ACEZ$} }
+      it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} }
+      it { should contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} }
+      it { should contain_file('/etc/modsecurity/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
+      it { should contain_file('bar.conf').with(
+        :path   => '/etc/modsecurity/activated_rules/bar.conf',
+        :target => '/tmp/foo/bar.conf',
+      ) }
     end
   end
 

templates/mod/security.conf.erb

@@ -49,7 +49,7 @@
     SecResponseBodyLimitAction ProcessPartial
     SecDebugLogLevel 0
     SecAuditEngine RelevantOnly
-    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogRelevantStatus "<%= @audit_log_relevant_status %>"
     SecAuditLogParts <%= @audit_log_parts %>
     SecAuditLogType Serial
     SecArgumentSeparator &

templates/mod/security_crs.conf.erb

@@ -63,8 +63,8 @@ SecComponentSignature "OWASP_CRS/2.2.6"
 # Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
 # Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
 #
-SecDefaultAction "phase:1,<%= @secdefaultaction -%>,log"
-SecDefaultAction "phase:2,<%= @secdefaultaction -%>,log"
+SecDefaultAction "phase:1,<%= @_secdefaultaction -%>"
+SecDefaultAction "phase:2,<%= @_secdefaultaction -%>"
 
 #
 # -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------