42 changes: 23 additions & 19 deletions docs/guides/web/apache_hardened_webserver/modsecurity.md
Expand Up @@ -36,7 +36,7 @@ One thing missing with `mod_security` when installed from the generic Rocky Linu

To install the base package, use this command. It will install any missing dependencies. You also need `wget` if you do not have it installed:

```
```bash
dnf install mod_security wget
```

Expand All @@ -53,57 +53,60 @@ dnf install mod_security wget
3. Under "Assets" on the next page, right-click on the "Source Code (tar.gz)" link and copy the link.

4. On your server, go to the Apache configuration directory:
```

```bash
cd /etc/httpd/conf
```

5. Enter `wget` and paste your link. Example:

```
```bash
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.5.tar.gz
```

6. Decompress the file:
6. Decompress the file:

```
```bash
tar xzvf v3.3.5.tar.gz
```

This creates a directory with the release information in the name. Example: "coreruleset-3.3.5"

7. Create a symbolic link called "crs" linking to the directory of the release. Example:

```
```bash
ln -s coreruleset-3.3.5/ /etc/httpd/conf/crs
```

8. Remove the `tar.gz` file. Example:

```
```bash
rm -f v3.3.5.tar.gz
```

9. Copy the temporary configuration so that it will load when started:

```
```bash
cp crs/crs-setup.conf.example crs/crs-setup.conf
```

This file is editable, but you probably will not need to make any changes.

The `mod_security` rules are now in place.

## Configuration

With the rules in place, the next step is configuring these rules to load and run when `httpd` and `mod_security` run.
With the rules in place, the next step is configuring these rules to load and run when `httpd` and `mod_security` run.

`mod_security` already has a configuration file located in `/etc/httpd/conf.d/mod_security.conf`. You will need to modify this file to include the OWASP rules. To do this, edit that configuration file:

```
```bash
vi /etc/httpd/conf.d/mod_security.conf
```

Add the following content just before the end tag (`</IfModule`):

```
```bash
Include /etc/httpd/conf/crs/crs-setup.conf

SecAction "id:900110,phase:1,pass,nolog,\
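Review bot: The fence opened at `Include /etc/httpd/conf/crs/crs-setup.conf` is tagged `bash`, but its contents (`Include`, `SecAction`) are Apache configuration pasted into `mod_security.conf`, not shell; tag it `apache` (or `apacheconf`) so the highlighting is right and readers do not mistake it for commands to type. While this hunk is open, the context line above it reads "end tag (`</IfModule`)" and is missing the closing `>`; `</IfModule>` would avoid confusion.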
Expand All @@ -129,25 +132,25 @@ Add the following content just before the end tag (`</IfModule`):
# ...
```

Use ++esc++ to get out of insert mode, and ++shift+:+wq++ to save your changes, and quit.
Use ++esc++ to get out of insert mode, and ++shift+colon+"wq"++ to save your changes, and quit.

## Restart `httpd` and verify `mod_security`
## Restart `httpd` and verify `mod_security`

All you need to do at this point is to restart `httpd`:

```
```bash
systemctl restart httpd
```

Verify that the service started as expected:

```
```bash
systemctl status httpd
```

Entries like this in `/var/log/httpd/error_log` will show that `mod_security` is loading correctly:

```
```bash
[Thu Jun 08 20:31:50.259935 2023] [:notice] [pid 1971:tid 1971] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
[Thu Jun 08 20:31:50.259936 2023] [:notice] [pid 1971:tid 1971] ModSecurity: LUA compiled version="Lua 5.4"
[Thu Jun 08 20:31:50.259937 2023] [:notice] [pid 1971:tid 1971] ModSecurity: YAJL compiled version="2.1.0"
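Review bot: The fence before the `[Thu Jun 08 ...] ModSecurity: PCRE compiled version` lines is tagged `bash`, but it holds `error_log` output rather than shell, so `text` is the honest tag; the same applies to the `modsec_audit.log` excerpt (`Apache-Handler: ...`) in the next hunk. Tagging log output as bash mis-highlights the brackets and quoted values.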
Expand All @@ -156,7 +159,7 @@ Entries like this in `/var/log/httpd/error_log` will show that `mod_security` is

If you access the web site on the server, you should receive an entry in the `/var/log/httpd/modsec_audit.log` that shows the loading of OWASP rules:

```
```bash
Apache-Handler: proxy:unix:/run/php-fpm/www.sock|fcgi://localhost
Stopwatch: 1686249687051191 2023 (- - -)
Stopwatch2: 1686249687051191 2023; combined=697, p1=145, p2=458, p3=14, p4=45, p5=35, sr=22, sw=0, l=0, gc=0
Expand All @@ -165,9 +168,10 @@ Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/); OWASP_CRS/
Server: Apache/2.4.53 (Rocky Linux)
Engine-Mode: "ENABLED"
```

## Conclusion

`mod_security` with OWASP rules is another tool to help in hardening an Apache web server. Periodic checking of the [GitHub site for newer rules](https://github.com/coreruleset/coreruleset) and the latest official release is an ongoing maintenance step you need to make.
`mod_security` with OWASP rules is another tool to help in hardening an Apache web server. Periodic checking of the [GitHub site for newer rules](https://github.com/coreruleset/coreruleset) and the latest official release is an ongoing maintenance step you need to make.

`mod_security`, as with other hardening tools, has the potential of false-positive responses, so you must prepare to tune this tool to your installation.

24 changes: 12 additions & 12 deletions docs/guides/web/apache_hardened_webserver/ossec-hids.md
Expand Up @@ -33,13 +33,13 @@ If you prefer support, and have the budget for it, check out [Atomicorp's paid `

Downloading the repository requires `wget`. Install that first, and install the EPEL repository if you do not have it installed already, with:

```
```bash
dnf install wget epel-release
```

Download and enable Atomicorp's no cost repository:

```
```bash
wget -q -O - https://www.atomicorp.com/installers/atomic | sh
```

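Review bot: The tag change is fine, but `wget -q -O - https://www.atomicorp.com/installers/atomic | sh` pipes an unread remote script straight into a root shell. Since this line is being touched, consider splitting it into a download step and a separate `sh` step so the reader can inspect the script before running it.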
Expand All @@ -51,25 +51,25 @@ Next, it will ask you if you want to enable the repository by default, and again

You only need the atomic repository for a couple of packages. For this reason, you are going to change the repository and specify only those packages needed:

```
```bash
vi /etc/yum.repos.d/atomic.repo
```

Add this line beneath the "enabled = 1" in the top section:

```
```bash
includepkgs = ossec* GeoIP* inotify-tools
```

That is the only change you need. Save your changes and get out of the repository (in `vi` that is ++esc++ to enter command mode, then ++shift+:+wq++ to save and quit).
That is the only change you need. Save your changes and get out of the repository (in `vi` that is ++esc++ to enter command mode, then ++shift+colon+"wq"++ to save and quit).

This restricts the Atomicorp repository only to install and update these packages.

## Installing `ossec-hids`

With the repository configured, you need to install the packages:

```
```bash
dnf install ossec-hids-server ossec-hids inotify-tools
```

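Review bot: `includepkgs = ossec* GeoIP* inotify-tools` is a line from a yum `.repo` file, so the new `bash` tag on that fence is misleading; `ini` matches the format. The `vi` and `dnf` fences in this hunk are correctly `bash`.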
Expand All @@ -81,13 +81,13 @@ The default configuration is in a state requiring many changes. Most of these ha

To edit the configuration file, enter:

```
```bash
vi /var/ossec/etc/ossec.conf
```

The author will break apart this configuration showing the changes in line and explaining them:

```
```bash
<global>
<email_notification>yes</email_notification>
<email_to>admin1@youremaildomain.com</email_to>
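Review bot: The `<global>` block is XML from `ossec.conf`, so tagging the fence `bash` gives wrong highlighting; use `xml`. The same applies to the `<syscheck>`, `<localfile>` and `<command>` fences in the following hunks, which this PR also changes to `bash`.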
Expand All @@ -108,7 +108,7 @@ You need to set the "from" email address. You need this to deal with SPAM filter

The `<white_list>` sections deal with the server's localhost IP and with the "public" IP address (remember our substitution of a private IP address) of the firewall, from which all connections on the trusted network will show. You can add many `<white_list>` entries.

```
```bash
<syscheck>
<!-- Frequency that syscheck is executed -- default every 22 hours -->
<frequency>86400</frequency>
Expand All @@ -122,7 +122,7 @@ The `<rootcheck>` section just beneath the `<syscheck>` section is yet another p

Changing the `<frequency>` for the running of `<rootcheck>` to once every 24 hours (86400 seconds) from the default of 22 hours is an optional change shown.

```
```bash
<localfile>
<log_format>apache</log_format>
<location>/var/log/httpd/*access_log</location>
Expand All @@ -137,7 +137,7 @@ The `<localfile>` section deals with the locations of the logs you want to watch

You need to add in the Apache log locations, and you want to add these in as wild cards because you could have a bunch of logs for many different web customers.

```
```bash
<command>
<name>firewalld-drop</name>
<executable>firewall-drop.sh</executable>
Expand All @@ -157,7 +157,7 @@ The "firewall-drop" script already exists within the `ossec-hids` path. It tells

Enable and start the service when all the configuration changes are complete. If everything starts correctly, you are ready to move on:

```
```bash
systemctl enable ossec-hids
systemctl start ossec-hids
```
28 changes: 10 additions & 18 deletions docs/guides/web/apache_hardened_webserver/rkhunter.md
Expand Up @@ -15,6 +15,8 @@ tags:

Rootkit hunter (`rkhunter`) is a well known tool for checking vulnerabilities, rootkits, back doors, and possible local exploits on a server. It is possible to use it on _any_ server used for _any_ purpose. When tuned and automated, it can report any suspicious activity to the system administrator. This procedure outlines the installation, tuning, and use of rootkit hunter.

`rkhunter` is just one possible part of a hardened server setup. Use it alone or with other tools to maximize security.

## Prerequisites

* Proficiency with a command-line editor (using `vi` in this example)
Expand All @@ -24,14 +26,6 @@ Rootkit hunter (`rkhunter`) is a well known tool for checking vulnerabilities, r

This document was originally written in conjunction with the apache hardened web server routines, but works equally well on a server running any software.

## Introduction

`rkhunter` (Root Kit Hunter) is a Unix-based tool that scans for rootkits, back doors, and possible local exploits. It is a good part of a hardened server, and will notify the administrator quickly when something suspicious happens on the server's file system, providing it is properly configured.

`rkhunter` is just one possible part of a hardened Apache web server setup. Use it alone or with other tools to maximize security. If you want to use this along with other tools for hardening, refer back to the [Apache Hardened Web Server guide](index.md).

This document also uses all of the assumptions and conventions outlined in that original document. It is a good idea to review it before continuing.

## General steps

1. install `rkhunter`
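Review bot: Dropping the `## Introduction` section also drops the only link back to the [Apache Hardened Web Server guide](index.md) and the sentence stating that this document relies on that guide's assumptions and conventions; the paragraph added in the previous hunk keeps only the "one possible part of a hardened server setup" sentence. Keep the link and the assumptions note; the prerequisites line "This document was originally written in conjunction with the apache hardened web server routines" is a natural place for it.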
Expand All @@ -44,34 +38,33 @@ This document also uses all of the assumptions and conventions outlined in that

`rkhunter` requires the EPEL (Extra Packages for Enterprise Linux) repository. Install that repository if you do not have it installed already:

```
```bash
dnf install epel-release
```

Install `rkhunter`:

```
```bash
dnf install rkhunter
```

## Configuring `rkhunter`

The only configuration options that you _need_ to set are those dealing with mailing reports to the Administrator.
The only configuration options that you _need_ to set are those dealing with mailing reports to the Administrator.

!!! warning

Modification of _any_ configuration file in Linux carries risk. Before altering **any** configuration file in Linux, creating a backup of the _original_ file is recommended.


To change the configuration file, run:

```
```bash
vi /etc/rkhunter.conf
```

Search for:

```
```bash
#MAIL-ON-WARNING=me@mydomain root@mydomain
```

Expand All @@ -81,8 +74,7 @@ Change the `root@mydomain` to `root@whatever_the_server_name_is`.

You will probably also want to remove the remark (and edit the line to fit your needs) from the `MAIL-CMD` line:


```
```bash
MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}"
```

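Review bot: The context line says "from the `MAIL-CMD` line" but the snippet (and rkhunter.conf) spells the option `MAIL_CMD` with an underscore, unlike `MAIL-ON-WARNING`; fix the prose so readers searching the file find it. The `bash` tag is appropriate here since rkhunter.conf uses shell-style assignments.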
Expand All @@ -96,7 +88,7 @@ You will also need to move the script somewhere other than `/etc/cron.daily/`, s

If you want to test `rkhunter` before you start, including all email functionality, run `rkhunter --check` from the command line. If installed and functioning correctly, you should receive an output similar to the following:

```
```bash
[root@sol admin]# rkhunter --check
[Rootkit Hunter version 1.4.6]

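Review bot: This fence holds a terminal session with a prompt (`[root@sol admin]# rkhunter --check`) followed by program output; `console` or `text` fits better than `bash`, which will try to highlight the output lines as shell.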
Expand Down Expand Up @@ -252,7 +244,7 @@ Performing file properties checks

Hold off completing the remaining steps if problems exist with the email setup. When confirming email works, but before allowing `rkhunter` to run automatically, run the command manually again with the "--propupd" flag to create the `rkhunter.dat` file. This ensures recognition of your environment and configuration:

```
```bash
rkhunter --propupd
```

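Review bot: The prose at the top of this hunk writes "--propupd" in quotes while the rest of the file uses backticks for flags; use `--propupd`. It is also worth a sentence of documentation here: `rkhunter --propupd` records the current file properties as the trusted baseline in `rkhunter.dat`, so it should only be run when the system is known to be clean (a fresh install, or after an inspected change); otherwise later `--check` runs compare against an already-altered state.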