Saltstack Official Apache Formula
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.

242 Zeilen
9.4KB

  1. {%- set apache = pillar.get('apache', {}) %}
  2. {%- set modsec = apache.get('mod_security', {}) %}
  3. {%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
  4. {%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
  5. {%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
  6. {%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
  7. {%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
  8. {%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
  9. {%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
  10. {%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
  11. {%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
  12. #
  13. # This file is managed by Salt! Do not edit by hand!
  14. # Modify the salt pillar that generates this file instead
  15. #
  16. # -- Rule engine initialization ----------------------------------------------
  17. # Enable ModSecurity, attaching it to every transaction. Use detection
  18. # only to start with, because that minimises the chances of post-installation
  19. # disruption.
  20. #
  21. SecRuleEngine {{ sec_rule_engine }}
  22. # -- Request body handling ---------------------------------------------------
  23. # Allow ModSecurity to access request bodies. If you don't, ModSecurity
  24. # won't be able to see any POST parameters, which opens a large security
  25. # hole for attackers to exploit.
  26. #
  27. SecRequestBodyAccess {{ sec_request_body_access }}
  28. # Enable XML request body parser.
  29. # Initiate XML Processor in case of xml content-type
  30. #
  31. SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
  32. "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
  33. # Enable JSON request body parser.
  34. # Initiate JSON Processor in case of JSON content-type; change accordingly
  35. # if your application does not use 'application/json'
  36. #
  37. SecRule REQUEST_HEADERS:Content-Type "application/json" \
  38. "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
  39. # Maximum request body size we will accept for buffering. If you support
  40. # file uploads then the value given on the first line has to be as large
  41. # as the largest file you are willing to accept. The second value refers
  42. # to the size of data, with files excluded. You want to keep that value as
  43. # low as practical.
  44. #
  45. SecRequestBodyLimit {{ sec_request_body_limit }}
  46. SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
  47. # Store up to 128 KB of request body data in memory. When the multipart
  48. # parser reaches this limit, it will start using your hard disk for
  49. # storage. That is slow, but unavoidable.
  50. #
  51. SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
  52. # What do do if the request body size is above our configured limit.
  53. # Keep in mind that this setting will automatically be set to ProcessPartial
  54. # when SecRuleEngine is set to DetectionOnly mode in order to minimize
  55. # disruptions when initially deploying ModSecurity.
  56. #
  57. SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
  58. # Verify that we've correctly processed the request body.
  59. # As a rule of thumb, when failing to process a request body
  60. # you should reject the request (when deployed in blocking mode)
  61. # or log a high-severity alert (when deployed in detection-only mode).
  62. #
  63. SecRule REQBODY_ERROR "!@eq 0" \
  64. "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
  65. # By default be strict with what we accept in the multipart/form-data
  66. # request body. If the rule below proves to be too strict for your
  67. # environment consider changing it to detection-only. You are encouraged
  68. # _not_ to remove it altogether.
  69. #
  70. SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
  71. "id:'200003',phase:2,t:none,log,deny,status:400, \
  72. msg:'Multipart request body failed strict validation: \
  73. PE %{REQBODY_PROCESSOR_ERROR}, \
  74. BQ %{MULTIPART_BOUNDARY_QUOTED}, \
  75. BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
  76. DB %{MULTIPART_DATA_BEFORE}, \
  77. DA %{MULTIPART_DATA_AFTER}, \
  78. HF %{MULTIPART_HEADER_FOLDING}, \
  79. LF %{MULTIPART_LF_LINE}, \
  80. SM %{MULTIPART_MISSING_SEMICOLON}, \
  81. IQ %{MULTIPART_INVALID_QUOTING}, \
  82. IP %{MULTIPART_INVALID_PART}, \
  83. IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
  84. FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
  85. # Did we see anything that might be a boundary?
  86. #
  87. SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
  88. "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
  89. # PCRE Tuning
  90. # We want to avoid a potential RegEx DoS condition
  91. #
  92. SecPcreMatchLimit {{ sec_pcre_match_limit }}
  93. SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
  94. # Some internal errors will set flags in TX and we will need to look for these.
  95. # All of these are prefixed with "MSC_". The following flags currently exist:
  96. #
  97. # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
  98. #
  99. SecRule TX:/^MSC_/ "!@streq 0" \
  100. "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
  101. # -- Response body handling --------------------------------------------------
  102. # Allow ModSecurity to access response bodies.
  103. # You should have this directive enabled in order to identify errors
  104. # and data leakage issues.
  105. #
  106. # Do keep in mind that enabling this directive does increases both
  107. # memory consumption and response latency.
  108. #
  109. SecResponseBodyAccess On
  110. # Which response MIME types do you want to inspect? You should adjust the
  111. # configuration below to catch documents but avoid static files
  112. # (e.g., images and archives).
  113. #
  114. SecResponseBodyMimeType text/plain text/html text/xml
  115. # Buffer response bodies of up to 512 KB in length.
  116. SecResponseBodyLimit 524288
  117. # What happens when we encounter a response body larger than the configured
  118. # limit? By default, we process what we have and let the rest through.
  119. # That's somewhat less secure, but does not break any legitimate pages.
  120. #
  121. SecResponseBodyLimitAction ProcessPartial
  122. # -- Filesystem configuration ------------------------------------------------
  123. # The location where ModSecurity stores temporary files (for example, when
  124. # it needs to handle a file upload that is larger than the configured limit).
  125. #
  126. # This default setting is chosen due to all systems have /tmp available however,
  127. # this is less than ideal. It is recommended that you specify a location that's private.
  128. #
  129. SecTmpDir /tmp/
  130. # The location where ModSecurity will keep its persistent data. This default setting
  131. # is chosen due to all systems have /tmp available however, it
  132. # too should be updated to a place that other users can't access.
  133. #
  134. SecDataDir /tmp/
  135. # -- File uploads handling configuration -------------------------------------
  136. # The location where ModSecurity stores intercepted uploaded files. This
  137. # location must be private to ModSecurity. You don't want other users on
  138. # the server to access the files, do you?
  139. #
  140. #SecUploadDir /opt/modsecurity/var/upload/
  141. # By default, only keep the files that were determined to be unusual
  142. # in some way (by an external inspection script). For this to work you
  143. # will also need at least one file inspection rule.
  144. #
  145. #SecUploadKeepFiles RelevantOnly
  146. # Uploaded files are by default created with permissions that do not allow
  147. # any other user to access them. You may need to relax that if you want to
  148. # interface ModSecurity to an external program (e.g., an anti-virus).
  149. #
  150. #SecUploadFileMode 0600
  151. # -- Debug log configuration -------------------------------------------------
  152. # The default debug log configuration is to duplicate the error, warning
  153. # and notice messages from the error log.
  154. #
  155. #SecDebugLog /opt/modsecurity/var/log/debug.log
  156. SecDebugLogLevel {{ sec_debug_log_level }}
  157. # -- Audit log configuration -------------------------------------------------
  158. # Log the transactions that are marked by a rule, as well as those that
  159. # trigger a server error (determined by a 5xx or 4xx, excluding 404,
  160. # level response status codes).
  161. #
  162. SecAuditEngine RelevantOnly
  163. SecAuditLogRelevantStatus "^(?:5|4(?!04))"
  164. # Log everything we know about a transaction.
  165. SecAuditLogParts ABIJDEFHZ
  166. # Use a single file for logging. This is much easier to look at, but
  167. # assumes that you will use the audit log only ocassionally.
  168. #
  169. SecAuditLogType Serial
  170. SecAuditLog /var/log/modsec_audit.log
  171. # Specify the path for concurrent audit logging.
  172. #SecAuditLogStorageDir /opt/modsecurity/var/audit/
  173. # -- Miscellaneous -----------------------------------------------------------
  174. # Use the most commonly used application/x-www-form-urlencoded parameter
  175. # separator. There's probably only one application somewhere that uses
  176. # something else so don't expect to change this value.
  177. #
  178. SecArgumentSeparator &
  179. # Settle on version 0 (zero) cookies, as that is what most applications
  180. # use. Using an incorrect cookie version may open your installation to
  181. # evasion attacks (against the rules that examine named cookies).
  182. #
  183. SecCookieFormat 0
  184. # Specify your Unicode Code Point.
  185. # This mapping is used by the t:urlDecodeUni transformation function
  186. # to properly map encoded data to your language. Properly setting
  187. # these directives helps to reduce false positives and negatives.
  188. #
  189. SecUnicodeMapFile unicode.mapping 20127
  190. # Improve the quality of ModSecurity by sharing information about your
  191. # current ModSecurity version and dependencies versions.
  192. # The following information will be shared: ModSecurity version,
  193. # Web Server version, APR version, PCRE version, Lua version, Libxml2
  194. # version, Anonymous unique id for host.
  195. SecStatusEngine On