Saltstack Official Apache Formula
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.

76 lines
3.4KB

  1. {%- set apache = pillar.get('apache', {}) %}
  2. {%- set modsec = apache.get('mod_security', {}) %}
  3. {%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
  4. {%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
  5. {%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
  6. {%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
  7. {%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
  8. {%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
  9. {%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
  10. {%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
  11. {%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
  12. #
  13. # This file is managed/autogenerated by salt.
  14. # Modify the salt pillar that generates this file instead
  15. #
  16. LoadModule security2_module modules/mod_security2.so
  17. <IfModule !mod_unique_id.c>
  18. LoadModule unique_id_module modules/mod_unique_id.so
  19. </IfModule>
  20. <IfModule mod_security2.c>
  21. # ModSecurity Core Rules Set configuration
  22. Include modsecurity.d/*.conf
  23. Include modsecurity.d/activated_rules/*.conf
  24. # Default recommended configuration
  25. SecRuleEngine {{ sec_rule_engine }}
  26. SecRequestBodyAccess {{ sec_request_body_access }}
  27. SecRule REQUEST_HEADERS:Content-Type "text/xml" \
  28. "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
  29. SecRequestBodyLimit {{ sec_request_body_limit }}
  30. SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
  31. SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
  32. SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
  33. SecRule REQBODY_ERROR "!@eq 0" \
  34. "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
  35. SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
  36. "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
  37. failed strict validation: \
  38. PE %{REQBODY_PROCESSOR_ERROR}, \
  39. BQ %{MULTIPART_BOUNDARY_QUOTED}, \
  40. BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
  41. DB %{MULTIPART_DATA_BEFORE}, \
  42. DA %{MULTIPART_DATA_AFTER}, \
  43. HF %{MULTIPART_HEADER_FOLDING}, \
  44. LF %{MULTIPART_LF_LINE}, \
  45. SM %{MULTIPART_MISSING_SEMICOLON}, \
  46. IQ %{MULTIPART_INVALID_QUOTING}, \
  47. IP %{MULTIPART_INVALID_PART}, \
  48. IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
  49. FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
  50. SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
  51. "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
  52. SecPcreMatchLimit {{ sec_pcre_match_limit }}
  53. SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
  54. SecRule TX:/^MSC_/ "!@streq 0" \
  55. "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
  56. SecResponseBodyAccess Off
  57. SecDebugLog /var/log/httpd/modsec_debug.log
  58. SecDebugLogLevel {{ sec_debug_log_level }}
  59. SecAuditEngine RelevantOnly
  60. SecAuditLogRelevantStatus "^(?:5|4(?!04))"
  61. SecAuditLogParts ABIJDEFHZ
  62. SecAuditLogType Serial
  63. SecAuditLog /var/log/httpd/modsec_audit.log
  64. SecArgumentSeparator &
  65. SecCookieFormat 0
  66. SecTmpDir /var/lib/mod_security
  67. SecDataDir /var/lib/mod_security
  68. </IfModule>