FreeBSD Bugzilla – Attachment 154035 Details for Bug 197833: [maintainer update] [patch] www/mod_security: update to 2.9.0
Attachment: mod_security.diff (text/plain), 8.90 KB
Description: patch
Creator: Walter Hop
Created: 2015-03-08 20:48:39 UTC
Flags: patch, obsolete
>Index: Makefile >=================================================================== >--- Makefile (revision 380800) >+++ Makefile (working copy) >@@ -1,12 +1,11 @@ > # $FreeBSD$ > > PORTNAME= mod_security >-PORTVERSION= 2.7.7 >-PORTREVISION= 3 >+PORTVERSION= 2.9.0 > CATEGORIES= www security > MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/ > PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX} >-DISTNAME= ${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION} >+DISTNAME= ${PORTNAME:S/_//:S/2//}-${PORTVERSION} > > MAINTAINER= walter@lifeforms.nl > COMMENT= Intrusion detection and prevention engine >@@ -14,14 +13,17 @@ > LICENSE= APACHE20 > > LIB_DEPENDS+= libpcre.so:${PORTSDIR}/devel/pcre \ >- libapr-1.so:${PORTSDIR}/devel/apr1 >+ libapr-1.so:${PORTSDIR}/devel/apr1 \ >+ libyajl.so:${PORTSDIR}/devel/yajl \ >+ libcurl.so:${PORTSDIR}/ftp/curl > > USE_APACHE= 22+ > USE_GNOME= libxml2 > GNU_CONFIGURE= yes >-USES= perl5 >+USES= perl5 shebangfix pkgconfig >+SHEBANG_FILES=tools/rules-updater.pl.in mlogc/mlogc-batch-load.pl.in >+perl_OLD_CMD =@PERL@ > >-AP_GENPLIST= yes > AP_INC= ${LOCALBASE}/include/libxml2 > AP_LIB= ${LOCALBASE}/lib > MODULENAME= mod_security2 
>@@ -30,26 +32,32 @@ > PORTDOCS= * > DOCSDIR= ${PREFIX}/share/doc/${MODULENAME} > >-SUB_FILES+= mod_security2.conf >+SUB_FILES+= pkg-message >+SUB_FILES+= README > SUB_LIST+= APACHEETCDIR="${APACHEETCDIR}" >+SUB_LIST+= APACHEMODDIR="${APACHEMODDIR}" > >-PLIST_FILES= etc/modsecurity.conf-example \ >- ${APACHEMODDIR}/mod_security2.so \ >- bin/rules-updater.pl \ >- lib/mod_security2.so >+PLIST_SUB+= APXS="${APXS}" >+PLIST_SUB+= APACHEMODDIR="${APACHEMODDIR}" > >-OPTIONS_DEFINE= LUA MLOGC >+OPTIONS_DEFINE= LUA MLOGC FUZZYHASH DOCS >+OPTIONS_SUB=yes > > LUA_CONFIGURE_ON= --with-lua=${LOCALBASE} > LUA_CONFIGURE_OFF+= --without-lua >-LUA_USES= lua >+LUA_USES= lua:51 > > MLOGC_DESC= Build ModSecurity Log Collector >-MLOGC_CONFIGURE_ON= --with-curl=${LOCALBASE} --disable-errors >+MLOGC_CONFIGURE_ON= --disable-errors > MLOGC_CONFIGURE_OFF= --disable-mlogc >-MLOGC_LIB_DEPENDS= libcurl.so:${PORTSDIR}/ftp/curl >-MLOGC_PLIST_FILES= bin/mlogc bin/mlogc-batch-load.pl > >+FUZZYHASH_DESC= Allow matching contents using fuzzy hashes with ssdeep >+FUZZYHASH_CONFIGURE_ON= --with-ssdeep=${LOCALBASE} >+FUZZYHASH_CONFIGURE_OFF= --without-ssdeep >+FUZZYHASH_LIB_DEPENDS= libfuzzy.so:${PORTSDIR}/security/ssdeep >+ >+ETCDIR=etc/modsecurity >+ > # ap2x- prefix OPTIONSFILE fix > OPTIONSFILE= ${PORT_DBDIR}/www_mod_security/options > .include <bsd.port.options.mk> >@@ -56,7 +64,7 @@ > > REINPLACE_ARGS= -i "" > AP_EXTRAS+= -DWITH_LIBXML2 >-CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE} >+CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE} > > post-patch: > @${REINPLACE_CMD} -e "s/lua5.1/lua-${LUA_VER}/g" ${WRKSRC}/configure 
>@@ -65,10 +73,14 @@ > @${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR} > > post-install: >+ @${MKDIR} ${STAGEDIR}${PREFIX}/${ETCDIR} > ${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \ >- ${STAGEDIR}${PREFIX}/etc/modsecurity.conf-example >+ ${STAGEDIR}${PREFIX}/${ETCDIR}/modsecurity.conf.sample >+ ${INSTALL_DATA} ${WRKSRC}/unicode.mapping \ >+ ${STAGEDIR}${PREFIX}/${ETCDIR}/unicode.mapping > > @${MKDIR} ${STAGEDIR}${DOCSDIR} > (cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${STAGEDIR}${DOCSDIR}) >+ ${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}/ > > .include <bsd.port.mk> >Index: distinfo >=================================================================== >--- distinfo (revision 380800) >+++ distinfo (working copy) >@@ -1,2 +1,2 @@ >-SHA256 (modsecurity-apache_2.7.7.tar.gz) = 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b >-SIZE (modsecurity-apache_2.7.7.tar.gz) = 1003835 >+SHA256 (modsecurity-2.9.0.tar.gz) = e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434 >+SIZE (modsecurity-2.9.0.tar.gz) = 4246467 >Index: files/README.in >=================================================================== >--- files/README.in (revision 0) >+++ files/README.in (working copy) 
>@@ -0,0 +1,83 @@ >+Configuring ModSecurity on FreeBSD >+---------------------------------- >+ >+To enable ModSecurity in Apache, add the following to your httpd.conf: >+ >+ LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so >+ Include etc/modsecurity/*.conf >+ >+Getting the Core Rule Set >+------------------------- >+ >+ModSecurity requires firewall rule definitions. Most people use the >+OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the >+OWASP CRS repository right now is to use Git. Let's make a directory >+for all our ModSecurity related stuff, and clone the CRS repository >+under it. >+ >+ pkg install git >+ cd /usr/local/etc/modsecurity >+ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs >+ cp owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example \ >+ crs.conf >+ >+To activate the CRS base rules, add the following to your httpd.conf: >+ >+ Include etc/modsecurity/owasp-modsecurity-crs/base_rules/*.conf >+ >+You can also add custom configuration and CRS exceptions here. >+For instance, you might want to disable rules that generate false >+positives. Example: >+ >+ SecRuleRemoveById 960015 >+ >+Starting ModSecurity >+-------------------- >+ >+When the configuration is all set, simply restart Apache and confirm >+that ModSecurity is loaded by checking Apache's log file: >+ >+ apachectl restart >+ tail /var/log/httpd-error.log >+ >+Configuring blocking mode >+------------------------- >+ >+Now that ModSecurity is active, try making a suspicious request to >+your web server, for instance browse to a URL: >+http://www.example.com/?foo=/etc/passwd. The CRS has a rule against >+this type of request. After browsing to the URL, you should now see >+the request logged in /var/log/modsec_audit.log. >+ >+You'll notice that the request succeeds, and the response is sent to >+the browser normally. 
The reason is that ModSecurity runs in >+"DetectionOnly" mode by default, in order to prevent downtime from >+misconfiguration or heavy-handed blocking. You can enable blocking >+mode simply by editing modsecurity.conf and changing the following >+line: >+ >+ SecRuleEngine On >+ >+Again, restart Apache. Now, make the same suspicious request to your >+web server. You should now see a "403 Forbidden" error! >+ >+In practice, it's probably best to keep SecRuleEngine DetectionOnly >+for some time, while your users exercise the web applications. >+Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see >+what is being blocked. If there are any false positives, you need to >+mitigate this by writing custom exceptions. >+ >+Maintenance >+----------- >+ >+An essential resource for working with ModSecurity is the ModSecurity >+Handbook by Ivan Ristic. ModSecurity exposes quite some internals, and >+it's good to scan this book before you start writing custom rules and >+exceptions. >+ >+You probably want to keep the CRS updated from time to time. You can >+do this with Git: >+ >+ cd /usr/local/etc/modsecurity/owasp-modsecurity-crs >+ git pull >+ apachectl restart > >Property changes on: files/README.in >___________________________________________________________________ >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: files/pkg-message.in >=================================================================== >--- files/pkg-message.in (revision 0) >+++ files/pkg-message.in (working copy) 
>@@ -0,0 +1,9 @@ >+ >+You have installed ModSecurity. >+To enable ModSecurity in Apache, add the following to your httpd.conf: >+ >+ LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so >+ Include etc/modsecurity/*.conf >+ >+Most users will use the signatures from the OWASP Core Rule Set (CRS). >+For configuration instructions, see %%DOCSDIR%%/README. > >Property changes on: files/pkg-message.in >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property >Index: pkg-plist >=================================================================== >--- pkg-plist (revision 0) >+++ pkg-plist (working copy) >@@ -0,0 +1,10 @@ >+bin/rules-updater.pl >+lib/mod_security2.so >+%%APACHEMODDIR%%/mod_security2.so >+@exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so >+@unexec if cmp -s %D/etc/modsecurity/modsecurity.conf.sample %D/etc/modsecurity/modsecurity.conf; then rm -f %D/etc/modsecurity/modsecurity.conf; fi >+%%ETCDIR%%/modsecurity.conf.sample >+@exec if [ ! -f %D/etc/modsecurity/modsecurity.conf ] ; then cp -p %D/%F %B/modsecurity.conf; fi >+%%ETCDIR%%/unicode.mapping >+%%MLOGC%%bin/mlogc >+%%MLOGC%%bin/mlogc-batch-load.pl > >Property changes on: pkg-plist >___________________________________________________________________ >Added: fbsd:nokeywords >## -0,0 +1 ## >+yes >\ No newline at end of property >Added: svn:eol-style >## -0,0 +1 ## >+native >\ No newline at end of property >Added: svn:mime-type >## -0,0 +1 ## >+text/plain >\ No newline at end of property
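Review bot: in the second Makefile hunk (`@@ -14,14 +13,17 @@`), libcurl moves from an MLOGC-only dependency into the unconditional `LIB_DEPENDS` list (and `--with-curl` likewise becomes unconditional in `CONFIGURE_ARGS` in the `@@ -56,7 +64,7 @@` hunk) without a comment recording why the core module now needs it; a one-line comment beside the `libcurl.so` entry would stop the next maintainer from moving it back under MLOGC. Style: `SHEBANG_FILES=tools/...` and `perl_OLD_CMD =@PERL@` break the `VAR=<tab>value` alignment used by the surrounding lines.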
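Review bot: `ETCDIR=etc/modsecurity` in the third Makefile hunk (`@@ -30,26 +32,32 @@`) overrides a framework variable that bsd.port.mk otherwise defines as an absolute path (`${PREFIX}/etc/${PORTNAME}`) and already exports to PLIST_SUB with the `${PREFIX}/` prefix stripped. A relative value works here only because post-install writes `${STAGEDIR}${PREFIX}/${ETCDIR}`; anything else in the framework that treats `${ETCDIR}` as absolute will break. Suggest `ETCDIR= ${PREFIX}/etc/modsecurity` (the default would be `etc/mod_security`, so an explicit value is still needed) with `${STAGEDIR}${ETCDIR}` in post-install. Minor: `OPTIONS_SUB=yes` lacks the spacing of its neighbours.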
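Review bot: in the post-install hunk (`@@ -65,10 +73,14 @@`), `${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}/` runs unconditionally although this patch makes DOCS an option and the port relies on `PORTDOCS= *`; under the options framework that line belongs in a `post-install-DOCS-on:` target (the existing `COPYTREE_SHARE "doc"` line has the same issue but is only context here). `unicode.mapping` is installed as a live file rather than a `.sample`, which is reasonable for a data file but means local edits are overwritten on upgrade; a short comment saying that is intended would help.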
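Review bot: for the distinfo hunk, the new SHA256 is the only integrity check on the tarball, since `MASTER_SITES` (first Makefile hunk) is plain `http://`; please confirm the value against the checksum upstream publishes for modsecurity-2.9.0.tar.gz rather than against a locally fetched copy, and note that in the commit message.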
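Review bot: in files/README.in, the suggested `Include etc/modsecurity/*.conf` together with `cp ... crs.conf` into the same directory means Apache processes the wildcard alphabetically, so `crs.conf` loads before `modsecurity.conf`; if the engine settings are expected to come first (the usual modsecurity.conf-then-CRS order), name the copied file so it sorts after `modsecurity.conf` or list the two Includes explicitly. Wording: in DetectionOnly mode nothing is blocked, so "to see what is being blocked" should read "what would be blocked".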
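Review bot: files/pkg-message.in points users at `%%DOCSDIR%%/README`, but with `PORTDOCS= *` and DOCS now an option (third Makefile hunk) that file is absent from packages built with DOCS off; either install the README outside DOCSDIR or say in the message that the path exists only when the DOCS option is enabled.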
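Review bot: in pkg-plist, `@exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so` edits the site's httpd.conf on every install and upgrade, silently and with no matching `@unexec`; enabling a module in the administrator's Apache configuration from a plist is a side effect that should at least be announced in pkg-message, and preferably left to the administrator (a `LoadModule unique_id_module ...` line in the README next to the security2 one). The `@exec cp` / `@unexec cmp` pair around `modsecurity.conf.sample` is the hand-written form of `@sample %%ETCDIR%%/modsecurity.conf.sample`; use the keyword if the target pkg version supports it.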