Beta Branch ModSecurity's OWASP Core Rule Set 3.2.0 in 123.09beta01

ModSecurity's OWASP Core Rule Set 3.2.0 in 123.09beta01

- update optional Nginx modsecurity OWASP core rule set from 3.1.1 to 3.2.0 https://github.com/SpiderLabs/owasp-modsecurity-crs/releases when NGINX_MODSECURITY='y' is set in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 nginx recompiles. By default, NGINX_MODSECURITY='n' is the default so not enabled by default
- add support for devtoolset-9 GCC 9 when detected as available

---

Continue reading...

123.09beta01 branch

• Branch: https://github.com/centminmod/centminmod/tree/123.09beta01
• Commit History: https://github.com/centminmod/centminmod/commits/123.09beta01

 

when NGINX_MODSECURITY='y' and NGINX_MODSECURITY_MAXMIND='y' is set in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 nginx recompiles

Code (Text):

ModSecurity -  for Linux
 
 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....c8cf2c5
 
 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (MaxMind) v1.3.2
         -lmaxminddb  , -DWITH_MAXMIND -I/usr/local/include
      * (GeoIP) v1.6.12
         -lGeoIP  , -I/usr/include/
   + LibCURL                                       ....found v7.68.0
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.0.4
      -lyajl  , -DWITH_YAJL
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.10
      -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
      -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v501
      -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
 
 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled
 

contents of /usr/local/nginx/conf/dynamic-modules.conf with dynamic Modsecurity module loading for modules/ngx_http_modsecurity_module.so

Code (Text):

# place custom load_module lines in this dynamic-modules-includes.conf
# file so that they persistent i.e. for manually dropped in dynamic modules
include /usr/local/nginx/conf/dynamic-modules-includes.conf;
load_module "modules/ngx_http_image_filter_module.so";
load_module "modules/ngx_http_headers_more_filter_module.so";
load_module "modules/ndk_http_module.so";
load_module "modules/ngx_http_set_misc_module.so";
load_module "modules/ngx_http_echo_module.so";
load_module "modules/ngx_http_lua_module.so";
load_module "modules/ngx_http_fancyindex_module.so";
load_module "modules/ngx_http_brotli_filter_module.so";
load_module "modules/ngx_http_brotli_static_module.so";
load_module "modules/ngx_http_geoip2_module.so";
load_module "modules/ngx_http_modsecurity_module.so";

contents of /usr/local/nginx/modsec/main.conf

Code (Text):

# Edit to set SecRuleEngine On
Include "/usr/local/nginx/modsec/modsecurity.conf"

# OWASP CRS v3 rules
Include "/usr/local/nginx/owasp-modsecurity-crs-3.2.0/crs-setup.conf"
Include "/usr/local/nginx/owasp-modsecurity-crs-3.2.0/rules/*.conf"

# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"

added to /usr/local/nginx/conf/conf.d/virtual.conf

Code (Text):

    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/modsec/main.conf;

contents of directory for OWASP Modsecurity core rule set /usr/local/nginx/owasp-modsecurity-crs-3.2.0/

Code (Text):

ls -lah /usr/local/nginx/owasp-modsecurity-crs-3.2.0/
total 216K
drwxrwxr-x   6 root root 4.0K Mar  3 22:02 .
drwxr-xr-x. 16 root root 4.0K Mar  3 22:02 ..
-rw-rw-r--   1 root root  62K Sep 24 08:54 CHANGES
-rw-rw-r--   1 root root 7.7K Sep 24 08:54 CONTRIBUTING.md
-rw-rw-r--   1 root root 2.8K Sep 24 08:54 CONTRIBUTORS.md
-rw-r--r--   1 root root  31K Mar  3 22:02 crs-setup.conf
-rw-rw-r--   1 root root  31K Sep 24 08:54 crs-setup.conf.example
drwxrwxr-x   3 root root 4.0K Sep 24 08:54 documentation
drwxrwxr-x   2 root root 4.0K Sep 24 08:54 .github
-rw-rw-r--   1 root root  374 Sep 24 08:54 .gitignore
-rw-rw-r--   1 root root  176 Sep 24 08:54 .gitmodules
-rw-rw-r--   1 root root  17K Sep 24 08:54 INSTALL
-rw-rw-r--   1 root root 2.8K Sep 24 08:54 KNOWN_BUGS
-rw-rw-r--   1 root root  12K Sep 24 08:54 LICENSE
-rw-rw-r--   1 root root 2.3K Sep 24 08:54 README.md
drwxrwxr-x   2 root root 4.0K Sep 24 08:54 rules
-rw-rw-r--   1 root root 2.1K Sep 24 08:54 .travis.yml
drwxrwxr-x  13 root root 4.0K Sep 24 08:54 util

looks like there's an error and failed compilation with NGINX_MODSECURITY_MAXMIND='y' set

Code (Text):

Making install in src
make[1]: Entering directory `/svr-setup/ModSecurity/src'
make[2]: Entering directory `/svr-setup/ModSecurity/src'
/bin/sh ../libtool  --tag=CXX   --mode=compile ccache g++ -DHAVE_CONFIG_H -I.  -std=c++11 -I.. -g -I../others -fPIC -O3 -I../headers -DWITH_GEOIP -I/usr/include/      -DWITH_YAJL    -I/usr/local/include -DPCRE_HAVE_JIT -DWITH_SSDEEP -I/usr/include -DWITH_MAXMIND -I/usr/local/include   -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include -I/usr/include/libxml2 -DWITH_LIBXML2   -g -O2 -MT utils/libmodsecurity_la-geo_lookup.lo -MD -MP -MF utils/.deps/libmodsecurity_la-geo_lookup.Tpo -c -o utils/libmodsecurity_la-geo_lookup.lo `test -f 'utils/geo_lookup.cc' || echo './'`utils/geo_lookup.cc
libtool: compile:  ccache g++ -DHAVE_CONFIG_H -I. -std=c++11 -I.. -g -I../others -fPIC -O3 -I../headers -DWITH_GEOIP -I/usr/include/ -DWITH_YAJL -I/usr/local/include -DPCRE_HAVE_JIT -DWITH_SSDEEP -I/usr/include -DWITH_MAXMIND -I/usr/local/include -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include -I/usr/include/libxml2 -DWITH_LIBXML2 -g -O2 -MT utils/libmodsecurity_la-geo_lookup.lo -MD -MP -MF utils/.deps/libmodsecurity_la-geo_lookup.Tpo -c utils/geo_lookup.cc  -fPIC -DPIC -o utils/.libs/libmodsecurity_la-geo_lookup.o
utils/geo_lookup.cc: In member function ‘bool modsecurity::Utils::GeoLookup::lookup(const string&, modsecurity::Transaction*, std::function<bool(int, const std::basic_string<char>&)>) const’:
utils/geo_lookup.cc:124:32: error: invalid conversion from ‘const MMDB_s*’ to ‘MMDB_s*’ [-fpermissive]
  124 |         r = MMDB_lookup_string(&mmdb, target.c_str(), &gai_error, &mmdb_error);
      |                                ^~~~~
      |                                |
      |                                const MMDB_s*
In file included from ../src/utils/geo_lookup.h:22,
                 from utils/geo_lookup.cc:25:
/usr/local/include/maxminddb.h:203:62: note:   initializing argument 1 of ‘MMDB_lookup_result_s MMDB_lookup_string(MMDB_s*, const char*, int*, int*)’
  203 | extern MMDB_lookup_result_s MMDB_lookup_string(MMDB_s *const mmdb,
      |                                                ~~~~~~~~~~~~~~^~~~
make[2]: *** [utils/libmodsecurity_la-geo_lookup.lo] Error 1
make[2]: Leaving directory `/svr-setup/ModSecurity/src'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/svr-setup/ModSecurity/src'
make: *** [install-recursive] Error 1
/svr-setup/nginx-1.17.9

modsecurity bug report seems to exist for this Fails to compile with MaxMind DB · Issue #2259 · SpiderLabs/ModSecurity

I have libmaxmind version 1.3.2 installed from Nginx GeoIP 2 Lite module

Code (Text):

/usr/local/bin/mmdblookup --version
  mmdblookup version 1.3.2

while latest version of libmaxmind = 1.4.2 maxmind/libmaxminddb

when NGINX_MODSECURITY_MAXMIND='n' set then libmodsecurity compiles fine

Code (Text):

Making install in src
make[1]: Entering directory `/svr-setup/ModSecurity/src'
make[2]: Entering directory `/svr-setup/ModSecurity/src'
make[3]: Entering directory `/svr-setup/ModSecurity/src'
 /bin/mkdir -p '/usr/local/modsecurity/lib'
 /bin/sh ../libtool   --mode=install /bin/install -c   libmodsecurity.la '/usr/local/modsecurity/lib'
libtool: install: /bin/install -c .libs/libmodsecurity.so.3.0.4 /usr/local/modsecurity/lib/libmodsecurity.so.3.0.4
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so.3 || { rm -f libmodsecurity.so.3 && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so.3; }; })
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so || { rm -f libmodsecurity.so && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so; }; })
libtool: install: /bin/install -c .libs/libmodsecurity.lai /usr/local/modsecurity/lib/libmodsecurity.la
libtool: install: /bin/install -c .libs/libmodsecurity.a /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: chmod 644 /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: ranlib /usr/local/modsecurity/lib/libmodsecurity.a
libtool: finish: PATH="/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-8/root/usr/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/sbin" ldconfig -n /usr/local/modsecurity/lib
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/modsecurity/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
 /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/actions/'
 /bin/install -c -m 644 ../headers/modsecurity/actions/action.h '/usr/local/modsecurity/include/modsecurity/actions/'
 /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/collection/'
 /bin/install -c -m 644 ../headers/modsecurity/collection/collection.h ../headers/modsecurity/collection/collections.h '/usr/local/modsecurity/include/modsecurity/collection/'
 /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
 /bin/install -c -m 644 ../headers/modsecurity/anchored_set_variable.h ../headers/modsecurity/anchored_variable.h ../headers/modsecurity/audit_log.h ../headers/modsecurity/debug_log.h ../headers/modsecurity/intervention.h ../headers/modsecurity/modsecurity.h ../headers/modsecurity/rule.h ../headers/modsecurity/rule_message.h ../headers/modsecurity/rules.h ../headers/modsecurity/rules_set.h ../headers/modsecurity/rules_set_properties.h ../headers/modsecurity/rules_exceptions.h ../headers/modsecurity/transaction.h ../headers/modsecurity/variable_origin.h ../headers/modsecurity/variable_value.h '/usr/local/modsecurity/include/modsecurity'
make[3]: Leaving directory `/svr-setup/ModSecurity/src'
make[2]: Leaving directory `/svr-setup/ModSecurity/src'
make[1]: Leaving directory `/svr-setup/ModSecurity/src'

Code (Text):

ModSecurity -  for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....c8cf2c5

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (GeoIP) v1.6.12
         -lGeoIP  , -I/usr/include/
   + LibCURL                                       ....found v7.68.0
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.0.4
      -lyajl  , -DWITH_YAJL
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.10
      -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
      -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v501
      -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

edit: update routine so libmaxmindb 1.4.2 is installed and with NGINX_MODSECURITY_MAXMIND='y' is set in persistent config file /etc/centminmod/custom_config.inc it works

Code (Text):

/usr/local/bin/mmdblookup --version 
  mmdblookup version 1.4.2

Code (Text):

Making install in src
make[1]: Entering directory `/svr-setup/ModSecurity/src'
make[2]: Entering directory `/svr-setup/ModSecurity/src'
make[3]: Entering directory `/svr-setup/ModSecurity/src'
 /bin/mkdir -p '/usr/local/modsecurity/lib'
 /bin/sh ../libtool   --mode=install /bin/install -c   libmodsecurity.la '/usr/local/modsecurity/lib'
libtool: install: /bin/install -c .libs/libmodsecurity.so.3.0.4 /usr/local/modsecurity/lib/libmodsecurity.so.3.0.4
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so.3 || { rm -f libmodsecurity.so.3 && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so.3; }; })
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so || { rm -f libmodsecurity.so && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so; }; })
libtool: install: /bin/install -c .libs/libmodsecurity.lai /usr/local/modsecurity/lib/libmodsecurity.la
libtool: install: /bin/install -c .libs/libmodsecurity.a /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: chmod 644 /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: ranlib /usr/local/modsecurity/lib/libmodsecurity.a
libtool: finish: PATH="/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-8/root/usr/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/sbin" ldconfig -n /usr/local/modsecurity/lib
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/modsecurity/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
 /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/actions/'
 /bin/install -c -m 644 ../headers/modsecurity/actions/action.h '/usr/local/modsecurity/include/modsecurity/actions/'
 /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/collection/'
 /bin/install -c -m 644 ../headers/modsecurity/collection/collection.h ../headers/modsecurity/collection/collections.h '/usr/local/modsecurity/include/modsecurity/collection/'
 /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
 /bin/install -c -m 644 ../headers/modsecurity/anchored_set_variable.h ../headers/modsecurity/anchored_variable.h ../headers/modsecurity/audit_log.h ../headers/modsecurity/debug_log.h ../headers/modsecurity/intervention.h ../headers/modsecurity/modsecurity.h ../headers/modsecurity/rule.h ../headers/modsecurity/rule_message.h ../headers/modsecurity/rules.h ../headers/modsecurity/rules_set.h ../headers/modsecurity/rules_set_properties.h ../headers/modsecurity/rules_exceptions.h ../headers/modsecurity/transaction.h ../headers/modsecurity/variable_origin.h ../headers/modsecurity/variable_value.h '/usr/local/modsecurity/include/modsecurity'
make[3]: Leaving directory `/svr-setup/ModSecurity/src'
make[2]: Leaving directory `/svr-setup/ModSecurity/src'
make[1]: Leaving directory `/svr-setup/ModSecurity/src'

Code (Text):

ModSecurity -  for Linux
 
 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....c8cf2c5
 
 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (MaxMind) v1.4.2
         -lmaxminddb  , -DWITH_MAXMIND -I/usr/local/include
      * (GeoIP) v1.6.12
         -lGeoIP  , -I/usr/include/
   + LibCURL                                       ....found v7.68.0
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.0.4
      -lyajl  , -DWITH_YAJL
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.10
      -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
      -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v501
      -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
 
 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

updated with fix for NGINX_MODSECURITY_MAXMIND='y' Beta Branch - re-enable NGINX_MODSECURITY_MAXMIND='y' in 123.09beta01