
Beta Branch ModSecurity's OWASP Core Rule Set 3.2.0 in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, Mar 4, 2020.

  1. eva2000

    eva2000 Administrator Staff Member

    ModSecurity's OWASP Core Rule Set 3.2.0 in 123.09beta01

    - update optional Nginx ModSecurity OWASP core rule set from 3.1.1 to 3.2.0 (https://github.com/SpiderLabs/owasp-modsecurity-crs/releases) when NGINX_MODSECURITY='y' is set in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 Nginx recompiles. By default NGINX_MODSECURITY='n', so it is not enabled.
    - add support for devtoolset-9 GCC 9 when detected as available


    123.09beta01 branch
     
  2. eva2000

    eva2000 Administrator Staff Member

    When NGINX_MODSECURITY='y' and NGINX_MODSECURITY_MAXMIND='y' are set in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 Nginx recompiles:
    Code (Text):
    ModSecurity -  for Linux
     
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....c8cf2c5
     
     Optional dependencies
       + GeoIP/MaxMind                                 ....found
          * (MaxMind) v1.3.2
             -lmaxminddb  , -DWITH_MAXMIND -I/usr/local/include
          * (GeoIP) v1.6.12
             -lGeoIP  , -I/usr/include/
       + LibCURL                                       ....found v7.68.0
          -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
       + YAJL                                          ....found v2.0.4
          -lyajl  , -DWITH_YAJL
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.10
          -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found
          -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
          -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
     
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled
     

    Contents of /usr/local/nginx/conf/dynamic-modules.conf, with dynamic ModSecurity module loading for modules/ngx_http_modsecurity_module.so:
    Code (Text):
    # place custom load_module lines in this dynamic-modules-includes.conf
    # file so that they persistent i.e. for manually dropped in dynamic modules
    include /usr/local/nginx/conf/dynamic-modules-includes.conf;
    load_module "modules/ngx_http_image_filter_module.so";
    load_module "modules/ngx_http_headers_more_filter_module.so";
    load_module "modules/ndk_http_module.so";
    load_module "modules/ngx_http_set_misc_module.so";
    load_module "modules/ngx_http_echo_module.so";
    load_module "modules/ngx_http_lua_module.so";
    load_module "modules/ngx_http_fancyindex_module.so";
    load_module "modules/ngx_http_brotli_filter_module.so";
    load_module "modules/ngx_http_brotli_static_module.so";
    load_module "modules/ngx_http_geoip2_module.so";
    load_module "modules/ngx_http_modsecurity_module.so";
    

    contents of /usr/local/nginx/modsec/main.conf

    Code (Text):
    # Edit to set SecRuleEngine On
    Include "/usr/local/nginx/modsec/modsecurity.conf"
    
    # OWASP CRS v3 rules
    Include "/usr/local/nginx/owasp-modsecurity-crs-3.2.0/crs-setup.conf"
    Include "/usr/local/nginx/owasp-modsecurity-crs-3.2.0/rules/*.conf"
    
    # Basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
    

    added to /usr/local/nginx/conf/conf.d/virtual.conf
    Code (Text):
        modsecurity on;
        modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
    

    Contents of the directory for the OWASP ModSecurity core rule set, /usr/local/nginx/owasp-modsecurity-crs-3.2.0/:
    Code (Text):
    ls -lah /usr/local/nginx/owasp-modsecurity-crs-3.2.0/
    total 216K
    drwxrwxr-x   6 root root 4.0K Mar  3 22:02 .
    drwxr-xr-x. 16 root root 4.0K Mar  3 22:02 ..
    -rw-rw-r--   1 root root  62K Sep 24 08:54 CHANGES
    -rw-rw-r--   1 root root 7.7K Sep 24 08:54 CONTRIBUTING.md
    -rw-rw-r--   1 root root 2.8K Sep 24 08:54 CONTRIBUTORS.md
    -rw-r--r--   1 root root  31K Mar  3 22:02 crs-setup.conf
    -rw-rw-r--   1 root root  31K Sep 24 08:54 crs-setup.conf.example
    drwxrwxr-x   3 root root 4.0K Sep 24 08:54 documentation
    drwxrwxr-x   2 root root 4.0K Sep 24 08:54 .github
    -rw-rw-r--   1 root root  374 Sep 24 08:54 .gitignore
    -rw-rw-r--   1 root root  176 Sep 24 08:54 .gitmodules
    -rw-rw-r--   1 root root  17K Sep 24 08:54 INSTALL
    -rw-rw-r--   1 root root 2.8K Sep 24 08:54 KNOWN_BUGS
    -rw-rw-r--   1 root root  12K Sep 24 08:54 LICENSE
    -rw-rw-r--   1 root root 2.3K Sep 24 08:54 README.md
    drwxrwxr-x   2 root root 4.0K Sep 24 08:54 rules
    -rw-rw-r--   1 root root 2.1K Sep 24 08:54 .travis.yml
    drwxrwxr-x  13 root root 4.0K Sep 24 08:54 util
    

    Looks like there's an error and failed compilation with NGINX_MODSECURITY_MAXMIND='y' set:
    Code (Text):
    Making install in src
    make[1]: Entering directory `/svr-setup/ModSecurity/src'
    make[2]: Entering directory `/svr-setup/ModSecurity/src'
    /bin/sh ../libtool  --tag=CXX   --mode=compile ccache g++ -DHAVE_CONFIG_H -I.  -std=c++11 -I.. -g -I../others -fPIC -O3 -I../headers -DWITH_GEOIP -I/usr/include/      -DWITH_YAJL    -I/usr/local/include -DPCRE_HAVE_JIT -DWITH_SSDEEP -I/usr/include -DWITH_MAXMIND -I/usr/local/include   -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include -I/usr/include/libxml2 -DWITH_LIBXML2   -g -O2 -MT utils/libmodsecurity_la-geo_lookup.lo -MD -MP -MF utils/.deps/libmodsecurity_la-geo_lookup.Tpo -c -o utils/libmodsecurity_la-geo_lookup.lo `test -f 'utils/geo_lookup.cc' || echo './'`utils/geo_lookup.cc
    libtool: compile:  ccache g++ -DHAVE_CONFIG_H -I. -std=c++11 -I.. -g -I../others -fPIC -O3 -I../headers -DWITH_GEOIP -I/usr/include/ -DWITH_YAJL -I/usr/local/include -DPCRE_HAVE_JIT -DWITH_SSDEEP -I/usr/include -DWITH_MAXMIND -I/usr/local/include -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include -I/usr/include/libxml2 -DWITH_LIBXML2 -g -O2 -MT utils/libmodsecurity_la-geo_lookup.lo -MD -MP -MF utils/.deps/libmodsecurity_la-geo_lookup.Tpo -c utils/geo_lookup.cc  -fPIC -DPIC -o utils/.libs/libmodsecurity_la-geo_lookup.o
    utils/geo_lookup.cc: In member function ‘bool modsecurity::Utils::GeoLookup::lookup(const string&, modsecurity::Transaction*, std::function<bool(int, const std::basic_string<char>&)>) const’:
    utils/geo_lookup.cc:124:32: error: invalid conversion from ‘const MMDB_s*’ to ‘MMDB_s*’ [-fpermissive]
      124 |         r = MMDB_lookup_string(&mmdb, target.c_str(), &gai_error, &mmdb_error);
          |                                ^~~~~
          |                                |
          |                                const MMDB_s*
    In file included from ../src/utils/geo_lookup.h:22,
                     from utils/geo_lookup.cc:25:
    /usr/local/include/maxminddb.h:203:62: note:   initializing argument 1 of ‘MMDB_lookup_result_s MMDB_lookup_string(MMDB_s*, const char*, int*, int*)’
      203 | extern MMDB_lookup_result_s MMDB_lookup_string(MMDB_s *const mmdb,
          |                                                ~~~~~~~~~~~~~~^~~~
    make[2]: *** [utils/libmodsecurity_la-geo_lookup.lo] Error 1
    make[2]: Leaving directory `/svr-setup/ModSecurity/src'
    make[1]: *** [install-recursive] Error 1
    make[1]: Leaving directory `/svr-setup/ModSecurity/src'
    make: *** [install-recursive] Error 1
    /svr-setup/nginx-1.17.9

    A ModSecurity bug report seems to exist for this: "Fails to compile with MaxMind DB · Issue #2259 · SpiderLabs/ModSecurity".

    I have libmaxmind version 1.3.2 installed from Nginx GeoIP 2 Lite module:
    Code (Text):
    /usr/local/bin/mmdblookup --version
      mmdblookup version 1.3.2
    

    while the latest version of libmaxmind is 1.4.2 (maxmind/libmaxminddb).

    When NGINX_MODSECURITY_MAXMIND='n' is set, libmodsecurity compiles fine:
    Code (Text):
    Making install in src
    make[1]: Entering directory `/svr-setup/ModSecurity/src'
    make[2]: Entering directory `/svr-setup/ModSecurity/src'
    make[3]: Entering directory `/svr-setup/ModSecurity/src'
     /bin/mkdir -p '/usr/local/modsecurity/lib'
     /bin/sh ../libtool   --mode=install /bin/install -c   libmodsecurity.la '/usr/local/modsecurity/lib'
    libtool: install: /bin/install -c .libs/libmodsecurity.so.3.0.4 /usr/local/modsecurity/lib/libmodsecurity.so.3.0.4
    libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so.3 || { rm -f libmodsecurity.so.3 && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so.3; }; })
    libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so || { rm -f libmodsecurity.so && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so; }; })
    libtool: install: /bin/install -c .libs/libmodsecurity.lai /usr/local/modsecurity/lib/libmodsecurity.la
    libtool: install: /bin/install -c .libs/libmodsecurity.a /usr/local/modsecurity/lib/libmodsecurity.a
    libtool: install: chmod 644 /usr/local/modsecurity/lib/libmodsecurity.a
    libtool: install: ranlib /usr/local/modsecurity/lib/libmodsecurity.a
    libtool: finish: PATH="/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-8/root/usr/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/sbin" ldconfig -n /usr/local/modsecurity/lib
    ----------------------------------------------------------------------
    Libraries have been installed in:
       /usr/local/modsecurity/lib
    
    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR'
    flag during linking and do at least one of the following:
       - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
         during execution
       - add LIBDIR to the `LD_RUN_PATH' environment variable
         during linking
       - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
       - have your system administrator add LIBDIR to `/etc/ld.so.conf'
    
    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and ld.so(8) manual pages.
    ----------------------------------------------------------------------
     /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/actions/'
     /bin/install -c -m 644 ../headers/modsecurity/actions/action.h '/usr/local/modsecurity/include/modsecurity/actions/'
     /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/collection/'
     /bin/install -c -m 644 ../headers/modsecurity/collection/collection.h ../headers/modsecurity/collection/collections.h '/usr/local/modsecurity/include/modsecurity/collection/'
     /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
     /bin/install -c -m 644 ../headers/modsecurity/anchored_set_variable.h ../headers/modsecurity/anchored_variable.h ../headers/modsecurity/audit_log.h ../headers/modsecurity/debug_log.h ../headers/modsecurity/intervention.h ../headers/modsecurity/modsecurity.h ../headers/modsecurity/rule.h ../headers/modsecurity/rule_message.h ../headers/modsecurity/rules.h ../headers/modsecurity/rules_set.h ../headers/modsecurity/rules_set_properties.h ../headers/modsecurity/rules_exceptions.h ../headers/modsecurity/transaction.h ../headers/modsecurity/variable_origin.h ../headers/modsecurity/variable_value.h '/usr/local/modsecurity/include/modsecurity'
    make[3]: Leaving directory `/svr-setup/ModSecurity/src'
    make[2]: Leaving directory `/svr-setup/ModSecurity/src'
    make[1]: Leaving directory `/svr-setup/ModSecurity/src'


    Code (Text):
    ModSecurity -  for Linux
    
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....c8cf2c5
    
     Optional dependencies
       + GeoIP/MaxMind                                 ....found
          * (GeoIP) v1.6.12
             -lGeoIP  , -I/usr/include/
       + LibCURL                                       ....found v7.68.0
          -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
       + YAJL                                          ....found v2.0.4
          -lyajl  , -DWITH_YAJL
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.10
          -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found
          -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
          -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
    
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled
    


    edit: update routine so libmaxminddb 1.4.2 is installed, and with NGINX_MODSECURITY_MAXMIND='y' set in persistent config file /etc/centminmod/custom_config.inc it works
    Code (Text):
    /usr/local/bin/mmdblookup --version 
      mmdblookup version 1.4.2
    

    Code (Text):
    Making install in src
    make[1]: Entering directory `/svr-setup/ModSecurity/src'
    make[2]: Entering directory `/svr-setup/ModSecurity/src'
    make[3]: Entering directory `/svr-setup/ModSecurity/src'
     /bin/mkdir -p '/usr/local/modsecurity/lib'
     /bin/sh ../libtool   --mode=install /bin/install -c   libmodsecurity.la '/usr/local/modsecurity/lib'
    libtool: install: /bin/install -c .libs/libmodsecurity.so.3.0.4 /usr/local/modsecurity/lib/libmodsecurity.so.3.0.4
    libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so.3 || { rm -f libmodsecurity.so.3 && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so.3; }; })
    libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.4 libmodsecurity.so || { rm -f libmodsecurity.so && ln -s libmodsecurity.so.3.0.4 libmodsecurity.so; }; })
    libtool: install: /bin/install -c .libs/libmodsecurity.lai /usr/local/modsecurity/lib/libmodsecurity.la
    libtool: install: /bin/install -c .libs/libmodsecurity.a /usr/local/modsecurity/lib/libmodsecurity.a
    libtool: install: chmod 644 /usr/local/modsecurity/lib/libmodsecurity.a
    libtool: install: ranlib /usr/local/modsecurity/lib/libmodsecurity.a
    libtool: finish: PATH="/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-9/root/usr/bin:/opt/rh/devtoolset-8/root/usr/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/sbin" ldconfig -n /usr/local/modsecurity/lib
    ----------------------------------------------------------------------
    Libraries have been installed in:
       /usr/local/modsecurity/lib
    
    If you ever happen to want to link against installed libraries
    in a given directory, LIBDIR, you must either use libtool, and
    specify the full pathname of the library, or use the `-LLIBDIR'
    flag during linking and do at least one of the following:
       - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
         during execution
       - add LIBDIR to the `LD_RUN_PATH' environment variable
         during linking
       - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
       - have your system administrator add LIBDIR to `/etc/ld.so.conf'
    
    See any operating system documentation about shared libraries for
    more information, such as the ld(1) and ld.so(8) manual pages.
    ----------------------------------------------------------------------
     /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/actions/'
     /bin/install -c -m 644 ../headers/modsecurity/actions/action.h '/usr/local/modsecurity/include/modsecurity/actions/'
     /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/collection/'
     /bin/install -c -m 644 ../headers/modsecurity/collection/collection.h ../headers/modsecurity/collection/collections.h '/usr/local/modsecurity/include/modsecurity/collection/'
     /bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
     /bin/install -c -m 644 ../headers/modsecurity/anchored_set_variable.h ../headers/modsecurity/anchored_variable.h ../headers/modsecurity/audit_log.h ../headers/modsecurity/debug_log.h ../headers/modsecurity/intervention.h ../headers/modsecurity/modsecurity.h ../headers/modsecurity/rule.h ../headers/modsecurity/rule_message.h ../headers/modsecurity/rules.h ../headers/modsecurity/rules_set.h ../headers/modsecurity/rules_set_properties.h ../headers/modsecurity/rules_exceptions.h ../headers/modsecurity/transaction.h ../headers/modsecurity/variable_origin.h ../headers/modsecurity/variable_value.h '/usr/local/modsecurity/include/modsecurity'
    make[3]: Leaving directory `/svr-setup/ModSecurity/src'
    make[2]: Leaving directory `/svr-setup/ModSecurity/src'
    make[1]: Leaving directory `/svr-setup/ModSecurity/src'

    Code (Text):
    ModSecurity -  for Linux
     
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....c8cf2c5
     
     Optional dependencies
       + GeoIP/MaxMind                                 ....found
          * (MaxMind) v1.4.2
             -lmaxminddb  , -DWITH_MAXMIND -I/usr/local/include
          * (GeoIP) v1.6.12
             -lGeoIP  , -I/usr/include/
       + LibCURL                                       ....found v7.68.0
          -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
       + YAJL                                          ....found v2.0.4
          -lyajl  , -DWITH_YAJL
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.10
          -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found
          -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
          -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
     
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled


    Updated with fix for NGINX_MODSECURITY_MAXMIND='y': "Beta Branch - re-enable NGINX_MODSECURITY_MAXMIND='y' in 123.09beta01"
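
The thread shows libmodsecurity failing to compile against libmaxminddb 1.3.2 and compiling against 1.4.2. The following preflight check is an added example, not part of the original posts and not Centmin Mod code: it parses `mmdblookup --version` output and reports whether NGINX_MODSECURITY_MAXMIND should be 'y' or 'n'. The function names and the use of 1.4.2 as the minimum version are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not Centmin Mod code. Decides whether NGINX_MODSECURITY_MAXMIND
# can be set to 'y' from the text printed by `mmdblookup --version`.

# Assumption: 1.4.2 is taken as the minimum only because it is the version the
# thread shows compiling; 1.3.2 is the version the thread shows failing.
MIN_MAXMINDDB="1.4.2"

# Extract the dotted version from text such as "  mmdblookup version 1.3.2".
parse_mmdb_version() {
  printf '%s\n' "$1" |
    sed -n 's/.*mmdblookup version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 >= $2. Fields are compared as integers, so
# 1.10.0 ranks above 1.4.2 (a plain string comparison would get that wrong).
version_ge() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _fa=${_a%%.*}; _fb=${_b%%.*}
    if [ "$_a" = "$_fa" ]; then _a=""; else _a=${_a#*.}; fi
    if [ "$_b" = "$_fb" ]; then _b=""; else _b=${_b#*.}; fi
    _fa=${_fa:-0}; _fb=${_fb:-0}
    if [ "$_fa" -gt "$_fb" ]; then return 0; fi
    if [ "$_fa" -lt "$_fb" ]; then return 1; fi
  done
  return 0
}

# Print the NGINX_MODSECURITY_MAXMIND value ('y' or 'n') for the given
# `mmdblookup --version` output. Unparseable output fails closed to 'n'.
maxmind_setting_for() {
  _ver=$(parse_mmdb_version "$1")
  if [ -n "$_ver" ] && version_ge "$_ver" "$MIN_MAXMINDDB"; then
    echo y
  else
    echo n
  fi
}

# Constructed inputs: the two version strings shown in the thread, plus a
# missing-binary case.
for sample in "  mmdblookup version 1.3.2" "  mmdblookup version 1.4.2" "not found"; do
  printf "%-30s -> NGINX_MODSECURITY_MAXMIND='%s'\n" \
    "$sample" "$(maxmind_setting_for "$sample")"
done
```

On a live server the argument would be the output of `/usr/local/bin/mmdblookup --version 2>&1`, checked before running centmin.sh menu option 4.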