From c3955e736be7dd47e15eafc3c73e02f19f2181f3 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Tue, 13 Feb 2024 10:23:45 -0300 Subject: [PATCH 1/7] chore: update naming and use crs-version where needed Signed-off-by: Felipe Zipitria --- content/deployment/install.md | 6 +++--- content/deployment/quick_start.md | 8 ++++---- layouts/shortcodes/crsfiles.html | 4 ++-- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/deployment/install.md b/content/deployment/install.md index 83ae81e9..c1a11b63 100644 --- a/content/deployment/install.md +++ b/content/deployment/install.md @@ -160,7 +160,7 @@ gpg> quit The result when verifying a release will then look like so: ```bash -gpg --verify coreruleset-3.3.2.tar.gz.asc v3.3.2.tar.gz +gpg --verify coreruleset-{{< param crs_latest_release >}}.tar.gz.asc v{{< param crs_latest_release >}}.tar.gz gpg: Signature made Wed Jun 30 15:05:48 2021 CEST gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72 gpg: Good signature from "OWASP Core Rule Set " [ultimate] 
@@ -218,9 +218,9 @@ It is recommended to create a folder specifically to contain the CRS rules. In t ### Includes for Nginx -Nginx will include files from the Nginx configuration directory (`/etc/nginx` or `/usr/local/nginx/conf/`, depending on the environment). Because only one `ModSecurityConfig` directive can be specified within `nginx.conf`, it is recommended to name that file `modsec_includes.conf` and include additional files from there. In the example below, the cloned `owasp-modsecurity-crs` folder was copied into the Nginx configuration directory. From there, the appropriate include directives are specified which will include OWASP CRS when the server is restarted. In the example below, the `modsecurity.conf` file has also been included, which includes recommended configurations for ModSecurity. +Nginx will include files from the Nginx configuration directory (`/etc/nginx` or `/usr/local/nginx/conf/`, depending on the environment). Because only one `ModSecurityConfig` directive can be specified within `nginx.conf`, it is recommended to name that file `modsec_includes.conf` and include additional files from there. In the example below, the cloned `coreruleset` folder was copied into the Nginx configuration directory. From there, the appropriate include directives are specified which will include OWASP CRS when the server is restarted. In the example below, the `modsecurity.conf` file has also been included, which includes recommended configurations for ModSecurity. ```nginx include modsecurity.conf -{{% crsfiles prefix="include coreruleset-" version="3.3.2" %}} +{{% crsfiles prefix="include coreruleset-" %}} ``` diff --git a/content/deployment/quick_start.md b/content/deployment/quick_start.md index ae32017e..315bb246 100644 --- a/content/deployment/quick_start.md +++ b/content/deployment/quick_start.md 
@@ -79,7 +79,7 @@ Note that while it's common practice to make a new `modsecurity.d` folder, as ou ```bash mkdir /etc/httpd/modsecurity.d -tar -zxvf v{{< param crs_latest_release >}}.tar.gz -C /etc/httpd/modsecurity.d/owasp-modsecurity-crs +tar -zxvf v{{< param crs_latest_release >}}.tar.gz -C /etc/httpd/modsecurity.d/coreruleset ``` ### Setting Up the Main Configuration File @@ -95,7 +95,7 @@ In many scenarios, the default example CRS configuration will be a good enough s Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so: ```bash -cd /etc/httpd/modsecurity.d/owasp-modsecurity-crs/ +cd /etc/httpd/modsecurity.d/coreruleset/ mv crs-setup.conf.example crs-setup.conf ``` @@ -104,8 +104,8 @@ mv crs-setup.conf.example crs-setup.conf The last step is to tell the web server where the rules are. This is achieved by `include`-ing the rule configuration files in the `httpd.conf` file. Again, this example demonstrates using Apache, but the process is similar on other systems (see the [extended install]({{< ref "install.md" >}}) page for details). ```bash -echo 'IncludeOptional /etc/httpd/owasp-modsecurity-crs/crs-setup.conf' >> /etc/httpd/conf/httpd.conf -echo 'IncludeOptional /etc/httpd/owasp-modsecurity-crs/rules/*.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional /etc/httpd/coreruleset/crs-setup.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional /etc/httpd/coreruleset/rules/*.conf' >> /etc/httpd/conf/httpd.conf ``` Now that everything has been configured, it should be possible to restart and being using the OWASP Core Rule Set. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}). 
diff --git a/layouts/shortcodes/crsfiles.html b/layouts/shortcodes/crsfiles.html index 452fc2eb..91bfd46b 100644 --- a/layouts/shortcodes/crsfiles.html +++ b/layouts/shortcodes/crsfiles.html @@ -1,5 +1,5 @@ {{- $urlPre := "https://api.github.com" -}} -{{- $crsversion := .Get "version" -}} +{{- $crsversion := .Site.Param "crs_latest_release" -}} {{- $prefix := .Get "prefix" | default "" -}} {{- $filesJ := getJSON $urlPre (printf "/repos/coreruleset/coreruleset/git/trees/v%s" $crsversion) "?recursive=1" -}} {{- $text := slice -}} @@ -13,4 +13,4 @@ {{- end -}} {{- end -}} {{- end -}} -{{ htmlEscape (delimit $text "\n") }} \ No newline at end of file +{{ htmlEscape (delimit $text "\n") }} From 3bc7f89428c42468f07c187ea4588d12331a1cc2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= <3012076+fzipi@users.noreply.github.com> Date: Tue, 13 Feb 2024 11:18:17 -0300 Subject: [PATCH 2/7] Apply suggestions from code review --- content/deployment/quick_start.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/deployment/quick_start.md b/content/deployment/quick_start.md index 315bb246..89f15447 100644 --- a/content/deployment/quick_start.md +++ b/content/deployment/quick_start.md @@ -79,7 +79,7 @@ Note that while it's common practice to make a new `modsecurity.d` folder, as ou ```bash mkdir /etc/httpd/modsecurity.d -tar -zxvf v{{< param crs_latest_release >}}.tar.gz -C /etc/httpd/modsecurity.d/coreruleset +tar -zxvf v{{< param crs_latest_release >}}.tar.gz -C /etc/httpd/modsecurity.d/crs ``` ### Setting Up the Main Configuration File @@ -95,7 +95,7 @@ In many scenarios, the default example CRS configuration will be a good enough s Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so: ```bash -cd /etc/httpd/modsecurity.d/coreruleset/ +cd /etc/httpd/modsecurity.d/crs/ mv crs-setup.conf.example crs-setup.conf ``` 
@@ -104,8 +104,8 @@ mv crs-setup.conf.example crs-setup.conf The last step is to tell the web server where the rules are. This is achieved by `include`-ing the rule configuration files in the `httpd.conf` file. Again, this example demonstrates using Apache, but the process is similar on other systems (see the [extended install]({{< ref "install.md" >}}) page for details). ```bash -echo 'IncludeOptional /etc/httpd/coreruleset/crs-setup.conf' >> /etc/httpd/conf/httpd.conf -echo 'IncludeOptional /etc/httpd/coreruleset/rules/*.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional /etc/httpd/crs/crs-setup.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional /etc/httpd/crs/rules/*.conf' >> /etc/httpd/conf/httpd.conf ``` Now that everything has been configured, it should be possible to restart and being using the OWASP Core Rule Set. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}). From 87ae25d4d8a31099232c80d62105f270e7610e09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felipe=20Zipitr=C3=ADa?= <3012076+fzipi@users.noreply.github.com> Date: Tue, 13 Feb 2024 14:33:38 -0300 Subject: [PATCH 3/7] Update install.md Add plugins syntax. --- content/deployment/install.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/content/deployment/install.md b/content/deployment/install.md index c1a11b63..5dc2775b 100644 --- a/content/deployment/install.md +++ b/content/deployment/install.md 
@@ -211,8 +211,11 @@ It is recommended to create a folder specifically to contain the CRS rules. In t ```apache Include modsecurity.d/modsecurity.conf - Include modsecurity.d/coreruleset-{{< param crs_latest_release >}}/crs-setup.conf - Include modsecurity.d/coreruleset-{{< param crs_latest_release >}}/rules/*.conf + Include modsecurity.d/crs/crs-setup.conf + Include modsecurity.d/crs/plugins/*-config.conf + Include modsecurity.d/crs/plugins/*-before.conf + Include modsecurity.d/crs/rules/*.conf + Include modsecurity.d/crs/plugins/*-after.conf ``` From 457ac5045f3d899e05f6d40053ba83dd274c8522 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Wed, 14 Feb 2024 10:30:24 -0300 Subject: [PATCH 4/7] fix: update prefix directory Signed-off-by: Felipe Zipitria --- config/_default/config.toml | 1 + content/deployment/install.md | 18 +++++++++++------- content/deployment/quick_start.md | 17 +++++++++++------ layouts/shortcodes/crsfiles.html | 7 ++++--- 4 files changed, 27 insertions(+), 16 deletions(-) diff --git a/config/_default/config.toml b/config/_default/config.toml index ce1efc47..ed979bf6 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -43,6 +43,7 @@ home = [ "HTML", "RSS", "JSON"] # CRS related parameters crs_latest_release = "3.3.4" crs_dev_branch = "v4.0/dev" + crs_install_dir = "/etc/crs4" [[menu.shortcuts]] name = " Core Rule Set Home" diff --git a/content/deployment/install.md b/content/deployment/install.md index 5dc2775b..72aa1563 100644 --- a/content/deployment/install.md +++ b/content/deployment/install.md 
@@ -211,11 +211,11 @@ It is recommended to create a folder specifically to contain the CRS rules. In t ```apache Include modsecurity.d/modsecurity.conf - Include modsecurity.d/crs/crs-setup.conf - Include modsecurity.d/crs/plugins/*-config.conf - Include modsecurity.d/crs/plugins/*-before.conf - Include modsecurity.d/crs/rules/*.conf - Include modsecurity.d/crs/plugins/*-after.conf + Include {{< param crs_install_dir >}}/crs-setup.conf + Include {{< param crs_install_dir >}}/plugins/*-config.conf + Include {{< param crs_install_dir >}}/plugins/*-before.conf + Include {{< param crs_install_dir >}}/rules/*.conf + Include {{< param crs_install_dir >}}/plugins/*-after.conf ``` @@ -225,5 +225,9 @@ Nginx will include files from the Nginx configuration directory (`/etc/nginx` or ```nginx include modsecurity.conf -{{% crsfiles prefix="include coreruleset-" %}} -``` +{{% crsfiles prepend="include " %}} +``` + +{{% notice note %}} +You will also need to include the plugins you want along with your CRS installation. +{{% /notice %}} \ No newline at end of file diff --git a/content/deployment/quick_start.md b/content/deployment/quick_start.md index 89f15447..f722df11 100644 --- a/content/deployment/quick_start.md +++ b/content/deployment/quick_start.md 
@@ -78,10 +78,12 @@ The examples presented below demonstrate using Apache. For information on config Note that while it's common practice to make a new `modsecurity.d` folder, as outlined below, this isn't strictly necessary. The path scheme outlined is common on RHEL-based operating systems; the Apache path used may need to be adjusted to match the server's installation. ```bash -mkdir /etc/httpd/modsecurity.d -tar -zxvf v{{< param crs_latest_release >}}.tar.gz -C /etc/httpd/modsecurity.d/crs +mkdir {{< param crs_install_dir >}} +tar -xzvf v{{< param crs_latest_release >}}.tar.gz --strip-components 1 -C {{< param crs_install_dir >}} ``` +Now all the CRS files will be located below the `{{< param crs_install_dir >}}` directory. + ### Setting Up the Main Configuration File After extracting the rule set files, the next step is to set up the main OWASP Core Rule Set configuration file. An example configuration file is provided as part of the release package, located in the main directory: `crs-setup.conf.example`. @@ -95,7 +97,7 @@ In many scenarios, the default example CRS configuration will be a good enough s Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so: ```bash -cd /etc/httpd/modsecurity.d/crs/ +cd {{< param crs_install_dir >}} mv crs-setup.conf.example crs-setup.conf ``` 
@@ -104,11 +106,14 @@ mv crs-setup.conf.example crs-setup.conf The last step is to tell the web server where the rules are. This is achieved by `include`-ing the rule configuration files in the `httpd.conf` file. Again, this example demonstrates using Apache, but the process is similar on other systems (see the [extended install]({{< ref "install.md" >}}) page for details). ```bash -echo 'IncludeOptional /etc/httpd/crs/crs-setup.conf' >> /etc/httpd/conf/httpd.conf -echo 'IncludeOptional /etc/httpd/crs/rules/*.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/crs-setup.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-config.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-before.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/rules/*.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-after.conf' >> /etc/httpd/conf/httpd.conf ``` -Now that everything has been configured, it should be possible to restart and being using the OWASP Core Rule Set. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}). +Now that everything has been configured, it should be possible to restart and being using the OWASP CRS. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}). ```bash systemctl restart httpd.service diff --git a/layouts/shortcodes/crsfiles.html b/layouts/shortcodes/crsfiles.html index 91bfd46b..3f9c1674 100644 --- a/layouts/shortcodes/crsfiles.html +++ b/layouts/shortcodes/crsfiles.html 
@@ -1,15 +1,16 @@ {{- $urlPre := "https://api.github.com" -}} {{- $crsversion := .Site.Param "crs_latest_release" -}} -{{- $prefix := .Get "prefix" | default "" -}} +{{- $prefix := .Site.Param "crs_install_dir" -}} +{{- $prepend := .Get "prepend" | default "" -}} {{- $filesJ := getJSON $urlPre (printf "/repos/coreruleset/coreruleset/git/trees/v%s" $crsversion) "?recursive=1" -}} {{- $text := slice -}} {{- range $idx, $file := $filesJ.tree -}} {{- if eq $file.type "blob" -}} {{- if strings.HasSuffix $file.path "example" -}} - {{- $text = $text | append (printf "%s%s/%s" $prefix $crsversion (strings.TrimSuffix ".example" $file.path) ) -}} + {{- $text = $text | append (printf "%s%s/%s" $prepend $prefix (strings.TrimSuffix ".example" $file.path) ) -}} {{- end -}} {{- if and (eq (path.Dir $file.path) "rules") (strings.HasSuffix $file.path "conf") -}} - {{- $text = $text | append (printf "%s%s/%s" $prefix $crsversion $file.path) -}} + {{- $text = $text | append (printf "%s%s/%s" $prepend $prefix $file.path) -}} {{- end -}} {{- end -}} {{- end -}} From c15a9e048dff89b7b4efa07502789da159196673 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Wed, 14 Feb 2024 11:40:37 -0300 Subject: [PATCH 5/7] fix: update versions for release Signed-off-by: Felipe Zipitria --- config/_default/config.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/_default/config.toml b/config/_default/config.toml index ed979bf6..bd133fda 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -41,8 +41,8 @@ home = [ "HTML", "RSS", "JSON"] #custom_css = ["css/foo.css", "css/bar.css"] # CRS related parameters - crs_latest_release = "3.3.4" - crs_dev_branch = "v4.0/dev" + crs_latest_release = "4.0.0" + crs_dev_branch = "main" crs_install_dir = "/etc/crs4" [[menu.shortcuts]] From d12f019470fba1ad92b32a7107e9339467791abd Mon Sep 17 00:00:00 2001 
From: Felipe Zipitria Date: Wed, 14 Feb 2024 11:44:51 -0300 Subject: [PATCH 6/7] fix: build need a working version Signed-off-by: Felipe Zipitria --- config/_default/config.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/_default/config.toml b/config/_default/config.toml index bd133fda..9b576ef5 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -41,7 +41,7 @@ home = [ "HTML", "RSS", "JSON"] #custom_css = ["css/foo.css", "css/bar.css"] # CRS related parameters - crs_latest_release = "4.0.0" + crs_latest_release = "3.3.4" crs_dev_branch = "main" crs_install_dir = "/etc/crs4" From a9d55702f5aca5d54bb062348f2133bfeb3c9cb8 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Wed, 14 Feb 2024 11:53:02 -0300 Subject: [PATCH 7/7] fix: remove crsfiles listing in nginx Signed-off-by: Felipe Zipitria --- config/_default/config.toml | 2 +- content/deployment/install.md | 20 ++++++++++++-------- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/config/_default/config.toml b/config/_default/config.toml index 9b576ef5..bd133fda 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -41,7 +41,7 @@ home = [ "HTML", "RSS", "JSON"] #custom_css = ["css/foo.css", "css/bar.css"] # CRS related parameters - crs_latest_release = "3.3.4" + crs_latest_release = "4.0.0" crs_dev_branch = "main" crs_install_dir = "/etc/crs4" diff --git a/content/deployment/install.md b/content/deployment/install.md index 72aa1563..f92c5041 100644 --- a/content/deployment/install.md +++ b/content/deployment/install.md 
@@ -210,12 +210,12 @@ It is recommended to create a folder specifically to contain the CRS rules. In t ```apache - Include modsecurity.d/modsecurity.conf - Include {{< param crs_install_dir >}}/crs-setup.conf - Include {{< param crs_install_dir >}}/plugins/*-config.conf - Include {{< param crs_install_dir >}}/plugins/*-before.conf - Include {{< param crs_install_dir >}}/rules/*.conf - Include {{< param crs_install_dir >}}/plugins/*-after.conf + Include modsecurity.d/modsecurity.conf + Include {{< param crs_install_dir >}}/crs-setup.conf + Include {{< param crs_install_dir >}}/plugins/*-config.conf + Include {{< param crs_install_dir >}}/plugins/*-before.conf + Include {{< param crs_install_dir >}}/rules/*.conf + Include {{< param crs_install_dir >}}/plugins/*-after.conf ``` @@ -224,8 +224,12 @@ It is recommended to create a folder specifically to contain the CRS rules. In t Nginx will include files from the Nginx configuration directory (`/etc/nginx` or `/usr/local/nginx/conf/`, depending on the environment). Because only one `ModSecurityConfig` directive can be specified within `nginx.conf`, it is recommended to name that file `modsec_includes.conf` and include additional files from there. In the example below, the cloned `coreruleset` folder was copied into the Nginx configuration directory. From there, the appropriate include directives are specified which will include OWASP CRS when the server is restarted. In the example below, the `modsecurity.conf` file has also been included, which includes recommended configurations for ModSecurity. ```nginx -include modsecurity.conf -{{% crsfiles prepend="include " %}} + Include modsecurity.d/modsecurity.conf + Include {{< param crs_install_dir >}}/crs-setup.conf + Include {{< param crs_install_dir >}}/plugins/*-config.conf + Include {{< param crs_install_dir >}}/plugins/*-before.conf + Include {{< param crs_install_dir >}}/rules/*.conf + Include {{< param crs_install_dir >}}/plugins/*-after.conf ``` {{% notice note %}}
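Review bot: in the patch 1 install.md hunk, the `gpg --verify coreruleset-{{< param crs_latest_release >}}.tar.gz.asc v{{< param crs_latest_release >}}.tar.gz` command now floats with the site parameter, but the sample output kept as context (`gpg: Signature made Wed Jun 30 15:05:48 2021 CEST`) is the fixed 3.3.2-era signature, so the shown output will not correspond to the shown command once the parameter moves. Either keep a pinned version in this one example or add a sentence that the output is illustrative and the date and key will differ per release.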
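Review bot: the patch 2 quick_start.md hunks carry forward two path problems rather than fixing them: `tar -zxvf ... -C /etc/httpd/modsecurity.d/crs` targets a directory that the preceding `mkdir /etc/httpd/modsecurity.d` does not create, and the archive's own top-level directory is kept, so the next hunk's `cd /etc/httpd/modsecurity.d/crs/` followed by `mv crs-setup.conf.example crs-setup.conf` will not find the file; the third hunk then writes `IncludeOptional /etc/httpd/crs/crs-setup.conf`, which drops the `modsecurity.d` segment used everywhere else. Patch 4 in this series resolves all three with `--strip-components 1` and the `crs_install_dir` parameter, so consider squashing patch 2 into it so no intermediate commit documents a sequence that does not work.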
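Review bot: the install.md Apache hunks in patches 3 and 4 use `Include` with wildcards (`Include {{< param crs_install_dir >}}/plugins/*-config.conf`, `*-before.conf`, `*-after.conf`), which on Apache 2.4 is a startup error when the pattern matches no file, and unless at least one plugin has been installed these globs match nothing. The quick_start.md hunk in patch 4 already uses `IncludeOptional` for the same five lines; use `IncludeOptional` here as well, or note that the plugin lines must be removed until a plugin is present.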
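Review bot: the patch 4 config.toml hunk adds `crs_install_dir = "/etc/crs4"`, which bakes the major version into the path while the adjacent `crs_latest_release = "3.3.4"` is only raised to 4.0.0 in patch 5; in the intermediate state the docs instruct unpacking a 3.3.4 tarball into /etc/crs4 and including plugin files that a 3.3 release does not ship. Either land the version bump in the same commit or keep the directory name version-neutral (or derive it from the release parameter) so the two parameters cannot drift apart again.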
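Review bot: in the patch 4 quick_start.md hunk the rewritten line `+Now that everything has been configured, it should be possible to restart and being using the OWASP CRS.` keeps the pre-existing typo; since the line is being touched anyway, change "being using" to "begin using".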
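Review bot: the patch 4 crsfiles.html hunk switches the path prefix to `.Site.Param "crs_install_dir"` but leaves the build-time `getJSON $urlPre (printf "/repos/coreruleset/coreruleset/git/trees/v%s" $crsversion)` call in place, so every site build depends on api.github.com and fails whenever `crs_latest_release` names a tag that does not exist yet, which is exactly what forced the revert in patch 6 ("build need a working version"). After patch 7 removes the only caller shown in this series, the shortcode is dead code unless something else still uses it; either delete it or make the lookup tolerant of a missing tag (for example by checking the result of getJSON before ranging over `.tree`).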
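Review bot: the config.toml hunks in patches 5, 6 and 7 flip `crs_latest_release` from "3.3.4" to "4.0.0", back to "3.3.4" and to "4.0.0" again, so the net change of the three commits is identical to patch 5 alone and patch 6 exists only to keep a broken build green for one commit. Squash patches 5 through 7 (or reorder so the crsfiles removal lands before the version bump) so that the history does not contain a commit whose documented release and install directory disagree.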
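Review bot: the first install.md hunk of patch 7 (`@@ -210,12 +210,12 @@`) is a whitespace-only change to the Apache `Include` block, with the removed and added lines identical apart from indentation; that is fine to land, but it belongs in patch 4, which introduced these lines, rather than in a commit titled "remove crsfiles listing in nginx".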
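Review bot: the second install.md hunk of patch 7 replaces the Nginx listing with the Apache block pasted verbatim inside a ```nginx fence: the lines keep the Apache indentation, the first line `Include modsecurity.d/modsecurity.conf` is a path relative to the Apache layout that the Nginx section never set up, and the paragraph kept as context still says the cloned `coreruleset` folder was copied into the Nginx configuration directory, which no longer matches the absolute `{{< param crs_install_dir >}}` paths. Update that sentence to the new location, drop the indentation, and point `modsecurity.conf` at wherever the Nginx section places it. The `{{% notice note %}}` that follows ("You will also need to include the plugins you want"), added in patch 4 when the generated listing contained no plugin lines, is now redundant because the block itself includes the `plugins/*-config.conf`, `*-before.conf` and `*-after.conf` globs; remove it or reword it to say that the globs only take effect once plugins are installed.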