chore: update naming and use crs-version where needed #112

Merged
Feb 14, 2024
5 changes: 3 additions & 2 deletions config/_default/config.toml
@@ -41,8 +41,9 @@ home = [ "HTML", "RSS", "JSON"]
#custom_css = ["css/foo.css", "css/bar.css"]

# CRS related parameters
crs_latest_release = "3.3.4"
crs_dev_branch = "v4.0/dev"
crs_latest_release = "4.0.0"
crs_dev_branch = "main"
crs_install_dir = "/etc/crs4"

[[menu.shortcuts]]
name = "<i class='fas fa-bookmark'></i> Core Rule Set Home"
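Review bot: `crs_install_dir = "/etc/crs4"` bakes the major version into a directory name while the version itself is driven by `crs_latest_release = "4.0.0"`; when the release param is bumped to a new major, every page using `{{< param crs_install_dir >}}` keeps pointing at `/etc/crs4` unless this value is changed in step. A comment beside the two params saying they must be updated together (or deriving the directory from the release string) would prevent that drift. `crs_dev_branch = "main"` also changes the meaning of that param from a version-shaped branch name (`v4.0/dev`) to the default branch, so any page that interpolated it into a path or tag should be checked.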
27 changes: 19 additions & 8 deletions content/deployment/install.md
@@ -160,7 +160,7 @@ gpg> quit
The result when verifying a release will then look like so:

```bash
gpg --verify coreruleset-3.3.2.tar.gz.asc v3.3.2.tar.gz
gpg --verify coreruleset-{{< param crs_latest_release >}}.tar.gz.asc v{{< param crs_latest_release >}}.tar.gz
gpg: Signature made Wed Jun 30 15:05:48 2021 CEST
gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72
gpg: Good signature from "OWASP Core Rule Set <[email protected]>" [ultimate]
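Review bot: the command is now templated with `crs_latest_release`, but the sample output below it still reads `gpg: Signature made Wed Jun 30 15:05:48 2021 CEST`, the signature of an older release. A reader verifying the 4.0.0 tarball will see a different date and may think the check went wrong; either refresh the output for the current release or say the date is illustrative. The fingerprint line is the part that matters and it is still worth telling readers to compare it against the fingerprint the project publishes rather than trusting `Good signature` alone.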
@@ -210,17 +210,28 @@ It is recommended to create a folder specifically to contain the CRS rules. In t

```apache
<IfModule security2_module>
Include modsecurity.d/modsecurity.conf
Include modsecurity.d/coreruleset-{{< param crs_latest_release >}}/crs-setup.conf
Include modsecurity.d/coreruleset-{{< param crs_latest_release >}}/rules/*.conf
Include modsecurity.d/modsecurity.conf
Include {{< param crs_install_dir >}}/crs-setup.conf
Include {{< param crs_install_dir >}}/plugins/*-config.conf
Include {{< param crs_install_dir >}}/plugins/*-before.conf
Include {{< param crs_install_dir >}}/rules/*.conf
Include {{< param crs_install_dir >}}/plugins/*-after.conf
</IfModule>
```

### Includes for Nginx

Nginx will include files from the Nginx configuration directory (`/etc/nginx` or `/usr/local/nginx/conf/`, depending on the environment). Because only one `ModSecurityConfig` directive can be specified within `nginx.conf`, it is recommended to name that file `modsec_includes.conf` and include additional files from there. In the example below, the cloned `owasp-modsecurity-crs` folder was copied into the Nginx configuration directory. From there, the appropriate include directives are specified which will include OWASP CRS when the server is restarted. In the example below, the `modsecurity.conf` file has also been included, which includes recommended configurations for ModSecurity.
Nginx will include files from the Nginx configuration directory (`/etc/nginx` or `/usr/local/nginx/conf/`, depending on the environment). Because only one `ModSecurityConfig` directive can be specified within `nginx.conf`, it is recommended to name that file `modsec_includes.conf` and include additional files from there. In the example below, the cloned `coreruleset` folder was copied into the Nginx configuration directory. From there, the appropriate include directives are specified which will include OWASP CRS when the server is restarted. In the example below, the `modsecurity.conf` file has also been included, which includes recommended configurations for ModSecurity.

```nginx
include modsecurity.conf
{{% crsfiles prefix="include coreruleset-" version="3.3.2" %}}
```
Include modsecurity.d/modsecurity.conf
Include {{< param crs_install_dir >}}/crs-setup.conf
Include {{< param crs_install_dir >}}/plugins/*-config.conf
Include {{< param crs_install_dir >}}/plugins/*-before.conf
Include {{< param crs_install_dir >}}/rules/*.conf
Include {{< param crs_install_dir >}}/plugins/*-after.conf
```

{{% notice note %}}
You will also need to include the plugins you want along with your CRS installation.
{{% /notice %}}
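Review bot: the Apache block uses `Include` while the quick_start.md hunk in this same PR uses `IncludeOptional` for the identical five paths. In Apache 2.4, `Include` fails at startup when a wildcard such as `{{< param crs_install_dir >}}/plugins/*-config.conf` matches no file, so a fresh install with no plugins (and no placeholder files in `plugins/`) will not start, whereas `IncludeOptional` skips the glob silently; pick one form and use it on both pages. In the Nginx block, the old `include modsecurity.conf` became `Include modsecurity.d/modsecurity.conf`, which contradicts the paragraph above saying the files sit directly in the Nginx configuration directory; the `modsecurity.d/` prefix looks copied from the Apache example and should be dropped here.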
17 changes: 11 additions & 6 deletions content/deployment/quick_start.md
@@ -78,10 +78,12 @@ The examples presented below demonstrate using Apache. For information on config
Note that while it's common practice to make a new `modsecurity.d` folder, as outlined below, this isn't strictly necessary. The path scheme outlined is common on RHEL-based operating systems; the Apache path used may need to be adjusted to match the server's installation.

```bash
mkdir /etc/httpd/modsecurity.d
tar -zxvf v{{< param crs_latest_release >}}.tar.gz -C /etc/httpd/modsecurity.d/owasp-modsecurity-crs
mkdir {{< param crs_install_dir >}}
tar -xzvf v{{< param crs_latest_release >}}.tar.gz --strip-components 1 -C {{< param crs_install_dir >}}
```

Now all the CRS files will be located below the `{{< param crs_install_dir >}}` directory.

### Setting Up the Main Configuration File

After extracting the rule set files, the next step is to set up the main OWASP Core Rule Set configuration file. An example configuration file is provided as part of the release package, located in the main directory: `crs-setup.conf.example`.
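Review bot: `mkdir {{< param crs_install_dir >}}` has no `-p`, so the sequence aborts if `/etc/crs4` already exists (a second run, or an upgrade over a previous install) and the `tar` line never executes; `mkdir -p` fits the "isn't strictly necessary" tone of the paragraph above. `--strip-components 1` is the right replacement for the old `owasp-modsecurity-crs` subdirectory, but it assumes the archive has exactly one top-level directory (`coreruleset-{{< param crs_latest_release >}}/`), which holds for the GitHub release tarball; a short sentence saying so would save readers who repackage the rules themselves from a confusing layout.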
@@ -95,7 +97,7 @@ In many scenarios, the default example CRS configuration will be a good enough s
Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so:

```bash
cd /etc/httpd/modsecurity.d/owasp-modsecurity-crs/
cd {{< param crs_install_dir >}}
mv crs-setup.conf.example crs-setup.conf
```

@@ -104,11 +106,14 @@ mv crs-setup.conf.example crs-setup.conf
The last step is to tell the web server where the rules are. This is achieved by `include`-ing the rule configuration files in the `httpd.conf` file. Again, this example demonstrates using Apache, but the process is similar on other systems (see the [extended install]({{< ref "install.md" >}}) page for details).

```bash
echo 'IncludeOptional /etc/httpd/owasp-modsecurity-crs/crs-setup.conf' >> /etc/httpd/conf/httpd.conf
echo 'IncludeOptional /etc/httpd/owasp-modsecurity-crs/rules/*.conf' >> /etc/httpd/conf/httpd.conf
echo 'IncludeOptional {{< param crs_install_dir >}}/crs-setup.conf' >> /etc/httpd/conf/httpd.conf
echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-config.conf' >> /etc/httpd/conf/httpd.conf
echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-before.conf' >> /etc/httpd/conf/httpd.conf
echo 'IncludeOptional {{< param crs_install_dir >}}/rules/*.conf' >> /etc/httpd/conf/httpd.conf
echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-after.conf' >> /etc/httpd/conf/httpd.conf
```

Now that everything has been configured, it should be possible to restart and being using the OWASP Core Rule Set. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}).
Now that everything has been configured, it should be possible to restart and being using the OWASP CRS. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}).

```bash
systemctl restart httpd.service
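Review bot: the rewritten sentence keeps the pre-existing typo `being using` (should be `begin using`); since the line is touched anyway, fix it here. On the five `echo ... >> /etc/httpd/conf/httpd.conf` lines, appending is not idempotent: a reader who runs the quick start twice ends up with duplicate `IncludeOptional` lines and every rule loaded twice, which ModSecurity reports as duplicate rule ids at startup. A one-line warning, or writing the five lines to a single `conf.d/` drop-in file instead, avoids that. The order config, before, rules, after matches the Apache block in install.md, which is correct for plugin loading.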
11 changes: 6 additions & 5 deletions layouts/shortcodes/crsfiles.html
@@ -1,16 +1,17 @@
{{- $urlPre := "https://api.github.com" -}}
{{- $crsversion := .Get "version" -}}
{{- $prefix := .Get "prefix" | default "" -}}
{{- $crsversion := .Site.Param "crs_latest_release" -}}
{{- $prefix := .Site.Param "crs_install_dir" -}}
{{- $prepend := .Get "prepend" | default "" -}}
{{- $filesJ := getJSON $urlPre (printf "/repos/coreruleset/coreruleset/git/trees/v%s" $crsversion) "?recursive=1" -}}
{{- $text := slice -}}
{{- range $idx, $file := $filesJ.tree -}}
{{- if eq $file.type "blob" -}}
{{- if strings.HasSuffix $file.path "example" -}}
{{- $text = $text | append (printf "%s%s/%s" $prefix $crsversion (strings.TrimSuffix ".example" $file.path) ) -}}
{{- $text = $text | append (printf "%s%s/%s" $prepend $prefix (strings.TrimSuffix ".example" $file.path) ) -}}
{{- end -}}
{{- if and (eq (path.Dir $file.path) "rules") (strings.HasSuffix $file.path "conf") -}}
{{- $text = $text | append (printf "%s%s/%s" $prefix $crsversion $file.path) -}}
{{- $text = $text | append (printf "%s%s/%s" $prepend $prefix $file.path) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{ htmlEscape (delimit $text "\n") }}
{{ htmlEscape (delimit $text "\n") }}
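Review bot: `$prefix` and `$crsversion` now come from `.Site.Param`, so the `prefix=` and `version=` shortcode arguments are silently ignored; a leftover call shaped like the `{{% crsfiles prefix="include coreruleset-" version="3.3.2" %}}` removed from install.md in this PR would still render, just with the wrong prefix. Grep the site for other callers, or fail loudly with `errorf` when those arguments are passed. With `$prefix` now the absolute `/etc/crs4`, `printf "%s%s/%s" $prepend $prefix ...` inserts no separator after `$prepend`, so a caller wanting `include /etc/crs4/...` has to pass `prepend="include "` with the trailing space; worth a comment. Finally, `getJSON` against `api.github.com` for tag `v<crs_latest_release>` means bumping the param to a tag that is not yet published breaks the build, and unauthenticated API calls are rate limited, so a vendored file listing would make builds reproducible.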