GUI editor to tame mod_security rules

⌈⌋ branch:  modseccfg


Artifact [96419cc87c]

Artifact 96419cc87c5fa4ffcf5a1a5756a9b59710d72e858e59caf192cff3eb88cfeacf:

  • File FAQ.md — part of check-in [8e624a20d3] at 2020-11-20 14:28:48 on branch trunk — Type and description changes in crsoptions. Release as 0.3.0 (user: mario size: 3913)

FAQ

Not really a FAQ, just some preemptive notes and a few common errors.

Errors

Doesn't work

That's not a useful error message.
(Someone here is slightly annoyed from Stackoverflow questions these days.)

Something doesn't work

Many features are unimplemented as of yet.

App crashes

It will do that if you use most functions but haven't:

  • selected a vhost file
  • or an existing log file
  • and if remote files (sshfs-mounted server) aren't really writable (no working check yet)

Doesn't start

Look at the terminal output.

Python import error for _tkinter

As mentioned in the README setup instructions, you do need python3-tk installed (or whatever it's called in your distro).

Syntax error for f"…" strings

Requires py >=3.6

Main window freezes

It'll do that whilst reading logs, or any other window pops up (editor, info, etc.)

App hangs after main window closed

The multi-window interface may get stuck in a dead loop, if the mainwindow got closed before any aux windows.

How to file a bug report?

Use /tktnew and include the full console output, expected behaviour, and necessary log and conf excerpts, file names and mount point if any. Else it will be closed on sight.

Features

Does this really delete config files?

No. Per default it will even create heaps of backup files in ~/backup-config/.

Does the remote binding option need :/ ?

It does suffice to say modseccfg srv5:.
The slash is just for decoration, the colon makes it a servername argument.

Why don't all rules have tags?

The CoreRuleSet omits them for most rules.
(Something like tag:app-wordpress etc. would be sensible. Hint, hint.)

Where's the config file?

In ~/.config/modseccfg/settings.json

Are there sshfs options to be set?

Secret config option is sshfs_o.

Other secret options

editor_font can't be edited from the config window, due to being a list. The config definition allows to add a third font property ["…", "…", "bold"] however.

Can this use other log scanners?

If there's a command line tool to scan audit logs for problems, then yes, an option could be added. (In fact, it's planned to bundle a bin/ folder and according menu for Log analyzers.)

Why doesn't this provide for editing of VirtualHost sections?

That would be more work. And less intuitive for the majority, and those that have properly separated vhosts into distinct config files.

There's a few python packages for Apache config parsing that would allow so, but none that are overly convenient to build upon. (Not to mention support for non-destructive file updating.)

It always writes to the first VirtualHost in a file

Yes.

All SecRule* flags are appended, or injected before any first closing </VirtualHost>

Use a better structure:

  • vhost.domain.conf

     <VirtualHost *:80>
        Include vhost.domain.dir
     </VirtualHost>
     <VirtualHost *:443>
        Include vhost.domain.dir
        Include ssl.conf
     </VirtualHost>
    
  • vhost.domain.dir

      ServerName example.com
      DocumentRoot /www/domain/
      …
      SecRuleEngine On
    

Which coincidentally avoids some repetition.

Can this use python package xyz?

No idea.

Where's the nginx support?

Not planned. Code contributions are accepted however.

There are enough nginx config parsers out there. Adopting one of them should be simple. Basically just needs to reuse the vhosts structure, and pass any modsecurity_rules_file over to vhosts.vhosts()

Will this work with mod_security v3 ?

Probably not. I'd imagine this to be a parsing nightmare for Apache as well. So if, it's probably just going to cover secrule_includes, and you'll have to have vhost.name.secrule files alongside.