Check-in [01df5b822a]
Overview
Comment: Reshuffle directive categories, add 0640 in place of "octal_mode"
SHA3-256: 01df5b822a7021aa55fe23ef05113067
User & Date: mario 2020-11-19 15:44:57
Context
2020-11-19
15:47 Add CRS options dialog (derived from SecOptions), but with slightly different behaviour. Using crs-setup.conf as source for options and help. check-in: 303a58a5e4 user: mario tags: trunk
15:44 Reshuffle directive categories, add 0640 in place of "octal_mode" check-in: 01df5b822a user: mario tags: trunk
2020-11-18
21:38 Wrap .msg text check-in: 3438ff4aed user: mario tags: trunk
Changes
Changes to dev/directives.md.
| < < < < < < < < < < | 1 2 3 4 5 6 7 | == SecAction == '''Description:''' Unconditionally processes the action list it receives as the first and only parameter. The syntax of the parameter is identical to that of the third parameter of <code>SecRule</code>. '''Syntax:''' <code>SecAction "action1,action2,action3,...β</code> '''Scope:''' Any |
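Review bot: the SecAction entry (old lines 1-7 of dev/directives.md) is deleted at the top of the file with no corresponding addition in this hunk; if the reshuffle relocates it elsewhere in the file, say so in the commit message, otherwise the directive reference loses its SecAction section. Wherever the entry lands, the closing quote in `SecAction "action1,action2,action3,...` is a mis-encoded character in the old text and should be a plain `"`.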
︙ | ︙ | |||
59 60 61 62 63 64 65 | SecAuditLogParts ABCFHZ SecAuditLogType concurrent SecAuditLogStorageDir logs/audit SecAuditLogRelevantStatus ^(?:5|4(?!04)) </pre> == SecAuditLog == | | | < | | | 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 | SecAuditLogParts ABCFHZ SecAuditLogType concurrent SecAuditLogStorageDir logs/audit SecAuditLogRelevantStatus ^(?:5|4(?!04)) </pre> == SecAuditLog == '''Description:''' Defines the path to the main audit log file (serial logging format) or the concurrent logging index file (concurrent logging format). '''Syntax:''' <code>SecAuditLog /path/to/audit.log</code> '''Scope:''' Any Version: 2.0.0 This file will be used to store the audit log entries if serial audit logging format is used. If concurrent audit logging format is used this file will be used as an index, and contain a record of all audit log files created. If you are planning to use concurrent audit logging to send your audit log data off to a remote server you will need to deploy the ModSecurity Log Collector (mlogc), like this: When used in combination with mlogc (only possible with concurrent logging), this directive defines the mlogc location and command line. SecAuditLog "|/path/to/mlogc /path/to/mlogc.conf" This audit log file is opened on startup when the server typically still runs as root. You should not allow non-root users to have write privileges for this file or for the directory. == SecAuditLog2 == '''Description:''' Defines the path to the secondary audit log index file when concurrent logging is enabled. See SecAuditLog for more details. 
'''Syntax:''' <code>SecAuditLog2 /path/to/audit.log</code> '''Scope:''' Any '''Version:''' 2.1.2 The purpose of SecAuditLog2 is to make logging to two remote servers possible, which is typically achieved by running two instances of the mlogc tool, each with a different configuration (in addition, one of the instances will need to be instructed not to delete the files it submits). This directive can be used only if SecAuditLog was previously configured and only if concurrent logging format is used. == SecAuditLogDirMode== '''Description:''' Configures the mode (permissions) of any directories created for the concurrent audit logs, using an octal mode value as parameter (as used in chmod). '''Syntax:''' <code>SecAuditLogDirMode 0640|"default"</code> '''Default:''' 0600 '''Scope:''' Any '''Version:''' 2.5.10 |
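Review bot: the new `'''Syntax:''' <code>SecAuditLogDirMode 0640|"default"</code>` line reads as though 0640 were the only accepted mode, while the Description directly above says the directive takes any octal mode value (as used in chmod). Keep the syntax generic and present 0640 as the example, the way the SecUploadFileMode entry in this same commit does: `'''Syntax:''' <code>SecAuditLogDirMode octal_mode|"default"</code>` followed by `'''Example Usage:''' <code>SecAuditLogDirMode 0640</code>`. 0640 is a sound example value because it only adds group read on top of the 0600 default, and the SecAuditLog paragraph in this hunk about the log being opened while the server still runs as root, with non-root users kept from writing to it, is the reason not to show anything broader.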
︙ | ︙ | |||
115 116 117 118 119 120 121 | '''Version:''' 2.9.1 ; Note : The JSON format is only available if ModSecurity was compiled with support to JSON via the YAJL library. During the compilation time, the yajl-dev package (or similar) must be part of the system. The configure scripts provides information if the YAJL support was enabled or not. == SecAuditLogFileMode == '''Description:''' Configures the mode (permissions) of any files created for concurrent audit logs using an octal mode (as used in chmod). See SecAuditLogDirMode for controlling the mode of created audit log directories. | | | 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 | '''Version:''' 2.9.1 ; Note : The JSON format is only available if ModSecurity was compiled with support to JSON via the YAJL library. During the compilation time, the yajl-dev package (or similar) must be part of the system. The configure scripts provides information if the YAJL support was enabled or not. == SecAuditLogFileMode == '''Description:''' Configures the mode (permissions) of any files created for concurrent audit logs using an octal mode (as used in chmod). See SecAuditLogDirMode for controlling the mode of created audit log directories. '''Syntax:''' <code>SecAuditLogFileMode 0640|"default"</code> '''Default:''' 0600 '''Scope:''' Any '''Version:''' 2.5.10 |
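Review bot: `<code>SecAuditLogFileMode 0640|"default"</code>` narrows the documented syntax to a single mode even though the Description on the same line says any octal mode (as used in chmod) is accepted. Suggest `<code>SecAuditLogFileMode octal_mode|"default"</code>` plus an `'''Example Usage:''' <code>SecAuditLogFileMode 0640</code>` line, so this entry and SecAuditLogDirMode, which both keep `'''Default:''' 0600`, read consistently and a reader can tell that other octal modes remain valid.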
︙ | ︙ | |||
141 142 143 144 145 146 147 | '''Example Usage:''' <code>SecAuditLogParts ABCFHZ</code> '''Scope:''' Any Version: 2.0.0 '''Default:''' ABCFHZ Note The format of the audit log format is documented in detail in the Audit Log Data Format Documentation. | < | | | | | | | | | | | | | 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 | '''Example Usage:''' <code>SecAuditLogParts ABCFHZ</code> '''Scope:''' Any Version: 2.0.0 '''Default:''' ABCFHZ Note The format of the audit log format is documented in detail in the Audit Log Data Format Documentation. Available audit log parts: A: Audit log header (mandatory). B: Request headers. C: Request body (present only if the request body exists and ModSecurity is configured to intercept it. This would require SecRequestBodyAccess to be set to on). D: Reserved for intermediary response headers; not implemented yet. E: Intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it. Intercepting response bodies requires SecResponseBodyAccess to be enabled). Intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page). F: Final response headers (excluding the Date and Server headers, which are always added by Apache in the late stage of content delivery). G: Reserved for the actual response body; not implemented yet. H: Audit log trailer. I: This part is a replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding in used. In this case, it will log a fake application/x-www-form-urlencoded body that contains the information about parameters but not about the files. 
This is handy if you donβt want to have (often large) files stored in your audit logs. J: This part contains information about the files uploaded using multipart/form-data encoding. K: This part contains a full list of every rule that matched (one per line) in the order they were matched. The rules are fully qualified and will thus show inherited actions and default operators. Supported as of v2.5.0. Z: Final boundary, signifies the end of the entry (mandatory). == SecAuditLogRelevantStatus == '''Description:''' Configures which response status code is to be considered relevant for the purpose of audit logging. '''Syntax:''' <code>SecAuditLogRelevantStatus REGEX</code> '''Example Usage:''' <code>SecAuditLogRelevantStatus "^(?:5|4(?!04))"</code> |
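Review bot: this hunk only reflows the SecAuditLogParts text, so it is the right moment to fix two wording defects it carries over unchanged: "The format of the audit log format is documented" should read "The format of the audit log is documented", and in part I "except when multipart/form-data encoding in used" should be "is used". The apostrophe in "don't want to have (often large) files" in the same part I paragraph is a mis-encoded character; the secoptions.py side of this commit writes that character as \u2019, so check the encoding this markdown file is saved in.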
︙ | ︙ | |||
952 953 954 955 956 957 958 | '''Default:''' 134217728 (131072 KB) Anything over the limit will be rejected with status code 413 (Request Entity Too Large). There is a hard limit of 1 GB. ; Note : In ModSecurity 2.5.x and earlier, SecRequestBodyLimit works only when used in the main server configuration, or a VirtualHost container. In these versions, request body limit is enforced immediately after phase 1, but before phase 2 configuration (i.e. whatever is placed in a Location container) is resolved. You can work around this limitation by using a phase 1 rule that changes the request body limit dynamically, using the ctl:requestBodyLimit action. ModSecurity 2.6.x (currently in the trunk only) and better do not have this limitation. == SecRequestBodyNoFilesLimit == | | | | 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 | '''Default:''' 134217728 (131072 KB) Anything over the limit will be rejected with status code 413 (Request Entity Too Large). There is a hard limit of 1 GB. ; Note : In ModSecurity 2.5.x and earlier, SecRequestBodyLimit works only when used in the main server configuration, or a VirtualHost container. In these versions, request body limit is enforced immediately after phase 1, but before phase 2 configuration (i.e. whatever is placed in a Location container) is resolved. You can work around this limitation by using a phase 1 rule that changes the request body limit dynamically, using the ctl:requestBodyLimit action. ModSecurity 2.6.x (currently in the trunk only) and better do not have this limitation. == SecRequestBodyNoFilesLimit == '''Description''': Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported in the request. 
'''Syntax:''' <code>SecRequestBodyNoFilesLimit NUMBER_IN_BYTES </code> '''Example Usage:''' <code>SecRequestBodyNoFilesLimit 131072 </code> '''Scope:''' Any '''Version''': 2.5.0 '''Supported on libModSecurity:''' No '''Default:''' 1048576 (1 MB) Generally speaking, the default value is not small enough. For most applications, you should be able to reduce it down to 128 KB or lower. Anything over the limit will be rejected with status code 413 (Request Entity Too Large). There is a hard limit of 1 GB. This directive is useful to reduce susceptibility to DoS attacks when someone is sending request bodies of very large sizes. Web applications that require file uploads must configure SecRequestBodyLimit to a high value, but because large files are streamed to disk, file uploads will not increase memory consumption. However, itβs still possible for someone to take advantage of a large request body limit and send non-upload requests with large body sizes. This directive eliminates that loophole. == SecRequestBodyLimitAction == '''Description''': Controls what happens once a request body limit, configured with SecRequestBodyLimit, is encountered '''Syntax:''' <code>SecRequestBodyLimitAction Reject|ProcessPartial </code> '''Example Usage:''' <code>SecRequestBodyLimitAction ProcessPartial</code> |
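Review bot: the SecRequestBodyNoFilesLimit entry is inconsistent with the rest of the file in its wiki markup: `'''Description''':` and `'''Version''': 2.5.0` put the colon outside the bold, whereas every other entry writes `'''Description:'''` and `'''Version:'''`, and the `<code>` spans for Syntax and Example Usage carry trailing spaces (`NUMBER_IN_BYTES </code>`, `131072 </code>`) that render as padding. The apostrophe in "it's still possible for someone to take advantage of a large request body limit" is also a mis-encoded character. Since this hunk already rewrites the entry, normalising these in the same change keeps the diff self-contained.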
︙ | ︙ | |||
1633 1634 1635 1636 1637 1638 1639 | The default is set to 100 files, but you are encouraged to reduce this value. Any file over the limit will not be extracted and the MULTIPART_FILE_LIMIT_EXCEEDED and MULTIPART_STRICT_ERROR flags will be set. To prevent bypassing any file checks, you must check for one of these flags. ; Note : If the limit is exceeded, the part name and file name will still be recorded in FILES_NAME and FILES, the file size will be recorded in FILES_SIZES, but there will be no record in FILES_TMPNAMES as a temporary file was not created. == SecUploadFileMode == '''Description:''' Configures the mode (permissions) of any uploaded files using an octal mode (as used in chmod). | | | 1621 1622 1623 1624 1625 1626 1627 1628 1629 1630 1631 1632 1633 1634 1635 | The default is set to 100 files, but you are encouraged to reduce this value. Any file over the limit will not be extracted and the MULTIPART_FILE_LIMIT_EXCEEDED and MULTIPART_STRICT_ERROR flags will be set. To prevent bypassing any file checks, you must check for one of these flags. ; Note : If the limit is exceeded, the part name and file name will still be recorded in FILES_NAME and FILES, the file size will be recorded in FILES_SIZES, but there will be no record in FILES_TMPNAMES as a temporary file was not created. == SecUploadFileMode == '''Description:''' Configures the mode (permissions) of any uploaded files using an octal mode (as used in chmod). '''Syntax:''' <code>SecUploadFileMode 0640|"default"</code> '''Example Usage:''' <code>SecUploadFileMode 0640</code> '''Scope:''' Any '''Version:''' 2.1.6 |
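Review bot: `'''Syntax:''' <code>SecUploadFileMode 0640|"default"</code>` followed by `'''Example Usage:''' <code>SecUploadFileMode 0640</code>` states the same value twice. With the example line present, the Syntax line should give the general form, `SecUploadFileMode octal_mode|"default"`, since the Description says any octal mode (as used in chmod) is accepted; otherwise a reader of the reference cannot tell that 0600 or any other mode is also valid.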
︙ | ︙ |
Changes to modseccfg/secoptions.py.
1 2 3 4 5 6 | # api: modseccfg # encoding: utf-8 # type: function # category: config # title: SecOption directives # description: config window for core mod_security directives | | | | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # api: modseccfg # encoding: utf-8 # type: function # category: config # title: SecOption directives # description: config window for core mod_security directives # version: 0.2 # config: - # license: ASL # author: Mod_Sec team (options and their documentation) # # Autogenerated list of mod_security directives and flags. # Binds it to pluginconf.gui and writer.update # ## WARNING: NEEDS PATCHED PLUGINCONF.GUI (plugins= param) |
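Review bot: the `## WARNING: NEEDS PATCHED PLUGINCONF.GUI (plugins= param)` comment documents a hard runtime dependency that nothing enforces; with an unpatched pluginconf.gui, the `pluginconf.gui.window(..., plugins=plugins, ...)` call later in this file fails with a TypeError the moment the dialog is opened. Either guard it (for example check `inspect.signature(pluginconf.gui.window).parameters` for `plugins` at import time and raise a clear error) or record the requirement in the package metadata; the `# version: 0.2` bump is also the place to mention it in a changelog.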
︙ | ︙ | |||
56 57 58 59 60 61 62 | options['SecAuditLogDirMode'] = { "name": "SecAuditLogDirMode", "description": "Configures the mode (permissions) of any directories created for the concurrent audit logs, using an octal mode value as parameter (as used in chmod).", "type": "select", "value": "", "help": "The default mode for new audit log directories (0600) only grants read/write access to the owner (typically the account under which Apache is running, for example apache). If access from other accounts is needed (e.g., for use with mpm-itk), then you may use this directive to grant additional read and/or write privileges. You should use this directive with caution to avoid exposing potentially sensitive data to unauthorized users. Using the value default as parameter reverts the configuration back to the default setting. This feature is not available on operating systems not supporting octal file modes.\n\nExample:", "select": { | | | 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 | options['SecAuditLogDirMode'] = { "name": "SecAuditLogDirMode", "description": "Configures the mode (permissions) of any directories created for the concurrent audit logs, using an octal mode value as parameter (as used in chmod).", "type": "select", "value": "", "help": "The default mode for new audit log directories (0600) only grants read/write access to the owner (typically the account under which Apache is running, for example apache). If access from other accounts is needed (e.g., for use with mpm-itk), then you may use this directive to grant additional read and/or write privileges. You should use this directive with caution to avoid exposing potentially sensitive data to unauthorized users. Using the value default as parameter reverts the configuration back to the default setting. 
This feature is not available on operating systems not supporting octal file modes.\n\nExample:", "select": { "0640": "0640", "\"default\"": "\"default\"" } } options['SecAuditLogFormat'] = { "name": "SecAuditLogFormat", "description": "Select the output format of the AuditLogs. The format can be either the native AuditLogs format or JSON.", "type": "select", |
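Review bot: replacing the `"octal_mode"` placeholder with a real value is right, but a `"select"` that offers only `0640` and `"default"` lets the operator choose exactly one non-default mode, while the help text promises that the directive can "grant additional read and/or write privileges". Either say so in the help ("this dialog offers 0640, which adds group read access; other modes must be set in the .conf by hand") or switch the entry to `"type": "str"` with a validator that accepts `^0[0-7]{3}$` or `"default"`. 0640 is the right value to offer: it is the smallest widening of the 0600 default that serves the mpm-itk case the help text mentions, and it keeps the audit log unreadable to other accounts on the host.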
︙ | ︙ | |||
78 79 80 81 82 83 84 | options['SecAuditLogFileMode'] = { "name": "SecAuditLogFileMode", "description": "Configures the mode (permissions) of any files created for concurrent audit logs using an octal mode (as used in chmod). See SecAuditLogDirMode for controlling the mode of created audit log directories.", "type": "select", "value": "", "help": "This feature is not available on operating systems not supporting octal file modes. The default mode (0600) only grants read/write access to the account writing the file. If access from another account is needed (using mpm-itk is a good example), then this directive may be required. However, use this directive with caution to avoid exposing potentially sensitive data to unauthorized users. Using the value \u201cdefault\u201d will revert back to the default setting.", "select": { | | | | 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 | options['SecAuditLogFileMode'] = { "name": "SecAuditLogFileMode", "description": "Configures the mode (permissions) of any files created for concurrent audit logs using an octal mode (as used in chmod). See SecAuditLogDirMode for controlling the mode of created audit log directories.", "type": "select", "value": "", "help": "This feature is not available on operating systems not supporting octal file modes. The default mode (0600) only grants read/write access to the account writing the file. If access from another account is needed (using mpm-itk is a good example), then this directive may be required. However, use this directive with caution to avoid exposing potentially sensitive data to unauthorized users. Using the value \u201cdefault\u201d will revert back to the default setting.", "select": { "0640": "0640", "\"default\"": "\"default\"" } } options['SecAuditLogParts'] = { "name": "SecAuditLogParts", "description": "Defines which parts of each transaction are going to be recorded in the audit log. 
Each part is assigned a single letter; when a letter appears in the list then the equivalent part will be recorded. See below for the list of all parts.", "type": "str", "value": "", "help": "The format of the audit log format is documented in detail in the Audit Log Data Format Documentation.\nAvailable audit log parts:\nA: Audit log header (mandatory).\nB: Request headers.\nC: Request body (present only if the request body exists and ModSecurity is configured to intercept it. This would require SecRequestBodyAccess to be set to on).\nD: Reserved for intermediary response headers; not implemented yet.\nE: Intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it. Intercepting response bodies requires SecResponseBodyAccess to be enabled). Intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page).\nF: Final response headers (excluding the Date and Server headers, which are always added by Apache in the late stage of content delivery).\nG: Reserved for the actual response body; not implemented yet.\nH: Audit log trailer.\nI: This part is a replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding in used. In this case, it will log a fake application/x-www-form-urlencoded body that contains the information about parameters but not about the files. This is handy if you don\u2019t want to have (often large) files stored in your audit logs.\nJ: This part contains information about the files uploaded using multipart/form-data encoding.\nK: This part contains a full list of every rule that matched (one per line) in the order they were matched. 
The rules are fully qualified and will thus show inherited actions and default operators. Supported as of v2.5.0.\nZ: Final boundary, signifies the end of the entry (mandatory)." } options['SecAuditLogRelevantStatus'] = { "name": "SecAuditLogRelevantStatus", "description": "Configures which response status code is to be considered relevant for the purpose of audit logging.", "type": "str", "value": "", "help": "" |
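Review bot: in the SecAuditLogFileMode help string, `Using the value \u201cdefault\u201d will revert back` shows curly quotes, while the select key `"\"default\""` writes a straight-quoted `"default"` into the .conf, which is what the Apache config parser expects; use straight quotes in the help too (the SecUploadFileMode entry further down already does) so a user who copies the value from the help text does not end up with an unparsable directive. The SecAuditLogParts help string in the same hunk repeats "The format of the audit log format" and has "encoding in used" for "is used"; both come straight from directives.md and should be fixed in both places.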
︙ | ︙ | |||
624 625 626 627 628 629 630 | options['SecUploadFileMode'] = { "name": "SecUploadFileMode", "description": "Configures the mode (permissions) of any uploaded files using an octal mode (as used in chmod).", "type": "select", "value": "", "help": "This feature is not available on operating systems not supporting octal file modes. The default mode (0600) only grants read/write access to the account writing the file. If access from another account is needed (using clamd is a good example), then this directive may be required. However, use this directive with caution to avoid exposing potentially sensitive data to unauthorized users. Using the value \"default\" will revert back to the default setting.", "select": { | | | 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 | options['SecUploadFileMode'] = { "name": "SecUploadFileMode", "description": "Configures the mode (permissions) of any uploaded files using an octal mode (as used in chmod).", "type": "select", "value": "", "help": "This feature is not available on operating systems not supporting octal file modes. The default mode (0600) only grants read/write access to the account writing the file. If access from another account is needed (using clamd is a good example), then this directive may be required. However, use this directive with caution to avoid exposing potentially sensitive data to unauthorized users. Using the value \"default\" will revert back to the default setting.", "select": { "0640": "0640", "\"default\"": "\"default\"" } } options['SecUploadKeepFiles'] = { "name": "SecUploadKeepFiles", "description": "Configures whether or not the intercepted files will be kept after transaction is processed.", "type": "select", |
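Review bot: this is the third copy of the identical `"select": { "0640": "0640", "\"default\"": "\"default\"" }` dict in this file (SecAuditLogDirMode and SecAuditLogFileMode carry the same one). Hoist it into one module-level constant, say `MODE_SELECT`, and reference it from the three entries, so a later decision to offer another mode, or to turn these into a validated free-text field, is made in one place rather than three. For SecUploadFileMode, 0640 gives group read access, which is what the clamd example in the help text needs, without making the upload readable to every account on the host.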
︙ | ︙ | |||
661 662 663 664 665 666 667 | "On": "On", "Off": "Off" } } #-- group | > | | < < < | > > | | | | < | > > > > | | | | | | | | | < | > > | | 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 | "On": "On", "Off": "Off" } } #-- group def mk_groups(): plugins = {} groups = [ ["global", "module", "SecOptions", "Update mod_security directives in\n", "RuleEngine$|StatusEng|Pcre|Inherit|Intercept|Chroot|Sig|Default"], ["log", "log", "Logging", "Options pertaining the logs", "AuditLog|AuditEngine"], ["dir", "tmp", "Directories", "Temp storage", "TmpDir|DataDir"], ["body", "bodyaccess", "BodyAccess", "Access to HTTP payloads", "Body"], ["dbg", "debug", "Debug / Upload", "Debug log and upload inspection", "Upload|Debug"], ["hash", "hash", "Hash", "Hashing functions (forms and links signature)", "Hash"], ["pdf", "pdf", "PDF Engine", "PDF related options", "Pdf"], ["else", "else", "Other options", "Less common directives", "-"] ] groups[-1][-1] = "^(?!.*(" + ("|".join([d[4] for d in groups])) + "))" # "else" gets opposite of other regexps for grp, cat, title, desc, rx in groups: plugins[grp] = { "id": grp, "api": "mod_security", "title": title, "description": desc, "version": "0.1", "type": "config", "category": cat, "config": [o for o in options.values() if re.search(rx, o["name"])] } return plugins def window(confn): # prepare config list for k,c in options.items(): if c["type"] == "int": c["type"] = "str" c["value"] = "" # unset defaults plugins = mk_groups() plugins["global"]["description"] += confn plugin_states = {k:1 for k in plugins.keys()} # map config variables from extracted `vhosts.cfg{}` dict onto mixed-case `conf` dict here vh = vhosts.vhosts.get(confn) # existing *.conf if not vh: vh = read_vh(confn) # previously unknown *.conf conf = {} 
if vh.cfg: names = {k: k.lower() for k in options.keys()} for dir,id in names.items(): if id in vh.cfg: conf[dir] = vh.cfg[id] prev = copy.copy(conf) # show # ## WARNING: NEEDS PATCHED PLUGINCONF.GUI (plugins= param) # save = pluginconf.gui.window( conf, plugin_states, files=[], plugins=plugins, title="mod_security option directives", icon=icons.apache, opt_label=True, size=(700,800) ) if not save: return # update if there were any changes |
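Review bot: in `mk_groups()` the "else" pattern is built with `"|".join([d[4] for d in groups])` while the last entry still holds its `"-"` placeholder, so the negative lookahead becomes `^(?!.*(...|-))` and also excludes any name containing a hyphen; build it from `groups[:-1]`. Related: `re.search(rx, o["name"])` is unanchored and evaluated for every group independently, so a directive whose name matches more than one pattern is listed in every matching dialog; if that is not intended, assign each option to the first group whose pattern matches. In `window()`, the loop that rewrites `c["type"] = "str"` and `c["value"] = ""` mutates the module-level `options` in place, so every later call in the same process sees the int typing erased and the defaults gone; work on a `copy.deepcopy(options)` instead (the function already uses `copy.copy` for `prev`). Finally, `for dir,id in names.items()` shadows the `dir` and `id` builtins; `for name, key in names.items()` reads better.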
︙ | ︙ |