GUI editor to tame mod_security rules



Check-in [fd5f570868]


Overview
Comment: Update README with GIF, use .rst for pkg README.
SHA3-256: fd5f570868f85bd42b34180c6d808419bf52f1b20c83c02329f0249287449f69
User & Date: mario 2020-11-13 15:20:26
Context
2020-11-14
10:15
Introduce remote() `srvroot` file I/O wrapper, to fusemount ssh:/ root to work on. Mode can be activated with cmdline param: `modseccfg srv5:` check-in: 0b3b4b79d9 user: mario tags: trunk
2020-11-13
15:20
Update README with GIF, use .rst for pkg README. check-in: fd5f570868 user: mario tags: trunk
14:50
Initial prototype (conf parser, log reader, mainwindow somewhat functional) check-in: 5f35cb034d user: mario tags: trunk, 0.0.9
Changes

Changes to Makefile.

1
2
3
4
5
6
7
8
9

10
run:
	./g.py

setup:
	version --read modseccfg/__init__.py --incr --write
	python3 setup.py bdist_wheel
	rm -r modseccfg.egg-info

upload:

	python3 setup.py upload









>
|
1
2
3
4
5
6
7
8
9
10
11
run:
	./g.py

setup:
	version --read modseccfg/__init__.py --incr --write
	python3 setup.py bdist_wheel
	rm -r modseccfg.egg-info

upload:
	pandoc README.md -o README.rst
	python3 setup.py bdist_wheel upload
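
Review bot: In the `upload` target, README.rst is generated only here, while the `setup` target also runs `python3 setup.py bdist_wheel` and setup.py now points at README.rst, so `make setup` on a fresh checkout builds against a missing or stale file. Consider making README.rst its own target that depends on README.md and listing it as a prerequisite of both `setup` and `upload`. The `upload` recipe also rebuilds the wheel without the `rm -r modseccfg.egg-info` cleanup that `setup` performs, and `setup.py upload` is deprecated in favour of twine, which uploads an already-built artifact that can be inspected before it is published.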

Changes to README.md.

1
2
3
4
5
6
7
8
9
10
11
12
13


14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44


> *WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION*
> (It doesn't, but: no waranty and such.)

## modseccfg

 * Simple GUI editor for SecRuleDisableById settings
 * Tries to suggest false positives from error and audit logs
 * And a few options to configure mod_security and CRS variables.
 * Obviously requires `ssh -X` forwarding, or preparing config
   rules on a local test setup, and `*.conf` files to be writable
   by current user (running as root is not advised).

# Usage



You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up
and running already (in DetectionOnly mode initially), to allow for log
inspection and adapting rules.

 1. start modseccfg (`python3 -m modseccfg`)
 2. Select a configuration/vhost file to inspect + work on.
 3. Pick the according error.log
 4. Inspect the rules with a high error count.
 5. [Disable] offending rules (if they're not essential to CRS, or would
    likely poke holes into useful protections).
 6. Thenceforth restart Apache after testing changes (`apache2ctl -t`).

## Notes

 * Preferrably do not edit default `/etc/apache*` files
 * Work on separated `/srv/web/conf.d/*` configuration, if available
 * And keep vhost settings in e.g. `vhost.*.dir` files, rather than
   multiple `<VirtualHost>` in one `*.conf` (else only the first section
   will be augmented).

## Missing features

 * Doesn't process any audit.log yet.
 * Can't classify wrapped (`<Location>` or other directives) rules yet.
 * No rule information dialog.
 * No SecOption editor yet.
 * No CRS settings (setvar:crs…) editor yet.
 * Recipes are not worth using yet.
 * No sudo usage.
 * No support for nginx or mod_sec v3.









|




|
>
>













|







|









>
>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
> *WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION*
> (It doesn't, but: no waranty and such.)

## modseccfg

 * Simple GUI editor for SecRuleDisableById settings
 * Tries to suggest false positives from error and audit logs
 * (And a few options to configure mod_security and CRS variables.)
 * Obviously requires `ssh -X` forwarding, or preparing config
   rules on a local test setup, and `*.conf` files to be writable
   by current user (running as root is not advised).

## Usage

![](https://fossil.include-once.org/modseccfg/raw/59f5daf65f51?m=image/gif)

You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up
and running already (in DetectionOnly mode initially), to allow for log
inspection and adapting rules.

 1. start modseccfg (`python3 -m modseccfg`)
 2. Select a configuration/vhost file to inspect + work on.
 3. Pick the according error.log
 4. Inspect the rules with a high error count.
 5. [Disable] offending rules (if they're not essential to CRS, or would
    likely poke holes into useful protections).
 6. Thenceforth restart Apache after testing changes (`apache2ctl -t`).

### Notes

 * Preferrably do not edit default `/etc/apache*` files
 * Work on separated `/srv/web/conf.d/*` configuration, if available
 * And keep vhost settings in e.g. `vhost.*.dir` files, rather than
   multiple `<VirtualHost>` in one `*.conf` (else only the first section
   will be augmented).

### Missing features

 * Doesn't process any audit.log yet.
 * Can't classify wrapped (`<Location>` or other directives) rules yet.
 * No rule information dialog.
 * No SecOption editor yet.
 * No CRS settings (setvar:crs…) editor yet.
 * Recipes are not worth using yet.
 * No sudo usage.
 * No support for nginx or mod_sec v3.
 * No support for Windows setups. (Would work, but no interest in user support.)
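
Review bot: The image added under `## Usage` has empty alt text (`![](...)`) and is hot-linked by artifact hash from fossil.include-once.org, so once this file is converted to README.rst for the package description the screencast renders only while that host serves the artifact, and readers without images get nothing. Add a short alt text describing what the GIF shows. Since the file is being touched anyway, "waranty" in the warning block and "Preferrably" under Notes are still misspelled on the new side.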

Changes to setup.py.

8
9
10
11
12
13
14

15
16
17
18
19
20
21
22
23
24
#

from pluginconf.setup import setup

setup(
    fn="modseccfg/__init__.py",
    name="modseccfg",

    package_dir={"": "."},
    package_data={},
    data_files=[],
    entry_points={
        "console_scripts": [
            "modseccfg=modseccfg.mainwindow:main",
        ]
    }
)








>










8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#

from pluginconf.setup import setup

setup(
    fn="modseccfg/__init__.py",
    name="modseccfg",
    long_description="README.rst",
    package_dir={"": "."},
    package_data={},
    data_files=[],
    entry_points={
        "console_scripts": [
            "modseccfg=modseccfg.mainwindow:main",
        ]
    }
)
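
Review bot: The new `long_description="README.rst"` argument passes a file name, not the description text; plain setuptools would publish the literal string "README.rst" as the package description, so this only works if the `pluginconf.setup` wrapper reads the file, which is not visible in this hunk. Either read the file explicitly here or add a comment stating that the wrapper resolves the path. No `long_description_content_type` is set alongside it, and README.rst is a generated file, so the build fails or ships a stale description unless the pandoc step has run first.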