GUI editor to tame mod_security rules

βŒˆβŒ‹ βŽ‡ branch:  modseccfg

Fix is_glob taking precedence over not writable() in log reader, more details for subprocess.run() tasks (instead of os.system() now)
mario authored 0 days ago last checkin 21714627e
πŸ“‚ data Add data/ dir, and common_false_positives.log (for CRS 2.2 however, nβ€Ήβ€Ί 8 days ago
πŸ“„ __init__.py Release as 0.4.0β€Ήβ€Ί 0 days ago
πŸ“„ __main__.py Initial prototype (conf parser, log reader, mainwindow somewhat functβ€Ήβ€Ί 12 days ago
πŸ“„ crsoptions.py Change `fn` to select with existing vhost/conf filesβ€Ήβ€Ί 1 days ago
πŸ“„ editor.py Pointless featuritis: add "r/o" for editor statusbar, adapt flag on "β€Ήβ€Ί 0 days ago
πŸ“„ icons.py Use crs icon.β€Ήβ€Ί 6 days ago
πŸ“„ logs.py Fix is_glob taking precedence over not writable() in log reader, moreβ€Ήβ€Ί 0 days ago
πŸ“„ mainwindow.py Release as 0.4.0β€Ήβ€Ί 0 days ago
πŸ“„ recipe.py Build data bad() from log line. Complete some comments for recipies, β€Ήβ€Ί 0 days ago
πŸ“„ ruleinfo.py Wrap .msg textβ€Ήβ€Ί 7 days ago
πŸ“„ secoptions.py Reshuffle directive categories, add 0640 in place of "octal_mode"β€Ήβ€Ί 6 days ago
πŸ“„ utils.py Fix is_glob taking precedence over not writable() in log reader, moreβ€Ήβ€Ί 0 days ago
πŸ“„ vhosts.py Introduce vhost.warn message (for writeability or multiple vhost warnβ€Ήβ€Ί 0 days ago
πŸ“„ writer.py Fix missing lookahead for rx.end (closing VHost section got stripped β€Ήβ€Ί 4 days ago

modseccfg

WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION - It doesn't, but: no warranty and such. - Also, hasn't many features yet.

mod_security config

  • Simple GUI editor for SecRuleRemoveById settings
  • Tries to suggest false positives from error and audit logs
  • Can configure mod_security directives and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or per modseccfg vps5:/ automount.

Installation

  • You can install this package locally or on a server:

    pip3 install -U modseccfg
    
  • Requires a full Python 3.x installation:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2
    

Start options

  • To run the GUI locally / on test setups:

    modseccfg
    
  • To start it on a server per X11 forwarding (terribly slow over SSH):

    ssh -X vps5 modseccfg
    
  • Alternatively use xpra:

    xpra --start ssh:vps5 --start=modseccfg
    
  • Best: use an automatic filesystem mount (with ssh shortcut/pubkey auth already configured). That's a bit slow on startup, but pays off when browsing for details.

    modseccfg root@vps5:/
    

WARNING: This will bind the remote / server root. Take care to configure the mount point (File β†’ Settings β†’ Utils β†’ Remote binding), and no backup or cleanup job is running whilst modseccfg is active.
This doesn't strictly require the root user for ssh, but permissions for logs and individual *.conf files when changed (chown the ones that shall be editable). The sshfs/fuse mount will be terminated with the GUI, though.

Usage

You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect + work on.
  3. Pick the according error.log
  4. Inspect the rules with a high error count.
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Else craft an exception rule ([Modify] or β†’Recipes).
  6. Thenceforth restart Apache after testing changes (apache2ctl -t).

Notes

  • Preferrably do not edit default /etc/apache* files
  • Work on separated /srv/web/conf.d/* configuration, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
  • Use the editor (F4) to verify more complex settings.

Missing features

  • Rule [modify] is still unimplemented.
  • Recipes are not worth using yet.
  • No sudo usage.