Artifact [888b8b7654]
Artifact 888b8b765443948c0424086a1e2ca567ba461945e915bcfa92abad9e15b130bf:
- File README.md — part of check-in [8e624a20d3] at 2020-11-20 14:28:48 on branch trunk — Type and description changes in crsoptions. Release as 0.3.0 (user: mario size: 3119)
WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION
- It doesn't, but: no warranty and such. - Also, hasn't many features yet.
modseccfg
- Simple GUI editor for SecRuleRemoveById settings
- Tries to suggest false positives from error and audit logs
- And configure mod_security and CoreRuleSet variables.
- Runs locally, via
ssh -X
forwarding, or permodseccfg vps5:/
automount.
Installation
You can install this package locally or on a server:
pip3 install modseccfg
And your distro must provide a full Python 3.x installaton:
sudo apt install python3-tk ttf-unifont libapache2-mod-security2
Start options
To run the GUI locally / on test setups:
modseccfg
To start it on a server per X11 forwarding (terribly slow over SSH):
ssh -X vps5 modseccfg
Alternatively use xpra:
xpra --start ssh:vps5 --start=modseccfg
Best: use an automatic filesystem mount (with ssh shortcut/pubkey auth already configured). That's a bit slow on startup, but pays off when browsing for details.
modseccfg vps5:/
WARNING: This will bind the remote /
server root. Take care to
configure the mount point (File β Settings β Utils β Remote binding),
and no backup or cleanup job is running whilst modseccfg is active.
This doesn't strictly require the root user for ssh, but permissions
for logs and individual *.conf
files when changed (chown
the ones
that shall be editable).
The sshfs/fuse mount will be terminated with the GUI, though.
Usage
You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.
- Start modseccfg (
python3 -m modseccfg
) - Select a configuration/vhost file to inspect + work on.
- Pick the according error.log
- Inspect the rules with a high error count (β[info] button to see docs).
- [Disable] offending rules
- Don't just go by the error count however!
- Make sure you don't disable essential or heuristic rules.
- Compare error with access log details.
- Else craft an exception rule ([Modify] or βRecipes).
- Thenceforth restart Apache after testing changes (
apache2ctl -t
).
Notes
- Preferrably do not edit default
/etc/apache*
files - Work on separated
/srv/web/conf.d/*
configuration, if available - And keep vhost settings in e.g.
vhost.*.dir
files, rather than multiple<VirtualHost>
in one*.conf
(else only the first section will be augmented).
Missing features
- File permission check on remote host is non-functional still.
- Doesn't process any audit.log yet.
- Can't classify wrapped (
<Location>
/<FilesMatch>
) rules yet. - ~~No rule information dialog.~~
- ~~No SecOption editor yet.~~
- ~~No CRS settings (setvar:crsβ¦) editor yet.~~
- Recipes are not worth using yet.
- No sudo usage.