GUI editor to tame mod_security rules

⌈⌋ ⎇ branch:  modseccfg


modify

SecRuleUpdate dialog

The âž— Modify dialog allows to change flags for rules, such as logging or distruptive actions. It also combines SecRuleUpdateTarget changes, so input parameters can be exempt from rules. It's not overly practical in a GUI tool, but again provides a good starting point for adapting behaviour and has some tooltip help.

img

Looks more complicated than it is. You usually just want to change the colorful flags for some rules. Params and control options are less useful usually.

The Save will apply whatever the preview box atop this dialog shows. So technically you could edit the generated directives. (They only update whenever a significant input or checkbox is changed.)

Target/Vars

Defines which input variables you want to remove from the rule condition / check.

  • You don't usually want to change rules that check any TX.* variables, but REQUEST_* or ARGS for example.
  • You can select from some of the default options, or add custom names in either of the input fields.
  • Additional targets could be comma-separated (ARGS:user,ARGS:pw). Though it's easier to just invoke the dialog repeatedly or use any editor (F4) afterwards.
  • The Transforms are applied to those input fields before any @rx condition is tested.

Actions/Flags

You can have one of the disruptive actions enabled (allow/pass or deny, drop, block, or pause). Whereas logging options are freely combinable.

  • The "pause" option can be set under Params, but is actually a flag (perhaps best comined with "block", or rarely "pass").
  • "chain" and "skip" are options that cannot/should not be overridden, hence greyed out.
  • The "status" option takes effect when the action is "deny".

Actions/Params

Parameterized options are presented with an input field or dropdown here. Though you probably don't want to change rule message or logdata.

  • "redirect" is another disruptive option (best combined with "block").
  • But disabling "ctl:ruleEngine" can sometimes be useful, if you have a custom rule that should exempt all other rules from running.
  • "phase" is another option which can't really be changed.

Actions/Control

Some additional flags are presented below the fold. Along with the lesser used options from some rules.

  • Meta attributes like "ver" and "severity" are not very useful here.
  • But changing the "ctl:auditEngine" or its logParts could be useful for debugging individual rules.

Attachments:

  • modify.png [download] added by mario on 2021-01-03 19:59:40. [details]