GUI editor to tame mod_security rules

βŒˆβŒ‹ βŽ‡ branch:  modseccfg

patch for PluginMeta() wrapper required in last pluginconf.gui.window()
mario authored 403 days ago last checkin 4f8b060ed
πŸ“‚ data Add data/ dir, and common_false_positives.log (for CRS 2.2 however, nβ€Ήβ€Ί 1477 days ago
πŸ“‚ install Add basic plugin_load(), generilize `add_menu()` into `init()`β€Ήβ€Ί 1437 days ago
πŸ“‚ scripts Add basic plugin_load(), generilize `add_menu()` into `init()`β€Ήβ€Ί 1437 days ago
πŸ“„ __init__.py comment fixesβ€Ήβ€Ί 773 days ago
πŸ“„ __main__.py Initial prototype (conf parser, log reader, mainwindow somewhat functβ€Ήβ€Ί 1481 days ago
πŸ“„ advise.py hacky support for [menu]β†’[event] markupβ€Ήβ€Ί 1461 days ago
πŸ“„ crsoptions.py patch for PluginMeta() wrapper required in last pluginconf.gui.windowβ€Ήβ€Ί 403 days ago
πŸ“„ editor.py Use SPDX id in license:β€Ήβ€Ί 1464 days ago
πŸ“„ icons.py Use crs icon.β€Ήβ€Ί 1475 days ago
πŸ“„ logs.py change print() to log()β€Ήβ€Ί 1441 days ago
πŸ“„ mainwindow.py accessible MenuInstance for newer PSG, migrate to pluginconf.bind intβ€Ήβ€Ί 762 days ago
πŸ“„ modify.py Remove remaining emoji Unicode occurences (info, modify, vhosts)β€Ήβ€Ί 1377 days ago
πŸ“„ msc_pyrewrite.py Performance fix for pyrewrite in range() check.β€Ήβ€Ί 1344 days ago
πŸ“„ recipe.py Add $msg placeholder for recipesβ€Ήβ€Ί 1369 days ago
πŸ“„ ruleinfo.py Remove remaining emoji Unicode occurences (info, modify, vhosts)β€Ήβ€Ί 1377 days ago
πŸ“„ secoptions.py patch for PluginMeta() wrapper required in last pluginconf.gui.windowβ€Ήβ€Ί 403 days ago
πŸ“„ utils.py accessible MenuInstance for newer PSG, migrate to pluginconf.bind intβ€Ήβ€Ί 762 days ago
πŸ“„ vhosts.py comment fixesβ€Ήβ€Ί 773 days ago
πŸ“„ writer.py comment fixesβ€Ήβ€Ί 773 days ago

modseccfg

Help

mod_security config GUI

  • GUI to define SecRuleRemoveById settings on a vhost-basis
  • Tries to suggest false positives from error and audit logs
  • And configure mod_security and CoreRuleSet variables.
  • Runs locally, via ssh -X forwarding, or per modseccfg ssh:/ remoting.

WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION - It doesn't, but: no warranty and such. - Also, hasn't many features yet.

Installation

  • You can install this package locally or on a server:

    pip3 install -U modseccfg

  • And your distro must provide a full Python installaton and mod_security:

    sudo apt install python3-tk ttf-unifont libapache2-mod-security2

Start options

  • To run the GUI locally / on test setups:

    modseccfg

  • Or to connect to a remote server:

    modseccfg root@vps5:/

Takes a bit longer on startup, but is heaps better than X11 forwarding.

Usage

You obviously should have Apache + mod_security + CRS set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. Start modseccfg (python3 -m modseccfg)
  2. Select a configuration/vhost file to inspect + work on.
  3. Pick the according error.log
  4. Inspect the rules with a high error count.
  5. [Disable] offending rules
    • Don't just go by the error count however!
    • Make sure you don't disable essential or heuristic rules.
    • Compare error with access log details.
    • Else craft an exception rule ([Modify] or β†’Recipes).
  6. Thenceforth restart Apache (after testing changes: apache2ctl -t).

See also:

Notes

  • Preferrably do not edit default /etc/apache* files
  • Work on separated /srv/web/conf.d/* configuration, if available
  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).
  • Use the editor (F4) to verify more complex settings.

Missing features

  • Rule [modify] is still unimplemented.
  • Recipes are not worth using yet.
  • No sudo usage.

Attachments:

  • overview.gif [download] added by mario on 2020-12-09 22:39:53. [details]