feat: improve rule configuration

- Configure rules to update in a separate configuration file - Use generic script to configure rules that doesn't rely on exact match of rule - Log which rules are configured - Log when a rule that should be configured wasn't found
coreruleset · Dec 23, 2024 · 2f1b656 · 2f1b656
1 parent c50bb16
commit 2f1b656
Show file tree

Hide file tree

Showing 10 changed files with 217 additions and 156 deletions.
diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -158,7 +158,7 @@ COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/bin/* /usr/local/bin/
 COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
-COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
+COPY src/opt/modsecurity/* /opt/modsecurity/
 COPY apache/docker-entrypoint.sh /
 
 RUN set -eux; \
@@ -167,6 +167,7 @@ RUN set -eux; \
     apt-get install -qq -y --no-install-recommends --no-install-suggests \
         ca-certificates \
         curl \
+        ed \
         gnupg \
         iproute2 \
         libcurl3-gnutls \

diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -166,7 +166,7 @@ COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapp
 COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
 COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
 COPY src/bin/* /usr/local/bin/
-COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
+COPY src/opt/modsecurity/* /opt/modsecurity/
 COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
 COPY apache/docker-entrypoint.sh /
 
@@ -176,6 +176,7 @@ RUN set -eux; \
     apk add --no-cache \
         ca-certificates \
         curl \
+        ed \
         gnupg \
         iproute2 \
         libfuzzy2 \

diff --git a/apache/docker-entrypoint.sh b/apache/docker-entrypoint.sh
@@ -3,7 +3,7 @@
 /usr/local/bin/generate-certificate /usr/local/apache2
 /usr/local/bin/check-low-port
 
-. /opt/modsecurity/activate-plugins.sh
-. /opt/modsecurity/activate-rules.sh
+/opt/modsecurity/activate-plugins.sh
+/opt/modsecurity/configure-rules.sh
 
 exec "$@"
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -192,7 +192,6 @@ ENV \
     SSL_VERIFY=off \
     WORKER_CONNECTIONS=1024 \
     # CRS specific variables
-    PARANOIA=1 \
     ANOMALY_INBOUND=5 \
     ANOMALY_OUTBOUND=4 \
     BLOCKING_PARANOIA=1
@@ -208,7 +207,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
 COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
 COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
 COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
-COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
+COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
+COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
 # We use the templating mechanism from the nginx image here.
 COPY nginx/templates /etc/nginx/templates/
 COPY src/bin/* /usr/local/bin/
@@ -221,6 +221,7 @@ RUN set -eux; \
     LD_LIBRARY_PATH="" apt-get install -y -qq --no-install-recommends --no-install-suggests \
         ca-certificates \
         curl \
+        ed \
         libcurl4-gnutls-dev \
         libfuzzy2 \
         liblua${LUA_VERSION} \

diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
@@ -200,7 +200,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
 COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
 COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
 COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
-COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
+COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
+COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
 # We use the templating mechanism from the nginx image here.
 COPY nginx/templates /etc/nginx/templates/
 COPY src/bin/* /usr/local/bin/
@@ -211,6 +212,7 @@ RUN set -eux; \
     apk add --no-cache \
         curl \
         curl-dev \
+        ed \
         libfuzzy2 \
         libmaxminddb-dev \
         libstdc++ \

diff --git a/openresty/Dockerfile-alpine b/openresty/Dockerfile-alpine
@@ -203,7 +203,8 @@ COPY src/etc/modsecurity.d/modsecurity.conf /usr/local/openresty/nginx/templates
 COPY src/etc/modsecurity.d/modsecurity-override.conf /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity-override.conf.template
 COPY src/etc/modsecurity.d/setup.conf /usr/local/openresty/nginx/templates/modsecurity.d/setup.conf.template
 COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
-COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
+COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
+COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
 COPY src/bin/* /usr/local/bin/
 
 # Openresty specific block.
@@ -216,6 +217,7 @@ RUN set -eux; \
     apk add --no-cache \
         curl \
         curl-dev \
+        ed \
         libfuzzy2 \
         libmaxminddb-dev \
         libstdc++ \

diff --git a/src/opt/modsecurity/activate-plugins.sh b/src/opt/modsecurity/activate-plugins.sh
@@ -1,5 +1,7 @@
 #!/bin/sh -e
 
+printf "# # #\nRunning CRS plugin activation\n- - -\n\n"
+
 # Check if crs-setup.conf is overriden
 if [ -n "${MANUAL_MODE}" ]; then
   echo "Using manual config mode"
@@ -25,3 +27,4 @@ for suffix in "config" "before" "after"; do
     fi
 done
 
+printf -- "- - -\nFinished CRS plugin activation\n# # #\n\n"
diff --git a/src/opt/modsecurity/activate-rules.sh b/src/opt/modsecurity/activate-rules.sh
diff --git a/src/opt/modsecurity/configure-rules.conf b/src/opt/modsecurity/configure-rules.conf
@@ -0,0 +1,28 @@
+# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>
+# The octothorpe (#) designates a comment, comments are ignored
+
+# Superceded by BLOCKING_PARANOIA
+true|PARANOIA|900000|blocking_paranoia_level
+true|PARANOIA|900001|detection_paranoia_level
+false|BLOCKING_PARANOIA|900000|blocking_paranoia_level
+# Superceded by DETECTION_PARANOIA
+true|EXECUTING_PARANOIA|900001|executing_paranoia_level
+false|DETECTION_PARANOIA|900001|detection_paranoia_level
+false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded
+false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold
+false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold
+false|ALLOWED_METHODS|900200|allowed_methods
+false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type
+false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset
+false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions
+false|RESTRICTED_EXTENSIONS|900240|restricted_extensions
+false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic
+false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended
+false|MAX_NUM_ARGS|900300|max_num_args
+false|ARG_NAME_LENGTH|900310|arg_name_length
+false|ARG_LENGTH|900230|arg_length
+false|TOTAL_ARG_LENGTH|900330|total_arg_length
+false|MAX_FILE_SIZE|900340|max_file_size
+false|COMBINED_FILE_SIZES|900350|combined_file_sizes
+false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding
+false|REPORTING_LEVEL|900115|reporting_level