From bdd24a8411337b6308e001e3e3016930c8e55007 Mon Sep 17 00:00:00 2001 
From: Michael Orlitzky Date: Sat, 13 May 2017 20:17:43 -0400 Subject: www-apache/mod_security: new revision with updated default configuration. I've made a few small changes to the configuration file that we install by default. First, I've added two settings, SecTmpDir and SecUploadDir, which serve a similar purpose as the existing SecDataDir. All of those need to be located somewhere safe, and the upstream defaults point to /tmp (which is not safe). It is therefore necessary that we override them, and point them to a location that is created and made private in the ebuild. We now use /var/lib/modsecurity/{data,tmp,upload} and I've made them mode 0750 by default (owned by apache:apache). I've also removed two settings that used to be present. Our default configuration is extremely close to the upstream defaults, and sets almost nothing in 79_mod_security.conf explicitly. The presence of SecHttpBlKey was therefore rather strange, since it was disabled by default and contained nothing Gentoo-specific. I've removed it for consistency (it is documented upstream for people who want it). The other setting that I've removed is SecGeoLookupDb. This one could at least be justified for containing a Gentoo-specific path. However, the path doesn't work out-of-the-box; it requires you to (manually, or via cron) update your GeoIP database at least once before using it. At that point, you know the location of the database, and can point mod_security to it yourself. Taking that into consideration, it again makes more sense to omit the setting for consistency and defer to the upstream documentation and defaults. 
Package-Manager: Portage-2.3.3, Repoman-2.3.1 --- www-apache/mod_security/files/79_mod_security.conf | 20 ++-- .../mod_security/mod_security-2.9.1-r1.ebuild | 108 +++++++++++++++++++++ www-apache/mod_security/mod_security-2.9.1.ebuild | 103 -------------------- 3 files changed, 122 insertions(+), 109 deletions(-) create mode 100644 www-apache/mod_security/mod_security-2.9.1-r1.ebuild delete mode 100644 www-apache/mod_security/mod_security-2.9.1.ebuild (limited to 'www-apache') diff --git a/www-apache/mod_security/files/79_mod_security.conf b/www-apache/mod_security/files/79_mod_security.conf index bd88e88a9771..8c7e128571ed 100644 --- a/www-apache/mod_security/files/79_mod_security.conf +++ b/www-apache/mod_security/files/79_mod_security.conf @@ -1,11 +1,19 @@ LoadModule security2_module modules/mod_security2.so - SecDataDir /var/lib/modsecurity - # Enable looking up geolocation data from MaxMind's GeoIP database - # SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat + # These paths are Gentoo-specific, created by the ebuild. + SecDataDir /var/lib/modsecurity/data + SecTmpDir /var/lib/modsecurity/tmp + SecUploadDir /var/lib/modsecurity/upload - # Define here your http:BL API key if any - # see http://www.projecthoneypot.org/httpbl_api.php - #SecHttpBlKey xxxxxxxx + # A copy of upstream's modsecurity.conf-recommended is installed + # along with the documentation for mod_security. It contains many + # recommended settings that you should evaluate for your system. + # The full documentation for the available settings can be found + # in the mod_security reference manual, at + # + # https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual + # + # and in particular in the "Configuration Directives" setting. + # diff --git a/www-apache/mod_security/mod_security-2.9.1-r1.ebuild b/www-apache/mod_security/mod_security-2.9.1-r1.ebuild new file mode 100644 index 000000000000..6dc8bf354d1c --- /dev/null +++ b/www-apache/mod_security/mod_security-2.9.1-r1.ebuild 
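Review bot: The closing comment of the new block points readers at the "Configuration Directives" `setting`, but that is a section of the reference manual, not a directive; the line should read `# and in particular in the "Configuration Directives" section.` The three new paths would also benefit from a one-line caveat for admins who relocate them: upstream's reference manual requires SecUploadDir to be on the same filesystem as SecTmpDir (intercepted uploads are moved between them), and both directories receive raw request bodies and uploaded files, so they must stay private. Something like `# Keep SecTmpDir and SecUploadDir on the same filesystem and private: request bodies and uploaded files are written here.` would capture that; the ebuild's 0750 apache:apache directories satisfy it by default, but only as long as nobody points the directives back at /tmp.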
@@ -0,0 +1,108 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit apache-module
+
+MY_PN=modsecurity
+MY_P=${MY_PN}-${PV}
+
+DESCRIPTION="Application firewall and intrusion detection for Apache"
+HOMEPAGE="http://www.modsecurity.org/"
+SRC_URI="http://www.modsecurity.org/tarball/${PV}/${MY_P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="doc fuzzyhash geoip jit json lua mlogc"
+
+COMMON_DEPEND="dev-libs/apr
+ dev-libs/apr-util[openssl]
+ dev-libs/libxml2
+ dev-libs/libpcre[jit?]
+ fuzzyhash? ( app-crypt/ssdeep )
+ json? ( dev-libs/yajl )
+ lua? ( dev-lang/lua:0 )
+ mlogc? ( net-misc/curl )
+ www-servers/apache[apache2_modules_unique_id]"
+DEPEND="${COMMON_DEPEND}
+ doc? ( app-doc/doxygen )"
+RDEPEND="${COMMON_DEPEND}
+ geoip? ( dev-libs/geoip )
+ mlogc? ( dev-lang/perl )"
+PDEPEND=">=www-apache/modsecurity-crs-2.2.6-r1"
+
+S="${WORKDIR}/${MY_P}"
+
+APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
+APACHE2_MOD_CONF="79_${PN}"
+APACHE2_MOD_DEFINE="SECURITY"
+
+# Tests require symbols only defined within the Apache binary.
+RESTRICT=test
+
+need_apache2
+
+src_configure() {
+ econf --enable-shared \
+ --disable-static \
+ --with-apxs="${APXS}" \
+ --enable-request-early \
+ --with-pic \
+ $(use_with fuzzyhash ssdeep) \
+ $(use_with json yajl) \
+ $(use_enable mlogc) \
+ $(use_with lua) \
+ $(use_enable lua lua-cache) \
+ $(use_enable jit pcre-jit)
+}
+
+src_compile() {
+ default
+
+ # Building the docs is broken at the moment, see e.g.
+ # https://github.com/SpiderLabs/ModSecurity/issues/1322
+ if use doc; then
+ doxygen doc/doxygen-apache.conf || die 'failed to build documentation'
+ fi
+}
+
+src_install() {
+ apache-module_src_install
+
+ dodoc CHANGES README.TXT modsecurity.conf-recommended
+
+ if use doc; then
+ dodoc -r doc/apache/html
+ fi
+
+ if use mlogc; then
+ insinto /etc/
+ newins mlogc/mlogc-default.conf mlogc.conf
+ dobin mlogc/mlogc
+ dobin mlogc/mlogc-batch-load.pl
+ newdoc mlogc/INSTALL INSTALL-mlogc
+ fi
+
+ # Use /var/lib instead of /var/cache. This stuff is "persistent,"
+ # and isn't a cached copy of something that we can recreate.
+ # Bug 605496.
+ keepdir /var/lib/modsecurity
+ fowners apache:apache /var/lib/modsecurity
+ fperms 0750 /var/lib/modsecurity
+ for dir in data tmp upload; do
+ keepdir "/var/lib/modsecurity/${dir}"
+ fowners apache:apache "/var/lib/modsecurity/${dir}"
+ fperms 0750 "/var/lib/modsecurity/${dir}"
+ done
+}
+
+pkg_postinst() {
+ elog "The base configuration file has been renamed ${APACHE2_MOD_CONF}"
+ elog "so that you can put your own configuration in (for example)"
+ elog "90_modsecurity_local.conf."
+ elog ""
+ elog "That would be the correct place for site-global security rules."
+ elog "Note: 80_modsecurity_crs.conf is used by www-apache/modsecurity-crs"
+}
diff --git a/www-apache/mod_security/mod_security-2.9.1.ebuild b/www-apache/mod_security/mod_security-2.9.1.ebuild
deleted file mode 100644
index c444dd2ecf3c..000000000000
--- a/www-apache/mod_security/mod_security-2.9.1.ebuild
+++ /dev/null
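Review bot: SecDataDir now resolves to /var/lib/modsecurity/data instead of /var/lib/modsecurity, but pkg_postinst says nothing about it, so on upgrade any persistent collection files already written to the old directory are silently left behind and the module starts with empty ip/session/user collections; add an upgrade hint next to the existing elog lines, e.g. `elog "SecDataDir now defaults to /var/lib/modsecurity/data; move any existing"` and `elog "persistent collection files there, or they will no longer be read."`. The comment above keepdir ("This stuff is persistent") already acknowledges that the data matters, which is exactly why a silent path change deserves a notice. Separately, `newins mlogc/mlogc-default.conf mlogc.conf` installs the file where mlogc's sensor credentials are configured with the default install mode, so an `insopts -m0640` before it would avoid a world-readable credential file once an admin fills it in; this is carried over from the previous revision rather than introduced here.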
@@ -1,103 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-inherit apache-module
-
-MY_PN=modsecurity
-MY_P=${MY_PN}-${PV}
-
-DESCRIPTION="Application firewall and intrusion detection for Apache"
-HOMEPAGE="http://www.modsecurity.org/"
-SRC_URI="http://www.modsecurity.org/tarball/${PV}/${MY_P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="doc fuzzyhash geoip jit json lua mlogc"
-
-COMMON_DEPEND="dev-libs/apr
- dev-libs/apr-util[openssl]
- dev-libs/libxml2
- dev-libs/libpcre[jit?]
- fuzzyhash? ( app-crypt/ssdeep )
- json? ( dev-libs/yajl )
- lua? ( dev-lang/lua:0 )
- mlogc? ( net-misc/curl )
- www-servers/apache[apache2_modules_unique_id]"
-DEPEND="${COMMON_DEPEND}
- doc? ( app-doc/doxygen )"
-RDEPEND="${COMMON_DEPEND}
- geoip? ( dev-libs/geoip )
- mlogc? ( dev-lang/perl )"
-PDEPEND=">=www-apache/modsecurity-crs-2.2.6-r1"
-
-S="${WORKDIR}/${MY_P}"
-
-APACHE2_MOD_FILE="apache2/.libs/${PN}2.so"
-APACHE2_MOD_CONF="79_${PN}"
-APACHE2_MOD_DEFINE="SECURITY"
-
-# Tests require symbols only defined within the Apache binary.
-RESTRICT=test
-
-need_apache2
-
-src_configure() {
- econf --enable-shared \
- --disable-static \
- --with-apxs="${APXS}" \
- --enable-request-early \
- --with-pic \
- $(use_with fuzzyhash ssdeep) \
- $(use_with json yajl) \
- $(use_enable mlogc) \
- $(use_with lua) \
- $(use_enable lua lua-cache) \
- $(use_enable jit pcre-jit)
-}
-
-src_compile() {
- default
-
- # Building the docs is broken at the moment, see e.g.
- # https://github.com/SpiderLabs/ModSecurity/issues/1322
- if use doc; then
- doxygen doc/doxygen-apache.conf || die 'failed to build documentation'
- fi
-}
-
-src_install() {
- apache-module_src_install
-
- dodoc CHANGES README.TXT modsecurity.conf-recommended
-
- if use doc; then
- dodoc -r doc/apache/html
- fi
-
- if use mlogc; then
- insinto /etc/
- newins mlogc/mlogc-default.conf mlogc.conf
- dobin mlogc/mlogc
- dobin mlogc/mlogc-batch-load.pl
- newdoc mlogc/INSTALL INSTALL-mlogc
- fi
-
- # Use /var/lib instead of /var/cache. This stuff is "persistent,"
- # and isn't a cached copy of something that we can recreate.
- # Bug 605496.
- keepdir /var/lib/modsecurity
- fowners apache:apache /var/lib/modsecurity
- fperms 0770 /var/lib/modsecurity
-}
-
-pkg_postinst() {
- elog "The base configuration file has been renamed ${APACHE2_MOD_CONF}"
- elog "so that you can put your own configuration in (for example)"
- elog "90_modsecurity_local.conf."
- elog ""
- elog "That would be the correct place for site-global security rules."
- elog "Note: 80_modsecurity_crs.conf is used by www-apache/modsecurity-crs"
-}
-- cgit v1.2.3-65-gdbad