Added vhost option SecRuleRemoveByMsg

puppetlabs · Mar 30, 2016 · 800c7ce · 800c7ce
1 parent 8082d2a
commit 800c7ce
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -2263,6 +2263,22 @@ apache::vhost { 'sample.example.net':
 
 Specifies an array of IP addresses to exclude from [`mod_security`][] rule matching. Default: undef.
 
+###### `modsec_disable_msgs`
+
+Array of mod_security Msgs to remove from the virtual host. Also takes a hash allowing removal of an Msg from a specific location. Default: undef.
+
+``` puppet
+apache::vhost { 'sample.example.net':
+  modsec_disable_msgs => [ 'Blind SQL Injection Attack', 'Session Fixation Attack' ],
+}
+```
+
+``` puppet
+apache::vhost { 'sample.example.net':
+  modsec_disable_msgs => { '/location1' => [ 'Blind SQL Injection Attack', 'Session Fixation Attack' ] },
+}
+```
+
 ###### `modsec_disable_tags`
 
 Array of mod_security Tags to remove from the virtual host. Also takes a hash allowing removal of an Tag from a specific location. Default: undef.

diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -130,6 +130,7 @@
   $modsec_disable_vhost        = undef,
   $modsec_disable_ids          = undef,
   $modsec_disable_ips          = undef,
+  $modsec_disable_msgs         = undef,
   $modsec_disable_tags         = undef,
   $modsec_body_limit           = undef,
   $jk_mounts                   = undef,
@@ -509,6 +510,16 @@
     }
   }
 
+  if $modsec_disable_msgs {
+    if is_hash($modsec_disable_msgs) {
+      $_modsec_disable_msgs = $modsec_disable_msgs
+    } elsif is_array($modsec_disable_msgs) {
+      $_modsec_disable_msgs = { '.*' => $modsec_disable_msgs }
+    } else {
+      fail("Apache::Vhost[${name}]: 'modsec_disable_msgs' must be either a Hash of location/Msgs or an Array of Msgs")
+    }
+  }
+
   if $modsec_disable_tags {
     if is_hash($modsec_disable_tags) {
       $_modsec_disable_tags = $modsec_disable_tags
@@ -993,9 +1004,10 @@
   # - $modsec_disable_vhost
   # - $modsec_disable_ids
   # - $modsec_disable_ips
+  # - $modsec_disable_msgs
   # - $modsec_disable_tags
   # - $modsec_body_limit
-  if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_tags {
+  if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_msgs or $modsec_disable_tags {
     concat::fragment { "${name}-security":
       target  => "${priority_real}${filename}.conf",
       order   => 320,

diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb
@@ -249,6 +249,67 @@ class { 'apache::mod::security': }
 
   end #mod_security should allow disabling by id
 
+  context "mod_security should allow disabling by msg" do
+    it 'succeeds in puppeting mod_security' do
+      pp= <<-EOS
+        host { 'modsec.example.com': ip => '127.0.0.1', }
+        class { 'apache': }
+        class { 'apache::mod::security': }
+        apache::vhost { 'modsec.example.com':
+          port    => '80',
+          docroot => '/var/www/html',
+        }
+        file { '/var/www/html/index.html':
+          ensure  => file,
+          content => 'Index page',
+        }
+        file { '/var/www/html/index2.html':
+          ensure  => file,
+          content => 'Page 2',
+        }
+      EOS
+      apply_manifest(pp, :catch_failures => true)
+    end
+
+    describe service($service_name) do
+      if (fact('operatingsystem') == 'Debian' && fact('operatingsystemmajrelease') == '8')
+        pending 'Should be enabled - Bug 760616 on Debian 8'
+      else
+        it { should be_enabled }
+      end
+      it { is_expected.to be_running }
+    end
+
+    describe file("#{$mod_dir}/security.conf") do
+      it { is_expected.to contain "mod_security2.c" }
+    end
+
+    it 'should block query with SQL' do
+      shell '/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+    end
+
+    it 'should disable mod_security per vhost' do
+      pp= <<-EOS
+        class { 'apache': }
+        class { 'apache::mod::security': }
+        apache::vhost { 'modsec.example.com':
+          port               => '80',
+          docroot            => '/var/www/html',
+          modsec_disable_msgs => [ 'Blind SQL Injection Attack' ],
+        }
+      EOS
+      apply_manifest(pp, :catch_failures => true)
+    end
+
+    it 'should return index page' do
+      shell('/usr/bin/curl -A beaker -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r|
+        expect(r.stdout).to match(/Index page/)
+        expect(r.exit_code).to eq(0)
+      end
+    end
+
+  end #mod_security should allow disabling by msg
+
   context "mod_security should allow disabling by tag" do
     it 'succeeds in puppeting mod_security' do
       pp= <<-EOS

diff --git a/templates/vhost/_security.erb b/templates/vhost/_security.erb
@@ -15,6 +15,15 @@
   SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,id:1234123455"
   SecAction  "phase:2,pass,nolog,id:1234123456"
 <% end -%>
+<% if @_modsec_disable_msgs.is_a?(Hash) -%>
+<%   @_modsec_disable_msgs.each do |location,rules| -%>
+  <LocationMatch <%= location %>>
+<%     Array(rules).each do |rule| -%>
+    SecRuleRemoveByMsg "<%= rule %>"
+<%     end -%>
+  </LocationMatch>
+<%   end -%>
+<% end -%>
 <% if @_modsec_disable_tags.is_a?(Hash) -%>
 <%   @_modsec_disable_tags.each do |location,rules| -%>
   <LocationMatch <%= location %>>