bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

improved core rule set for modsec adjustment, wiki page fixes

Browse Source
This commit is contained in:
Bastian de Byl
2022-07-19 18:42:03 -04:00
parent a916194a9d
commit 7727897835
5 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ansible/roles/podman/defaults/main.yml
View File

@@ -112,7 +112,7 @@ crs_rule_links:
- name: REQUEST-944-APPLICATION-ATTACK-JAVA - name: REQUEST-944-APPLICATION-ATTACK-JAVA
enabled: true enabled: true
- name: REQUEST-949-BLOCKING-EVALUATION - name: REQUEST-949-BLOCKING-EVALUATION
enabled: true enabled: false
- name: RESPONSE-950-DATA-LEAKAGES - name: RESPONSE-950-DATA-LEAKAGES
enabled: true enabled: true
- name: RESPONSE-951-DATA-LEAKAGES-SQL - name: RESPONSE-951-DATA-LEAKAGES-SQL

26
ansible/roles/podman/tasks/configuration-nginx-modsec.yml
View File

@@ -48,7 +48,9 @@
mode: 0644 mode: 0644
remote_src: true remote_src: true
loop: "{{ modsec_conf_links }}" loop: "{{ modsec_conf_links }}"
notify: restorecon podman notify:
- restorecon podman
- restart nginx
tags: modsec tags: modsec
- name: setup coreruleset rules - name: setup coreruleset rules
@@ -63,7 +65,23 @@
remote_src: true remote_src: true
when: item.enabled when: item.enabled
loop: "{{ crs_rule_links }}" loop: "{{ crs_rule_links }}"
notify: restorecon podman notify:
- restorecon podman
- restart nginx
tags:
- modsec
- modsec_rules
- name: removed disabled coreruleset rules
become: true
ansible.builtin.file:
path: "{{ modsec_rules_path }}/{{ item.name }}.conf"
state: absent
when: not item.enabled
loop: "{{ crs_rule_links }}"
notify:
- restorecon podman
- restart nginx
tags: tags:
- modsec - modsec
- modsec_rules - modsec_rules
@@ -79,7 +97,9 @@
mode: 0644 mode: 0644
remote_src: true remote_src: true
loop: "{{ crs_data_links }}" loop: "{{ crs_data_links }}"
notify: restorecon podman notify:
- restorecon podman
- restart nginx
tags: tags:
- modsec - modsec
- modsec_rules - modsec_rules

2
ansible/roles/podman/tasks/container-bookstack.yml
View File

@@ -60,7 +60,7 @@
containers.podman.podman_container: containers.podman.podman_container:
name: bookstack name: bookstack
image: docker.io/solidnerd/bookstack:22.04 image: docker.io/solidnerd/bookstack:22.04
recreate: false recreate: true
restart: false restart: false
restart_policy: on-failure restart_policy: on-failure
log_driver: journald log_driver: journald

2
ansible/roles/podman/tasks/podman.yml
View File

@@ -85,6 +85,8 @@
become_user: "{{ podman_user }}" become_user: "{{ podman_user }}"
containers.podman.podman_network: containers.podman.podman_network:
name: shared name: shared
internal: false
disable_dns: false
tags: podman tags: podman
- name: allow unprivileged ports to lower number - name: allow unprivileged ports to lower number

2
ansible/roles/podman/templates/nginx/sites/wiki.skudakrennsport.com.https.conf.j2
View File

@@ -6,7 +6,7 @@ server {
modsecurity on; modsecurity on;
modsecurity_rules_file /etc/nginx/modsec_includes.conf; modsecurity_rules_file /etc/nginx/modsec_includes.conf;
resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; resolver 9.9.9.9 valid=60s;
listen 443 ssl http2; listen 443 ssl http2;
server_name {{ bookstack_server_name }}; server_name {{ bookstack_server_name }};