CU-cyk0dp[complete] Merge pull request #3 from bdebyl/CU-cyk0dp

CU-cyk0dp Added more rules to modsecurity

ansible/roles/common/defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 deps: [
   docker,
+  git,
   fail2ban,
   python-docker
 ]

ansible/roles/http/defaults/main.yml

@@ -5,27 +5,131 @@ deps: [
   nginx-mod-modsecurity
 ]
 
-nginx_dir: /etc/nginx
-nginx_conf_dir: "{{ nginx_dir }}/conf"
-modsec_rules_dir: "{{ nginx_conf_dir }}/rules"
-modsec_crs_before_rule_conf:
-  "{{ modsec_rules_dir }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
-modsec_crs_after_rule_conf:
-  "{{ modsec_rules_dir }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
-
 ci_server_name: ci.bdebyl.net
+install_path: /usr/share
 
-modsec_conf_url:
+nginx_path: /etc/nginx
-  https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
+nginx_conf_path: "{{ nginx_path }}/conf"
+modsec_rules_path: "{{ nginx_conf_path }}/rules"
+modsec_crs_before_rule_conf:
+  "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+modsec_crs_after_rule_conf:
+  "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
+modsec_path: "{{ install_path }}/modsecurity"
+crs_path: "{{ install_path }}/coreruleset"
+crs_rules_path: "{{ crs_path }}/rules"
 
-modsec_unicode_url:
+modsec_whitelist_local_re: >-
-  https://github.com/SpiderLabs/ModSecurity/raw/v3/master/unicode.mapping
+  ^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$
 
-crs_setup_url:
+modsec_whitelist_local: >-
-  https://github.com/coreruleset/coreruleset/raw/v3.4/dev/crs-setup.conf.example
+  SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24"
+  "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
 
-crs_before_url:
+modsec_git_urls:
-  https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+  - src: "https://github.com/coreruleset/coreruleset.git"
+    dest: "{{ crs_path }}"
+    ver: "v3.3.0"
+  - src: "https://github.com/SpiderLabs/ModSecurity.git"
+    dest: "{{ modsec_path }}"
+    ver: "v3.0.4"
 
-crs_after_url:
+modsec_conf_links:
-  https://github.com/coreruleset/coreruleset/raw/v3.4/dev/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+  - src: "{{ modsec_path }}/modsecurity.conf-recommended"
+    dest: "{{ nginx_path }}/modsecurity.conf"
+  - src: "{{ modsec_path }}/unicode.mapping"
+    dest: "{{ nginx_path }}/unicode.mapping"
+  - src: "{{ crs_path }}/crs-setup.conf.example"
+    dest: "{{ nginx_conf_path }}/crs-setup.conf"
+  - src:
+      "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
+    dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+  - src:
+      "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"
+    dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
+
+crs_rule_links:
+  - name: REQUEST-901-INITIALIZATION
+    enabled: true
+  - name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES
+    enabled: true
+  - name: REQUEST-905-COMMON-EXCEPTIONS
+    enabled: true
+  - name: REQUEST-910-IP-REPUTATION
+    enabled: true
+  - name: REQUEST-911-METHOD-ENFORCEMENT
+    enabled: true
+  - name: REQUEST-912-DOS-PROTECTION
+    enabled: true
+  - name: REQUEST-913-SCANNER-DETECTION
+    enabled: true
+  - name: REQUEST-920-PROTOCOL-ENFORCEMENT
+    enabled: true
+  - name: REQUEST-921-PROTOCOL-ATTACK
+    enabled: true
+  - name: REQUEST-930-APPLICATION-ATTACK-LFI
+    enabled: true
+  - name: REQUEST-931-APPLICATION-ATTACK-RFI
+    enabled: true
+  - name: REQUEST-932-APPLICATION-ATTACK-RCE
+    enabled: true
+  - name: REQUEST-933-APPLICATION-ATTACK-PHP
+    enabled: true
+  - name: REQUEST-934-APPLICATION-ATTACK-NODEJS
+    enabled: true
+  - name: REQUEST-941-APPLICATION-ATTACK-XSS
+    enabled: true
+  - name: REQUEST-942-APPLICATION-ATTACK-SQLI
+    enabled: true
+  - name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
+    enabled: true
+  - name: REQUEST-944-APPLICATION-ATTACK-JAVA
+    enabled: true
+  - name: REQUEST-949-BLOCKING-EVALUATION
+    enabled: true
+  - name: RESPONSE-950-DATA-LEAKAGES
+    enabled: true
+  - name: RESPONSE-951-DATA-LEAKAGES-SQL
+    enabled: true
+  - name: RESPONSE-952-DATA-LEAKAGES-JAVA
+    enabled: true
+  - name: RESPONSE-953-DATA-LEAKAGES-PHP
+    enabled: true
+  - name: RESPONSE-954-DATA-LEAKAGES-IIS
+    enabled: true
+  - name: RESPONSE-959-BLOCKING-EVALUATION
+    enabled: true
+  - name: RESPONSE-980-CORRELATION
+    enabled: true
+
+crs_data_links:
+  - crawlers-user-agents
+  - iis-errors
+  - java-classes
+  - java-code-leakages
+  - java-errors
+  - lfi-os-files
+  - php-config-directives
+  - php-errors
+  - php-function-names-933150
+  - php-function-names-933151
+  - php-variables
+  - restricted-files
+  - restricted-upload
+  - scanners-headers
+  - scanners-urls
+  - scanners-user-agents
+  - scripting-user-agents
+  - sql-errors
+  - unix-shell
+  - windows-powershell-commands

ansible/roles/http/tasks/modsec.yml

@@ -8,39 +8,76 @@
     group: root
     mode: 0644
   with_items:
-    - "{{ nginx_conf_dir }}"
+    - "{{ nginx_conf_path }}"
-    - "{{ modsec_rules_dir }}"
+    - "{{ modsec_rules_path }}"
   tags: modsec
 
 - name: create modsec_includes.conf
   become: true
   copy:
     src: files/nginx/modsec_includes.conf
-    dest: "{{ nginx_dir }}/modsec_includes.conf"
+    dest: "{{ nginx_path }}/modsec_includes.conf"
     mode: 0644
   notify: restart_nginx
   tags: modsec
 
-- name: fetch core rule set files for mod-security
+- name: clone coreruleset and modsecurity
   become: true
-  get_url:
+  git:
-    url: "{{ item.url }}"
+    repo: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    mode: 0644
+    update: false
-  with_items:
+    version: "{{ item.ver }}"
-    - {"url": "{{ modsec_conf_url }}",
+  with_items: "{{ modsec_git_urls }}"
-       "dest": "{{ nginx_dir }}/modsecurity.conf"}
-    - {"url": "{{ modsec_unicode_url }}",
-       "dest": "{{ nginx_dir }}/unicode.mapping"}
-    - {"url": "{{ crs_setup_url }}",
-       "dest": "{{ nginx_conf_dir }}/crs-setup.conf"}
-    - {"url": "{{ crs_before_url }}",
-       "dest": "{{ modsec_crs_before_rule_conf }}"}
-    - {"url": "{{ crs_after_url }}",
-       "dest": "{{ modsec_crs_after_rule_conf }}"}
   notify: restart_nginx
   tags: modsec
 
+- name: setup modsec and coreruleset configs
+  become: true
+  file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    state: link
+    force: true
+    mode: 0644
+  with_items: "{{ modsec_conf_links }}"
+  notify: restart_nginx
+  tags: modsec
+
+- name: setup coreruleset rules
+  become: true
+  file:
+    src: "{{ crs_rules_path }}/{{ item.name }}.conf"
+    dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
+    state: "{{ item.enabled | ternary('link', 'absent') }}"
+    force: true
+    mode: 0644
+  with_items: "{{ crs_rule_links }}"
+  notify: restart_nginx
+  tags: modsec, modsec_rules
+
+- name: setup coreruleset data
+  become: true
+  file:
+    src: "{{ crs_rules_path }}/{{ item }}.data"
+    dest: "{{ modsec_rules_path }}/{{ item }}.data"
+    state: link
+    force: true
+    mode: 0644
+  with_items: "{{ crs_data_links }}"
+  notify: restart_nginx
+  tags: modsec, modsec_rules
+
+- name: whitelist local ip addresses
+  become: true
+  lineinfile:
+    path: "{{ nginx_path }}/modsecurity.conf"
+    regexp: "{{ modsec_whitelist_local_re }}"
+    line: "{{ modsec_whitelist_local }}"
+    mode: 0644
+  notify: restart_nginx
+  tags: modsec, modsec_rules, modsec_whitelist
+
 - name: activate mod-security
   become: true
   lineinfile:

ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2

@@ -29,14 +29,14 @@ server {
 
   location / {
     modsecurity on;
-    modsecurity_rules_file {{ nginx_dir }}/modsec_includes.conf;
+    modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
 
     proxy_set_header X-Forwarded-For   $remote_addr;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header Host              $http_host;
 
     proxy_pass         http://drone;
-    proxy_redirect     off;
+    proxy_repathect     off;
     proxy_http_version 1.1;
     proxy_buffering    off;