From fec4bab48763892c443775159d518b314a4d170b Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Thu, 1 Oct 2020 00:26:09 -0400 Subject: [PATCH] CU-cyk0dp cleaned up modsecurity, added whitelisting --- ansible/roles/http/defaults/main.yml | 20 ++++++++++++++------ ansible/roles/http/tasks/modsec.yml | 28 +++++++++------------------- 2 files changed, 23 insertions(+), 25 deletions(-) diff --git a/ansible/roles/http/defaults/main.yml b/ansible/roles/http/defaults/main.yml index 5bdfe4d..d44d3f3 100644 --- a/ansible/roles/http/defaults/main.yml +++ b/ansible/roles/http/defaults/main.yml @@ -5,6 +5,9 @@ deps: [ nginx-mod-modsecurity ] +ci_server_name: ci.bdebyl.net +install_path: /usr/share + nginx_path: /etc/nginx nginx_conf_path: "{{ nginx_path }}/conf" modsec_rules_path: "{{ nginx_conf_path }}/rules" @@ -12,14 +15,17 @@ modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf" - -ci_server_name: ci.bdebyl.net - -install_path: /usr/share modsec_path: "{{ install_path }}/modsecurity" crs_path: "{{ install_path }}/coreruleset" crs_rules_path: "{{ crs_path }}/rules" +modsec_whitelist_local_re: >- + ^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$ + +modsec_whitelist_local: >- + SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24" + "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off" + modsec_git_urls: - src: "https://github.com/coreruleset/coreruleset.git" dest: "{{ crs_path }}" 
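Review bot: `modsec_whitelist_local` switches the rule engine off for every request whose REMOTE_ADDR matches `192.168.1.1/24`; that CIDR has host bits set, so write it as `192.168.1.0/24` to make the intended range unambiguous, and be aware that if this nginx is ever reached through a proxy or load balancer sitting in that range, REMOTE_ADDR is the proxy's address and the WAF is bypassed for every client — a topology-dependent default like this belongs in inventory/group vars with a comment rather than silently in role defaults (I cannot see the deployment from here). `modsec_whitelist_local_re` repeats the CIDR, so editing the range in one variable but not the other makes `lineinfile` append a second `id:1` rule instead of replacing the first, and ModSecurity refuses to load a configuration with duplicate rule ids. Key the regexp on the stable part of the line instead, `modsec_whitelist_local_re: '^SecRule\s+REMOTE_ADDR\s+"@ipMatch .*"id:1,'`, and hold the range in one variable (e.g. `modsec_whitelist_local_cidr`) interpolated into `modsec_whitelist_local`. `nolog` also means the bypass never shows up in the audit log; if local traffic should stay visible for tuning, `ctl:ruleEngine=DetectionOnly` keeps CRS evaluating without blocking.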
@@ -35,9 +41,11 @@ modsec_conf_links: dest: "{{ nginx_path }}/unicode.mapping" - src: "{{ crs_path }}/crs-setup.conf.example" dest: "{{ nginx_conf_path }}/crs-setup.conf" - - src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example" + - src: + "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example" dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf" - - src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example" + - src: + "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example" dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf" crs_rule_links: diff --git a/ansible/roles/http/tasks/modsec.yml b/ansible/roles/http/tasks/modsec.yml index 9b81879..5827941 100644 --- a/ansible/roles/http/tasks/modsec.yml +++ b/ansible/roles/http/tasks/modsec.yml @@ -68,25 +68,15 @@ notify: restart_nginx tags: modsec, modsec_rules -# name: fetch core rule set files for mod-security -# become: true -# get_url: -# url: "{{ item.url }}" -# dest: "{{ item.dest }}" -# mode: 0644 -# with_items: -# - {"url": "{{ modsec_conf_url }}", -# "dest": "{{ nginx_path }}/modsecurity.conf"} -# - {"url": "{{ modsec_unicode_url }}", -# "dest": "{{ nginx_path }}/unicode.mapping"} -# - {"url": "{{ crs_setup_url }}", -# "dest": "{{ nginx_conf_path }}/crs-setup.conf"} -# - {"url": "{{ crs_before_url }}", -# "dest": "{{ modsec_crs_before_rule_conf }}"} -# - {"url": "{{ crs_after_url }}", -# "dest": "{{ modsec_crs_after_rule_conf }}"} -# notify: restart_nginx -# tags: modsec +- name: whitelist local ip addresses + become: true + lineinfile: + path: "{{ nginx_path }}/modsecurity.conf" + regexp: "{{ modsec_whitelist_local_re }}" + line: "{{ modsec_whitelist_local }}" + mode: 0644 + notify: restart_nginx + tags: modsec, modsec_rules, modsec_whitelist - name: activate mod-security become: true
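Review bot: The `path:` of the new whitelist task drops a `ctl:ruleEngine=Off` rule into `modsecurity.conf`, although the role already defines `modsec_crs_before_rule_conf` (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf) for exactly this kind of pre-CRS allow-list rule, so I would target that file, `path: "{{ modsec_crs_before_rule_conf }}"`, and leave the engine configuration file alone. If the target is one of the `modsec_conf_links` symlinks into the git checkout (the link task sits above this hunk, so I cannot confirm which files are links), `lineinfile` writes through the link onto its real path, so the rule lands inside the cloned tree and the next `git` update of that clone can overwrite or conflict with it; copy the file rather than link it when local edits are expected. ModSecurity evaluates rules within a phase in configuration order, so an appended rule only short-circuits CRS when its file is included before the CRS rules; record that assumption on the task, e.g. `# this file must be included before the CRS rules, otherwise allow/ruleEngine=Off runs too late`. Quote the mode as `mode: "0644"` so the YAML parser does not read it as an integer.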