| 1 |
commit: 2b0a47c1be1e03f7cc380e8f0f95cfbf6550a075 |
| 2 |
Author: Diego Elio Pettenò <flameeyes <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu Nov 3 21:46:07 2016 +0000 |
| 4 |
Commit: Diego Elio Pettenò <flameeyes <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Nov 3 21:46:22 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2b0a47c1 |
| 7 |
|
| 8 |
www-apache/modsecurity-crs: update to version 2.2.9 (last version before v3.) |
| 9 |
|
| 10 |
Update the sedding and removal of experimental rules, and install slr_rules that are now compatible with mod_security v2.7 |
| 11 |
|
| 12 |
Package-Manager: portage-2.3.0 |
| 13 |
|
| 14 |
www-apache/modsecurity-crs/Manifest | 1 + |
| 15 |
.../modsecurity-crs/modsecurity-crs-2.2.9.ebuild | 136 +++++++++++++++++++++ |
| 16 |
2 files changed, 137 insertions(+) |
| 17 |
|
| 18 |
diff --git a/www-apache/modsecurity-crs/Manifest b/www-apache/modsecurity-crs/Manifest |
| 19 |
index c3cd841..543075c 100644 |
| 20 |
--- a/www-apache/modsecurity-crs/Manifest |
| 21 |
+++ b/www-apache/modsecurity-crs/Manifest |
| 22 |
@@ -1,2 +1,3 @@ |
| 23 |
DIST modsecurity-crs-2.2.6.tar.gz 291070 SHA256 1c837fc7ace28f732b5034c90a17635e31fe3c9a45425c079fd1fd6bae01b790 SHA512 0e6c2735814dd24ba2329bc756e382b0430937a703d492b2ac00f95af6598903961b43013e99cd49240fe6b7a5439a7b1b3e79c3b7a48828465252dafd586165 WHIRLPOOL d8c85f8e6db07ecbc5a9a680e843f485d87294c71ceeb84aa83e562441ea78db477f9850431ded67371fbe455438fb89fedb5d3070e524abebe53b3c9a039f72 |
| 24 |
DIST modsecurity-crs-2.2.7.tar.gz 294137 SHA256 54bc74815d6e6c3b476aec673a48e3ce08ee82b76bfe941408efab757aa8a0f7 SHA512 d0d3dac1b391c8ab730cc16546c9508d93c85dd674b2750d12fff99c17e5575b36bea0cf00e06fdd20c2db5dfdbdc3fd7bbaa26502988617632acfde1ee88927 WHIRLPOOL fc72bdbd5c79dffa0b2c65893cb8cdab0708705ce48ca3d49115339a5b4ff8cbe7cc42bcb49abd966243a2e48cb2af290ea125c6de4b185eb8b1c20e7eb66057 |
| 25 |
+DIST modsecurity-crs-2.2.9.tar.gz 279898 SHA256 203669540abf864d40e892acf2ea02ec4ab47f9769747d28d79b6c2a501e3dfc SHA512 fc95cfff9d4ba9a4478c704e5d16e4054e514eb3ffb6343706840aad76607f997b4cc4b8b148adc5cb83743ea7996328d35b8556115de29d6a0e034b67591a09 WHIRLPOOL 8e741a5430905e061ba024e8ae2b5bd08ae19e6ae30d9ca8a0160c9f73afee7bfe57caf73ba7eecebc00e34141f5d46cb1378793a89c8c56966139c10f70c30a |
| 26 |
|
| 27 |
diff --git a/www-apache/modsecurity-crs/modsecurity-crs-2.2.9.ebuild b/www-apache/modsecurity-crs/modsecurity-crs-2.2.9.ebuild |
| 28 |
new file mode 100644 |
| 29 |
index 00000000..c33f3da |
| 30 |
--- /dev/null |
| 31 |
+++ b/www-apache/modsecurity-crs/modsecurity-crs-2.2.9.ebuild |
| 32 |
@@ -0,0 +1,136 @@ |
| 33 |
+# Copyright 1999-2016 Gentoo Foundation |
| 34 |
+# Distributed under the terms of the GNU General Public License v2 |
| 35 |
+# $Id$ |
| 36 |
+ |
| 37 |
+EAPI=6 |
| 38 |
+ |
| 39 |
+GITHUB_USER=SpiderLabs |
| 40 |
+GITHUB_PROJECT=owasp-${PN} |
| 41 |
+ |
| 42 |
+DESCRIPTION="Core Rule Set for ModSecurity" |
| 43 |
+HOMEPAGE="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project" |
| 44 |
+SRC_URI="https://github.com/${GITHUB_USER}/${GITHUB_PROJECT}/archive/${PV}.tar.gz -> ${P}.tar.gz" |
| 45 |
+ |
| 46 |
+LICENSE="Apache-2.0" |
| 47 |
+SLOT="0" |
| 48 |
+KEYWORDS="~amd64 ~ppc ~sparc ~x86" |
| 49 |
+IUSE="lua geoip" |
| 50 |
+ |
| 51 |
+RDEPEND=">=www-apache/mod_security-2.7[lua?,geoip?]" |
| 52 |
+DEPEND="" |
| 53 |
+ |
| 54 |
+S="${WORKDIR}/${GITHUB_PROJECT}-${PV}" |
| 55 |
+ |
| 56 |
+RULESDIR=/etc/modsecurity |
| 57 |
+LUADIR=/usr/share/${PN}/lua |
| 58 |
+ |
| 59 |
+src_prepare() { |
| 60 |
+ if ! use lua; then |
| 61 |
+ # comment out this since it's in the same file as another one we want to keep |
| 62 |
+ sed -i -e "/id:'900036'/s:^:#:" \ |
| 63 |
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die |
| 64 |
+ |
| 65 |
+ # remove these that rely on the presence of the lua files |
| 66 |
+ rm \ |
| 67 |
+ experimental_rules/modsecurity_crs_16_scanner_integration.conf \ |
| 68 |
+ experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf \ |
| 69 |
+ experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf \ |
| 70 |
+ experimental_rules/modsecurity_crs_48_bayes_analysis.conf \ |
| 71 |
+ experimental_rules/modsecurity_crs_55_response_profiling.conf \ |
| 72 |
+ experimental_rules/modsecurity_crs_56_pvi_checks.conf \ |
| 73 |
+ || die |
| 74 |
+ else |
| 75 |
+ # fix up the path to the scripts; there seems to be no |
| 76 |
+ # consistency at all on how the rules are loaded. |
| 77 |
+ sed -i \ |
| 78 |
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \ |
| 79 |
+ -e "s:profile_page_scripts.lua:${LUADIR}/\0:" \ |
| 80 |
+ -e "s:/usr/local/apache/conf/crs/lua/:${LUADIR}/:" \ |
| 81 |
+ -e "s:/usr/local/apache/conf/modsec_current/base_rules/:${LUADIR}/:" \ |
| 82 |
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \ |
| 83 |
+ -e "s:\.\./lua/:${LUADIR}/:" \ |
| 84 |
+ *_rules/*.conf || die |
| 85 |
+ |
| 86 |
+ # fix up the shebang on the scripts |
| 87 |
+ sed -i -e "s:/opt/local/bin/lua:/usr/bin/lua:" \ |
| 88 |
+ lua/*.lua || die |
| 89 |
+ fi |
| 90 |
+ |
| 91 |
+ sed -i \ |
| 92 |
+ -e '/SecGeoLookupDb/s:^:#:' \ |
| 93 |
+ -e '/SecGeoLookupDb/a# Gentoo already defines it in 79_modsecurity.conf' \ |
| 94 |
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf \ |
| 95 |
+ experimental_rules/modsecurity_crs_11_proxy_abuse.conf || die |
| 96 |
+ |
| 97 |
+ if ! use geoip; then |
| 98 |
+ rm experimental_rules/modsecurity_crs_11_proxy_abuse.conf |
| 99 |
+ |
| 100 |
+ if use lua; then |
| 101 |
+ # only comment this out as the file is going to be used for other things |
| 102 |
+ sed -i -e "/id:'900039'/,+1 s:^:#:" \ |
| 103 |
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die |
| 104 |
+ else |
| 105 |
+ rm experimental_rules/modsecurity_crs_61_ip_forensics.conf || die |
| 106 |
+ fi |
| 107 |
+ fi |
| 108 |
+ |
| 109 |
+ eapply_user |
| 110 |
+} |
| 111 |
+ |
| 112 |
+src_install() { |
| 113 |
+ insinto "${RULESDIR}" |
| 114 |
+ doins -r base_rules optional_rules experimental_rules slr_rules |
| 115 |
+ |
| 116 |
+ insinto "${LUADIR}" |
| 117 |
+ doins lua/*.lua |
| 118 |
+ |
| 119 |
+ dodoc CHANGES README.md |
| 120 |
+ |
| 121 |
+ ( |
| 122 |
+ cat - <<EOF |
| 123 |
+<IfDefine SECURITY> |
| 124 |
+EOF |
| 125 |
+ |
| 126 |
+ cat modsecurity_crs_10_setup.conf.example |
| 127 |
+ |
| 128 |
+ cat - <<EOF |
| 129 |
+ |
| 130 |
+Include /etc/modsecurity/base_rules/*.conf |
| 131 |
+ |
| 132 |
+# Include Trustwave SpiderLabs Research Team rules |
| 133 |
+# Include /etc/modsecurity/slr_rules/*.conf |
| 134 |
+# Not installed yet as of 2.2.6 |
| 135 |
+ |
| 136 |
+# Optionally use the other rules as well |
| 137 |
+# Include /etc/modsecurity/optional_rules/*.conf |
| 138 |
+# Include /etc/modsecurity/experimental_rules/*.conf |
| 139 |
+</IfDefine> |
| 140 |
+ |
| 141 |
+# -*- apache -*- |
| 142 |
+# vim: ts=4 filetype=apache |
| 143 |
+ |
| 144 |
+EOF |
| 145 |
+ ) > "${T}"/"80_${PN}.conf" |
| 146 |
+ |
| 147 |
+ insinto /etc/apache2/modules.d/ |
| 148 |
+ doins "${T}"/"80_${PN}.conf" |
| 149 |
+} |
| 150 |
+ |
| 151 |
+pkg_postinst() { |
| 152 |
+ elog |
| 153 |
+ elog "If you want to enable further rules, check the following directories:" |
| 154 |
+ elog " ${RULESDIR}/optional_rules" |
| 155 |
+ elog " ${RULESDIR}/experimental_rules" |
| 156 |
+ elog "" |
| 157 |
+ elog "Starting from version 2.0.9, the default for the Core Rule Set is again to block" |
| 158 |
+ elog "when rules hit. If you wish to go back to the 2.0.8 method of anomaly scoring, you" |
| 159 |
+ elog "should change 80_${PN}.conf so that you have these settings enabled:" |
| 160 |
+ elog "" |
| 161 |
+ elog " #SecDefaultAction \"phase:2,deny,log\"" |
| 162 |
+ elog " SecAction \"phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on\"" |
| 163 |
+ elog "" |
| 164 |
+ elog "Starting from version 2.1.2 rules are installed, for consistency, under" |
| 165 |
+ elog "/etc/modsecurity, and can be configured with the following file:" |
| 166 |
+ elog " /etc/apache2/modules.d/80_${PN}.conf" |
| 167 |
+ elog "" |
| 168 |
+} |
Archives