authorV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
committerV3n3RiX <venerix@redcorelinux.org>2017-10-09 18:53:29 +0100
commit4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch)
treeba5f07bf3f9d22d82e54a462313f5d244036c768 /www-apache/modsecurity-crs
reinit the tree, so we can have metadata
Diffstat (limited to 'www-apache/modsecurity-crs')
-rw-r--r--www-apache/modsecurity-crs/Manifest12
-rw-r--r--www-apache/modsecurity-crs/files/80_mod_security-crs.conf8
-rw-r--r--www-apache/modsecurity-crs/metadata.xml7
-rw-r--r--www-apache/modsecurity-crs/modsecurity-crs-2.2.6-r1.ebuild136
-rw-r--r--www-apache/modsecurity-crs/modsecurity-crs-2.2.7.ebuild131
-rw-r--r--www-apache/modsecurity-crs/modsecurity-crs-2.2.9.ebuild135
-rw-r--r--www-apache/modsecurity-crs/modsecurity-crs-3.0.2.ebuild52
7 files changed, 481 insertions, 0 deletions
diff --git a/www-apache/modsecurity-crs/Manifest b/www-apache/modsecurity-crs/Manifest
new file mode 100644
index 000000000000..d2505c91507b
--- /dev/null
+++ b/www-apache/modsecurity-crs/Manifest
@@ -0,0 +1,12 @@
+AUX 80_mod_security-crs.conf 289 SHA256 4fdcb7396f562af44133146c25a0af7bdd9aaa1014561fc6dfabfe78c391e4ca SHA512 e5b86164a68e15d67a294688c993799fca10928c1265cee04555becfb17fb516314471d8c4eaea1205ac1703890cedb4647d93ce75b0a2a1ab9a401a495465dc WHIRLPOOL 81c0a6831d2ded00e68e2cb9dc4a84da04a054df1652e031081c26c4b9b4d6c376d6ed6751e92f4c44855ce57725c9d65d8a7fe00e8b94e0caf797f1743edcbc
+DIST modsecurity-crs-2.2.6.tar.gz 291070 SHA256 1c837fc7ace28f732b5034c90a17635e31fe3c9a45425c079fd1fd6bae01b790 SHA512 0e6c2735814dd24ba2329bc756e382b0430937a703d492b2ac00f95af6598903961b43013e99cd49240fe6b7a5439a7b1b3e79c3b7a48828465252dafd586165 WHIRLPOOL d8c85f8e6db07ecbc5a9a680e843f485d87294c71ceeb84aa83e562441ea78db477f9850431ded67371fbe455438fb89fedb5d3070e524abebe53b3c9a039f72
+DIST modsecurity-crs-2.2.7.tar.gz 294137 SHA256 54bc74815d6e6c3b476aec673a48e3ce08ee82b76bfe941408efab757aa8a0f7 SHA512 d0d3dac1b391c8ab730cc16546c9508d93c85dd674b2750d12fff99c17e5575b36bea0cf00e06fdd20c2db5dfdbdc3fd7bbaa26502988617632acfde1ee88927 WHIRLPOOL fc72bdbd5c79dffa0b2c65893cb8cdab0708705ce48ca3d49115339a5b4ff8cbe7cc42bcb49abd966243a2e48cb2af290ea125c6de4b185eb8b1c20e7eb66057
+DIST modsecurity-crs-2.2.9.tar.gz 279898 SHA256 203669540abf864d40e892acf2ea02ec4ab47f9769747d28d79b6c2a501e3dfc SHA512 fc95cfff9d4ba9a4478c704e5d16e4054e514eb3ffb6343706840aad76607f997b4cc4b8b148adc5cb83743ea7996328d35b8556115de29d6a0e034b67591a09 WHIRLPOOL 8e741a5430905e061ba024e8ae2b5bd08ae19e6ae30d9ca8a0160c9f73afee7bfe57caf73ba7eecebc00e34141f5d46cb1378793a89c8c56966139c10f70c30a
+DIST modsecurity-crs-3.0.2.tar.gz 156751 SHA256 c1fd6b2c2ab8992357b588d9e615ae9e2c34e622206339d93a7817f0da50e67f SHA512 ae8fe9a0f00a57708c8680cb76882214e4f5ff647e13087aaf1bfc7382cefb38d2f3a88eb1f210031b553f56d3e44c12dbdc68f8b0d09fb4a9e2f15a70d885aa WHIRLPOOL 9282a709b0e933143ba80597d7d996b2f1a958ab01986e4a9ef0056f92ee5848e81c2548f20cbe5b1cb13379c0909fdfbd239c8712b1655ee7c8934132aaa74b
+EBUILD modsecurity-crs-2.2.6-r1.ebuild 4139 SHA256 99ba406013b371d379b23b85ba6bc47762a64eae0904b1dd6681996cb7b6a5c2 SHA512 d05973d37550531e6dcc6c73d2d1ae4e2ca874f87f3b6773be13a3a3e7afd1a790e7be7daf694b8a0a187e78e342dff54760bc028cdb2258c823e699fcb81db5 WHIRLPOOL 3d7a238b26d3bf61bfc7d85943cccee2385b7351be55f8c9775f5aefeaf9cb75a61396874581dda3f71fa53fa3da54ddc3b350b99e4ec04203fe1f9624de1450
+EBUILD modsecurity-crs-2.2.7.ebuild 4071 SHA256 b9e8e7da33381803e88181bd01e746dd067021ea367a9f478cafd6a1309afc30 SHA512 9e876a537185a2acf610bf0873ea9bbcd9c078884f5f4e3a6c40d71488417fa03993fe9fad309b72c1a5b7427d2c9e201e2a1e9dd0d56ff8343a5e4019f60a5f WHIRLPOOL 1b73fa278883516aa050be49abbd67f66d6558d603ae29b7e3981dcfa920b35f80fbc39b33f6cc0da125cad88542402f4cfb1258e943913543f7b8586675198c
+EBUILD modsecurity-crs-2.2.9.ebuild 4162 SHA256 b030b25f0c0535ae1a7862be80fbdff85a3ef746ba8a234f8378519392faacac SHA512 68d0bc9a0f02ee6451ea2efb47c6db7f950917a0beb8628aa43e6f11ae639fb8bb91b38becab4b4a9cbda9e7ca70a71ff8034180b85a2f20bbf49afce1c37278 WHIRLPOOL 53b332440696d503a2497cd03152453932002ad0f932c3a42f440336a347a88f972a2087f19e2c767494846fd7f3e9499a1aaabd39de594bb6c317de6ba33982
+EBUILD modsecurity-crs-3.0.2.ebuild 1452 SHA256 28da76572eba4dae96c9f4afbc4e5da4a10a02b6bb195bd98362c6061aea4e14 SHA512 8627119dcf5338c33e6c7ffa24c69ed43102252d71c511f0c2466785f50d45c794183957efaa49c32af54b2881415ebab561aaf169d7e0b0550802ba9c82dccc WHIRLPOOL 199fedff57ea0e423f83809d946f3b83f3057a972a8b334f61c88ca866e4b9b334b4b1302d7c0559cfa24b3e75192707d0f7f0e78b84e5e43f3929239e0a7d03
+MISC ChangeLog 2740 SHA256 5d4c0930c18495544a0af26ca4bbfc7616760dc07ea935323378c36fdc0550b5 SHA512 5d9f02cdf313271affd92efadf5c92d83ab3e378d3d6ee6b8db77c4ebdec9c4612d27e2d4077ff4d825ada14a96f8a162464fef2ae19f246dd8be42f5dbcf53d WHIRLPOOL 2bfd3ca4014d7e976ec6aedba9b4dc0496298f1700ad3832da325d2dc4817db3b7af887c0ec1032adb3c5971a958cfab243de79f4b1e985b9c35c62a24e92fd4
+MISC ChangeLog-2015 6123 SHA256 9565b4914708c5597bdd2d4fe548f640680489ab558e4cc5ee6c0380bb021b5c SHA512 2c41bd06d3711cfc683bae5371f895112b823781834d1a7da64ee28051b2c5db568ece351a09227120b50527cb1b8d44f1a12582bdcac0a9690e78e817985d00 WHIRLPOOL a0a6686ecb0bdf5bac43f31a8ea358cbeb0ccb6ce31207589f90c4ce0f8113357aba0ba5e0ea61a46c4557fb5d212d0ec0f446fc9efa4c16fb43817dd7a395b1
+MISC metadata.xml 240 SHA256 57fa8d351691a7ca9a37bfdbf6812aff39d28ded7f59adb8a8a3ad5f1062806e SHA512 f387811090c36052ca6dfd48c20af460ebb892738ecd449a5a213ecf7313dfc1cc6eb118e4d28ec24e26078995c4d291784f26b6afc1f822cf83ca5482bd7310 WHIRLPOOL 95eada281cf78384a55ef971b6ca0e02d51c6d946e2bc644ed20f4980c502e7d189799c46fec54a6eecf8c521a4c89911ee0ee1a5adf57cc0eea95e4baf62ad0
diff --git a/www-apache/modsecurity-crs/files/80_mod_security-crs.conf b/www-apache/modsecurity-crs/files/80_mod_security-crs.conf
new file mode 100644
index 000000000000..c6b767a3cf24
--- /dev/null
+++ b/www-apache/modsecurity-crs/files/80_mod_security-crs.conf
@@ -0,0 +1,8 @@
+<IfDefine SECURITY>
+ # Add your custom CRS configuration here. A copy of upstream's
+ # crs-setup.conf.example is includes with the documentation of
+ # modsecurity-crs.
+
+ # Include the rules AFTER your custom configuration.
+ Include /usr/share/modsecurity-crs/rules/*.conf
+</IfDefine>
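Review bot: The rules are included here without any CRS setup file being loaded, and the only guidance is a comment that has a typo (`is includes`) and does not say what to do with the example. CRS 3 takes its paranoia level, anomaly thresholds and default action from crs-setup.conf, and as far as I recall its initialization rules reject requests when that file was never loaded, so defining SECURITY without editing this file may leave a non-working or mis-tuned WAF; this is worth confirming against the 3.0.2 rules. I would reword the comment to `# Add your custom CRS configuration here. A copy of upstream's crs-setup.conf.example is included with the documentation of modsecurity-crs; copy it, adjust it, and Include it above the rules line.` The documentation copy may also be compressed by the package manager, which the comment could mention.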
diff --git a/www-apache/modsecurity-crs/metadata.xml b/www-apache/modsecurity-crs/metadata.xml
new file mode 100644
index 000000000000..f73da4e681d0
--- /dev/null
+++ b/www-apache/modsecurity-crs/metadata.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <upstream>
+ <remote-id type="github">SpiderLabs/owasp-modsecurity-crs</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/www-apache/modsecurity-crs/modsecurity-crs-2.2.6-r1.ebuild b/www-apache/modsecurity-crs/modsecurity-crs-2.2.6-r1.ebuild
new file mode 100644
index 000000000000..ca7ba53a426e
--- /dev/null
+++ b/www-apache/modsecurity-crs/modsecurity-crs-2.2.6-r1.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=4
+
+GITHUB_USER=SpiderLabs
+GITHUB_PROJECT=owasp-${PN}
+
+DESCRIPTION="Core Rule Set for ModSecurity"
+HOMEPAGE="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"
+SRC_URI="https://github.com/${GITHUB_USER}/${GITHUB_PROJECT}/tarball/v${PV} -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 ppc sparc x86"
+IUSE="lua geoip"
+
+RDEPEND=">=www-apache/mod_security-2.7[lua?,geoip?]"
+DEPEND=""
+
+S="${WORKDIR}/${P}"
+
+RULESDIR=/etc/modsecurity
+LUADIR=/usr/share/${PN}/lua
+
+src_unpack() {
+ default
+ mv "${WORKDIR}/${GITHUB_USER}-${GITHUB_PROJECT}-"* "${P}" || die
+}
+
+src_prepare() {
+ if ! use lua; then
+ # comment out this since it's in the same file as another one we want to keep
+ sed -i -e "/id:'96000[456]'/s:^:#:" \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+
+ # remove these that rely on the presence of the lua files
+ rm \
+ experimental_rules/modsecurity_crs_16_scanner_integration.conf \
+ experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf \
+ experimental_rules/modsecurity_crs_41_advanced_filters.conf \
+ experimental_rules/modsecurity_crs_55_response_profiling.conf \
+ experimental_rules/modsecurity_crs_56_pvi_checks.conf \
+ || die
+ else
+ # fix up the path to the scripts; there seems to be no
+ # consistency at all on how the rules are loaded.
+ sed -i \
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
+ -e "s:profile_page_scripts.lua:${LUADIR}/\0:" \
+ -e "s:/usr/local/apache/conf/crs/lua/:${LUADIR}/:" \
+ -e "s:/usr/local/apache/conf/modsec_current/base_rules/:${LUADIR}/:" \
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
+ -e "s:\.\./lua/:${LUADIR}/:" \
+ *_rules/*.conf || die
+
+ # fix up the shebang on the scripts
+ sed -i -e "s:/opt/local/bin/lua:/usr/bin/lua:" \
+ lua/*.lua || die
+ fi
+
+ sed -i \
+ -e '/SecGeoLookupDb/s:^:#:' \
+ -e '/SecGeoLookupDb/a# Gentoo already defines it in 79_modsecurity.conf' \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+
+ if ! use geoip; then
+ if use lua; then
+ # only comment this out as the file is going to be used for other things
+ sed -i -e "/id:'960007'/,+1 s:^:#:" \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+ else
+ rm experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+ fi
+ fi
+}
+
+src_install() {
+ insinto "${RULESDIR}"
+ # slr_rules as of 2.2.6 have broken IDs that don't work with
+ # ModSecurity 2.7, but the rules require 2.7 to begin with.
+ doins -r base_rules optional_rules experimental_rules #slr_rules
+
+ insinto "${LUADIR}"
+ doins lua/*.lua
+
+ dodoc CHANGELOG README.md
+
+ (
+ cat - <<EOF
+<IfDefine SECURITY>
+EOF
+
+ cat modsecurity_crs_10_setup.conf.example
+
+ cat - <<EOF
+
+Include /etc/modsecurity/base_rules/*.conf
+
+# Include Trustwave SpiderLabs Research Team rules
+# Include /etc/modsecurity/slr_rules/*.conf
+# Not installed yet as of 2.2.6
+
+# Optionally use the other rules as well
+# Include /etc/modsecurity/optional_rules/*.conf
+# Include /etc/modsecurity/experimental_rules/*.conf
+</IfDefine>
+
+# -*- apache -*-
+# vim: ts=4 filetype=apache
+
+EOF
+ ) > "${T}"/"80_${PN}.conf"
+
+ insinto /etc/apache2/modules.d/
+ doins "${T}"/"80_${PN}.conf"
+}
+
+pkg_postinst() {
+ elog
+ elog "If you want to enable further rules, check the following directories:"
+ elog " ${RULESDIR}/optional_rules"
+ elog " ${RULESDIR}/experimental_rules"
+ elog ""
+ elog "Starting from version 2.0.9, the default for the Core Rule Set is again to block"
+ elog "when rules hit. If you wish to go back to the 2.0.8 method of anomaly scoring, you"
+ elog "should change 80_${PN}.conf so that you have these settings enabled:"
+ elog ""
+ elog " #SecDefaultAction \"phase:2,deny,log\""
+ elog " SecAction \"phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on\""
+ elog ""
+ elog "Starting from version 2.1.2 rules are installed, for consistency, under"
+ elog "/etc/modsecurity, and can be configured with the following file:"
+ elog " /etc/apache2/modules.d/80_${PN}.conf"
+ elog ""
+}
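Review bot: The `|| die` after each `sed -i` in src_prepare only catches a missing file, because sed exits 0 when no line matches. The edits keyed on `id:'96000[456]'` and `id:'960007'` would silently do nothing if upstream renumbers a rule, leaving rules that need Lua or GeoIP active in the installed set. The `,+1` range also assumes the rule is exactly two lines long. A cheap guard before each edit would be `grep -q "id:'960007'" experimental_rules/modsecurity_crs_61_ip_forensics.conf || die "rule 960007 not found"`. The same pattern is in the 2.2.7 and 2.2.9 ebuilds, and 2.2.9 keys on different ids (900036 and 900039), which shows the numbering does shift between releases.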
diff --git a/www-apache/modsecurity-crs/modsecurity-crs-2.2.7.ebuild b/www-apache/modsecurity-crs/modsecurity-crs-2.2.7.ebuild
new file mode 100644
index 000000000000..ec65336cc7b3
--- /dev/null
+++ b/www-apache/modsecurity-crs/modsecurity-crs-2.2.7.ebuild
@@ -0,0 +1,131 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+GITHUB_USER=SpiderLabs
+GITHUB_PROJECT=owasp-${PN}
+
+DESCRIPTION="Core Rule Set for ModSecurity"
+HOMEPAGE="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"
+SRC_URI="https://github.com/${GITHUB_USER}/${GITHUB_PROJECT}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="amd64 ppc sparc x86"
+IUSE="lua geoip"
+
+RDEPEND=">=www-apache/mod_security-2.7[lua?,geoip?]"
+DEPEND=""
+
+S="${WORKDIR}/${GITHUB_PROJECT}-${PV}"
+
+RULESDIR=/etc/modsecurity
+LUADIR=/usr/share/${PN}/lua
+
+src_prepare() {
+ if ! use lua; then
+ # comment out this since it's in the same file as another one we want to keep
+ sed -i -e "/id:'96000[456]'/s:^:#:" \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+
+ # remove these that rely on the presence of the lua files
+ rm \
+ experimental_rules/modsecurity_crs_16_scanner_integration.conf \
+ experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf \
+ experimental_rules/modsecurity_crs_41_advanced_filters.conf \
+ experimental_rules/modsecurity_crs_55_response_profiling.conf \
+ experimental_rules/modsecurity_crs_56_pvi_checks.conf \
+ || die
+ else
+ # fix up the path to the scripts; there seems to be no
+ # consistency at all on how the rules are loaded.
+ sed -i \
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
+ -e "s:profile_page_scripts.lua:${LUADIR}/\0:" \
+ -e "s:/usr/local/apache/conf/crs/lua/:${LUADIR}/:" \
+ -e "s:/usr/local/apache/conf/modsec_current/base_rules/:${LUADIR}/:" \
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
+ -e "s:\.\./lua/:${LUADIR}/:" \
+ *_rules/*.conf || die
+
+ # fix up the shebang on the scripts
+ sed -i -e "s:/opt/local/bin/lua:/usr/bin/lua:" \
+ lua/*.lua || die
+ fi
+
+ sed -i \
+ -e '/SecGeoLookupDb/s:^:#:' \
+ -e '/SecGeoLookupDb/a# Gentoo already defines it in 79_modsecurity.conf' \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+
+ if ! use geoip; then
+ if use lua; then
+ # only comment this out as the file is going to be used for other things
+ sed -i -e "/id:'960007'/,+1 s:^:#:" \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+ else
+ rm experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+ fi
+ fi
+}
+
+src_install() {
+ insinto "${RULESDIR}"
+ # slr_rules as of 2.2.6 have broken IDs that don't work with
+ # ModSecurity 2.7, but the rules require 2.7 to begin with.
+ doins -r base_rules optional_rules experimental_rules #slr_rules
+
+ insinto "${LUADIR}"
+ doins lua/*.lua
+
+ dodoc CHANGELOG README.md
+
+ (
+ cat - <<EOF
+<IfDefine SECURITY>
+EOF
+
+ cat modsecurity_crs_10_setup.conf.example
+
+ cat - <<EOF
+
+Include /etc/modsecurity/base_rules/*.conf
+
+# Include Trustwave SpiderLabs Research Team rules
+# Include /etc/modsecurity/slr_rules/*.conf
+# Not installed yet as of 2.2.6
+
+# Optionally use the other rules as well
+# Include /etc/modsecurity/optional_rules/*.conf
+# Include /etc/modsecurity/experimental_rules/*.conf
+</IfDefine>
+
+# -*- apache -*-
+# vim: ts=4 filetype=apache
+
+EOF
+ ) > "${T}"/"80_${PN}.conf"
+
+ insinto /etc/apache2/modules.d/
+ doins "${T}"/"80_${PN}.conf"
+}
+
+pkg_postinst() {
+ elog
+ elog "If you want to enable further rules, check the following directories:"
+ elog " ${RULESDIR}/optional_rules"
+ elog " ${RULESDIR}/experimental_rules"
+ elog ""
+ elog "Starting from version 2.0.9, the default for the Core Rule Set is again to block"
+ elog "when rules hit. If you wish to go back to the 2.0.8 method of anomaly scoring, you"
+ elog "should change 80_${PN}.conf so that you have these settings enabled:"
+ elog ""
+ elog " #SecDefaultAction \"phase:2,deny,log\""
+ elog " SecAction \"phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on\""
+ elog ""
+ elog "Starting from version 2.1.2 rules are installed, for consistency, under"
+ elog "/etc/modsecurity, and can be configured with the following file:"
+ elog " /etc/apache2/modules.d/80_${PN}.conf"
+ elog ""
+}
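Review bot: The `-e` list in the `use lua` branch of src_prepare repeats `s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:`, and its second expression, `s:profile_page_scripts.lua:${LUADIR}/\0:`, is unanchored and runs on the output of the first. A reference that already carries a directory would therefore get the prefix twice and point at a path that does not exist; whether upstream has such a line cannot be seen from this hunk. I would drop the duplicate and restrict the rewrite to bare names with an escaped dot, for example `-e "s:\([^/]\)profile_page_scripts\.lua:\1${LUADIR}/profile_page_scripts.lua:"`. The identical list appears in the 2.2.6-r1 and 2.2.9 ebuilds.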
diff --git a/www-apache/modsecurity-crs/modsecurity-crs-2.2.9.ebuild b/www-apache/modsecurity-crs/modsecurity-crs-2.2.9.ebuild
new file mode 100644
index 000000000000..7a435d3f663b
--- /dev/null
+++ b/www-apache/modsecurity-crs/modsecurity-crs-2.2.9.ebuild
@@ -0,0 +1,135 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+GITHUB_USER=SpiderLabs
+GITHUB_PROJECT=owasp-${PN}
+
+DESCRIPTION="Core Rule Set for ModSecurity"
+HOMEPAGE="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"
+SRC_URI="https://github.com/${GITHUB_USER}/${GITHUB_PROJECT}/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
+IUSE="lua geoip"
+
+RDEPEND=">=www-apache/mod_security-2.7[lua?,geoip?]"
+DEPEND=""
+
+S="${WORKDIR}/${GITHUB_PROJECT}-${PV}"
+
+RULESDIR=/etc/modsecurity
+LUADIR=/usr/share/${PN}/lua
+
+src_prepare() {
+ if ! use lua; then
+ # comment out this since it's in the same file as another one we want to keep
+ sed -i -e "/id:'900036'/s:^:#:" \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+
+ # remove these that rely on the presence of the lua files
+ rm \
+ experimental_rules/modsecurity_crs_16_scanner_integration.conf \
+ experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf \
+ experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf \
+ experimental_rules/modsecurity_crs_48_bayes_analysis.conf \
+ experimental_rules/modsecurity_crs_55_response_profiling.conf \
+ experimental_rules/modsecurity_crs_56_pvi_checks.conf \
+ || die
+ else
+ # fix up the path to the scripts; there seems to be no
+ # consistency at all on how the rules are loaded.
+ sed -i \
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
+ -e "s:profile_page_scripts.lua:${LUADIR}/\0:" \
+ -e "s:/usr/local/apache/conf/crs/lua/:${LUADIR}/:" \
+ -e "s:/usr/local/apache/conf/modsec_current/base_rules/:${LUADIR}/:" \
+ -e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
+ -e "s:\.\./lua/:${LUADIR}/:" \
+ *_rules/*.conf || die
+
+ # fix up the shebang on the scripts
+ sed -i -e "s:/opt/local/bin/lua:/usr/bin/lua:" \
+ lua/*.lua || die
+ fi
+
+ sed -i \
+ -e '/SecGeoLookupDb/s:^:#:' \
+ -e '/SecGeoLookupDb/a# Gentoo already defines it in 79_modsecurity.conf' \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf \
+ experimental_rules/modsecurity_crs_11_proxy_abuse.conf || die
+
+ if ! use geoip; then
+ rm experimental_rules/modsecurity_crs_11_proxy_abuse.conf
+
+ if use lua; then
+ # only comment this out as the file is going to be used for other things
+ sed -i -e "/id:'900039'/,+1 s:^:#:" \
+ experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+ else
+ rm experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
+ fi
+ fi
+
+ eapply_user
+}
+
+src_install() {
+ insinto "${RULESDIR}"
+ doins -r base_rules optional_rules experimental_rules slr_rules
+
+ insinto "${LUADIR}"
+ doins lua/*.lua
+
+ dodoc CHANGES README.md
+
+ (
+ cat - <<EOF
+<IfDefine SECURITY>
+EOF
+
+ cat modsecurity_crs_10_setup.conf.example
+
+ cat - <<EOF
+
+Include /etc/modsecurity/base_rules/*.conf
+
+# Include Trustwave SpiderLabs Research Team rules
+# Include /etc/modsecurity/slr_rules/*.conf
+# Not installed yet as of 2.2.6
+
+# Optionally use the other rules as well
+# Include /etc/modsecurity/optional_rules/*.conf
+# Include /etc/modsecurity/experimental_rules/*.conf
+</IfDefine>
+
+# -*- apache -*-
+# vim: ts=4 filetype=apache
+
+EOF
+ ) > "${T}"/"80_${PN}.conf"
+
+ insinto /etc/apache2/modules.d/
+ doins "${T}"/"80_${PN}.conf"
+}
+
+pkg_postinst() {
+ elog
+ elog "If you want to enable further rules, check the following directories:"
+ elog " ${RULESDIR}/optional_rules"
+ elog " ${RULESDIR}/experimental_rules"
+ elog ""
+ elog "Starting from version 2.0.9, the default for the Core Rule Set is again to block"
+ elog "when rules hit. If you wish to go back to the 2.0.8 method of anomaly scoring, you"
+ elog "should change 80_${PN}.conf so that you have these settings enabled:"
+ elog ""
+ elog " #SecDefaultAction \"phase:2,deny,log\""
+ elog " SecAction \"phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on\""
+ elog ""
+ elog "Starting from version 2.1.2 rules are installed, for consistency, under"
+ elog "/etc/modsecurity, and can be configured with the following file:"
+ elog " /etc/apache2/modules.d/80_${PN}.conf"
+ elog ""
+}
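Review bot: `rm experimental_rules/modsecurity_crs_11_proxy_abuse.conf` in the `! use geoip` branch of src_prepare is the only removal without `|| die`, so a failed removal, for instance after an upstream rename, goes unnoticed and a GeoIP-dependent rule file could stay in the installed set. It should read `rm experimental_rules/modsecurity_crs_11_proxy_abuse.conf || die`. Separately, src_install now installs slr_rules, but the generated 80_${PN}.conf still carries `# Not installed yet as of 2.2.6` under the commented slr_rules Include. That line should be dropped or updated so administrators know the rules are available.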
diff --git a/www-apache/modsecurity-crs/modsecurity-crs-3.0.2.ebuild b/www-apache/modsecurity-crs/modsecurity-crs-3.0.2.ebuild
new file mode 100644
index 000000000000..77271b211900
--- /dev/null
+++ b/www-apache/modsecurity-crs/modsecurity-crs-3.0.2.ebuild
@@ -0,0 +1,52 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+DESCRIPTION="Core Rule Set for ModSecurity"
+HOMEPAGE="https://modsecurity.org/crs/"
+SRC_URI="https://github.com/SpiderLabs/owasp-${PN}/archive/v${PV}.tar.gz
+ -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND=">=www-apache/mod_security-2.9.1"
+
+S="${WORKDIR}/owasp-${P}"
+
+src_install() {
+ insinto "/usr/share/${PN}"
+ doins -r rules
+
+ dodoc CHANGES CONTRIBUTORS KNOWN_BUGS README.md crs-setup.conf.example \
+ id_renumbering/{IDNUMBERING,IdNumbering.csv}
+
+ # I don't think it's worth pulling in apache-module.eclass just for
+ # this path...
+ insinto /etc/apache2/modules.d
+ doins "${FILESDIR}/80_mod_security-crs.conf"
+}
+
+pkg_postinst() {
+ einfo "The CRS configuration file has been installed to"
+ einfo
+ einfo " ${ROOT}etc/apache2/modules.d/80_mod_security-crs.conf"
+ einfo
+ einfo "The CRS rules have been renumbered as of version 3.0.0."
+ einfo "If your configuration refers to any rules based on their"
+ einfo "number, then you will need to update your configuration"
+ einfo "to reflect the new numbering system. You can find more"
+ einfo "information in"
+ einfo
+ einfo " ${ROOT}usr/share/doc/${PF}/IDNUMBERING"
+ einfo
+ einfo "and a CSV file containing the old -> new rule number"
+ einfo "mapping was installed as"
+ einfo
+ einfo " ${ROOT}usr/share/doc/${PF}/IdNumbering.csv"
+ einfo
+}
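Review bot: pkg_postinst announces the new file but does not tell upgraders that the configuration file name and the rules location changed. The 2.2.x ebuilds in this commit install `80_${PN}.conf` (80_modsecurity-crs.conf) pointing at /etc/modsecurity, while this one installs 80_mod_security-crs.conf pointing at /usr/share/modsecurity-crs/rules. A locally edited old file is likely to survive the upgrade under config protection, so Apache could end up loading both files or failing on the old Include paths. I would add something like `ewarn "Remove or merge the old ${ROOT}etc/apache2/modules.d/80_${PN}.conf; it is superseded by 80_mod_security-crs.conf"`, ideally only when REPLACING_VERSIONS shows an upgrade from 2.x.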