From fc4659850a14019b2ad6435db3354bdd8a92f6b9 Mon Sep 17 00:00:00 2001
From: Zacharias Zacharodimos
Date: Thu, 8 Feb 2024 10:48:27 +0100
Subject: [PATCH] Parametrize the SecDebugLogLevel
---
 manifests/mod/security.pp | 76 +++++++++++++++++--------------
 spec/classes/mod/security_spec.rb | 2 +
 templates/mod/security.conf.epp | 2 +-
 3 files changed, 44 insertions(+), 36 deletions(-)
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
index a64be57f8a..05bb1e6172 100644
--- a/manifests/mod/security.pp
+++ b/manifests/mod/security.pp
@@ -1,116 +1,119 @@
 # @summary
 # Installs and configures `mod_security`.
-#
+#
 # @param version
 # Manage mod_security or mod_security2
 #
 # @param logroot
 # Configures the location of audit and debug logs.
-#
+#
 # @param crs_package
 # Name of package that installs CRS rules.
-#
+#
 # @param activated_rules
 # An array of rules from the modsec_crs_path or absolute to activate via symlinks.
 #
 # @param custom_rules
-#
+#
 # @param custom_rules_set
 #
 # @param modsec_dir
 # Defines the path where Puppet installs the modsec configuration and activated rules links.
-#
+#
 # @param modsec_secruleengine
 # Configures the rules engine.
-#
+#
 # @param audit_log_relevant_status
 # Configures which response status code is to be considered relevant for the purpose of audit logging.
-#
+#
 # @param audit_log_parts
 # Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a
 # letter appears in the list then the equivalent part will be recorded.
-#
+#
 # @param audit_log_type
 # Defines the type of audit logging mechanism to be used.
-#
+#
 # @param audit_log_storage_dir
 # Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used.
-#
+#
+# @param debug_log_level
+# Defines the level of debug logging mechanism to be used. Values can be set from 0 to 9, with 9 being the maximum version of information logged.
+#
 # @param secpcrematchlimit
 # Sets the match limit in the PCRE library.
-#
+#
 # @param secpcrematchlimitrecursion
 # Sets the match limit recursion in the PCRE library.
-#
+#
 # @param allowed_methods
 # A space-separated list of allowed HTTP methods.
-#
+#
 # @param content_types
 # A list of one or more allowed MIME types.
-#
+#
 # @param restricted_extensions
 # A space-sparated list of prohibited file extensions.
-#
+#
 # @param restricted_headers
 # A list of restricted headers separated by slashes and spaces.
-#
+#
 # @param secdefaultaction
 # Defines the default list of actions, which will be inherited by the rules in the same configuration context.
-#
+#
 # @param inbound_anomaly_threshold
 # Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
-#
+#
 # @param outbound_anomaly_threshold
 # Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
-#
+#
 # @param critical_anomaly_score
 # Sets the Anomaly Score for rules assigned with a critical severity.
-#
+#
 # @param error_anomaly_score
 # Sets the Anomaly Score for rules assigned with a error severity.
-#
+#
 # @param warning_anomaly_score
 # Sets the Anomaly Score for rules assigned with a warning severity.
-#
+#
 # @param notice_anomaly_score
 # Sets the Anomaly Score for rules assigned with a notice severity.
-#
+#
 # @param paranoia_level
 # Sets the paranoia level in the OWASP ModSecurity Core Rule Set.
-#
+#
 # @param executing_paranoia_level
 # Sets the executing paranoia level in the OWASP ModSecurity Core Rule Set.
 # The default is equal to, and cannot be lower than, $paranoia_level.
-#
+#
 # @param secrequestmaxnumargs
 # Sets the maximum number of arguments in the request.
-#
+#
 # @param secrequestbodylimit
 # Sets the maximum request body size ModSecurity will accept for buffering.
-#
+#
 # @param secrequestbodynofileslimit
-# Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported
+# Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported
 # in the request.
-#
+#
 # @param secrequestbodyinmemorylimit
 # Configures the maximum request body size that ModSecurity will store in memory.
-#
+#
 # @param secrequestbodyaccess
 # Toggle SecRequestBodyAccess On or Off
-#
+#
 # @param secrequestbodylimitaction
 # Controls what happens once a request body limit, configured with
 # SecRequestBodyLimit, is encountered
-#
+#
 # @param secresponsebodyaccess
 # Toggle SecResponseBodyAccess On or Off
 #
 # @param secresponsebodylimitaction
 # Controls what happens once a response body limit, configured with
-# SecResponseBodyLimitAction, is encountered.
-#
+# SecResponseBodyLimitAction, is encountered.
+#
 # @param manage_security_crs
-# Toggles whether to manage ModSecurity Core Rule Set
+# Toggles whether to manage ModSecurity Core Rule Set
 #
 # @param enable_dos_protection
 # Toggles the optional OWASP ModSecurity Core Rule Set DOS protection rule
@@ -144,6 +147,7 @@
 String $audit_log_parts = $apache::params::modsec_audit_log_parts,
 String $audit_log_type = $apache::params::modsec_audit_log_type,
 Optional[Stdlib::Absolutepath] $audit_log_storage_dir = undef,
+ Integer[0,9] $debug_log_level = 0,
 Integer $secpcrematchlimit = $apache::params::secpcrematchlimit,
 Integer $secpcrematchlimitrecursion = $apache::params::secpcrematchlimitrecursion,
 String $allowed_methods = 'GET HEAD POST OPTIONS',
@@ -231,6 +235,7 @@
 # - $audit_log_parts
 # - $audit_log_type
 # - $audit_log_storage_dir
+ # - $debug_log_level
 # - secpcrematchlimit
 # - secpcrematchlimitrecursion
 # - secrequestbodylimit
@@ -257,6 +262,7 @@
 'audit_log_parts' => $audit_log_parts,
 'audit_log_type' => $audit_log_type,
 'audit_log_storage_dir' => $audit_log_storage_dir,
+ 'debug_log_level' => $debug_log_level,
 'logroot' => $logroot,
 }
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
index ec41852199..3bc0234bca 100644
--- a/spec/classes/mod/security_spec.rb
+++ b/spec/classes/mod/security_spec.rb
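Review bot: The new `@param debug_log_level` description in the first hunk says 9 is "the maximum version of information logged", which reads as a slip for the amount of detail, and it gives operators no sense of what the higher levels cost, even though this doc block is the only place they will look before turning it up. I would replace the two new lines with `# Sets SecDebugLogLevel (0-9). 0 disables debug logging, 1-3 record errors, warnings and notices,` followed by `# 4-9 are increasingly verbose, add load, and are meant for troubleshooting only; the debug log is written under $logroot.` The last clause relies on the `$logroot` description a few lines up ("audit and debug logs"), so confirm the template actually places `SecDebugLog` there before wording it that way. Note also that this hunk mixes the trailing-whitespace cleanup of every `-# ` / `+#` pair with the feature, which makes the three functional lines hard to spot in review. The class doc comment continues past the end of the hunk.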
@@ -103,6 +103,7 @@
 audit_log_parts: 'ABCDZ',
 audit_log_type: 'Concurrent',
 audit_log_storage_dir: '/var/log/httpd/audit',
+ debug_log_level: 3,
 secdefaultaction: 'deny,status:406,nolog,auditlog',
 secrequestbodyaccess: 'Off',
 secresponsebodyaccess: 'On',
@@ -117,6 +118,7 @@
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }
+ it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecDebugLogLevel 3$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyLimitAction ProcessPartial$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyLimitAction Reject$} }
 it { is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
diff --git a/templates/mod/security.conf.epp b/templates/mod/security.conf.epp
index dbca254b30..e2dc2241f9 100644
--- a/templates/mod/security.conf.epp
+++ b/templates/mod/security.conf.epp
@@ -44,7 +44,7 @@
 SecResponseBodyMimeType text/plain text/html text/xml
 SecResponseBodyLimit 524288
 SecResponseBodyLimitAction <%= $secresponsebodylimitaction %>
- SecDebugLogLevel 0
+ SecDebugLogLevel <%= $debug_log_level %>
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "<%= $audit_log_relevant_status %>"
 SecAuditLogParts <%= $audit_log_parts %>
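Review bot: The only new expectation in the second spec hunk checks that level 3 is rendered; nothing exercises the `Integer[0,9]` bound the manifest introduces, so a later loosening of that type to plain `Integer` would pass the suite while letting an invalid SecDebugLogLevel reach the rendered config. A negative example alongside the custom-params context would pin it: `let(:params) { { debug_log_level: 10 } }` with `it { is_expected.to compile.and_raise_error(%r{expects an Integer\[0, 9\] value}) }`. The default path (level 0) is presumably covered by the existing default-params expectations for `security.conf`, but that cannot be seen from this hunk. The describe block these examples belong to starts before the hunk.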
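Review bot: Whether a non-zero `$debug_log_level` produces any debug output depends on a `SecDebugLog` directive that is not visible in this hunk or anywhere in the diff. As far as I recall from the ModSecurity 2.x reference, without `SecDebugLog` only levels 1-3 are copied to the Apache error log and levels 4-9 write nothing, so it is worth confirming the rendered file sets the debug log path (the `$logroot` parameter doc suggests it should) and, if it does not, either adding `SecDebugLog <%= $logroot %>/modsec_debug.log` next to the changed line or saying so in the parameter docs. It is also worth checking that the template has no parameter declaration block at its top, since the manifest now passes a `debug_log_level` key but no `<%- | ... | -%>` entry is added here; with a declared parameter list, an undeclared key would fail rendering. The default of 0 preserves the previously hard-coded value, so existing users see no behavior change.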