From d67a5b8ca013cb880fa374f958e7bb181b3b8b7b Mon Sep 17 00:00:00 2001 From: jessebot Date: Sat, 29 Jun 2024 07:56:05 +0200 Subject: [PATCH] Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs Signed-off-by: jessebot --- .../third-party-addons/modsecurity.md | 94 +++++++++++++++++++ images/nginx-1.25/rootfs/build.sh | 15 ++- 2 files changed, 100 insertions(+), 9 deletions(-)
diff --git a/docs/user-guide/third-party-addons/modsecurity.md b/docs/user-guide/third-party-addons/modsecurity.md
index 93a7f40972..38d39888d1 100644
--- a/docs/user-guide/third-party-addons/modsecurity.md
+++ b/docs/user-guide/third-party-addons/modsecurity.md
@@ -14,3 +14,97 @@ The default `Serial` value in SecAuditLogType can impact performance. The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The directory `/etc/nginx/owasp-modsecurity-crs` contains the [OWASP ModSecurity Core Rule Set repository](https://github.com/coreruleset/coreruleset). Using `enable-owasp-modsecurity-crs: "true"` we enable the use of the rules.
+
+## Supported annotations
+
+For more info on supported annotations, please see [annotations/#modsecurity](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)
+
+## Example of using ModSecurity with plugins via the helm chart
+
+Suppose you have a ConfigMap that contains the contents of the [nextcloud-rule-exclusions plugin](https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/blob/main/plugins/nextcloud-rule-exclusions-before.conf) like this:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: modsecurity-plugins
+data:
+ empty-after.conf: |
+ # no data
+ empty-before.conf: |
+ # no data
+ empty-config.conf: |
+ # no data
+ nextcloud-rule-exclusions-before.conf:
+ # this is just a snippet
+ # find the full file at https://github.com/coreruleset/nextcloud-rule-exclusions-plugin
+ #
+ # [ File Manager ]
+ # The web interface uploads files, and interacts with the user.
+ SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
+ "id:9508102,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+ ctl:ruleRemoveById=920420,\
+ ctl:ruleRemoveById=920440,\
+ ctl:ruleRemoveById=941000-942999,\
+ ctl:ruleRemoveById=951000-951999,\
+ ctl:ruleRemoveById=953100-953130,\
+ ctl:ruleRemoveByTag=attack-injection-php"
+```
+
+If you're using the helm chart, you can pass in the following parameters in your `values.yaml`:
+
+```yaml
+controller:
+ config:
+ # Enables Modsecurity
+ enable-modsecurity: "true"
+
+ # Update ModSecurity config and rules
+ modsecurity-snippet: |
+ # this enables the mod security nextcloud plugin
+ Include /etc/nginx/owasp-modsecurity-crs/plugins/nextcloud-rule-exclusions-before.conf
+
+ # this enables the default OWASP Core Rule Set
+ Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
+
+ # Enable prevention mode. Options: DetectionOnly,On,Off (default is DetectionOnly)
+ SecRuleEngine On
+
+ # Enable scanning of the request body
+ SecRequestBodyAccess On
+
+ # Enable XML and JSON parsing
+ SecRule REQUEST_HEADERS:Content-Type "(?:text|application(?:/soap\+|/)|application/xml)/" \
+ "id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+ SecRule REQUEST_HEADERS:Content-Type "application/json" \
+ "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+ # Reject if larger (we could also let it pass with ProcessPartial)
+ SecRequestBodyLimitAction Reject
+
+ # Send ModSecurity audit logs to the stdout (only for rejected requests)
+ SecAuditLog /dev/stdout
+
+ # format the logs in JSON
+ SecAuditLogFormat JSON
+
+ # could be On/Off/RelevantOnly
+ SecAuditEngine RelevantOnly
+
+ # Add a volume for the plugins directory
+ extraVolumes:
+ - name: plugins
+ configMap:
+ name: modsecurity-plugins
+
+ # override the /etc/nginx/enable-owasp-modsecurity-crs/plugins with your ConfigMap
+ extraVolumeMounts:
+ - name: plugins
+ mountPath: /etc/nginx/owasp-modsecurity-crs/plugins
+```
diff --git a/images/nginx-1.25/rootfs/build.sh b/images/nginx-1.25/rootfs/build.sh
index 2a666fc9e0..1ebce8efc1 100755
--- a/images/nginx-1.25/rootfs/build.sh
+++ b/images/nginx-1.25/rootfs/build.sh
@@ -41,8 +41,8 @@ export MODSECURITY_VERSION=v1.0.3
 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master
 export MODSECURITY_LIB_VERSION=v3.0.12
-# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...main
-export OWASP_MODSECURITY_CRS_VERSION=v3.3.5
+# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main
+export OWASP_MODSECURITY_CRS_VERSION=v4.4.0
 # Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/b5d1688ae722538ba4dc8a7ec08820a08abfb93d...master
 export LUA_NGX_VERSION=b5d1688ae722538ba4dc8a7ec08820a08abfb93d
@@ -181,7 +181,7 @@ apk add \
 c-ares-dev \
 re2-dev \
 grpc-dev \
- protobuf-dev
+ protobuf-dev
 # apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev
@@ -388,17 +388,13 @@ mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-E
 mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 cd ..
-# OWASP CRS v3 rules
+# OWASP CRS v4 rules
 echo "
 Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
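Review bot: The updated include list in this hunk stops at REQUEST-921 and never references `REQUEST-922-MULTIPART-ATTACK.conf`, which as far as I can tell the CRS 4.x line ships between 921 and 930, so the multipart (922xxx) checks would be silently absent from the image unless that line sits among the unchanged lines between this hunk and the next. The root cause is that the list is hand-maintained per release, which is exactly how this upgrade dropped a file: the form the CRS project recommends, `Include /etc/nginx/owasp-modsecurity-crs/rules/*.conf` right after the crs-setup.conf include, loads whatever the pinned tag ships in the correct lexical order (REQUEST-900 first, RESPONSE-999 last) and would have made the whole echo block a two-line change. If the explicit list is kept, add `Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf` after the 921 line and consider a build-time guard that iterates `rules/*.conf` and fails the build when a shipped rule file is not referenced in the generated config. The echo command begins in this hunk but its closing quote and the remaining includes lie outside it.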
@@ -407,7 +403,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LF
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
+Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -418,6 +414,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.co
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf