Merge pull request #2273 from Vincevrp/vhost-anomaly-override

Allow overriding CRS anomaly threshold per vhost

Author: david22swan

manifests/vhost.pp

@@ -552,6 +552,16 @@
 #   If none of those parameters are set, the global audit log is used 
 #   (`/var/log/httpd/modsec\_audit.log`; Debian and derivatives: `/var/log/apache2/modsec\_audit.log`; others: ).
 #
+# @param modsec_inbound_anomaly_threshold
+#   Override the global scoring threshold level of the inbound blocking rules
+#   for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule
+#   Set.
+#
+# @param modsec_outbound_anomaly_threshold
+#   Override the global scoring threshold level of the outbound blocking rules
+#   for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule
+#   Set.
+#
 # @param no_proxy_uris
 #   Specifies URLs you do not want to proxy. This parameter is meant to be used in combination 
 #   with [`proxy_dest`](#proxy_dest).
@@ -1901,6 +1911,8 @@
   Optional[Variant[Hash, Array]] $modsec_disable_msgs                                 = undef,
   Optional[Variant[Hash, Array]] $modsec_disable_tags                                 = undef,
   Optional[String] $modsec_body_limit                                                 = undef,
+  Optional[Integer[1, default]] $modsec_inbound_anomaly_threshold                     = undef,
+  Optional[Integer[1, default]] $modsec_outbound_anomaly_threshold                    = undef,
   Array[Hash] $jk_mounts                                                              = [],
   Boolean $auth_kerb                                                                  = false,
   Enum['on', 'off'] $krb_method_negotiate                                             = 'on',
@@ -2786,7 +2798,9 @@
   # - $modsec_disable_tags
   # - $modsec_body_limit
   # - $modsec_audit_log_destination
-  if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination {
+  # - $modsec_inbound_anomaly_threshold
+  # - $modsec_outbound_anomaly_threshold
+  if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) {
     concat::fragment { "${name}-security":
       target  => "${priority_real}${filename}.conf",
       order   => 320,

spec/defines/vhost_spec.rb

@@ -1202,6 +1202,33 @@
             )
           }
         end
+
+        context 'modsec_anomaly_threshold' do
+          let :params do
+            {
+              'docroot'                           => '/rspec/docroot',
+              'modsec_inbound_anomaly_threshold'  => 10_000,
+              'modsec_outbound_anomaly_threshold' => 10_000,
+            }
+          end
+
+          it { is_expected.to compile }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-security').with(
+              content: %r{
+                ^\s+SecAction\ \\\n
+                \s+\"id:900110,\\\n
+                \s+phase:1,\\\n
+                \s+nolog,\\\n
+                \s+pass,\\\n
+                \s+t:none,\\\n
+                \s+setvar:tx.inbound_anomaly_score_threshold=10000,\ \\\n
+                \s+setvar:tx.outbound_anomaly_score_threshold=10000"$
+              }x,
+            )
+          }
+        end
+
         context 'set only aliases' do
           let :params do
             {

templates/vhost/_security.erb

@@ -39,4 +39,14 @@
 <% if @modsec_body_limit -%>
   SecRequestBodyLimit <%= @modsec_body_limit %>
 <% end -%>
+<% if @modsec_inbound_anomaly_threshold and @modsec_outbound_anomaly_threshold -%>
+  SecAction \
+   "id:900110,\
+    phase:1,\
+    nolog,\
+    pass,\
+    t:none,\
+    setvar:tx.inbound_anomaly_score_threshold=<%= @modsec_inbound_anomaly_threshold -%>, \
+    setvar:tx.outbound_anomaly_score_threshold=<%= @modsec_outbound_anomaly_threshold -%>"
+<% end -%>
 </IfModule>