Merge pull request #2272 from Vincevrp/modsec-bodyaccess

david22swan · web-flow · commit 568ffa0f476b · 2022-08-04T09:45:20.000+01:00
Allow configuring SecRequestBodyAccess and SecResponseBodyAccess
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
@@ -95,6 +95,12 @@
 # @param secrequestbodyinmemorylimit
 #   Configures the maximum request body size that ModSecurity will store in memory.
 # 
+# @param secrequestbodyaccess
+#   Toggle SecRequestBodyAccess On or Off
+# 
+# @param secresponsebodyaccess
+#   Toggle SecResponseBodyAccess On or Off
+# 
 # @param manage_security_crs
 #   Toggles whether to manage ModSecurity Core Rule Set 
 #
@@ -132,6 +138,8 @@
   Integer $secrequestbodyinmemorylimit                  = 131072,
   Integer[1,4] $paranoia_level                          = 1,
   Integer[1,4] $executing_paranoia_level                = $paranoia_level,
+  Enum['On', 'Off'] $secrequestbodyaccess               = 'On',
+  Enum['On', 'Off'] $secresponsebodyaccess              = 'Off',
   Boolean $manage_security_crs                          = true,
 ) inherits apache::params {
   include apache
@@ -197,6 +205,8 @@
   # - secrequestbodylimit
   # - secrequestbodynofileslimit
   # - secrequestbodyinmemorylimit
+  # - secrequestbodyaccess
+  # - secresponsebodyaccess
   file { 'security.conf':
     ensure  => file,
     content => template('apache/mod/security.conf.erb'),
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
@@ -79,13 +79,17 @@
                 audit_log_type: 'Concurrent',
                 audit_log_storage_dir: '/var/log/httpd/audit',
                 secdefaultaction: 'deny,status:406,nolog,auditlog',
+                secrequestbodyaccess: 'Off',
+                secresponsebodyaccess: 'On',
               }
             end
 
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
+            it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
+            it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }
             it { is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
             it {
               is_expected.to contain_file('bar.conf').with(
@@ -227,6 +231,8 @@
                 audit_log_type: 'Concurrent',
                 audit_log_storage_dir: '/var/log/httpd/audit',
                 secdefaultaction: 'deny,status:406,nolog,auditlog',
+                secrequestbodyaccess: 'Off',
+                secresponsebodyaccess: 'On',
               }
             end
 
@@ -235,6 +241,8 @@
               it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} }
               it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} }
               it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
+              it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
+              it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }
               it { is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
               it {
                 is_expected.to contain_file('bar.conf').with(
diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb
@@ -1,7 +1,7 @@
 <IfModule mod_security2.c>
     # Default recommended configuration
     SecRuleEngine <%= @modsec_secruleengine %>
-    SecRequestBodyAccess On
+    SecRequestBodyAccess <%= @secrequestbodyaccess %>
   <%- if @custom_rules -%>
     Include <%= @modsec_dir %>/custom_rules/*.conf
   <%- end -%>
@@ -40,7 +40,7 @@
     SecRule TX:/^MSC_/ "!@streq 0" \
       "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 
-    SecResponseBodyAccess Off
+    SecResponseBodyAccess <%= @secresponsebodyaccess %>
     SecResponseBodyMimeType text/plain text/html text/xml
     SecResponseBodyLimit 524288
     SecResponseBodyLimitAction ProcessPartial
