Merge pull request #2353 from Vincevrp/secresponsebodylimitaction

david22swan · web-flow · commit 75ad35540e19 · 2022-12-12T14:34:30.000Z
Parameterize SecRequestBodyLimitAction and SecResponseBodyLimitAction
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
@@ -98,8 +98,16 @@
 # @param secrequestbodyaccess
 #   Toggle SecRequestBodyAccess On or Off
 # 
+# @param secrequestbodylimitaction
+#   Controls what happens once a request body limit, configured with
+#   SecRequestBodyLimit, is encountered
+# 
 # @param secresponsebodyaccess
 #   Toggle SecResponseBodyAccess On or Off
+#
+# @param secresponsebodylimitaction
+#   Controls what happens once a response body limit, configured with
+#   SecResponseBodyLimitAction, is encountered. 
 # 
 # @param manage_security_crs
 #   Toggles whether to manage ModSecurity Core Rule Set 
@@ -124,44 +132,46 @@
 # @see https://coreruleset.org/docs/ for addional documentation
 #
 class apache::mod::security (
-  Stdlib::Absolutepath $logroot                         = $apache::params::logroot,
-  Integer $version                                      = $apache::params::modsec_version,
-  Optional[String] $crs_package                         = $apache::params::modsec_crs_package,
-  Array[String] $activated_rules                        = $apache::params::modsec_default_rules,
-  Boolean $custom_rules                                 = $apache::params::modsec_custom_rules,
-  Optional[Array[String]] $custom_rules_set             = $apache::params::modsec_custom_rules_set,
-  Stdlib::Absolutepath $modsec_dir                      = $apache::params::modsec_dir,
-  String $modsec_secruleengine                          = $apache::params::modsec_secruleengine,
-  String $audit_log_relevant_status                     = '^(?:5|4(?!04))',
-  String $audit_log_parts                               = $apache::params::modsec_audit_log_parts,
-  String $audit_log_type                                = $apache::params::modsec_audit_log_type,
-  Optional[Stdlib::Absolutepath] $audit_log_storage_dir = undef,
-  Integer $secpcrematchlimit                            = $apache::params::secpcrematchlimit,
-  Integer $secpcrematchlimitrecursion                   = $apache::params::secpcrematchlimitrecursion,
-  String $allowed_methods                               = 'GET HEAD POST OPTIONS',
-  String $content_types                                 = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
-  String $restricted_extensions                         = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
-  String $restricted_headers                            = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
-  String $secdefaultaction                              = 'deny',
-  Integer $inbound_anomaly_threshold                    = 5,
-  Integer $outbound_anomaly_threshold                   = 4,
-  Integer $critical_anomaly_score                       = 5,
-  Integer $error_anomaly_score                          = 4,
-  Integer $warning_anomaly_score                        = 3,
-  Integer $notice_anomaly_score                         = 2,
-  Integer $secrequestmaxnumargs                         = 255,
-  Integer $secrequestbodylimit                          = 13107200,
-  Integer $secrequestbodynofileslimit                   = 131072,
-  Integer $secrequestbodyinmemorylimit                  = 131072,
-  Integer[1,4] $paranoia_level                          = 1,
-  Integer[1,4] $executing_paranoia_level                = $paranoia_level,
-  Enum['On', 'Off'] $secrequestbodyaccess               = 'On',
-  Enum['On', 'Off'] $secresponsebodyaccess              = 'Off',
-  Boolean $manage_security_crs                          = true,
-  Boolean $enable_dos_protection                        = true,
-  Integer[1, default] $dos_burst_time_slice             = 60,
-  Integer[1, default] $dos_counter_threshold            = 100,
-  Integer[1, default] $dos_block_timeout                = 600,
+  Stdlib::Absolutepath $logroot                                = $apache::params::logroot,
+  Integer $version                                             = $apache::params::modsec_version,
+  Optional[String] $crs_package                                = $apache::params::modsec_crs_package,
+  Array[String] $activated_rules                               = $apache::params::modsec_default_rules,
+  Boolean $custom_rules                                        = $apache::params::modsec_custom_rules,
+  Optional[Array[String]] $custom_rules_set                    = $apache::params::modsec_custom_rules_set,
+  Stdlib::Absolutepath $modsec_dir                             = $apache::params::modsec_dir,
+  String $modsec_secruleengine                                 = $apache::params::modsec_secruleengine,
+  String $audit_log_relevant_status                            = '^(?:5|4(?!04))',
+  String $audit_log_parts                                      = $apache::params::modsec_audit_log_parts,
+  String $audit_log_type                                       = $apache::params::modsec_audit_log_type,
+  Optional[Stdlib::Absolutepath] $audit_log_storage_dir        = undef,
+  Integer $secpcrematchlimit                                   = $apache::params::secpcrematchlimit,
+  Integer $secpcrematchlimitrecursion                          = $apache::params::secpcrematchlimitrecursion,
+  String $allowed_methods                                      = 'GET HEAD POST OPTIONS',
+  String $content_types                                        = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
+  String $restricted_extensions                                = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
+  String $restricted_headers                                   = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
+  String $secdefaultaction                                     = 'deny',
+  Integer $inbound_anomaly_threshold                           = 5,
+  Integer $outbound_anomaly_threshold                          = 4,
+  Integer $critical_anomaly_score                              = 5,
+  Integer $error_anomaly_score                                 = 4,
+  Integer $warning_anomaly_score                               = 3,
+  Integer $notice_anomaly_score                                = 2,
+  Integer $secrequestmaxnumargs                                = 255,
+  Integer $secrequestbodylimit                                 = 13107200,
+  Integer $secrequestbodynofileslimit                          = 131072,
+  Integer $secrequestbodyinmemorylimit                         = 131072,
+  Integer[1,4] $paranoia_level                                 = 1,
+  Integer[1,4] $executing_paranoia_level                       = $paranoia_level,
+  Enum['On', 'Off'] $secrequestbodyaccess                      = 'On',
+  Enum['On', 'Off'] $secresponsebodyaccess                     = 'Off',
+  Enum['Reject', 'ProcessPartial'] $secrequestbodylimitaction  = 'Reject',
+  Enum['Reject', 'ProcessPartial'] $secresponsebodylimitaction = 'ProcessPartial',
+  Boolean $manage_security_crs                                 = true,
+  Boolean $enable_dos_protection                               = true,
+  Integer[1, default] $dos_burst_time_slice                    = 60,
+  Integer[1, default] $dos_counter_threshold                   = 100,
+  Integer[1, default] $dos_block_timeout                       = 600,
 ) inherits apache::params {
   include apache
 
@@ -228,6 +238,8 @@
   # - secrequestbodyinmemorylimit
   # - secrequestbodyaccess
   # - secresponsebodyaccess
+  # - secrequestbodylimitaction
+  # - secresponsebodylimitaction
   file { 'security.conf':
     ensure  => file,
     content => template('apache/mod/security.conf.erb'),
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
@@ -81,6 +81,8 @@
                 secdefaultaction: 'deny,status:406,nolog,auditlog',
                 secrequestbodyaccess: 'Off',
                 secresponsebodyaccess: 'On',
+                secrequestbodylimitaction: 'ProcessPartial',
+                secresponsebodylimitaction: 'Reject',
               }
             end
 
@@ -90,6 +92,8 @@
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }
+            it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyLimitAction ProcessPartial$} }
+            it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyLimitAction Reject$} }
             it { is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
             it {
               is_expected.to contain_file('bar.conf').with(
@@ -249,6 +253,8 @@
                 secdefaultaction: 'deny,status:406,nolog,auditlog',
                 secrequestbodyaccess: 'Off',
                 secresponsebodyaccess: 'On',
+                secrequestbodylimitaction: 'ProcessPartial',
+                secresponsebodylimitaction: 'Reject',
               }
             end
 
@@ -259,6 +265,8 @@
               it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
               it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
               it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }
+              it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyLimitAction ProcessPartial$} }
+              it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyLimitAction Reject$} }
               it { is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
               it {
                 is_expected.to contain_file('bar.conf').with(
diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb
@@ -10,7 +10,7 @@
     SecRequestBodyLimit <%= @secrequestbodylimit %>
     SecRequestBodyNoFilesLimit <%= @secrequestbodynofileslimit %>
     SecRequestBodyInMemoryLimit <%= @secrequestbodyinmemorylimit %>
-    SecRequestBodyLimitAction Reject
+    SecRequestBodyLimitAction <%= @secrequestbodylimitaction %>
     SecRule REQBODY_ERROR "!@eq 0" \
       "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
     SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
@@ -43,7 +43,7 @@
     SecResponseBodyAccess <%= @secresponsebodyaccess %>
     SecResponseBodyMimeType text/plain text/html text/xml
     SecResponseBodyLimit 524288
-    SecResponseBodyLimitAction ProcessPartial
+    SecResponseBodyLimitAction <%= @secresponsebodylimitaction %>
     SecDebugLogLevel 0
     SecAuditEngine RelevantOnly
     SecAuditLogRelevantStatus "<%= @audit_log_relevant_status %>"
