Merge pull request #2270 from Vincevrp/crs-paranoia-level

david22swan · web-flow · commit 922c95ed7e74 · 2022-08-01T17:26:55.000+01:00
Allow configuring CRS paranoia level
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
@@ -75,6 +75,13 @@
 # @param notice_anomaly_score
 #   Sets the Anomaly Score for rules assigned with a notice severity.
 # 
+# @param paranoia_level
+#   Sets the paranoia level in the OWASP ModSecurity Core Rule Set.
+# 
+# @param executing_paranoia_level
+#   Sets the executing paranoia level in the OWASP ModSecurity Core Rule Set.
+#   The default is equal to, and cannot be lower than, $paranoia_level.
+# 
 # @param secrequestmaxnumargs
 #   Sets the maximum number of arguments in the request.
 # 
@@ -123,6 +130,8 @@
   Integer $secrequestbodylimit                          = 13107200,
   Integer $secrequestbodynofileslimit                   = 131072,
   Integer $secrequestbodyinmemorylimit                  = 131072,
+  Integer[1,4] $paranoia_level                          = 1,
+  Integer[1,4] $executing_paranoia_level                = $paranoia_level,
   Boolean $manage_security_crs                          = true,
 ) inherits apache::params {
   include apache
@@ -140,6 +149,10 @@
     fail('SLES 10 is not currently supported.')
   }
 
+  if ($executing_paranoia_level < $paranoia_level) {
+    fail('Executing paranoia level cannot be lower than paranoia level')
+  }
+
   case $version {
     1: {
       $mod_name = 'security'
@@ -248,6 +261,8 @@
     # - $notice_anomaly_score
     # - $inbound_anomaly_threshold
     # - $outbound_anomaly_threshold
+    # - $paranoia_level
+    # - $executing_paranoia_level
     # - $allowed_methods
     # - $content_types
     # - $restricted_extensions
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
@@ -130,6 +130,35 @@
             }
             it { is_expected.to contain_file('/etc/httpd/modsecurity.d/custom_rules/custom_01_rules.conf').with_content %r{^\s*.*"id:199999,phase:1,nolog,allow,ctl:ruleEngine=off"$} }
           end
+
+          describe 'with CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 1,
+                executing_paranoia_level: 2,
+              }
+            end
+
+            it {
+              is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$}
+              is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=2"$}
+            }
+          end
+
+          describe 'with invalid CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 2,
+                executing_paranoia_level: 1,
+              }
+            end
+
+            it {
+              is_expected.to compile.and_raise_error(%r{Executing paranoia level cannot be lower than paranoia level})
+            }
+          end
         end
       when 'Debian'
         context 'on Debian based systems' do
@@ -259,6 +288,35 @@
               )
             }
           end
+
+          describe 'with CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 1,
+                executing_paranoia_level: 1,
+              }
+            end
+
+            it {
+              is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$}
+              is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content \
+                %r{^SecAction \\\n\s+\"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=1"$}
+            }
+          end
+
+          describe 'with invalid CRS parameters' do
+            let :params do
+              {
+                paranoia_level: 2,
+                executing_paranoia_level: 1,
+              }
+            end
+
+            it {
+              is_expected.to compile.and_raise_error(%r{Executing paranoia level cannot be lower than paranoia level})
+            }
+          end
         end
       end
     end
diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb
@@ -175,13 +175,13 @@ SecDefaultAction "phase:2,<%= @_secdefaultaction -%>"
 #
 # Uncomment this rule to change the default:
 #
-#SecAction \
-#  "id:900000,\
-#   phase:1,\
-#   nolog,\
-#   pass,\
-#   t:none,\
-#   setvar:tx.paranoia_level=1"
+SecAction \
+  "id:900000,\
+   phase:1,\
+   nolog,\
+   pass,\
+   t:none,\
+   setvar:tx.paranoia_level=<%= @paranoia_level -%>"
 
 
 # It is possible to execute rules from a higher paranoia level but not include
@@ -201,13 +201,13 @@ SecDefaultAction "phase:2,<%= @_secdefaultaction -%>"
 # level results in a performance impact that is equally high as setting
 # tx.paranoia_level to said level.
 #
-#SecAction \
-#  "id:900001,\
-#   phase:1,\
-#   nolog,\
-#   pass,\
-#   t:none,\
-#   setvar:tx.executing_paranoia_level=1"
+SecAction \
+  "id:900001,\
+   phase:1,\
+   nolog,\
+   pass,\
+   t:none,\
+   setvar:tx.executing_paranoia_level=<%= @executing_paranoia_level -%>"
 
 
 #
