mod_security2-cookbook
Installs/Configures mod_security2 (version 0.3.2)

Berksfile:
```ruby
cookbook 'mod_security2', '~> 0.3.2'
cookbook 'mod_security2', '~> 0.3.2', :supermarket
```
Knife:
```shell
knife supermarket install mod_security2
knife supermarket download mod_security2
```
NOTICE:
I have not used this cookbook in production yet, and have no prior experience with mod_security.
Please review the tests (which do pass) to ensure this cookbook meets your needs.
Use at your own risk.
Supported Platforms
- ubuntu 12.04
Usage
This cookbook is primarily designed to be used as an LWRP library cookbook. However, a
few recipes are provided for testing purposes, and for convenience in instances where minimal
customization is needed.
Attributes
These attributes are used as defaults for the LWRP while also being used directly by the convenience recipes.
If you are using the LWRP, there is no need to override node attributes, as the LWRP gives you full
control of all of these items.
- `['mod_security2']['source']['revision']` - The git revision to use for pulling source. default = 'v2.8.0'
- `['mod_security2']['source']['repo']` - The URL of the git repo for source. default = 'https://github.com/SpiderLabs/ModSecurity.git'
- `['mod_security2']['source']['compile_flags']` - Flags to use when configuring mod_security. default = []
- `['mod_security2']['home']` - Home for ModSecurity installs. `<home>/versions/<revision>` will be used with a symlink from `<home>/current` to the current version. default = '/opt/ModSecurity'
- `['mod_security2']['platform']` - the webserver platform we're installing mod_security for. default = :nginx
  *currently only nginx is supported, but I'm happy to take a PR to add apache2 support*
Resources/Providers
mod_security2
Actions
The default action is `:install`
- :install - installs/compiles mod_security2 from source
- :delete - deletes a mod_security2 install. It does **not** remove mod_security from any webserver that may have built it in.
Attribute Parameters
- :version - String (name attribute) - default = node['mod_security2']['source']['revision']
- :home - String - default = node['mod_security2']['home'] (see documentation for node['mod_security2']['home'])
- :platform - [String, Symbol] - default = :nginx - Currently only :nginx is supported
- :compile_flags - [Array, String] - default = []
- :repo - String - default = node['mod_security2']['source']['repo']
mod_security2_config
Actions
The default action is `:create`
- :create - create a config file for mod_security
- :delete - delete a config file
Attribute Parameters
base_rules, optional_rules, experimental_rules, and slr_rules all refer to the OWASP rule set.
- path - where to put the config file
- custom_rules - a hash of custom rules (see details below)
- base_rules - true to include all base rules, false to include none, and an array of filenames to include only some.
- optional_rules - same as for base_rules
- experimental_rules - same as for base_rules
- slr_rules - same as for base_rules
- tarball_url - url for the OWASP ruleset. Default - https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
custom-rules
For custom rules, you provide a hash of rules to include. Each hash entry takes a name for the key, and a hash for the value.
The hash includes:
* priority - the priority of the rule from 0 to 99
* type - :cookbook_file, :template, or :remote_file - The type of resource to use for building this rule
* cookbook - the cookbook that the template or cookbook file is found in (if :cookbook_file or :template type)
* source - the template or cookbook_file source (if :cookbook_file or :template type)
* url - the url for a remote_file

This cookbook includes a cookbook_file for enabling concurrent audit logs for mod_security:
```ruby
mod_security2_config '/etc/modsecurity/mod_security.conf' do
  base_rules true
  custom_rules :concurrent_logging => {
    :type     => :cookbook_file,
    :cookbook => 'mod_security2',
    :source   => 'concurrent_logging.conf',
    :priority => 99
  }
end
```
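As an added example (not the cookbook's own code), here is a plain-Ruby validator for the custom_rules hash described above: it checks the constraints this README states (priority 0 to 99, the three resource types and the keys each one needs) and returns the rule names ordered by priority. The sample hash, the `my_app` cookbook and the example.com URL are constructed, and the assumption that the cookbook writes rules in ascending priority order is mine, not documented here.

```ruby
# Added example, not part of the mod_security2 cookbook: validates a
# custom_rules hash against the constraints stated in the README.
# Symbol keys are assumed, matching the README's own snippet.
RULE_TYPES = {
  cookbook_file: %i[cookbook source],
  template:      %i[cookbook source],
  remote_file:   %i[url]
}.freeze

# Raises ArgumentError on the first malformed entry; otherwise returns the
# rule names sorted by priority (ascending order is an assumption here; the
# README only says priority runs from 0 to 99).
def validate_custom_rules(rules)
  rules.each do |name, rule|
    prio = rule[:priority]
    unless prio.is_a?(Integer) && (0..99).cover?(prio)
      raise ArgumentError, "#{name}: priority must be an integer 0..99, got #{prio.inspect}"
    end
    required = RULE_TYPES[rule[:type]]
    raise ArgumentError, "#{name}: unknown type #{rule[:type].inspect}" unless required
    missing = required.reject { |k| rule[k] }
    unless missing.empty?
      raise ArgumentError, "#{name}: type #{rule[:type]} requires #{missing.join(', ')}"
    end
  end
  rules.sort_by { |name, rule| [rule[:priority], name.to_s] }.map { |name, _| name }
end

# The README says the concurrent_logging file needs a priority above 10 to
# override the OWASP serial logging; this reports whether the hash honours that.
def concurrent_logging_overrides?(rules)
  rule = rules[:concurrent_logging]
  !rule.nil? && rule[:priority] > 10
end

# Constructed sample hash: one rule of each supported type. 'my_app' and the
# example.com URL are placeholders, not values from the cookbook.
SAMPLE_RULES = {
  concurrent_logging: { type: :cookbook_file, cookbook: 'mod_security2',
                        source: 'concurrent_logging.conf', priority: 99 },
  app_whitelist:      { type: :template, cookbook: 'my_app',
                        source: 'whitelist.conf.erb', priority: 20 },
  vendor_rules:       { type: :remote_file,
                        url: 'https://example.com/rules.conf', priority: 5 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts validate_custom_rules(SAMPLE_RULES).inspect
end
```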
Templates and Files
This cookbook provides a couple of templates and files that are helpful for your application cookbook. Each
allows you to get some common functionality while maintaining your own control of the resources.
mod_security_location
This template is used to create a mod_security location in your nginx configs. It is a full nginx vhost config
that simply listens on an http and https port, applies mod_security, and then proxies to a local non-ssl port.
variables
- fqdn - totally optional, node['fqdn'] will be used otherwise. Just for a comment about chef managing this file
- server_name - the server name to apply to this nginx vhost
- listen_port - the http listen port (responds with a 301 redirect to the ssl port)
- ssl_listen_port - the https port to listen on
- ssl_certificate - the path to the ssl certificate
- ssl_certificate_key - the path to the key for the ssl certificate
- modsecuriyt_config - the path to the mod_security config file
- forward_port - the port to forward traffic to.
mod_security_log_cleanup.rb.erb
This template creates a ruby script file to merge mod_security concurrent logs into a single combined log file.
variables
- combined_log - path to store the combined log at
- log_dir - path of the directory containing the concurrent logs
- delete - defaults to true. Do we delete the files after they are merged?
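As an added example (not the cookbook's mod_security_log_cleanup.rb.erb template), here is a stand-alone Ruby version of the merge that template's script performs, taking the same three settings. The nested date/time directory layout under log_dir and the two sample transaction entries are constructed for the demonstration.

```ruby
# Added example, not the cookbook's template: merges ModSecurity concurrent
# audit log files into one combined log, with the README's three settings.
require 'fileutils'
require 'tmpdir'

# Appends every file under log_dir to combined_log, oldest first, and returns
# the list of merged paths. With delete: true the sources are removed only
# after the combined file has been flushed to disk, so nothing is lost if the
# write fails part way through.
def merge_concurrent_logs(log_dir:, combined_log:, delete: true)
  files = Dir.glob(File.join(log_dir, '**', '*'))
             .select { |p| File.file?(p) && p != combined_log }
             .sort_by { |p| [File.mtime(p), p] }
  return [] if files.empty?

  File.open(combined_log, 'a') do |out|
    files.each do |path|
      data = File.read(path)
      out.write(data)
      out.write("\n") unless data.end_with?("\n") # keep entries separated
    end
    out.fsync # merged data is durable before any source is deleted
  end
  FileUtils.rm(files) if delete
  files
end

# Builds a constructed sample tree (two transaction files in the
# YYYYMMDD/YYYYMMDD-HHMM layout ModSecurity uses) in a fresh temp directory
# and returns [log_dir, combined_log]. Entry contents are made up.
def build_sample_tree
  root = Dir.mktmpdir('modsec')
  log_dir = File.join(root, 'concurrent')
  day = File.join(log_dir, '20140101', '20140101-1200')
  FileUtils.mkdir_p(day)
  File.write(File.join(day, '20140101-120001-aaaa'), "--aaaa-A--\nfirst entry\n--aaaa-Z--\n")
  File.write(File.join(day, '20140101-120002-bbbb'), "--bbbb-A--\nsecond entry\n--bbbb-Z--")
  [log_dir, File.join(root, 'combined.log')]
end

if __FILE__ == $PROGRAM_NAME
  log_dir, combined = build_sample_tree
  merged = merge_concurrent_logs(log_dir: log_dir, combined_log: combined)
  puts "merged #{merged.size} files into #{combined}"
end
```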
concurrent_logging.conf
This file can be used as a 'custom_rule' in the mod_security2_config resource to enable concurrent logging. If you do
use it, be sure to give it a priority above 10 so that it can override the serial logging that comes with OWASP.
Recipe usage
mod_security2::install
Installs mod_security2 from source.
Include mod_security2::install in your node's run_list:
```json
{ "run_list": [ "recipe[mod_security2::install]" ] }
```
mod_security2::nginx_module
DO NOT use this recipe directly. This recipe should be used in conjunction with the nginx cookbook by
adding mod_security2::nginx_module to node['nginx']['source']['modules']. By doing so, you are
instructing the nginx cookbook to run this recipe at the appropriate time. You may also need to add
mod_security2::default to your run_list to ensure that the mod_security2 cookbook is available on your
node at runtime.
Installs mod_security from source with the stand-alone-module flag.
Also updates the compile flags for nginx to ensure nginx is compiled with mod_security support.
mod_security2::default
This is a convenience recipe which does NOTHING, but by adding it to your run_list you can
ensure the mod_security2 cookbook will be loaded on your node and available to other cookbooks
at runtime.
License and Authors
License: Apache 2.0
Author: Tejay Cardon (tejay.cardon@gmail.com)
Dependent cookbooks
poise ~> 1.0
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
0.3.2
- added a template for the concurrent log cleanup
- update Berksfile to use a BERKS_SOURCE as the source, if available, and then fall back to supermarket
0.3.0
- Fixed a ton of stuff. This is the first version I've actually been comfortable using
0.1.0
- Initial release of mod_security2
Collaborator Number Metric
0.3.2 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
0.3.2 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
0.3.2 failed this metric
FC064: Ensure issues_url is set in metadata: mod_security2/metadata.rb:1
FC065: Ensure source_url is set in metadata: mod_security2/metadata.rb:1
FC066: Ensure chef_version is set in metadata: mod_security2/metadata.rb:1
FC069: Ensure standardized license defined in metadata: mod_security2/metadata.rb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
Second recorded run:
FC065: Ensure source_url is set in metadata: mod_security2/metadata.rb:1
FC066: Ensure chef_version is set in metadata: mod_security2/metadata.rb:1
FC069: Ensure standardized license defined in metadata: mod_security2/metadata.rb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
0.3.2 passed this metric
Testing File Metric
0.3.2 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
0.3.2 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number