mod_security2 cookbook (3 versions), version 0.3.2

Installs/Configures mod_security2

Install with Policyfile:
cookbook 'mod_security2', '~> 0.3.2', :supermarket

Install with Berkshelf:
cookbook 'mod_security2', '~> 0.3.2'

Install with Knife:
knife supermarket install mod_security2
knife supermarket download mod_security2

Supermarket quality score: 17%

mod_security2-cookbook

NOTICE:

I have not used this cookbook in production yet, and have no prior experience with mod_security.
Please review the tests (which do pass) to ensure this cookbook meets your needs.
Use at your own risk.

Supported Platforms

  • ubuntu 12.04

Usage

This cookbook is primarily designed to be used as an LWRP library cookbook. However, a
few recipes are provided for testing purposes, and for convenience in instances where minimal
customization is needed.

Attributes

These attributes are used as defaults for the LWRP and are also used directly by the convenience recipes.
If you are using the LWRP, there is no need to override node attributes, as the LWRP gives you full
control of all of these items.

  • ['mod_security2']['source']['revision'] - The git revision to use for pulling source. default = 'v2.8.0'
  • ['mod_security2']['source']['repo'] - The URL of the git repo for source. default = 'https://github.com/SpiderLabs/ModSecurity.git'
  • ['mod_security2']['source']['compile_flags'] - Flags to use when configuring mod_security. default = []
  • ['mod_security2']['home'] - Home for ModSecurity installs. <home>/versions/<revision> will be used with a symlink from <home>/current to the current version. default = '/opt/ModSecurity'
  • ['mod_security2']['platform'] - the webserver platform we're installing mod_security for. default = :nginx (currently only nginx is supported, but I'm happy to take a PR to add apache2 support)

Resources/Providers

mod_security2

Actions

The default action is [:install]

  • :install - installs/compiles mod_security2 from source
  • :delete - deletes a mod_security2 install. It does NOT remove mod_security from any webserver that may have built it in.

Attribute Parameters

  • :version - String (name attribute) - default = node['mod_security2']['source']['revision']
  • :home - String - default = node['mod_security2']['home'] - see documentation for node['mod_security2']['home']
  • :platform - [String, Symbol] - default = :nginx - Currently only :nginx is supported
  • :compile_flags - [Array, String] - default = []
  • :repo - String - default = node['mod_security2']['source']['repo']

mod_security2_config

Actions

The default action is :create

  • :create - create a config file for mod_security
  • :delete - delete a config file

Attribute Parameters

base_rules, optional_rules, experimental_rules, and slr_rules all refer to the OWASP rule set.

  • path - where to put the config file
  • custom_rules - a hash of custom rules (see details below)
  • base_rules - true to include all base rules, false to include none, and an array of filenames to include only some.
  • optional_rules - same as for base_rules
  • experimental_rules - same as for base_rules
  • slr_rules - same as for base_rules
  • tarball_url - url for the OWASP ruleset. Default - https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

custom_rules

For custom rules, you provide a hash of rules to include. Each hash entry takes a name as the key and a hash as the value.
The value hash includes:

  • priority - the priority of the rule, from 0 to 99
  • type - :cookbook_file, :template, or :remote_file - the type of resource to use for building this rule
  • cookbook - the cookbook that the template or cookbook file is found in (if :cookbook_file or :template type)
  • source - the template or cookbook_file source (if :cookbook_file or :template type)
  • url - the url for a remote_file (if :remote_file type)

This cookbook includes a cookbook_file for enabling concurrent audit logs for mod_security:

mod_security2_config '/etc/modsecurity/mod_security.conf' do
  base_rules true
  custom_rules :concurrent_logging => {
    :type => :cookbook_file,
    :cookbook => 'mod_security2',
    :source => 'concurrent_logging.conf',
    :priority => 99
  }
end

Templates and Files

This cookbook provides a couple of templates and files that are helpful for your application cookbook. Each
gives you some common functionality while you maintain your own control of the resources.

mod_security_location

This template is used to create a mod_security location in your nginx configs. It is a full nginx vhost config
that simply listens on an http and https port, applies mod_security, and then proxies to a local non-ssl port.

variables

  • fqdn - optional; node['fqdn'] is used otherwise. Only used in a comment noting that Chef manages this file
  • server_name - the server name to apply to this nginx vhost
  • listen_port - the http listen port (responds with a 301 redirect to the ssl port)
  • ssl_listen_port - the https port to listen on
  • ssl_certificate - the path to the ssl certificate
  • ssl_certificate_key - the path to the key for the ssl certificate
  • modsecuriyt_config - the path to the mod_security config file
  • forward_port - the port to forward traffic to

mod_security_log_cleanup.rb.erb

This template creates a ruby script file to merge mod_security concurrent logs into a single combined log file.

variables

  • combined_log - path to store the combined log at
  • log_dir - path of the directory containing the concurrent logs
  • delete - defaults to true. Delete the individual files after they are merged?
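The merge that the generated cleanup script performs, as an added Ruby example rather than the cookbook's own template output. It assumes ModSecurity's concurrent-log layout of one file per transaction under date and minute subdirectories of log_dir, and takes the template's combined_log, log_dir and delete variables as arguments; the sample audit entries are constructed for this example.

```ruby
require 'fileutils'
require 'tmpdir'

# Merge every transaction file beneath log_dir into combined_log.
# Assumption: ModSecurity concurrent logging writes one file per transaction
# under <log_dir>/YYYYMMDD/YYYYMMDD-HHMM/, so a lexical sort of the paths is
# chronological. Returns the number of files merged; with delete: true the
# source files and any emptied subdirectories are removed afterwards.
def merge_concurrent_logs(log_dir, combined_log, delete: true)
  files = Dir.glob(File.join(log_dir, '**', '*')).select { |f| File.file?(f) }.sort
  return 0 if files.empty?
  FileUtils.mkdir_p(File.dirname(combined_log))
  File.open(combined_log, 'a') do |out|        # append, keep earlier merges
    files.each do |f|
      body = File.read(f)
      out.write(body)
      out.write("\n") unless body.end_with?("\n")  # keep entries separated
    end
  end
  if delete
    files.each { |f| File.delete(f) }
    # Remove emptied date/minute directories, deepest first.
    Dir.glob(File.join(log_dir, '**', '*')).select { |d| File.directory?(d) }
       .sort.reverse_each { |d| Dir.rmdir(d) if Dir.empty?(d) }
  end
  files.size
end

# Run the merge over a constructed sample tree (two abbreviated audit entries
# made up for this example) and report what a caller could check.
def demo_merge(delete: true)
  Dir.mktmpdir do |tmp|
    log_dir  = File.join(tmp, 'audit')
    combined = File.join(tmp, 'modsec_combined.log')
    {
      '20140101/20140101-1200/20140101-120005-AAAA' =>
        "--AAAA-A--\n[01/Jan/2014:12:00:05 +0000] AAAA 10.0.0.1 ...\n--AAAA-Z--\n",
      '20140101/20140101-1203/20140101-120310-BBBB' =>
        "--BBBB-A--\n[01/Jan/2014:12:03:10 +0000] BBBB 10.0.0.2 ...\n--BBBB-Z--"
    }.each do |rel, body|
      path = File.join(log_dir, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, body)
    end
    count = merge_concurrent_logs(log_dir, combined, delete: delete)
    left  = Dir.glob(File.join(log_dir, '**', '*')).count { |f| File.file?(f) }
    { count: count, combined: File.read(combined), remaining: left }
  end
end
```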

concurrent_logging.conf

This file can be used as a custom_rules entry in the mod_security2_config resource to enable concurrent logging. If you do
use it, be sure to give it a priority above 10 so that it overrides the serial logging that comes with the OWASP rule set.

Recipe usage

mod_security2::install

Installs mod_security2 from source.

Include mod_security2::install in your node's run_list:

{
  "run_list": [
    "recipe[mod_security2::install]"
  ]
}

mod_security2::nginx_module

DO NOT use this recipe directly. This recipe should be used in conjunction with the nginx cookbook by
adding mod_security2::nginx_module to node['nginx']['source']['modules']. By doing so, you are
instructing the nginx cookbook to run this recipe at the appropriate time. You may also need to add mod_security2::default
to your run_list to ensure that the mod_security2 cookbook is available on your node at runtime.
The recipe installs mod_security from source with the stand-alone-module flag and
also updates the compile flags for nginx to ensure nginx is compiled with mod_security support.

mod_security2::default

This is a convenience recipe which does NOTHING, but by adding it to your run_list you can
ensure the mod_security2 cookbook will be loaded on your node and available to other cookbooks
at runtime.

License and Authors

License: Apache 2.0
Author: Tejay Cardon (tejay.cardon@gmail.com)

Dependent cookbooks

poise ~> 1.0

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

0.3.2

Added a template for the concurrent log cleanup.
Updated the Berksfile to use BERKS_SOURCE as the source, if available, and then fall back to Supermarket.

0.3.0

Fixed a ton of stuff. This is the first version I've actually been comfortable using.

0.1.0

Initial release of mod_security2.

Collaborator Number Metric

0.3.2 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

0.3.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric

0.3.2 failed this metric

FC064: Ensure issues_url is set in metadata: mod_security2/metadata.rb:1
FC065: Ensure source_url is set in metadata: mod_security2/metadata.rb:1
FC066: Ensure chef_version is set in metadata: mod_security2/metadata.rb:1
FC069: Ensure standardized license defined in metadata: mod_security2/metadata.rb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric

0.3.2 passed this metric

Testing File Metric

0.3.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric

0.3.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number