-
Notifications
You must be signed in to change notification settings - Fork 7
/
modsecurity.yaml
186 lines (180 loc) · 7.51 KB
/
modsecurity.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
---
- name: ModSecurity Playbook
hosts: localhost
become: True
tasks:
- name: Prevent 'all' tag from running
fail: msg="This playbook must be run with either 'install_modsec', 'install_crs', or 'uninstall'"
tags: all
- name: ModSecurity Install
hosts: localhost
become: True
tasks:
- include: debian.yaml
when: ansible_os_family == 'Debian'
- include: redhat.yaml
when: ansible_os_family == 'RedHat'
# Try and install YAJL (which is sometimes in yum)
# TODO
- name: Create scratch directory
file: path="{{ ScratchLocation }}" state=directory
# Check if ssdeep is installed
- name: Check if ssdeep is installed
find: paths="/usr/bin,/usr/local,/usr/sbin" patterns=ssdeep recurse=yes
register: ssdeepInfo
# If it's not installed we need to donwload and install it
- name: Download ssdeep
get_url: url=http://downloads.sourceforge.net/project/ssdeep/ssdeep-2.13/ssdeep-2.13.tar.gz?r=&ts=1470792298&use_mirror=superb-sea2 dest="{{ ScratchLocation }}/ssdeep.tar.gz"
when: ssdeepInfo["matched"] == 0
- name: Unpack ssdeep
unarchive: src="{{ ScratchLocation }}/ssdeep.tar.gz" dest="{{ ScratchLocation }}"
when: ssdeepInfo["matched"] == 0
- name: configure ssdeep
command: ./configure chdir="{{ ScratchLocation }}/ssdeep-2.13"
when: ssdeepInfo["matched"] == 0
- name: Run ./make
command: make install chdir="{{ ScratchLocation }}/ssdeep-2.13"
when: ssdeepInfo["matched"] == 0
- include: modsecSetup.yaml
- include: getEnv.yaml
# Install modsecurity.conf and unicode.map
- name: Create modsecurity.d directory
file: path="{{ HttpServerRoot }}/modsecurity.d" state=directory
- name: Check if we have loaded the module
lineinfile:
dest="{{ HttpConfPath }}"
line="LoadModule security2_module {{ ModSecModulePath }}"
regexp="^\s*?LoadModule\ssecurity2_module\s.*?.so$"
state=present
insertafter=EOF
- name: Check if we have loaded the unique_id module
lineinfile:
dest="{{ HttpConfPath }}"
line="LoadModule unique_id_module {{ ModSecModulePath | dirname }}/mod_unique_id.so"
regexp="^\s*?LoadModule\sunique_id_module\s.*?.so$"
state=present
insertafter=EOF
- name: Check if we have added our include
lineinfile:
dest="{{ HttpConfPath }}"
line="IncludeOptional modsecurity.d/*.conf"
regexp="^IncludeOptional modsecurity\.d\/\*\.conf$"
state=present
insertafter=EOF
- name: Copy modsecurity.conf from git
copy: src="{{ ScratchLocation }}/ModSecurity/modsecurity.conf-recommended" dest="{{ HttpServerRoot }}/modsecurity.d/modsecurity.conf" remote_src=true
- name: Copy unicode.mapping from git
copy: src="{{ ScratchLocation }}/ModSecurity/unicode.mapping" dest="{{ HttpServerRoot }}/modsecurity.d/unicode.mapping" remote_src=true
# Remove the scratch
- name: get scratch stat info
stat: path="{{ ScratchLocation }}"
register: scratchStat
- name: Delete Scartch
file: path="{{ ScratchLocation }}" state=absent
when: scratchStat.stat.isdir is defined and scratchStat.stat.isdir == true
# Restart Apache
vars:
ScratchLocation: /opt/ansibleScratch
tags: modsec_install
- name: OWASP CRS Install
hosts: localhost
become: True
vars:
crs_version: v3.0/master
tasks:
- include: getEnv.yaml
- name: Check if we have loaded the module
lineinfile:
dest="{{ HttpConfPath }}"
line="LoadModule security2_module {{ ModSecModulePath }}"
regexp="^\s*?LoadModule\ssecurity2_module\s.*?.so$"
state=present
insertafter=EOF
- name: Check if we have added our include
lineinfile:
dest="{{ HttpConfPath }}"
line="IncludeOptional modsecurity.d/*.conf"
regexp="^IncludeOptional modsecurity\.d\/\*\.conf$"
state=present
insertafter=EOF
- name: Create modsecurity.d directory
file: path="{{ HttpServerRoot }}/modsecurity.d" state=directory
- name: Clone owasp CRS
git: repo=git://github.com/SpiderLabs/owasp-modsecurity-crs
dest={{ HttpServerRoot }}/modsecurity.d/owasp-crs/
version={{crs_version}}
update=no
- name: Check if example already renamed (v2)
stat: path="{{ HttpServerRoot }}/modsecurity.d/owasp-crs/modsecurity_crs_10_setup.conf.example"
register: exampleStat
- name: Check if example already renamed (v3)
stat: path="{{ HttpServerRoot }}/modsecurity.d/owasp-crs/crs-setup.conf.example"
register: exampleStatv3
- name: Rename setup.example to .conf (v2)
command: "mv {{ HttpServerRoot }}/modsecurity.d/owasp-crs/modsecurity_crs_10_setup.conf.example {{ HttpServerRoot }}/modsecurity.d/owasp-crs/modsecurity_crs_10_setup.conf"
when: exampleStat.stat.exists and crs_version == "v2.2/master"
- name: Rename setup.example to .conf (v3)
command: "mv {{ HttpServerRoot }}/modsecurity.d/owasp-crs/crs-setup.conf.example {{ HttpServerRoot }}/modsecurity.d/owasp-crs/modsecurity_crs_10_setup.conf"
when: exampleStatv3.stat.exists and crs_version == "v3.0/master"
- name: Check if includeOWASP.conf already written
stat: path="{{ HttpServerRoot }}/modsecurity.d/includeOWASP.conf"
register: owaspStat
- name: Add a script to load our CRS Rules (v3)
copy: content="Include modsecurity.d/owasp-crs/*.conf\nInclude modsecurity.d/owasp-crs/rules/*.conf" dest="{{ HttpServerRoot }}/modsecurity.d/includeOWASP.conf"
when: not owaspStat.stat.exists and crs_version == "v3.0/master"
- name: Add a script to load our CRS Rules (v2)
copy: content="Include modsecurity.d/owasp-crs/*.conf\nInclude modsecurity.d/owasp-crs/base_rules/*.conf" dest="{{ HttpServerRoot }}/modsecurity.d/includeOWASP.conf"
when: not owaspStat.stat.exists and crs_version == "v2.2/master"
tags: crs_install
- name: OWASP CRS uninstall
hosts: localhost
become: True
tasks:
- include: getEnv.yaml
- name: Check if we have our includeOWASP.conf
stat: path="{{ HttpServerRoot }}/modsecurity.d/includeOWASP.conf"
register: includeStat
- name: Delete includeOWASP.conf
file: path="{{ HttpServerRoot }}/modsecurity.d/includeOWASP.conf" state=absent
when: includeStat.stat.exists
- name: Check if our crs git is there
stat: path="{{ HttpServerRoot }}/modsecurity.d/owasp-crs/"
register: crsStat
- name: Delete CRS
file: path="{{ HttpServerRoot }}/modsecurity.d/owasp-crs/" state=absent
when: crsStat.stat.isdir is defined and crsStat.stat.isdir == true
tags: crs_uninstall
- name: modsec uninstall
hosts: localhost
become: True
tasks:
- include: getEnv.yaml
- name: delete mod_security2.so
debug: var=ModSecModulePath
- name: Check if we have our modsecurity_2.so
stat: path="{{ ModSecModulePath }}"
register: modsecStat
- name: Delete includeOWASP.conf
file: path="{{ ModSecModulePath }}" state=absent
when: modsecStat.stat.exists
# Remove the modsecurity.d folder
- name: Check if our modsecurity.d is there
stat: path="{{ HttpServerRoot }}/modsecurity.d"
register: modsecFolderStat
- name: Delete modsecurity.d
file: path="{{ HttpServerRoot }}/modsecurity.d" state=absent
when: modsecFolderStat.stat.isdir is defined and modsecFolderStat.stat.isdir == true
# Update our httpd.conf
- name: remove the LoadModule if it is there
lineinfile:
dest="{{ HttpConfPath }}"
line=""
regexp="^\s*?LoadModule\ssecurity2_module\s.*?.so$"
state=present
- name: Remove the include modsecurity.d if there
lineinfile:
dest="{{ HttpConfPath }}"
line=""
regexp="^IncludeOptional modsecurity\.d\/\*\.conf$"
state=present
tags: modsec_uninstall