Editor to tame mod_security rulesets

Project description

WARNING: THIS IS ALPHA STAGE QUALITY AND WILL MOST CERTAINLY DELETE YOUR APACHE CONFIGURATION (It doesn’t, but: no warranty and such.)

modseccfg

  • Simple GUI editor for SecRuleDisableById settings

  • Tries to suggest false positives from error and audit logs

  • (And a few options to configure mod_security and CRS variables.)

  • Obviously requires ssh -X forwarding, or preparing config rules on a local test setup, and *.conf files to be writable by current user (running as root is not advised).

Usage

You obviously should have Apache(2.x) + mod_security(2.9) + CRS(3.x) set up and running already (in DetectionOnly mode initially), to allow for log inspection and adapting rules.

  1. start modseccfg (python3 -m modseccfg)

  2. Select a configuration/vhost file to inspect + work on.

  3. Pick the corresponding error.log

  4. Inspect the rules with a high error count.

  5. [Disable] offending rules (unless they’re essential to CRS, or disabling them would likely poke holes into useful protections).

  6. Test the changes (apache2ctl -t), then restart Apache.
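
Steps 3 to 5 can be cross-checked by hand with a short script; this is an added example, not modseccfg's own code, that counts rule ids in a mod_security 2.9 error.log and lists frequent ones as review candidates. The sample lines are constructed, the `min_hits` threshold and the `SCORING_RULES` exclusion set are assumptions, and the output uses `SecRuleRemoveById`, the ModSecurity 2.x directive that disables a rule by id.

```python
import re
from collections import Counter

# Constructed sample in the mod_security 2.9 error.log layout (not real traffic).
SAMPLE_LOG = """\
[Mon Jun 01 10:00:01 2020] [:error] [pid 7] [client 192.0.2.1:4001] ModSecurity: Warning. detected SQLi using libinjection [file "/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.org"] [uri "/forum/post"] [unique_id "c1"]
[Mon Jun 01 10:00:01 2020] [:error] [pid 7] [client 192.0.2.1:4001] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.org"] [uri "/forum/post"] [unique_id "c1"]
[Mon Jun 01 10:02:09 2020] [:error] [pid 7] [client 192.0.2.2:4002] ModSecurity: Warning. detected SQLi using libinjection [file "/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.org"] [uri "/forum/post"] [unique_id "c2"]
[Mon Jun 01 10:02:09 2020] [:error] [pid 7] [client 192.0.2.2:4002] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.org"] [uri "/forum/post"] [unique_id "c2"]
[Mon Jun 01 10:05:30 2020] [:error] [pid 7] [client 192.0.2.3:4003] ModSecurity: Warning. detected SQLi using libinjection [file "/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "example.org"] [uri "/forum/edit"] [unique_id "c3"]
[Mon Jun 01 10:05:30 2020] [:error] [pid 7] [client 192.0.2.3:4003] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.org"] [uri "/forum/edit"] [unique_id "c3"]
[Mon Jun 01 10:07:44 2020] [:error] [pid 7] [client 192.0.2.4:4004] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [file "/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920350"] [msg "Host header is a numeric IP address"] [hostname "192.0.2.80"] [uri "/"] [unique_id "c4"]
"""

# [key "value"] fields; quotes inside a value are backslash-escaped by mod_security.
FIELD = re.compile(r'\[(id|msg|uri) "((?:[^"\\]|\\.)*)"\]')
# Assumption: CRS 3.x blocking/correlation rules. They fire whenever the anomaly
# score trips, so they always rank high, and removing them disables enforcement.
SCORING_RULES = {"949110", "959100", "980130"}

def tally(log_text):
    """Map rule id -> {"count", "msg", "uris"} for every ModSecurity log entry."""
    stats = {}
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = {}
        for key, value in FIELD.findall(line):
            fields.setdefault(key, value)  # keep the first occurrence of each key
        if "id" not in fields:
            continue
        entry = stats.setdefault(
            fields["id"], {"count": 0, "msg": fields.get("msg", ""), "uris": Counter()})
        entry["count"] += 1
        entry["uris"][fields.get("uri", "?")] += 1
    return stats

def candidates(stats, min_hits=3):
    """Rules with at least min_hits entries, most frequent first, scoring rules excluded."""
    hot = [(rid, s) for rid, s in stats.items()
           if s["count"] >= min_hits and rid not in SCORING_RULES]
    return sorted(hot, key=lambda item: -item[1]["count"])

if __name__ == "__main__":
    for rid, s in candidates(tally(SAMPLE_LOG)):
        print(f"# {s['count']} hits on {len(s['uris'])} URI(s): {s['msg']}")
        print(f"SecRuleRemoveById {rid}")
```

A high count only marks a rule for review: the URIs and messages still have to be checked against known-good application behaviour before a rule is disabled.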

Notes

  • Preferably do not edit default /etc/apache* files

  • Work on separate /srv/web/conf.d/* configuration, if available

  • And keep vhost settings in e.g. vhost.*.dir files, rather than multiple <VirtualHost> in one *.conf (else only the first section will be augmented).

Missing features

  • Doesn’t process any audit.log yet.

  • Can’t classify wrapped (<Location> or other directives) rules yet.

  • No rule information dialog.

  • No SecOption editor yet.

  • No CRS settings (setvar:crs…) editor yet.

  • Recipes are not worth using yet.

  • No sudo usage.

  • No support for nginx or mod_sec v3.

  • No support for Windows setups. (Would work, but no interest in user support.)

Source Distributions

No source distribution files available for this release.

Built Distribution

modseccfg-0.0.9-py3-none-any.whl (38.4 kB)

Uploaded Python 3
