I'm going to document mod_security setup.
- yum install mod_security
- mkdir /var/lib/httpd/mod_security
- add SecDataDir /var/lib/httpd/mod_security to /etc/httpd/modsecurity.d/modsecurity_localrules.conf
In my test this removed all messages from the error log in apache. I would recommend that we add the following configuration directives to put the logging in their own files in modsecurity_localrules.conf:
SecAuditLog logs/modsec_audit.log
Ok, so I got my proxy fully set up so I can now post through my proxy. I've updated the mod_security configuration to be:
# Drop your local rules in here. SecDataDir /var/lib/httpd/mod_security SecAuditEngine RelevantOnly SecAuditLog logs/modsec_audit.log SecAuditLogParts ABCFHZ SecAuditLogStorageDir /var/lib/httpd/modsec_logs SecAuditLogType Concurrent SecDebugLog /var/lib/httpd/modsec_logs/modsec_debug.log SecDebugLogLevel 0
Testing
To test mod_security I believe we should set it up in the staging environment. I think it should be deployed with individual audit logs because that provides the best performance at the cost of increased file io. It should be deployed in staging while we tweak the configuration rules to eliminate most false positives.
Deployment
Once the rule set has been optimized on the staging servers the configuration can be deployed to the production systems. I think it should be left in a detection only configuration while the configuration is further tweak from larger exposure. Once we are satisfied with the rule set we should then change it to enforcing.
0-day exploits
We could decide to use mod_security only as a means to hot-fix any potential exploits. This would involve creating a custom SecRule that matches the exploit and then blocks the access.