I have a very simple Policyfile which does nothing but include mod_security. Running kitchen converge works fine, builds up a CentOS box no problem. (Windows host, Vagrant).

When I follow your readme.md example and try to add a mod_secure_proxy directive, the kitchen converge fails.

The log states:

================================================================================
Error executing action `create` on resource 'template[/etc/httpd/sites-available/mytest.conf]'
================================================================================

Chef::Exceptions::FileNotFound
------------------------------
Cookbook 'mytest_aws_waf' (0.1.0) does not contain a file at any of these locations:
  templates/centos-7.3.1611/mod_secure_proxy.conf.erb
  templates/centos/mod_secure_proxy.conf.erb
  templates/default/mod_secure_proxy.conf.erb
  templates/mod_secure_proxy.conf.erb

Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/apache2/definitions/web_app.rb

 28:   template "#{node['apache']['dir']}/sites-available/#{application_name}.conf" do
 29:     source params[:template]
 30:     local params[:local]
 31:     owner 'root'
 32:     group node['apache']['root_group']
 33:     mode '0644'
 34:     cookbook params[:cookbook] if params[:cookbook]
 35:     variables(
 36:       application_name: application_name,
 37:       params: params
 38:     )
 39:     if ::File.exist?("#{node['apache']['dir']}/sites-enabled/#{application_name}.conf")
 40:       notifies :reload, 'service[apache2]', :delayed
 41:     end
 42:   end

Compiled Resource:
------------------
# Declared in /tmp/kitchen/cache/cookbooks/apache2/definitions/web_app.rb:28:in `block in from_file'

template("/etc/httpd/sites-available/mytest.conf") do
  params {:template=>"mod_secure_proxy.conf.erb", :local=>false, :enable=>true, :server_port=>80, :server_name=>"www.mytest.com", :server_aliases=>nil, :enable_https=>true, :name=>"mytest"}
  action [:create]
  default_guard_interpreter :default
  source "mod_secure_proxy.conf.erb"
  variables {:application_name=>"mytest", :params=>{:template=>"mod_secure_proxy.conf.erb", :local=>false, :enable=>true, :server_port=>80, :server_name=>"www.mytest.com", :server_aliases=>nil, :enable_https=>true, :name=>"mytest"}}
  declared_type :template
  cookbook_name "mytest_aws_waf"
  recipe_name "default"
  mode "0644"
  owner "root"
  group "root"
  path "/etc/httpd/sites-available/mytest.conf"
  verifications []
end

System Info:
------------
chef_version=13.0.118
platform=centos
platform_version=7.3.1611
ruby=ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
program_name=chef-client worker: ppid=8165;start=21:40:05;
executable=/opt/chef/bin/chef-client

I don't want to copy your .erb template into my cookbook because that seems non-DRY.

Is there something I'm missing to allow chef to find your template?

Thanks.

@jro thanks to PR #40 by @shotty1 we now have AWS support.
I've incremented the version in metadata.yml

Can you upload this to the chef supermarket?

Frank

Just tried using this to install on a vagrant instance of CentOS7.0 and had (at least) two issues (I stopped after the second one appeared):

mod-security.load pointed to the wrong place for the module. Apparently at the time of writing the template "libdir" was null. So I manually set it (via the node[apache][libexecdir]) before including the recipe, and converged again.

The second time "http -M" failed under every id except root, because the none of the rules dirs apart from activated_rules allow pass-through for anyone but root (and since the activated_rules are links, it means none of the activated rules can be seen).

Not sure if the second one is properly your issue, but thought you should know about it, as well as do some controlling for libexecdir from apache2 being null

Our webservers usually don't have wide open internet access to pull the files directly from Github and it opens the door for parameterised templates.
Plan to do this for version 2.2.9 initially and later maybe 2.2.8 and 3.0.0

Hi,
Thanks v.much for creating this cookbook and keeping it up.

I've tried to use this cookbook on ubuntu 14.04, but unfortunately there is no package named libapache-mod-security, it's named libapache2-mod-security2

Tried to fix that by changing the code under the ubuntu case switch, but the case was unreachable because there is no platform_family named ubuntu according to ohai as noted here

It can't install a new version on top of the old one... It expected first to deinstall old version and then it can continue. From my perspective the msi should be able to upgrade or trace old version and remove it first (when this is a requirement) and then continue...
I receive the following message:

Recipe: mod_security::install_base_iis
  * windows_package[ModSecurity IIS] action install
  Recipe: <Dynamically Defined Resource>
    * remote_file[C:\chef\cache\package\ModSecurityIIS_2.9.1-64b.msi] action cre
ate (up to date)

    ============================================================================
====
    Error executing action `install` on resource 'windows_package[ModSecurity II
S]'
    ============================================================================
====

    Mixlib::ShellOut::ShellCommandFailed
    ------------------------------------
    Expected process to exit with [0], but received '1638'
    ---- Begin output of msiexec /qn /i "c:\chef\cache\package\modsecurityiis_2.
9.1-64b.msi"  /quiet /qn /passive ----
    STDOUT: A n o t h e r   v e r s i o n   o f   t h i s   p r o d u c t   i s
  a l r e a d y   i n s t a l l e d .     I n s t a l l a t i o n   o f   t h i
s   v e r s i o n   c a n n o t   c o n t i n u e .     T o   c o n f i g u r e
  o r   r e m o v e   t h e   e x i s t i n g   v e r s i o n   o f   t h i s
p r o d u c t ,   u s e   A d d / R e m o v e   P r o g r a m s   o n   t h e
C o n t r o l   P a n e l .
    STDERR:
    ---- End output of msiexec /qn /i "c:\chef\cache\package\modsecurityiis_2.9.
1-64b.msi"  /quiet /qn /passive ----
    Ran msiexec /qn /i "c:\chef\cache\package\modsecurityiis_2.9.1-64b.msi"  /qu
iet /qn /passive returned 1638

    Resource Declaration:
    ---------------------
    # In C:/chef/cache/cookbooks/mod_security/recipes/install_base_iis.rb

      9: windows_package node['mod_security']['package_name'] do
     10:   source node['mod_security']['url']
     11:   checksum node['mod_security']['checksum']
     12:   installer_type :msi
     13:   options "/quiet /qn /passive"
     14:   action :install
     15: end

Error

Syntax error on line 9 of /etc/httpd/mods-enabled/mod-security.conf: Could not open config directory /etc/httpd/mod_security/crs/rules: No such file or directory

mod-security.conf

<IfModule security2_module>
    # Include all the *.conf files in /etc/httpd/mod_security.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    Include "/etc/httpd/mod_security/*.conf"

    # Wildcard the mod_security settings file so that Apache doesn't break if missing
    Include /etc/httpd/mod_security/crs/rules/modsecurity_crs_*.conf

    # Core rule sets that have been activated
    Include /etc/httpd/mod_security/crs/rules/activated_rules/*.conf

    # User crafted rules
    Include /etc/httpd/mod_security/owasp_crs/*.conf
</IfModule>

Apache doc

The Include directive will fail with an error if a wildcard expression does not match any file. The IncludeOptional directive can be used if non-matching wildcards should be ignored.

Hi
I am getting this error:
Mixlib::ShellOut::ShellCommandFailed: service[httpd](uco-apache::default line 50) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of /sbin/service httpd start ----
STDOUT: Starting httpd: [FAILED]
STDERR: httpd: Syntax error on line 140 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/mods-enabled/mod-security.load: Cannot load /usr/local/modsecurity/lib/mod_security2.so into server: /usr/local/modsecurity/lib/mod_security2.so: cannot open shared object file: No such file or directory

it tries to load .so file from /usr/local ..etc but when i go there there is no file..any ideas?

It's well overdue to have a new official release of the cookbook.

modsecurity_crs_35_bad_robots.data
modsecurity_crs_50_outbound.data

Seems like this is being fetched from sourceforge. Any one facing this similar issue?

Selected OS:
Amazon Linux AMI 2013.03.1 The Amazon Linux AMI is an EBS-backed, PV-GRUB image. It includes Linux 3.4, AWS tools, and repository access to multiple versions of MySQL, PostgreSQL, Python, Ruby, and Tomcat.

In templates/default/modsecurity.conf.erb, the bellow parameters are expecting 4 variables that doesn't declared in default atribute files, because the correct varible names has response_ sufix not, request_ sufix.

templates/default/modsecurity.conf.erb:

SecResponseBodyAccess <%= node[:mod_security][:request_body_access] %>
SecResponseBodyMimeType <%= node[:mod_security][:request_body_mime_type] %>
SecResponseBodyLimit <%= node[:mod_security][:request_body_limit] %>
SecResponseBodyLimitAction <%= node[:mod_security][:request_body_limit_action] %>

attributes/default.rb:

default[:mod_security][:response_body_access] = 'On'
default[:mod_security][:response_body_mime_type] = 'text/plain text/html text/xml'
default[:mod_security][:response_body_limit] = '524288'
default[:mod_security][:response_body_limit_action] = 'ProcessPartial'

Custom cookbooks are by default never generated in a spot where it is picked up by the configuration.

E.g. the rules for AVS (Automated Vulnerability Scanning) have the IP of the scanner in them. I would like to be aple to set these in a role or wrapper cookbook.

Again need #8 to do this

We need this to have better rule management and to use ModSecurity for virtual patching.

I think if the pullrequest by @lttmtins is accpted this is ready to be used in production

Just a heads-up, don't know if you actually want to control for SELinux contexts in this cookbook or leave that for those installing/using SELinux, but the context for the modsec audit logfile needs to be set properly. I did it (assuming /var/log/modsec_audit.log to be the audit log file) by executing these commands in the recipe after the mod_security cookbook is included:

semanage fcontext -a -t httpd_log_t '/var/log/modsec_audit.log'
restorecon -v '/var/log/modsec_audit.log'

Given the multiple available system security options, I can see not building in support for any of them in order to avoid a lot of headaches, but in case you want to, the above works.

Need #8 for this one.