1. If one enables the OWASP ruleset provided by cPanel, how does it affect the default ruleset in the module?
The Apache module (that is, ModSecurity for Apache/2.9.2) is an interpreter for the ModSecurity rule language.
It has no rules inherent in it.
If you have no rule sets enabled in Home » Security Center » ModSecurity™ Vendors » Manage Vendors, then no rules are being processed.
If you have a rule set enabled please copy its full name into your next post.
Please copy the full name of "the OWASP ruleset" you are asking about enabling.
To check the Apache Module modsecurity version number run the ssh command...
Code:
grep -i 'ModSecurity for Apache' /usr/local/apache/logs/error_log
It should return something like...
[Wed Aug 01 18:17:24.640083 2018] [:notice] [pid xx:tid xx] ModSecurity for Apache/2.9.2 (modsecurity.org) configured.
Apache logs the version to the error_log when it restarts.
2. The mention in the cPanel docs
OWASP renumbered the configuration files in 2016. We strongly recommend that you update your rulesets
If your server was provisioned before 2016/2017 then the older version of the OWASP ruleset from before the renumbering would have been available (but not enabled by default) in the Home » Security Center » ModSecurity™ Vendors » Manage Vendors section of WHM (named OWASP rule set).
After the renumbering a newer version of the ruleset named "OWASP ModSecurity Core Rule Set V3.0" also became available in the Home » Security Center » ModSecurity™ Vendors » Manage Vendors section of WHM.
So cPanel recommended that the older OWASP ruleset be disabled and OWASP ModSecurity Core Rule Set V3.0 be enabled, explaining the quote in your point 2.
3. If you turn on Update for a ruleset (say for instance OWASP ModSecurity Core Rule Set V3.0), then if you ALSO have cPanel Autoupdate turned on, then when upcp runs (once a day) the ruleset yaml file will be checked. If the distribution name-number has changed since last check, it will download the new ruleset zip file.
If you have cPanel Autoupdate turned off then the ruleset yaml file would only be checked when you ran cPanel Update manually.
If you set Update OFF for a ruleset it will not check at all.
upcp runs the command /usr/local/cpanel/scripts/modsec_vendor update --auto
You can run it manually any time to see if/how it is working.
Code:
/usr/local/cpanel/scripts/modsec_vendor update --auto
[2018-08-10 21:33:38 +1000] info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
[2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "OWASP3". The vendor will not receive automatic updates.
[2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "comodo_apache". The vendor will not receive automatic updates.
[2018-08-10 21:33:39 +1000] info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
[2018-08-10 21:33:40 +1000] info [modsec_vendor] The vendor "configserver" is already up to date.
OWASP3 and comodo_apache have updates turned OFF (they are not enabled either).
configserver had updates turned on; it checked the yaml file and the distribution had not changed.
Compatibility for a ruleset is not with the Apache version, but with the ModSecurity Apache module version.
It is/should be handled in the yaml file, which provides a different ruleset download URL for each version of the ModSecurity Apache module likely to be encountered. This will make more sense if you read a yaml file...
Code:
http://httpupdate.cpanel.net/modsecurity-rules/meta_OWASP3.yaml
Might be a good time to manage your expectations too.
OWASP CRS is a generic rule set.
It has rules designed to detect generic attack vectors such as sql injection or directory traversal for instance.
It has no specific rules for any known or published web application vulnerabilities.
So updates are infrequent and not in direct response to newly found vulnerabilities.
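
The two checks described in the post above (module version from the error_log, vendor state from the modsec_vendor output) can be scripted. This is an added example, not part of the original post and not cPanel code; the function names are hypothetical, and the sample lines are copied from the post except where marked as constructed.

```bash
#!/usr/bin/env bash
# Added example (not cPanel code). Sample lines come from the post, except the
# first error_log line, which is constructed to show that the last restart wins.

SAMPLE_ERROR_LOG='[Tue Jul 31 09:02:11.120045 2018] [:notice] [pid xx:tid xx] ModSecurity for Apache/2.9.0 (modsecurity.org) configured.
[Wed Aug 01 18:17:24.640083 2018] [:notice] [pid xx:tid xx] ModSecurity for Apache/2.9.2 (modsecurity.org) configured.'

SAMPLE_UPDATE_LOG='[2018-08-10 21:33:38 +1000] info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
[2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "OWASP3". The vendor will not receive automatic updates.
[2018-08-10 21:33:38 +1000] info [modsec_vendor] You have not enabled the vendor "comodo_apache". The vendor will not receive automatic updates.
[2018-08-10 21:33:39 +1000] info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
[2018-08-10 21:33:40 +1000] info [modsec_vendor] The vendor "configserver" is already up to date.'

# stdin: Apache error_log lines.
# stdout: module version from the most recent "configured" notice (empty if none).
modsec_version() {
    sed -n 's|.*ModSecurity for Apache/\([0-9][0-9.]*\) .*configured.*|\1|p' | tail -n 1
}

# stdin: output of "modsec_vendor update --auto".
# stdout: one "<vendor><TAB><status>" line per message that names a vendor.
vendor_update_status() {
    awk -F'"' '
        /\[modsec_vendor\]/ && NF >= 3 {
            status = "other"    # wording not shown in the post: read it by hand
            if ($0 ~ /You have not enabled the vendor/) status = "not-enabled"
            else if ($0 ~ /is already up to date/)     status = "up-to-date"
            print $2 "\t" status
        }'
}

# Run both parsers over the embedded samples.
echo "ModSecurity module: $(printf '%s\n' "$SAMPLE_ERROR_LOG" | modsec_version)"
printf '%s\n' "$SAMPLE_UPDATE_LOG" | vendor_update_status
```

On a server, feed the functions real input instead of the samples: the error_log path and the modsec_vendor command given in the post. A vendor reported as not-enabled is one whose rules receive no automatic updates, so it is worth flagging if you expected that ruleset to be active.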