Is it possible to get the most updated OWASP Core Rule Set on CentOS? We would like to implement ModSecurity rules that are available on the latest versions. We’re on version 3.0 and the current stable version is 3.3. Are there compatibility issues with cPanel for the latest version?
Hey there! We don't test versions besides what is available in the interface already. You're welcome to install alternative versions or providers, but we can't guarantee they'll work well on the system. The only way to know for sure would be to try it, preferably on a test system or a low-traffic machine before deciding to move that into a regular production system.
I did some additional testing on my end and found that the current version in EasyApache is 3.3. There are more details on installing this specific version here:
docs.cpanel.net
OWASP® ModSecurity CRS | cPanel & WHM Documentation
The OWASP (Open Web Application Security Project) ModSecurity CRS (Core Rule Set) is a set of rules that Apache®'s ModSecurity® module can use to help protect your server.
docs.cpanel.net
OK, so to update to the current version 3.3 I need to runI did some additional testing on my end and found that the current version in EasyApache is 3.3. There are more details on installing this specific version here:
OWASP® ModSecurity CRS | cPanel & WHM Documentation
The OWASP (Open Web Application Security Project) ModSecurity CRS (Core Rule Set) is a set of rules that Apache®'s ModSecurity® module can use to help protect your server.
yum install ea-modsec2-rules-owasp-crs?
So after running the script, it will show as "OWASP ModSecurity Core Rule Set V3.3" under WHM » Security Center » ModSecurity™ Vendors , correct? Does it automatically disable the previous V3.0 rule set?
OK. Will the
conf file still be in the same directory as before?
Code:
/etc/apache2/conf.d/modsec_vendor_configs/OWASP3Yes - when you install that package you'll see a few timestamps in that directory update. Here's a test I did just now:
Code:
[[email protected] OWASP3]# ll
total 228K
drwxr-xr-x 6 root root 4.0K May 5 14:14 .
drwx------. 3 root root 4.0K May 5 14:14 ..
-rw-r--r-- 1 root root 74K Apr 7 15:48 CHANGES
-rw-r--r-- 1 root root 7.7K Apr 7 15:48 CONTRIBUTING.md
-rw-r--r-- 1 root root 3.3K Apr 7 15:48 CONTRIBUTORS.md
-rw-r--r-- 1 root root 33K Apr 7 15:48 crs-setup.conf
-rw-r--r-- 1 root root 33K Apr 7 15:48 crs-setup.conf.example
drwxr-xr-x 3 root root 4.0K May 5 14:14 docs
-rw-r--r-- 1 root root 17K Apr 7 15:48 INSTALL
-rw-r--r-- 1 root root 2.8K Apr 7 15:48 KNOWN_BUGS
-rw-r--r-- 1 root root 12K Apr 7 15:48 LICENSE
-rw-r--r-- 1 root root 2.5K Apr 7 15:48 README.md
drwxr-xr-x 2 root root 4.0K May 5 14:14 rules
-rw-r--r-- 1 root root 2.2K Apr 7 15:48 SECURITY.md
drwxr-xr-x 4 root root 4.0K May 5 14:14 tests
drwxr-xr-x 10 root root 4.0K May 5 14:14 utilI successfully upgraded to OWASP CRS 3.3 today, thanks again for the help. However, I noticed OWASp only had
22/32 rules enabled. Was that on purpose?The disabled rules are listed below:
Code:
rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
rules/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
rules/REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf
rules/REQUEST-911-METHOD-ENFORCEMENT.conf
rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
rules/REQUEST-944-APPLICATION-ATTACK-JAVA.confThese rules are actually exclusion rules, designed to mitigate problems from false-positives in the ModSecurity system. In the past, you had to manually remove rules one at a time as they came up. In this case though, you could enable the rules/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf set because you're using these rules on a cPanel server.
However, if you're not seeing problems, you aren't required to enable any of these.
However, if you're not seeing problems, you aren't required to enable any of these.