What ModSecurity rules are in place with the new WHM module?

Hi! I've just upgraded and see an interesting new backend UI, showing some default settings and a Hit List. Nice. Really.
But I want more control: what rules are in place by default? Where can I find them? If I used the ConfigServer ModSecurity plugin and my host included some Atomicorp rules, are all both still available and in use? Can anybody confirm this? Does this new UI include internal functions replacing/overwriting/invalidating those abovementioned methods?

I'm wondering all this because 1) the UI allows to edit "Custom Rules" but doesn't mention if default basic rules are in place and 2) even your Documentation pages doesnt explain anything further that what one could easily infer by scanning the UI ... If my currently previously loaded rules are being used, the new UI should allow to edit them. While that's not a possibility, I'll stick to ConfigServer Mod Security plugin since it gives me FULL control on EVERY config for ModSecurity.

You may want to review and improve the current completeness of these pages:

• https://documentation.cpanel.net/display/ALD/ModSecurity+Configuration#ModSecurityConfiguration-Backendcompression-SecDisableBackendCompression
• https://documentation.cpanel.net/display/ALD/ModSecurity+Tools

It's just constructive criticism, but all the clarification you could bring to light will be acknowledged

 

BTW, I found the editor, a bit hidden for my taste, at... "scripts2/show_mod_security//editCustomRules" where you can see some settings, but not every one of them. Because there are files not present in the list, and that's worrying me:

This is what's shown in the new Custom Rules screen:

Code:

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecResponseBodyLimitAction ProcessPartial
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf

But these are the files I really have in place, visible thru the ConfigServer ModSec UI:

Code:

modsec2.conf
modsec2.cpanel.conf
modsec2.exploit.conf
modsec2.user.conf
modsec2.whitelist.conf
modsec_rules/00_asl_z_antievasion.conf
modsec_rules/00_asl_zz_strict.conf
modsec_rules/01_asl_content.conf
modsec_rules/01_asl_rules_special.conf
modsec_rules/03_asl_dos.conf
modsec_rules/09_asl_rules.conf
modsec_rules/10_asl_antimalware.conf
modsec_rules/10_asl_rules.conf
modsec_rules/11_asl_adv_rules.conf
modsec_rules/11_asl_data_loss.conf
modsec_rules/12_asl_brute.conf
modsec_rules/15_asl_paranoid_rules.conf
modsec_rules/20_asl_useragents.conf
modsec_rules/30_asl_antispam.conf
modsec_rules/31_asl_urispam.conf
modsec_rules/50_asl_rootkits.conf
modsec_rules/51_asl_rootkits.conf
modsec_rules/60_asl_recons.conf
modsec_rules/61_asl_recons_dlp.conf
modsec_rules/99_asl_jitp.conf
modsec_rules/domain-blacklist-local.txt
modsec_rules/domain-blacklist.txt
modsec_rules/domain-spam-whitelist.conf
modsec_rules/malware-blacklist.txt
modsec_rules/malware_names.txt
modsec_rules/spam.data
modsec_rules/sql.txt

So, what may be going wrong here? Is the new UI not seeing the full picture? or is it scanning just one location?

 

@quizknows: so,... you will be keeping this feature inactive until 11.48?

@InfoPro: sorry for the silly image, but it just brought your attention to the thread and some good links and answers were received in exchange And I deeply thank you for that. I'll follow up the thread you mentioned. And regarding the Release version and the webinars, I bet I'm in the category of the zillions of cPanel licensees who just cannot 1) have an available box to test Release/Edge versions to submit feedback and 2) nor even enough available time to accomodate for a webinar. Hopefully it's recorded and I can watch to it later this weekend.

I have a whole bunch of questions regarding this feature and will ask them in the abovementioned thread.

Thanks both of you for the comments.
Best regards

 

Man, I never said it: thank you for the video link (and the patience ).