openrat-cms

OpenRat Content Management System
git clone http://git.code.weiherhei.de/openrat-cms.git

mod-security.conf (8503B)


      1 
      2 # OpenRat content management system - mod-security
      3 # ..................................................
      4 #
      5 # This is a configuration file for mod-security users.
      6 # If you do not use mod-security, you do not need this file :)
      7 #
      8 # Status: work in progress.
      9 # Rule order matters: "allow" ends rule processing for the request, "chain" ties a rule to the one after it.
     10 # THIS CONFIGURATION IS IN WORK - DO NOT USE IT
     11 # NOTE(review): SecFilter*/SecAudit* are mod_security 1.x directives. mod_security 2.x registers as mod_security2.c and dropped SecFilter*, so under 2.x the <IfModule> block below is skipped silently and nothing is filtered.
     12 # $Id$
     13 
     14 <IfModule mod_security.c>
     15 
     16     # Switch the filter engine on - can be (de)activated per VHost
     17     SecFilterEngine On 
     18     #SecFilterEngine DynamicOnly
     19     #
     20 
     21     # Validate URL encoding
     22     SecFilterCheckURLEncoding On
     23     
     24     # Unicode validation (currently off)
     25     #SecFilterCheckUnicodeEncoding On
     26     
     27     # Scan HTTP POST bodies (needed for the ARG_* rules below to see POST parameters, not only the query string)
     28     SecFilterScanPOST On
     29     #SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
     30     SecFilterSelective HTTP_Content-Type "!(^$|^text/xml.*|^application/x-www-form-urlencoded$|^multipart/form-data;)"
     31 
     32     # Require Content-Length to be provided with
     33     # every POST request
     34     SecFilterSelective REQUEST_METHOD "^POST$" chain
     35     SecFilterSelective HTTP_Content-Length "^$"
     36 
     37     # Disable "Chunked Transfer Encoding" (bodies must be announced via Content-Length instead)
     38     SecFilterSelective HTTP_Transfer-Encoding "!^$"
     39 
     40     #SecFilterForceByteRange 32 126
     41     #SecFilterForceByteRange 32 160
     42     SecFilterForceByteRange 10 255
     43     # 10-255 rejects only bytes 0-9 (NUL..TAB); the commented ranges above are the stricter alternatives
     44     # Default action for matching filter rules
     45     SecFilterDefaultAction "deny,log,status:403"
     46     #SecFilterDefaultAction "deny,log,status:'Aktuelle sicherheitseinstellungen verbieten einen Zugriff auf diese Seite'"
     47 			   
     48     # Include filter rules from mod-security.d
     49     # Include /etc/mod-security.d/[^.#]*
     50 
     51     SecAuditEngine RelevantOnly
     52     # NOTE(review): the "log,allow" catch-all further down presumably marks every request it sees as relevant, so in practice the audit log receives almost all traffic
     53     # Rotate this log file. NOTE(review): /tmp is world-writable and shared, and the audit log holds complete requests (presumably including POST fields such as login_password), so it belongs in a root-owned log directory with restrictive permissions.
     54     SecAuditLog /tmp/security-audit.log
     55 
     56     # Spoof the ServerSignature - requires ServerTokens Full
     57     #SecServerSignature "OpenRat Server"
     58     # Blacklist entry: deny any request containing "/bin/sh"
     59     SecFilter /bin/sh
     60 
     61 
     62     # Images and other static files
     63     SecFilterSelective REQUEST_FILENAME "^.*\.(png|jpe?g|gif|css|js)$" allow
     64     # "allow" ends rule processing for those requests, so none of the parameter rules below apply to them
     65     # Start page
     66     SecFilterSelective REQUEST_URI "^.*/$" allow
     67     #SecFilterSelective SCRIPT_FILENAME "!^do\.php[3-5]?$"
     68     # NOTE(review): "^.*/$" allows any request URI ending in "/"; confirm whether REQUEST_URI carries the query string in this mod_security version - the match should be on the path component only
     69 
     70 
     71     # Parameter Whitelist (to be done, need a good way)
     72     #SecFilterSelective ARGS_NAMES "!^(targetSubAction|subaction|action|oi|id)$" chain
     73     #SecFilterSelective ARGS_NAMES "!^(login_name|login_password)$" chain
     74     #SecFilterSelective ARGS_NAMES "!^(elementid|dbid|ok|screenwidth|src|text)$" chain
     75     #SecFilterSelective ARGS_NAMES "!^(obj[0-9]+|type|valueid|release|objectid1|objectid2|commit|ids)$" chain
     76     #SecFilterSelective ARGS_NAMES "!^(groupid|username|name|fullname|desc|description|templateid)$" chain
     77     #SecFilterSelective ARGS_NAMES "!^(tel|ldap_dn|style|is_admin|ok|act_password|password1?|password2|e?mail|random|timeout|code|confirm)$" chain
     78     #SecFilterSelective ARGS_NAMES "!^(addelement|addicon|addifempty|addifnotempty|elementid|iconid|ifemptyid|ifnotemptyid|with_icon|all_languages|writable|wiki|html|default_longtext|subtypes|subtype)$" chain
     79     #SecFilterSelective ARGS_NAMES "!^(target_dir|ftp_url|ftp_passive|cmd_after_publish|content_negotiation|cut_index)$"
     80     # Generic rule: parameter names must be lowercase [a-z0-9_] (the regex is case-sensitive)
     81     SecFilterSelective ARGS_NAMES "!^[a-z][a-z0-9_]*[0-9]*$" 
     82 
     83     # Individual parameters (ARG_id accepts an empty value and "-" in any position)
     84     SecFilterSelective ARG_id "!^[0-9-]*$"
     85 
     86     # Session id (adjust if needed). NOTE(review): the ARGS_NAMES rule above rejects upper-case names, so a request carrying a PHPSESSID parameter is denied there and the ARG_PHPSESSID rule is unreachable.
     87     SecFilterSelective ARG_oi        "!^[a-f0-9]*$"
     88     SecFilterSelective ARG_PHPSESSID "!^[a-f0-9]*$"
     89     SecFilterSelective ARG_sessionid "!^[a-f0-9]*$"
     90     SecFilterSelective ARG_sid       "!^[a-f0-9]*$"
     91     # NOTE(review): this character set rejects passwords containing spaces or other punctuation; if the application accepts such passwords, legitimate logins are blocked here
     92     SecFilterSelective ARG_login_name     "!^[A-Za-z0-9_-]*$"
     93     SecFilterSelective ARG_login_password "!^[A-Za-z0-9_-]*$"
     94     SecFilterSelective ARG_password1      "!^[A-Za-z0-9_-]*$"
     95     SecFilterSelective ARG_password2      "!^[A-Za-z0-9_-]*$"
     96     SecFilterSelective ARG_password       "!^[A-Za-z0-9_-]*$"
     97     
     98     SecFilterSelective ARG_action "!^[a-z]*$"
     99     SecFilterSelective ARG_subaction "!^[a-z]*$"
    100 
    101     SecFilterSelective ARG_elementid "!^[0-9]*$"
    102     SecFilterSelective ARG_objectid1 "!^[0-9]*$"
    103     SecFilterSelective ARG_objectid2 "!^[0-9]*$"
    104     SecFilterSelective ARG_dbid "!^[a-zA-Z0-9_-]*$"
    105     SecFilterSelective ARG_tel "!^[a-zA-Z0-9_ -]*$"
    106     SecFilterSelective ARG_desc "!^[a-zA-Z0-9_-]*$"
    107     SecFilterSelective ARG_mail "!^[a-zA-Z0-9_\.@-]*$"
    108     # NOTE(review): the ldap_dn set below contains no space, so DNs such as "cn=John Doe,..." are rejected
    109     SecFilterSelective ARG_style "!^[a-zA-Z0-9_-]*$"
    110     SecFilterSelective ARG_ldap_dn "!^[a-zA-Z0-9_=;,-]*$"
    111     SecFilterSelective ARG_is_admin "!^1?$"
    112     SecFilterSelective ARG_email "!^1?$"
    113     SecFilterSelective ARG_random "!^1?$"
    114     SecFilterSelective ARG_timeout "!^1?$"
    115     SecFilterSelective ARG_cut_index "!^1?$"
    116     SecFilterSelective ARG_content_negotiation "!^1?$"
    117     SecFilterSelective ARG_ftp_passive "!^1?$"
    118     #SecFilterSelective ARG_cmd_after_publish "!^[a-zA-Z0-9_\/]+$"
    119 
    120 
    121     
    122     # Actions: each pair allows one known action/subaction combination (case-sensitive; a matching pair ends rule processing with allow)
    123     SecFilterSelective ARG_action "^index$" chain
    124     SecFilterSelective ARG_subaction "^(|project|object|projectmenu|administration|changepassword|register|registercode|registercommit|password|showlogin|login|logout|setnewpassword)$" allow
    125 
    126     SecFilterSelective ARG_action "^folder$" chain
    127     SecFilterSelective ARG_subaction "^(|show|save|create|pub|prop|saveprop|rights|createfolder|createpage|createlink|createfile|createnewfolder|createnewpage|createnewlink|createnewfile|edit|changesequence|multiple|order|settop|setbottom|select)$" allow
    128 
    129     SecFilterSelective ARG_action "^(file|page|link|folder)$" chain
    130     SecFilterSelective ARG_subaction "^(|aclform|addacl|delacl|pubnow)$" allow
    131 
    132     SecFilterSelective ARG_action "^page$" chain
    133     SecFilterSelective ARG_subaction "^(|show|save|edit|el|pub|prop|src|rights|saveprop)$" allow
    134 
    135     SecFilterSelective ARG_action "^file$" chain
    136     SecFilterSelective ARG_subaction "^(|show|save|pub|prop|rights)$" allow
    137 
    138     SecFilterSelective ARG_action "^link$" chain
    139     SecFilterSelective ARG_subaction "^(|show|edit|save|pub|prop|rights)$" allow
    140 
    141     SecFilterSelective ARG_action "^pageelement$" chain
    142     SecFilterSelective ARG_subaction "^(|save|editlink|editlist|editdate|savedate|savelist|savelink|editlongtext|archivelink|archivelongtext|diff|savelongtext)$" allow
    143 
    144     SecFilterSelective ARG_action "^(main|mainmenu)$" chain
    145     SecFilterSelective ARG_subaction "^(folder|page|pageelement|file|link|template|language|model|search|project|user|group|element)$" allow
    146     
    147     SecFilterSelective ARG_action "^template$" chain
    148     SecFilterSelective ARG_subaction "^(|prop|el|listing|show|edit|src|srcaddelement)$" allow
    149     
    150     SecFilterSelective ARG_action "^tree$" chain
    151     SecFilterSelective ARG_subaction "^(load|open|close)$" allow
    152 
    153     SecFilterSelective ARG_action "^border$" chain
    154     SecFilterSelective ARG_subaction "^(|show)$" allow
    155 
    156     SecFilterSelective ARG_action "^background$" chain
    157     SecFilterSelective ARG_subaction "^(|show)$" allow
    158 
    159     SecFilterSelective ARG_action "^title$" chain
    160     SecFilterSelective ARG_subaction "^(|show)$" allow
    161 
    162     SecFilterSelective ARG_action "^treetitle$" chain
    163     SecFilterSelective ARG_subaction "^(|show)$" allow
    164 
    165     SecFilterSelective ARG_action "^model$" chain
    166     SecFilterSelective ARG_subaction "^(|list|setdefault|save|edit|remove)$" allow
    167 
    168     SecFilterSelective ARG_action "^language$" chain
    169     SecFilterSelective ARG_subaction "^(|listing|add|edit|remove)$" allow
    170 
    171     SecFilterSelective ARG_action "^search$" chain
    172     SecFilterSelective ARG_subaction "^(|prop|content)$" allow
    173 
    174     SecFilterSelective ARG_action "^project$" chain
    175     SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|maintanance)$" allow
    176 
    177     SecFilterSelective ARG_action "^user$" chain
    178     SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|groups|pw|rights|pwchange|addgrouptouser|adduser|delete)$" allow
    179 
    180     SecFilterSelective ARG_action "^group$" chain
    181     SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|users)$" allow
    182 
    183     SecFilterSelective ARG_action "^profile$" chain
    184     SecFilterSelective ARG_subaction "^(|edit|saveprofile|savepw|pwchange)$" allow
    185 
    186     SecFilterSelective ARG_action "^element$" chain
    187     SecFilterSelective ARG_subaction "^(|properties|saveproperties|name|remove|type|delete)$" allow
    188 
    189 
    190     # NOTE(review): while the "log,allow" rule below is active, every request reaching it is permitted and the deny fallback after it is unreachable - the action/subaction allowlist above is then audit-only. Remove before production.
    191     # TEMPORARY: log everything and still allow it.
    192     SecFilter ".*" log,allow
    193     
    194     # Fallback: deny everything.
    195     SecFilter ".*"
    196 
    197 
    198 
    199     # Output filtering
    200     SecFilterScanOutput On
    201     SecFilterSelective OUTPUT "Fatal error:" deny,status:500
    202     SecFilterSelective OUTPUT "Parse error:" deny,status:500
    203     # NOTE(review): this catches PHP fatal/parse messages (which expose file paths), but "Warning:" and "Notice:" output leaks the same; set display_errors=Off in PHP and keep this as defence in depth
    204 </IfModule>