Merge pull request #2280 from Vincevrp/dos-protection

david22swan · web-flow · commit bc9dc3e7854c · 2022-09-05T13:07:56.000+01:00
Parameterize CRS DOS protection
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
@@ -104,7 +104,24 @@
 # @param manage_security_crs
 #   Toggles whether to manage ModSecurity Core Rule Set 
 #
+# @param enable_dos_protection
+#   Toggles the optional OWASP ModSecurity Core Rule Set DOS protection rule
+#   (rule id 900700)
+#
+# @param dos_burst_time_slice
+#   Configures time in which a burst is measured for the OWASP ModSecurity Core Rule Set DOS protection rule
+#   (rule id 900700)
+#
+# @param dos_counter_threshold
+#   Configures the amount of requests that can be made within dos_burst_time_slice before it is considered a burst in
+#   the OWASP ModSecurity Core Rule Set DOS protection rule (rule id 900700)
+#
+# @param dos_block_timeout
+#   Configures how long the client should be blocked when the dos_counter_threshold is exceeded in the OWASP
+#   ModSecurity Core Rule Set DOS protection rule (rule id 900700)
+#
 # @see https://github.com/SpiderLabs/ModSecurity/wiki for additional documentation.
+# @see https://coreruleset.org/docs/ for addional documentation
 #
 class apache::mod::security (
   Stdlib::Absolutepath $logroot                         = $apache::params::logroot,
@@ -141,6 +158,10 @@
   Enum['On', 'Off'] $secrequestbodyaccess               = 'On',
   Enum['On', 'Off'] $secresponsebodyaccess              = 'Off',
   Boolean $manage_security_crs                          = true,
+  Boolean $enable_dos_protection                        = true,
+  Integer[1, default] $dos_burst_time_slice             = 60,
+  Integer[1, default] $dos_counter_threshold            = 100,
+  Integer[1, default] $dos_block_timeout                = 600,
 ) inherits apache::params {
   include apache
 
@@ -278,6 +299,10 @@
     # - $restricted_extensions
     # - $restricted_headers
     # - $secrequestmaxnumargs
+    # - $enable_dos_protection
+    # - $dos_burst_time_slice
+    # - $dos_counter_threshold
+    # - $dos_block_timeout
     file { "${modsec_dir}/security_crs.conf":
       ensure  => file,
       content => template('apache/mod/security_crs.conf.erb'),
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
@@ -140,6 +140,10 @@
               {
                 paranoia_level: 1,
                 executing_paranoia_level: 2,
+                enable_dos_protection: true,
+                dos_burst_time_slice: 30,
+                dos_counter_threshold: 120,
+                dos_block_timeout: 300,
               }
             end
 
@@ -148,6 +152,18 @@
                 %r{^SecAction \\\n\s+\"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$}
               is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \
                 %r{^SecAction \\\n\s+\"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=2"$}
+              is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content \
+                %r{
+                  ^SecAction\ \\\n
+                  \s+\"id:900700,\\\n
+                  \s+phase:1,\\\n
+                  \s+nolog,\\\n
+                  \s+pass,\\\n
+                  \s+t:none,\\\n
+                  \s+setvar:'tx.dos_burst_time_slice=30',\\\n
+                  \s+setvar:'tx.dos_counter_threshold=120',\\\n
+                  \s+setvar:'tx.dos_block_timeout=300'"$
+              }x
             }
           end
 
@@ -302,6 +318,10 @@
               {
                 paranoia_level: 1,
                 executing_paranoia_level: 1,
+                enable_dos_protection: true,
+                dos_burst_time_slice: 30,
+                dos_counter_threshold: 120,
+                dos_block_timeout: 300,
               }
             end
 
@@ -310,6 +330,18 @@
                 %r{^SecAction \\\n\s+\"id:900000,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.paranoia_level=1"$}
               is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content \
                 %r{^SecAction \\\n\s+\"id:900001,\\\n\s+phase:1,\\\n\s+nolog,\\\n\s+pass,\\\n\s+t:none,\\\n\s+setvar:tx.executing_paranoia_level=1"$}
+              is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content \
+                %r{
+                  ^SecAction\ \\\n
+                  \s+\"id:900700,\\\n
+                  \s+phase:1,\\\n
+                  \s+nolog,\\\n
+                  \s+pass,\\\n
+                  \s+t:none,\\\n
+                  \s+setvar:'tx.dos_burst_time_slice=30',\\\n
+                  \s+setvar:'tx.dos_counter_threshold=120',\\\n
+                  \s+setvar:'tx.dos_block_timeout=300'"$
+              }x
             }
           end
 
diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb
@@ -714,16 +714,17 @@ SecAction \
 #
 # Uncomment this rule to use this feature:
 #
+<% if @enable_dos_protection -%>
 SecAction \
  "id:900700,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
-  setvar:'tx.dos_burst_time_slice=60',\
-  setvar:'tx.dos_counter_threshold=100',\
-  setvar:'tx.dos_block_timeout=600'"
-
+  setvar:'tx.dos_burst_time_slice=<%= @dos_burst_time_slice %>',\
+  setvar:'tx.dos_counter_threshold=<%= @dos_counter_threshold %>',\
+  setvar:'tx.dos_block_timeout=<%= @dos_block_timeout %>'"
+<% end -%>
 
 #
 # -- [[ Check UTF-8 encoding ]] ------------------------------------------------
