commit: 15381ae65d3f18a94bc800fa5d049c83f533043e Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> AuthorDate: Mon May 8 01:43:42 2017 +0000 Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> CommitDate: Mon May 8 01:43:59 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15381ae6
www-apache/mod_security: new version 2.9.1 to fix some bugs. There are a few important changes in this version. First, there is a new USE flag "mlogc" for the audit log collector. USE=curl was too confusing. Oh, and it actually installs the log collector files now. Next, I've moved the SecDataDir under /var/lib to eliminate a QA warning. That's a better place for it anyway, because it doesn't hold cached data (we have no way to recreate the stuff if it disappears). I've dropped the code that enables/disables the GeoIP stuff in the configuration file. We don't need to sed our users' configurations based on USE flags: they'll set it to what they want, and we should leave it that way. The flag is still there to pull in the geoip libs. The configuration file is named 79_mod_security.conf now, for consistency. There are two completely new flags, USE=json and USE=fuzzyhash to enable new upstream features. Some missing dependencies were added, and the docs are being built with doxygen for now. The following users submitted code and/or suggestions that I've used. Thanks guys! * Chris Frederick * Graham E * Leho Kraav * Mario D. Santana Gentoo-Bug: 518828 Gentoo-Bug: 594720 Gentoo-Bug: 605496 Gentoo-Bug: 615294 Package-Manager: Portage-2.3.3, Repoman-2.3.1 www-apache/mod_security/Manifest | 1 + www-apache/mod_security/files/79_mod_security.conf | 11 +++ www-apache/mod_security/metadata.xml | 27 ++++-- www-apache/mod_security/mod_security-2.9.1.ebuild | 103 +++++++++++++++++++++ 4 files changed, 134 insertions(+), 8 deletions(-) diff --git a/www-apache/mod_security/Manifest b/www-apache/mod_security/Manifest index d2a730c6410..87fdeecacaa 100644 --- a/www-apache/mod_security/Manifest +++ b/www-apache/mod_security/Manifest @@ -1 +1,2 @@ +DIST modsecurity-2.9.1.tar.gz 4261212 SHA256 958cc5a7a7430f93fac0fd6f8b9aa92fc1801efce0cda797d6029d44080a9b24 SHA512 374733cbfc26e53d95b78c8f268a4e465d838163e9893fc24e33a9d272b114f1b287147bab6d0289575074cbbd94f48983e23fa59832cbcb32950046cea59269 WHIRLPOOL 5f41bebf032f8a269412d104b7632a06af4d4c495658c9cd1ebf69b82c10ce1bbcb34b9dd159a7b00e57348714a5e93ad3db19701dda51479accd3a9dc79a9cb DIST modsecurity-apache_2.7.7.tar.gz 1003835 SHA256 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b SHA512 859f72580b6acaae5db180f98ee32ad2cb0f3ef24321d0c2df20ddd9fcfbc6c09c98b672012dc4931a6fd14f3c21c38ed31ab8900940382fcb48b37f30005a7d WHIRLPOOL e70f09c6bf640733696e6c544b4e37702ab05b043bdf07266a081316620986e976d2dcf8c1552380e846132473718b3ae7f0cadd18953b08b22bef5de3a5b455 diff --git a/www-apache/mod_security/files/79_mod_security.conf b/www-apache/mod_security/files/79_mod_security.conf new file mode 100644 index 00000000000..bd88e88a977 --- /dev/null +++ b/www-apache/mod_security/files/79_mod_security.conf @@ -0,0 +1,11 @@ +<IfDefine SECURITY> + LoadModule security2_module modules/mod_security2.so + SecDataDir /var/lib/modsecurity + + # Enable looking up geolocation data from MaxMind's GeoIP database + # SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat + + # Define here your http:BL API key if any + # see http://www.projecthoneypot.org/httpbl_api.php + #SecHttpBlKey xxxxxxxx +</IfDefine> diff --git a/www-apache/mod_security/metadata.xml b/www-apache/mod_security/metadata.xml index 0b434d6c669..1a8e39a420e 100644 --- a/www-apache/mod_security/metadata.xml +++ b/www-apache/mod_security/metadata.xml @@ -2,16 +2,14 @@ <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";> <pkgmetadata> <use> - <flag name="geoip"> - Configure ModSecurity to query the GeoIP database from MaxMind, - provided by <pkg>dev-libs/geoip</pkg>. This flag only controls - the default configuration, as the GeoIP query code is part of - ModSecurity's source code. + <flag name="fuzzyhash"> + Support fuzzy hash computations (to detect malware, for example) + using the <pkg>app-crypt/ssdeep</pkg> package. </flag> - <flag name="curl"> - Build the ModSecurity Audit Log Collector (mlogc) that depends - on <pkg>net-misc/curl</pkg>. + <flag name="geoip"> + Pull in <pkg>dev-libs/geoip</pkg> for use by the SecGeoLookupDb + directive. </flag> <flag name="jit"> @@ -19,5 +17,18 @@ by <pkg>dev-libs/libpcre</pkg> with jit USE flag enabled. Might not be available on hardened systems. </flag> + + <flag name="json"> + Suppose JSON in the request body parser through + <pkg>dev-libs/yajl</pkg>. + </flag> + + <flag name="mlogc"> + Build and install the ModSecurity Audit Log Collector (mlogc). + </flag> </use> + + <upstream> + <remote-id type="github">SpiderLabs/ModSecurity</remote-id> + </upstream> </pkgmetadata> diff --git a/www-apache/mod_security/mod_security-2.9.1.ebuild b/www-apache/mod_security/mod_security-2.9.1.ebuild new file mode 100644 index 00000000000..c444dd2ecf3 --- /dev/null +++ b/www-apache/mod_security/mod_security-2.9.1.ebuild @@ -0,0 +1,103 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 + +inherit apache-module + +MY_PN=modsecurity +MY_P=${MY_PN}-${PV} + +DESCRIPTION="Application firewall and intrusion detection for Apache" +HOMEPAGE="http://www.modsecurity.org/"; +SRC_URI="http://www.modsecurity.org/tarball/${PV}/${MY_P}.tar.gz"; + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="doc fuzzyhash geoip jit json lua mlogc" + +COMMON_DEPEND="dev-libs/apr + dev-libs/apr-util[openssl] + dev-libs/libxml2 + dev-libs/libpcre[jit?] + fuzzyhash? ( app-crypt/ssdeep ) + json? ( dev-libs/yajl ) + lua? ( dev-lang/lua:0 ) + mlogc? ( net-misc/curl ) + www-servers/apache[apache2_modules_unique_id]" +DEPEND="${COMMON_DEPEND} + doc? ( app-doc/doxygen )" +RDEPEND="${COMMON_DEPEND} + geoip? ( dev-libs/geoip ) + mlogc? ( dev-lang/perl )" +PDEPEND=">=www-apache/modsecurity-crs-2.2.6-r1" + +S="${WORKDIR}/${MY_P}" + +APACHE2_MOD_FILE="apache2/.libs/${PN}2.so" +APACHE2_MOD_CONF="79_${PN}" +APACHE2_MOD_DEFINE="SECURITY" + +# Tests require symbols only defined within the Apache binary. +RESTRICT=test + +need_apache2 + +src_configure() { + econf --enable-shared \ + --disable-static \ + --with-apxs="${APXS}" \ + --enable-request-early \ + --with-pic \ + $(use_with fuzzyhash ssdeep) \ + $(use_with json yajl) \ + $(use_enable mlogc) \ + $(use_with lua) \ + $(use_enable lua lua-cache) \ + $(use_enable jit pcre-jit) +} + +src_compile() { + default + + # Building the docs is broken at the moment, see e.g. + # https://github.com/SpiderLabs/ModSecurity/issues/1322 + if use doc; then + doxygen doc/doxygen-apache.conf || die 'failed to build documentation' + fi +} + +src_install() { + apache-module_src_install + + dodoc CHANGES README.TXT modsecurity.conf-recommended + + if use doc; then + dodoc -r doc/apache/html + fi + + if use mlogc; then + insinto /etc/ + newins mlogc/mlogc-default.conf mlogc.conf + dobin mlogc/mlogc + dobin mlogc/mlogc-batch-load.pl + newdoc mlogc/INSTALL INSTALL-mlogc + fi + + # Use /var/lib instead of /var/cache. This stuff is "persistent," + # and isn't a cached copy of something that we can recreate. + # Bug 605496. + keepdir /var/lib/modsecurity + fowners apache:apache /var/lib/modsecurity + fperms 0770 /var/lib/modsecurity +} + +pkg_postinst() { + elog "The base configuration file has been renamed ${APACHE2_MOD_CONF}" + elog "so that you can put your own configuration in (for example)" + elog "90_modsecurity_local.conf." + elog "" + elog "That would be the correct place for site-global security rules." + elog "Note: 80_modsecurity_crs.conf is used by www-apache/modsecurity-crs" +}
