Jan 072010
 

For various reasons I have decided that I need to install mod_security2 on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is not something provided by OpenCSW.

For even more various reasons, I decided to “formalise” my notes on building, installing, and configuring mod_security2.

Before attempting to build mod_security2, it is important to have a functional build environment. This includes :-

  • Installing the apache2_devel package from OpenCSW (pkg-get -i apache2_devel)
  • Installing the gcc3 package from OpenCSW
  • Installing the following OpenSolaris packages (pkg install XXX) :- SUNWhea, SUNWarc, SUNWbtool
  • Installing the SunStudio package from Sun. It may be possible that gcc3 is not necessary with this installed, but I ended up with both so advise you too as well. In addition to installing it in the standard location (/opt/SUNWspro) it is also necessary to create a symlink in the place where the OpenCSW developer placed his/her copy of SunStudio :- mkdir -p /opt/studio/SOS11; ln -s /opt/SUNWspro /opt/studio/SOS11/SUNWspro

The next step is to setup a shell environment appropriate to configuring and compiling mod_studio2 :-

export PATH=$PATH:/opt/SUNWspro/bin
export PATH=$PATH:/opt/csw/bin
export PATH=$PATH:/usr/ccs/bin
export PATH=$PATH:/opt/csw/gcc3/bin
export CC=gcc

(The above presumes the use of a shell that understands the above syntax)

The next step is to unpack the module source code, and configure it  :-

cd /var/tmp
gunzip -c modsecurity-apache_2.5.11.tar.gz | tar xvf -
cd modsecurity-apache_2.5.11
cd apache2
./configure --with-apxs=/opt/csw/apache2/sbin/apxs \
   --with-pcre=/opt/csw \
   --with-apr=/opt/csw/apache2 \
   --with-apu=/opt/csw/apache2//bin/apu-config

That should successfully general a Makefile. Edit this makefile and remove all references to “-Wall” (for APSX_EXTRA_CFLAGS, also remove the proceeding “-Wc,”). This is because modules will compile with SunStudio’s compiler no matter what we try to do to stop it, and SunStudio does not understand “-Wall”.

Now finally you can compile the software :-

make
sudo make install

Now we are at the point where we can start configuring mod_security2.

In the main httpd.conf file, add the following two directives somewhere appropriate (i.e. close to the other “LoadModule” directives) :-

LoadFile /opt/csw/lib/libxml2.so
#   Check that this library is installed!
LoadModule unique_id_module libexec/mod_unique_id.so
#   This will be already in the file but may be commented out
LoadModule security2_module libexec/mod_security2.so
#   And this is the one we're interested in.

At this point, try a graceful restart (/opt/csw/apache2/sbin/apachectl graceful) to be sure that the relevant code loads. Now onto enabling the module and configuring it with the “Core Rule Set” …

First copy the rules subdirectory to an appropriate place and fix the permissions :-

cp -rp rules /opt/csw/apache2/etc/modsecurity
chown -R root:root /opt/csw/apache2/etc/modsecurity
chmod -R o+r /opt/csw/apache2/etc/modsecurity
find /opt/csw/apache2/etc/modsecurity -type d -exec chmod o+x {} \;

In the file modsecurity/modsecurity_crs_10_global_config.conf, change SecDataDir to /var/tmp.

In the file modsecurity/modsecurity_crs_10_config.conf :-

  1. Change SecAudditLog to var/log/modsec_audit.log
  2. Change SecDebugLog to var/log/modsec_debug.log

Now add the following to httpd.conf :-

Include etc/modsecurity/modsecurity_crs_10_global_config.conf
Include etc/modsecurity/modsecurity_crs_10_config.conf
Include etc/modsecurity/base_rules/*conf

And gracefully restart Apache.

At this point, mod_security2 is running and blocking stuff, but has not been finely “tweaked” to the local applications – at the very least it partially breaks WordPress, and may well break other applications.