For various reasons I have decided that I need to install mod_security2 on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is not something provided by OpenCSW.
For even more various reasons, I decided to “formalise” my notes on building, installing, and configuring mod_security2.
Before attempting to build mod_security2, it is important to have a functional build environment. This includes :-
- Installing the apache2_devel package from OpenCSW (pkg-get -i apache2_devel)
- Installing the gcc3 package from OpenCSW
- Installing the following OpenSolaris packages (pkg install XXX) :- SUNWhea, SUNWarc, SUNWbtool
- Installing the SunStudio package from Sun. It may be possible that gcc3 is not necessary with this installed, but I ended up with both, so I advise you to do the same. In addition to installing it in the standard location (/opt/SUNWspro), it is also necessary to create a symlink in the place where the OpenCSW developer placed his/her copy of SunStudio :- mkdir -p /opt/studio/SOS11; ln -s /opt/SUNWspro /opt/studio/SOS11/SUNWspro
The next step is to set up a shell environment appropriate to configuring and compiling mod_security2 :-

    export PATH=$PATH:/opt/SUNWspro/bin
    export PATH=$PATH:/opt/csw/bin
    export PATH=$PATH:/usr/ccs/bin
    export PATH=$PATH:/opt/csw/gcc3/bin
    export CC=gcc

(The above presumes the use of a shell that understands the above syntax)
The next step is to unpack the module source code, and configure it :-

    cd /var/tmp
    gunzip -c modsecurity-apache_2.5.11.tar.gz | tar xvf -
    cd modsecurity-apache_2.5.11
    cd apache2
    ./configure --with-apxs=/opt/csw/apache2/sbin/apxs \
        --with-pcre=/opt/csw \
        --with-apr=/opt/csw/apache2 \
        --with-apu=/opt/csw/apache2//bin/apu-config

That should successfully generate a Makefile. Edit this Makefile and remove all references to “-Wall” (for APXS_EXTRA_CFLAGS, also remove the preceding “-Wc,”). This is because modules will compile with SunStudio’s compiler no matter what we try to do to stop it, and SunStudio does not understand “-Wall”.
Now finally you can compile the software :-

    make
    sudo make install

Now we are at the point where we can start configuring mod_security2.
In the main httpd.conf file, add the following two directives somewhere appropriate (i.e. close to the other “LoadModule” directives) :-

    # Check that this library is installed!
    LoadFile /opt/csw/lib/libxml2.so
    # This will be already in the file but may be commented out
    LoadModule unique_id_module libexec/mod_unique_id.so
    # And this is the one we're interested in.
    LoadModule security2_module libexec/mod_security2.so

At this point, try a graceful restart (/opt/csw/apache2/sbin/apachectl graceful) to be sure that the relevant code loads. Now onto enabling the module and configuring it with the “Core Rule Set” …
First copy the rules subdirectory to an appropriate place and fix the permissions :-

    cp -rp rules /opt/csw/apache2/etc/modsecurity
    chown -R root:root /opt/csw/apache2/etc/modsecurity
    chmod -R o+r /opt/csw/apache2/etc/modsecurity
    find /opt/csw/apache2/etc/modsecurity -type d -exec chmod o+x {} \;

In the file modsecurity/modsecurity_crs_10_global_config.conf, change SecDataDir to /var/tmp.
In the file modsecurity/modsecurity_crs_10_config.conf :-
- Change SecAuditLog to var/log/modsec_audit.log
- Change SecDebugLog to var/log/modsec_debug.log
Now add the following to httpd.conf :-

    Include etc/modsecurity/modsecurity_crs_10_global_config.conf
    Include etc/modsecurity/modsecurity_crs_10_config.conf
    Include etc/modsecurity/base_rules/*conf

And gracefully restart Apache.
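
A check of the httpd.conf edits above that can be run before the restart, as an added example rather than anything from the original post: the function names are hypothetical, the sample file is constructed, and it assumes the directive spellings and paths shown on this page. It flags a still-commented mod_unique_id, a libxml2 LoadFile placed after the module, missing or reordered Include lines, and trailing `#` text on a directive line, which httpd does not treat as a comment.

```shell
# Added example (not from the original post): check httpd.conf for the
# mod_security2 directives described above. Function names are hypothetical.
# first_active: line number of the first uncommented line in $1 matching regex $2.
first_active() {
    grep -n -E "^[[:space:]]*$2" "$1" | head -n 1 | cut -d: -f1
}

# Print each problem found in the file and return the number of problems.
check_modsec_conf() {
    conf=$1
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    dir='etc/modsecurity'
    xml=$(first_active "$conf" 'LoadFile[[:space:]].*libxml2\.so')
    uid=$(first_active "$conf" 'LoadModule[[:space:]]+unique_id_module[[:space:]]')
    sec=$(first_active "$conf" 'LoadModule[[:space:]]+security2_module[[:space:]]')
    glob=$(first_active "$conf" "Include[[:space:]]+$dir/modsecurity_crs_10_global_config\.conf")
    cfg=$(first_active "$conf" "Include[[:space:]]+$dir/modsecurity_crs_10_config\.conf")
    rules=$(first_active "$conf" "Include[[:space:]]+$dir/base_rules/")
    [ -n "$xml" ] || fail "no active LoadFile for libxml2.so"
    [ -n "$uid" ] || fail "mod_unique_id is missing or still commented out"
    [ -n "$sec" ] || fail "no active LoadModule for security2_module"
    if [ -n "$xml" ] && [ -n "$sec" ] && [ "$xml" -gt "$sec" ]; then
        fail "libxml2 (line $xml) is loaded after security2_module (line $sec)"
    fi
    if [ -z "$glob" ] || [ -z "$cfg" ] || [ -z "$rules" ]; then
        fail "one or more of the three Include lines is missing"
    elif [ "$glob" -gt "$cfg" ] || [ "$cfg" -gt "$rules" ]; then
        fail "Include lines are not in the order given above"
    fi
    # httpd.conf has no trailing comments: text after '#' becomes arguments.
    if grep -n -E '^[[:space:]]*(LoadFile|LoadModule|Include)[[:space:]].*#' "$conf"; then
        fail "directive line(s) above carry trailing '#' text"
    fi
    return "$problems"
}

# Constructed sample: unique_id still commented out, comment on a directive line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadFile /opt/csw/lib/libxml2.so
#LoadModule unique_id_module libexec/mod_unique_id.so
LoadModule security2_module libexec/mod_security2.so # the new module
Include etc/modsecurity/modsecurity_crs_10_global_config.conf
Include etc/modsecurity/modsecurity_crs_10_config.conf
Include etc/modsecurity/base_rules/*conf
EOF
check_modsec_conf "$sample" || echo "$? problem(s) found in sample"
rm -f "$sample"
```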
At this point, mod_security2 is running and blocking stuff, but has not been finely “tweaked” to the local applications – at the very least it partially breaks WordPress, and may well break other applications.