For various reasons I have decided that I need to install mod_security2 on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is not something provided by OpenCSW.
For even more various reasons, I decided to “formalise” my notes on building, installing, and configuring mod_security2.
Before attempting to build mod_security2, it is important to have a functional build environment. This includes :-
- Installing the apache2_devel package from OpenCSW (pkg-get -i apache2_devel)
- Installing the gcc3 package from OpenCSW
- Installing the following OpenSolaris packages (pkg install XXX) :- SUNWhea, SUNWarc, SUNWbtool
- Installing the SunStudio package from Sun. It may be possible that gcc3 is not necessary with this installed, but I ended up with both so advise you too as well. In addition to installing it in the standard location (/opt/SUNWspro) it is also necessary to create a symlink in the place where the OpenCSW developer placed his/her copy of SunStudio :- mkdir -p /opt/studio/SOS11; ln -s /opt/SUNWspro /opt/studio/SOS11/SUNWspro
The next step is to setup a shell environment appropriate to configuring and compiling mod_studio2 :-
export PATH=$PATH:/opt/SUNWspro/bin
export PATH=$PATH:/opt/csw/bin
export PATH=$PATH:/usr/ccs/bin
export PATH=$PATH:/opt/csw/gcc3/bin
export CC=gcc
(The above presumes the use of a shell that understands the above syntax)
The next step is to unpack the module source code, and configure it :-
cd /var/tmp
gunzip -c modsecurity-apache_2.5.11.tar.gz | tar xvf -
cd modsecurity-apache_2.5.11
cd apache2
./configure --with-apxs=/opt/csw/apache2/sbin/apxs \
--with-pcre=/opt/csw \
--with-apr=/opt/csw/apache2 \
--with-apu=/opt/csw/apache2//bin/apu-config
That should successfully general a Makefile. Edit this makefile and remove all references to “-Wall” (for APSX_EXTRA_CFLAGS, also remove the proceeding “-Wc,”). This is because modules will compile with SunStudio’s compiler no matter what we try to do to stop it, and SunStudio does not understand “-Wall”.
Now finally you can compile the software :-
make
sudo make install
Now we are at the point where we can start configuring mod_security2.
In the main httpd.conf file, add the following two directives somewhere appropriate (i.e. close to the other “LoadModule” directives) :-
LoadFile /opt/csw/lib/libxml2.so
# Check that this library is installed!
LoadModule unique_id_module libexec/mod_unique_id.so
# This will be already in the file but may be commented out
LoadModule security2_module libexec/mod_security2.so
# And this is the one we're interested in.
At this point, try a graceful restart (/opt/csw/apache2/sbin/apachectl graceful) to be sure that the relevant code loads. Now onto enabling the module and configuring it with the “Core Rule Set” …
First copy the rules subdirectory to an appropriate place and fix the permissions :-
cp -rp rules /opt/csw/apache2/etc/modsecurity
chown -R root:root /opt/csw/apache2/etc/modsecurity
chmod -R o+r /opt/csw/apache2/etc/modsecurity
find /opt/csw/apache2/etc/modsecurity -type d -exec chmod o+x {} \;
In the file modsecurity/modsecurity_crs_10_global_config.conf, change SecDataDir to /var/tmp.
In the file modsecurity/modsecurity_crs_10_config.conf :-
- Change SecAudditLog to var/log/modsec_audit.log
- Change SecDebugLog to var/log/modsec_debug.log
Now add the following to httpd.conf :-
Include etc/modsecurity/modsecurity_crs_10_global_config.conf
Include etc/modsecurity/modsecurity_crs_10_config.conf
Include etc/modsecurity/base_rules/*conf
And gracefully restart Apache.
At this point, mod_security2 is running and blocking stuff, but has not been finely “tweaked” to the local applications – at the very least it partially breaks WordPress, and may well break other applications.