{"id":685,"date":"2010-01-07T18:02:45","date_gmt":"2010-01-07T18:02:45","guid":{"rendered":"http:\/\/really.zonky.org\/?p=685"},"modified":"2010-01-30T18:17:12","modified_gmt":"2010-01-30T18:17:12","slug":"opensolaris-and-mod_security2","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=685","title":{"rendered":"OpenSolaris, and mod_security2"},"content":{"rendered":"<p>For various reasons I have decided that I need to install <em>mod_security2<\/em> on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is not something provided by OpenCSW.<\/p>\n<p>For even more various reasons, I decided to &#8220;formalise&#8221; my notes on building, installing, and configuring mod_security2.<\/p>\n<p>Before attempting to build mod_security2, it is important to have a functional build environment. This includes :-<\/p>\n<ul>\n<li>Installing the <em>apache2_devel<\/em> package from OpenCSW (pkg-get -i apache2_devel)<\/li>\n<li>Installing the <em>gcc3<\/em> package from OpenCSW<\/li>\n<li>Installing the following OpenSolaris packages (pkg install XXX) :- SUNWhea, SUNWarc, SUNWbtool<\/li>\n<li>Installing the SunStudio package from Sun. It <em>may<\/em> be possible that <em>gcc3<\/em> is not necessary with this installed, but I ended up with both so advise you to as well. 
In addition to installing it in the standard location (<em>\/opt\/SUNWspro<\/em>) it is also necessary to create a symlink in the place where the OpenCSW developer placed his\/her copy of SunStudio :- <em>mkdir -p \/opt\/studio\/SOS11; ln -s \/opt\/SUNWspro \/opt\/studio\/SOS11\/SUNWspro<\/em><\/li>\n<\/ul>\n<p>The next step is to set up a shell environment appropriate to configuring and compiling mod_security2 :-<\/p>\n<pre>export PATH=$PATH:\/opt\/SUNWspro\/bin\r\nexport PATH=$PATH:\/opt\/csw\/bin\r\nexport PATH=$PATH:\/usr\/ccs\/bin\r\nexport PATH=$PATH:\/opt\/csw\/gcc3\/bin\r\nexport CC=gcc\r\n<\/pre>\n<p>(The above presumes the use of a shell that understands the above syntax)<\/p>\n<p>The next step is to unpack the module source code, and configure it\u00a0 :-<\/p>\n<pre>cd \/var\/tmp\r\ngunzip -c modsecurity-apache_2.5.11.tar.gz | tar xvf -\r\ncd modsecurity-apache_2.5.11\r\ncd apache2\r\n.\/configure --with-apxs=\/opt\/csw\/apache2\/sbin\/apxs \\\r\n   --with-pcre=\/opt\/csw \\\r\n   --with-apr=\/opt\/csw\/apache2 \\\r\n   --with-apu=\/opt\/csw\/apache2\/\/bin\/apu-config\r\n<\/pre>\n<p>That <em>should<\/em> successfully generate a Makefile. Edit this makefile and remove all references to &#8220;-Wall&#8221; (for APXS_EXTRA_CFLAGS, also remove the preceding &#8220;-Wc,&#8221;). This is because modules will compile with SunStudio&#8217;s compiler no matter what we try to do to stop it, and SunStudio does not understand &#8220;-Wall&#8221;.<\/p>\n<p>Now finally you can compile the software :-<\/p>\n<pre>make\r\nsudo make install\r\n<\/pre>\n<p>Now we are at the point where we can start configuring mod_security2.<\/p>\n<p>In the main <em>httpd.conf<\/em> file, add the following two directives somewhere appropriate (i.e. 
close to the other &#8220;LoadModule&#8221; directives) :-<\/p>\n<pre>LoadFile \/opt\/csw\/lib\/libxml2.so\r\n#   Check that this library is installed!\r\nLoadModule unique_id_module libexec\/mod_unique_id.so\r\n#   This will be already in the file but may be commented out\r\nLoadModule security2_module libexec\/mod_security2.so\r\n#   And this is the one we're interested in.\r\n<\/pre>\n<p>At this point, try a graceful restart (<em>\/opt\/csw\/apache2\/sbin\/apachectl graceful<\/em>) to be sure that the relevant code loads. Now onto enabling the module and configuring it with the &#8220;Core Rule Set&#8221; &#8230;<\/p>\n<p>First copy the rules subdirectory to an appropriate place and fix the permissions :-<\/p>\n<pre>cp -rp rules \/opt\/csw\/apache2\/etc\/modsecurity\r\nchown -R root:root \/opt\/csw\/apache2\/etc\/modsecurity\r\nchmod -R o+r \/opt\/csw\/apache2\/etc\/modsecurity\r\nfind \/opt\/csw\/apache2\/etc\/modsecurity -type d -exec chmod o+x {} \\;\r\n<\/pre>\n<p>In the file <em>modsecurity\/modsecurity_crs_10_global_config.conf<\/em>, change <em>SecDataDir<\/em> to <em>\/var\/tmp<\/em>.<\/p>\n<p>In the file <em>modsecurity\/modsecurity_crs_10_config.conf<\/em> :-<\/p>\n<ol>\n<li>Change <em>SecAuditLog<\/em> to <em>var\/log\/modsec_audit.log<\/em><\/li>\n<li>Change <em>SecDebugLog<\/em> to <em>var\/log\/modsec_debug.log<\/em><\/li>\n<\/ol>\n<p>Now add the following to <em>httpd.conf<\/em> :-<\/p>\n<pre>Include etc\/modsecurity\/modsecurity_crs_10_global_config.conf\r\nInclude etc\/modsecurity\/modsecurity_crs_10_config.conf\r\nInclude etc\/modsecurity\/base_rules\/*conf\r\n<\/pre>\n<p>And gracefully restart Apache.<\/p>\n<p>At this point, mod_security2 is running and blocking stuff, but has not been finely &#8220;tweaked&#8221; to the local applications &#8211; at the very least it partially breaks WordPress, and may well break other applications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For various reasons I have decided that I need to install 
mod_security2 on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is <a href='https:\/\/really.zonky.org\/?p=685' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_share_on_mastodon":"0"},"categories":[4],"tags":[34,35,33,32],"class_list":["post-685","post","type-post","status-publish","format-standard","hentry","category-it","tag-apache","tag-opencsw","tag-solaris","tag-sun","category-4-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-b3","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonk
y.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=685"}],"version-history":[{"count":5,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/685\/revisions"}],"predecessor-version":[{"id":757,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/685\/revisions\/757"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}