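# RPM spec for mod_security (ModSecurity 2.x for Apache httpd), built against
# the atomic-yajl and atomic-curl libraries installed under /opt/atomic.
#
# Fallback definitions for the httpd packaging macros when the installed
# httpd-devel does not provide them.
%{!?_httpd_apxs:       %{expand: %%global _httpd_apxs       %%{_sbindir}/apxs}}
%{!?_httpd_mmn:        %{expand: %%global _httpd_mmn        %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_confdir:    %{expand: %%global _httpd_confdir    %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_moddir:     %{expand: %%global _httpd_moddir     %%{_libdir}/httpd/modules}}

%define asl 1
%define cvs RC1
%define libxml2_version 2.6.29
# NOTE(review): this prefix lives under the shared temporary directory, so it is
# only trustworthy inside a clean, isolated build root (see the note in prep).
%define libxml2_build_path %{_tmppath}/libxml2-%{libxml2_version}

Summary: Security module for the Apache HTTP Server
Name: mod_security
Version: 2.9.1
Epoch: 1
Release: 33.1
License: ASL 2.0
URL: http://www.modsecurity.org/
Group: System Environment/Daemons
# The scheme was missing from this URL. rpmbuild only uses the file name, so the
# tarball placed in SOURCES should be checked against the checksum or signature
# published upstream before it is built.
Source0: https://www.modsecurity.org/tarball/%{version}/modsecurity-%{version}.tar.gz
Source1: 00_mod_security.conf
# NOTE(review): bundled libxml2 for el5. Its build steps in prep are commented
# out while configure is still given --with-libxml on el5; confirm which libxml2
# an el5 build really links, and whether a release this old should be shipped.
Source200: libxml2-%{libxml2_version}.tar.gz
Patch0: mod_security-2.9.1-logging.patch
# NOTE(review): Patch1 is declared but never applied in prep; confirm that is intended.
Patch1: waf-label.patch
#Patch2: modsecurity-2.6.4-collections-logging.patch
Patch3: 001-mod_security-concurrent_logging.patch
Patch4: mod_security-2.8-bugfix706.patch
Patch5: modsec-712.patch
Patch6: fr1892.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# rpm expands macros inside comments too, including shell expansions, so every
# percent sign in a commented-out line of this spec is doubled to keep it inert.
#Requires: httpd httpd-mmn = %%([ -a %%{_includedir}/httpd/.mmn ] && cat %%{_includedir}/httpd/.mmn || echo missing)
#Requires: asl
BuildRequires: ssdeep ssdeep-libs
# el5 plesk?
BuildRequires: expat-devel
# ea4?
Provides: ea-apache24-mod_security2
%if 0%{?rhel} <= 6
BuildRequires: atomic-yajl-yajl-devel
%else
BuildRequires: yajl-devel
%endif
BuildRequires: httpd-devel
#Requires: httpd apr apr-util
BuildRequires: atomic-curl-curl-devel atomic-curl-libcurl-devel
Requires: atomic-curl-libcurl
BuildRequires: lua-devel
BuildRequires: pcre-devel
# TODO: el5 libxml scl package
%if 0%{?rhel} == 5
BuildRequires: e2fsprogs e2fsprogs-devel
BuildRequires: openldap-devel
%else
BuildRequires: libxml2-devel
%endif

%description
ModSecurity is an open source intrusion detection and prevention
engine for web applications. It operates embedded into the web server, acting
as a powerful umbrella - shielding web applications from attacks.

%prep
#%%setup -n modsecurity-%%{version}-%%{cvs}
%setup -n modsecurity-%{version}
%patch0 -p1
%patch3 -p1
##%%patch4 -p1
# Alpha code at this point
#%%patch5 -p1
%patch6 -p1

#%%if 0%%{?rhel} == 5
## This is only safe in a mock environment.
#tar xfvz %%{SOURCE200}
#cd libxml2-%%{libxml2_version}
#./configure --prefix=%%{libxml2_build_path}
#make
#make install
#%%endif

%build
# The configure macro only falls back to the distribution's default compiler and
# linker flags when CFLAGS/LDFLAGS are unset. Exporting them with nothing but the
# /opt/atomic paths dropped those defaults, and with them the optimisation,
# debuginfo and hardening options the distribution selects, so they are put back
# in front of the local additions. The LDFLAGS macro is optional because older
# releases do not define it.
#
# NOTE(review): the rpath entries make httpd load libraries from /opt/atomic at
# run time; those directories must stay root-owned and not writable by others.
#%%if 0%%{?rhel} >= 6
export CC="gcc -Wl,-rpath,/opt/atomic/atomic-yajl/root/usr/lib,-rpath,/opt/atomic/atomic-yajl/root/usr/lib64,-rpath,/opt/atomic/atomic-curl/root/usr/lib,-rpath,/opt/atomic/atomic-curl/root/usr/lib64"
export LDFLAGS="%{?__global_ldflags} -L/opt/atomic/atomic-yajl/root/usr/lib -L/opt/atomic/atomic-yajl/root/usr/lib64 -L/opt/atomic/atomic-curl/root/usr/lib -L/opt/atomic/atomic-curl/root/usr/lib64 -L/lib "
export CFLAGS="%{optflags} -I/opt/atomic/atomic-yajl/root/usr/include -I/opt/atomic/atomic-curl/root/usr/include"
export PKG_CONFIG_PATH="/opt/atomic/atomic-yajl/root/usr/lib/pkgconfig:/opt/atomic/atomic-yajl/root/usr/lib64/pkgconfig:/opt/atomic/atomic-curl/root/usr/lib/pkgconfig:/opt/atomic/atomic-curl/root/usr/lib64/pkgconfig:/usr/lib/pkgconfig/:/usr/lib64/pkgconfig/"
#%%endif

#%%if 0%%{?fedora} >= 18 || 0%%{?rhel} >= 7
#  --enable-pcre-jit
#%%endif

# NOTE(review): both compile-time PCRE match limits are switched off below, so
# the module carries no built-in bound on regex backtracking; presumably the
# bound then comes from PCRE's own default. Rules are evaluated against request
# data, so confirm the shipped configuration sets SecPcreMatchLimit and
# SecPcreMatchLimitRecursion explicitly.
%configure \
  --enable-pcre-match-limit=no \
  --enable-pcre-match-limit-recursion=no \
%if 0%{?rhel} == 5
  --with-libxml=%{libxml2_build_path} \
%endif
  --disable-mlogc \
  --enable-pcre-study \
  --with-yajl \
  --with-ssdeep \
  --with-curl=/opt/atomic/atomic-curl/root/usr/ \
  --enable-lua-cache \
  --with-apxs=%{_httpd_apxs}

make %{_smp_mflags}

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/
mkdir -p %{buildroot}/%{_sysconfdir}/httpd/conf.d/
install -D -m755 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so
install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/00_mod_security.conf

%post
# Create an empty rules file on first install so that a configuration which
# includes it can load before any rules have been delivered.
# NOTE(review): the file is created by this scriptlet rather than listed in the
# package file list, so rpm neither verifies nor removes it.
if [ ! -f /etc/httpd/modsecurity.d/tortix_waf.conf ]; then
  touch /etc/httpd/modsecurity.d/tortix_waf.conf
fi

%clean
rm -rf %{buildroot}

%files
%defattr (-,root,root)
%doc CHANGES LICENSE README.* modsecurity* doc
%{_libdir}/httpd/modules/mod_security2.so
# NOTE(review): a plain config flag means an upgrade replaces a locally edited
# copy (the old one is kept as .rpmsave); confirm that local WAF tuning is not
# expected to survive upgrades in this file.
%config %{_sysconfdir}/httpd/conf.d/00_mod_security.conf
%dir %{_sysconfdir}/httpd/modsecurity.d
#%%config(noreplace) %%{_sysconfdir}/httpd/modsecurity.d/modsecurity_crs_10_config.conf

%changelog
* Wed Mar 9 2016 Support - 2.9.1-33
- Update to 2.9.1

* Tue Mar 1 2016 Support - 2.9.1-31
- Update to 2.9.1 RC1

* Fri Feb 19 2016 Support - 2.9.0-30
- Link against atomic-curl to isolate the curl/ssl issue with NSS (SSL connect error) issue with PHP curl when it is linked against the native curl library.

* Sat Oct 10 2015 Scott R. Shinn - 2.9.0-26
- Add support for json on el6

* Mon Mar 2 2015 Scott R. Shinn - 2.9.0-25
- Update to 2.9.0

* Thu Jun 12 2014 Scott R. Shinn - 2.8.0-21
- Update to 2.8.0
- Bugfix #706- Fixes subnets representations using slash notation

* Thu May 22 2014 Scott R. Shinn - 2.8.0-20
- Update to 2.7.7

* Wed Apr 16 2014 Scott R. Shinn - 2.8.0-19
- Update to 2.8.0

* Fri Apr 4 2014 Scott R. Shinn - 2.7.7-18
- Add mod_ruid2 concurrent logging patch
- Initiate SuSE 12.3 build logic (incomplete)

* Thu Dec 19 2013 Scott R. Shinn - 2.7.7-17
- Update to 2.7.7

* Tue Jul 30 2013 Scott R. Shinn - 2.7.4-16
- Update to 2.7.5

* Tue May 28 2013 Scott R. Shinn - 2.7.4-15
- Update to 2.7.4

* Mon Apr 1 2013 Scott R. Shinn - 2.7.3-14
- Update to 2.7.3

* Mon Jan 28 2013 Scott R. Shinn - 2.7.2-13
- Update to 2.7.2

* Wed Nov 14 2012 Scott R. Shinn - 2.7.1-12
- Update to 2.7.1

* Tue Nov 13 2012 Scott R. Shinn - 2.7.1-11
- Update to 2.7.1-rc1

* Thu Oct 18 2012 Scott R. Shinn - 2.7.0-10
- Update to 2.7.0
- Add dependency asl-libxml2 for el5

* Wed Oct 10 2012 Scott R. Shinn - 2.6.8-9
- Re-enabled ASL config

* Tue Oct 9 2012 Scott R. Shinn - 2.6.8-8
- Enabled pcre study
- Disabled config by default for non-ASL environments

* Wed Sep 26 2012 Scott R. Shinn - 2.6.8-7
- Update to 2.6.8

* Thu Jul 26 2012 Scott R. Shinn - 2.6.7-3
- Update to 2.6.7

* Fri Jun 15 2012 Scott R. Shinn - 2.6.6-2
- Update to 2.6.6

* Fri Mar 23 2012 Scott R. Shinn - 2.6.5-1
- Update to 2.6.5

* Mon Mar 12 2012 Scott R. Shinn - 2.6.4-1
- Update to 2.6.4
- Modify logging sub-system to exclude spurious collection events unless we are in debug mode

* Tue Jan 17 2012 Scott R. Shinn - 2.6.3-1
- Update to 2.6.3

* Tue Oct 11 2011 Scott R. Shinn - 2.6.2-1
- Update to 2.6.2

* Mon Aug 1 2011 Scott R. Shinn - 2.6.1-2
- Moved the asl-stream-client dependency to the ASL package

* Tue Jul 19 2011 Scott R. Shinn - 2.6.1-1
- Update to 2.6.1

* Fri May 20 2011 Scott R. Shinn - 2.6.0-1
- Update to 2.6.0 final

* Wed May 4 2011 Scott R. Shinn - 2.6.0-rc2-1
- Update to 2.6.0-rc2

* Tue Apr 19 2011 Scott R. Shinn - 2.6.0-rc1-1
- Update 2.6.0-rc1

* Wed Dec 1 2010 Scott R. Shinn - 2.5.13-1
- Update to 2.5.13

* Wed Aug 4 2010 Scott R. Shinn 2.5.12-4
- Changed the "Producer" tag to "WAF"

* Tue Feb 9 2010 Scott R. Shinn 2.5.12-1
- Update to 2.5.12

* Fri Jan 8 2010 Scott R. Shinn 2.5.11-2
- Tagged the config file noreplace
- Deprecated the blocking.d directory

* Sat Nov 7 2009 Scott R. Shinn 2.5.11-1
- Update to 2.5.11

* Wed Sep 30 2009 Scott R. Shinn 2.5.10-1
- Update to 2.5.10

* Wed Apr 1 2009 Scott R. Shinn 2.5.9-2
- Deprecated modsec-clamscan.pl
- Added in conditional logic for ASL vs. non-ASL builds

* Mon Mar 9 2009 Scott R. Shinn 2.5.9-1
- update to 2.5.9

* Thu Oct 2 2008 Scott R. Shinn 2.5.7-1
- update to 2.5.7

* Tue Sep 9 2008 Scott R. Shinn 2.5.6-1
- Added lua-devel dependency, removed reference to libxmls LoadFile

* Tue Aug 5 2008 Scott R. Shinn 2.5.6-1
- update to 2.5.6

* Mon Jun 9 2008 Scott R. Shinn 2.5.5-1
- update to 2.5.5

* Fri May 9 2008 Scott R. Shinn 2.5.4-1
- update to 2.5.4

* Mon Apr 21 2008 Scott R. Shinn 2.5.2-1
- update to 2.5.2

* Fri Mar 21 2008 Scott R. Shinn 2.5.1-1
- update to 2.5.1

* Mon Mar 3 2008 Scott R. Shinn 2.5.0-11
- update to 2.5.0 final
- add in modsec-clamscan.pl

* Wed Feb 13 2008 Scott R. Shinn 2.5.0-9
- update to 2.5.0-rc3

* Sun Dec 2 2007 Scott R. Shinn 2.5.0-8
- changes for the new rule layout.
- Removed rules from the package, rule management is now handled by ASL directly

* Sun Dec 2 2007 Scott R. Shinn 2.5.0-7
- disabled iframe protections

* Tue Nov 27 2007 Scott R. Shinn 2.5.0-6
- fixed a bug with the iframe ruleset, where the remove-bad-iframes file was not being included

* Thu Oct 18 2007 Scott R. Shinn 2.5.0-5
- added rbl ruleset
- added iframe ruleset
- added general rules ruleset
- updated base rules

* Fri Jul 20 2007 Scott R. Shinn 2.5.0-4
- update to 2.5.0
- added ASL rulesets anti-spam, output, jitp
- changed audit_log format to remove GET request
- disabled crs output rules
- moved config file to load in position 00

* Sun Jun 10 2007 Scott R. Shinn 2.1.1-4
- additional logging format adjustments
- added a default exclude.conf

* Fri Jun 8 2007 Scott R. Shinn 2.1.1-3
- minor tweak to add some additional logging data in concurrent mode

* Wed May 30 2007 Scott R. Shinn 2.1.1-2
- disable the 404 check

* Sun May 27 2007 Scott R. Shinn 2.1.1-1
- update to 2.1.1
- updated core rules to 2.1.1-4

* Mon Apr 2 2007 Michael Fleming 2.1.0-3
- Sync with devel
- Fix CVE-2007-1359 (bz #231728)
- Automagically configure correct library path for libxml2 library.
- Add LoadModule for mod_unique_id as the logging wants this at runtime

* Mon Mar 26 2007 Michael Fleming 2.1.0-2
- Fix DSO permissions (bz#233733)

* Tue Mar 13 2007 Michael Fleming 2.1.0-1
- New major release - 2.1.0
- Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic
- Addition of core ruleset
- (Build)Requires libxml2 and pcre added.

* Sun Sep 3 2006 Michael Fleming 1.9.4-2
- Rebuild
- Fix minor longstanding braino in included sample configuration (bz #203972)

* Mon May 15 2006 Michael Fleming 1.9.4-1
- New upstream release

* Tue Apr 11 2006 Michael Fleming 1.9.3-1
- New upstream release
- Trivial spec tweaks

* Wed Mar 1 2006 Michael Fleming 1.9.2-3
- Bump for FC5

* Fri Feb 10 2006 Michael Fleming 1.9.2-2
- Bump for newer gcc/glibc

* Wed Jan 18 2006 Michael Fleming 1.9.2-1
- New upstream release

* Fri Dec 16 2005 Michael Fleming 1.9.1-2
- Bump for new httpd

* Thu Dec 1 2005 Michael Fleming 1.9.1-1
- New release 1.9.1

* Wed Nov 9 2005 Michael Fleming 1.9-1
- New stable upstream release 1.9

* Sat Jul 9 2005 Michael Fleming 1.8.7-4
- Add Requires: httpd-mmn to get the appropriate "module magic" version (thanks Ville Skytta)
- Disabled an overly-agressive rule or two..

* Sat Jul 9 2005 Michael Fleming 1.8.7-3
- Correct Buildroot
- Some sensible and safe rules for common apps in mod_security.conf

* Thu May 19 2005 Michael Fleming 1.8.7-2
- Don't strip the module (so we can get a useful debuginfo package)

* Thu May 19 2005 Michael Fleming 1.8.7-1
- Initial spin for Extras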