Allow configuring CRS paranoia level

Vincevrp · Vincevrp · commit 8674fad50950 · 2022-08-01T17:11:59.000+02:00
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
@@ -75,6 +75,13 @@
 # @param notice_anomaly_score
 #   Sets the Anomaly Score for rules assigned with a notice severity.
 # 
+# @param paranoia_level
+#   Sets the paranoia level in the OWASP ModSecurity Core Rule Set.
+# 
+# @param executing_paranoia_level
+#   Sets the executing paranoia level in the OWASP ModSecurity Core Rule Set.
+#   The default is equal to, and cannot be lower than, $paranoia_level.
+# 
 # @param secrequestmaxnumargs
 #   Sets the maximum number of arguments in the request.
 # 
@@ -123,6 +130,8 @@
   Integer $secrequestbodylimit                          = 13107200,
   Integer $secrequestbodynofileslimit                   = 131072,
   Integer $secrequestbodyinmemorylimit                  = 131072,
+  Integer[1,4] $paranoia_level                          = 1,
+  Integer[1,4] $executing_paranoia_level                = $paranoia_level,
   Boolean $manage_security_crs                          = true,
 ) inherits apache::params {
   include apache
@@ -140,6 +149,10 @@
     fail('SLES 10 is not currently supported.')
   }
 
+  if ($executing_paranoia_level < $paranoia_level) {
+    fail('Executing paranoia level cannot be lower than paranoia level')
+  }
+
   case $version {
     1: {
       $mod_name = 'security'
@@ -248,6 +261,8 @@
     # - $notice_anomaly_score
     # - $inbound_anomaly_threshold
     # - $outbound_anomaly_threshold
+    # - $paranoia_level
+    # - $executing_paranoia_level
     # - $allowed_methods
     # - $content_types
     # - $restricted_extensions
diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb
@@ -175,13 +175,13 @@ SecDefaultAction "phase:2,<%= @_secdefaultaction -%>"
 #
 # Uncomment this rule to change the default:
 #
-#SecAction \
-#  "id:900000,\
-#   phase:1,\
-#   nolog,\
-#   pass,\
-#   t:none,\
-#   setvar:tx.paranoia_level=1"
+SecAction \
+  "id:900000,\
+   phase:1,\
+   nolog,\
+   pass,\
+   t:none,\
+   setvar:tx.paranoia_level=<%= @paranoia_level -%>"
 
 
 # It is possible to execute rules from a higher paranoia level but not include
@@ -201,13 +201,13 @@ SecDefaultAction "phase:2,<%= @_secdefaultaction -%>"
 # level results in a performance impact that is equally high as setting
 # tx.paranoia_level to said level.
 #
-#SecAction \
-#  "id:900001,\
-#   phase:1,\
-#   nolog,\
-#   pass,\
-#   t:none,\
-#   setvar:tx.executing_paranoia_level=1"
+SecAction \
+  "id:900001,\
+   phase:1,\
+   nolog,\
+   pass,\
+   t:none,\
+   setvar:tx.executing_paranoia_level=<%= @executing_paranoia_level -%>"
 
 
 #
