I agree with Andreas and Klaubert. If this is the approach we take, the documentation should *strongly* recommend symlinks; otherwise, it will cause a major maintenance headache for admins, breaking auto-update. (I fear the step of _copying_ the files will often get forgotten or missed. Symlinks would address that issue to an extent.)
On Apr 14, 2011, at 8:28 AM, pfote wrote:

> I'm using right now that
>
> Include conf/modsecurity_crs/*.conf
> Include conf/modsecurity_crs/base_rules/*.conf
> Include conf/modsecurity_crs/optional_rules/*.conf
>
> approach, wasn't aware of that problem (fairly new to ModSecurity and OWASP)
> .. thanks for pointing out.
>
> However, I wouldn't copy but better symlink them, this way it's still
> possible to have it auto-updated.
>
> cheers
> Andreas
>
>> Yes, I think this would be helpful. It might be worth explaining in
>> the comments why the "proper order" is important, and thus where to
>> put custom configuration settings and rules for each vhost/server.
>>
>> Colin
>>
>> On 14 April 2011 14:00, Ryan Barnett <[email protected]> wrote:
>>
>>> Any comments on this approach? Good idea?
>>>
>>> -Ryan
>>>
>>> From: Ryan Barnett <[email protected]>
>>> Date: Tue, 12 Apr 2011 09:57:24 -0500
>>> To: "[email protected]" <[email protected]>
>>> Subject: CRS Directory Format Question
>>>
>>> The current OWASP CRS archive has a number of directories that hold
>>> different rules -
>>>
>>> * base_rules
>>> * optional_rules
>>> * slr_rules
>>> * experimental_rules
>>>
>>> I am thinking that most ModSecurity users want to use Apache Include
>>> wild-carding when activating rulesets -
>>>
>>> <IfModule security2_module>
>>>     Include conf/modsecurity_crs/*.conf
>>>     Include conf/modsecurity_crs/base_rules/*.conf
>>> </IfModule>
>>>
>>> While this is certainly convenient, this does cause a problem. The various
>>> rules files have a numbering scheme whose purpose is to help ensure that
>>> the rules files are executed in the proper order when wild-carding with
>>> includes. Activating these rules is challenging when separated into the
>>> different directories.
>>>
>>> <IfModule security2_module>
>>>     Include conf/modsecurity_crs/*.conf
>>>     Include conf/modsecurity_crs/base_rules/*.conf
>>>     Include conf/modsecurity_crs/optional_rules/*.conf
>>> </IfModule>
>>>
>>> So, what I am thinking is that we should add an empty directory called -
>>>
>>> * activated_rules
>>>
>>> The sole purpose of this directory would be for the local Admin to copy all
>>> files that they want to run into that one directory. When they do this,
>>> then the file name numbering scheme will work and it will allow for easier
>>> Include wild-carding -
>>>
>>> <IfModule security2_module>
>>>     Include conf/modsecurity_crs/*.conf
>>>     Include conf/modsecurity_crs/activated_rules/*.conf
>>> </IfModule>
>>>
>>> How does this approach sound to everyone?
>>>
>>> -Ryan
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
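
The symlink variant of the `activated_rules` idea discussed in this thread, as an added example that is not part of the original messages or of the CRS project. It assumes the directory layout named above; the function names are hypothetical, and it goes slightly beyond the thread by refusing file name collisions and pruning links left dangling after an update.

```bash
#!/usr/bin/env bash
# Added example: fill activated_rules with symlinks instead of copies.
# Assumed layout (from the thread): CRS_DIR/{base_rules,optional_rules,...}
# Function names are hypothetical, not part of ModSecurity or the CRS.

# activate_rules CRS_DIR SUBDIR...
# Link every *.conf of each SUBDIR into CRS_DIR/activated_rules with a
# relative target, so an in-place update of the rule files is picked up.
activate_rules() {
    local crs=$1 sub src name link
    shift
    mkdir -p "$crs/activated_rules" || return 1
    for sub in "$@"; do
        for src in "$crs/$sub"/*.conf; do
            [ -e "$src" ] || continue            # glob matched nothing
            name=${src##*/}
            link="$crs/activated_rules/$name"
            if [ -e "$link" ] || [ -L "$link" ]; then
                # Already linked to this exact file: nothing to do.
                [ "$(readlink "$link")" = "../$sub/$name" ] && continue
                # A local copy, or the same name from another directory:
                # refuse instead of silently replacing an active rule file.
                echo "collision: $name is already present in activated_rules" >&2
                return 2
            fi
            ln -s "../$sub/$name" "$link" || return 1
        done
    done
}

# prune_dangling CRS_DIR
# An update that removes or renames a rule file leaves a dangling link;
# delete each one and print its name so the admin can review the change.
prune_dangling() {
    local link
    for link in "$1/activated_rules"/*.conf; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            rm -f "$link"
            echo "${link##*/}"
        fi
    done
}

# load_order CRS_DIR
# File names in sorted order, i.e. the order the numbering scheme intends.
load_order() {
    (cd "$1/activated_rules" && LC_ALL=C ls -1 -- *.conf)
}

# Stand-alone use: script CRS_DIR SUBDIR...
if [ "$#" -ge 2 ]; then activate_rules "$@" && prune_dangling "$1" && load_order "$1"; fi
```

Running `prune_dangling` after each rule update keeps the single `Include conf/modsecurity_crs/activated_rules/*.conf` line from pointing at files that no longer exist.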
