Merge branch 'ISSUE-1487' into 'master'

ISSUE-1487: Create a crs setup configmap to customize rules scoring See merge request !67

Merge branch 'ISSUE-1487' into 'master'
ISSUE-1487: Create a crs setup configmap to customize rules scoring See merge request !67
5aa5e520 · Juan Paulo Breinlinger · b3b196a8 · 4eca5cfb · 5aa5e520 · 5aa5e520
Commit 5aa5e520 authored 1 month ago by Juan Paulo Breinlinger
--- a/el9/templates/crs-setup-configmap.yaml
+++ b/el9/templates/crs-setup-configmap.yaml
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: crs-setup-config-{{ .Release.Name }}
+data:
+  crs-setup.conf: |
+    # This configuration will lower the default
+    # anomaly detection scores for critical, error, warning and notice.
+    # So that mod_security doesn't generate so many false possitives
+    # in our infrastructure. Check for reference:
+    # https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/#severity-levels
+    SecAction \
+        "id:900990,\
+        phase:1,\
+        pass,\
+        t:none,\
+        nolog,\
+        tag:'OWASP_CRS',\
+        ver:'OWASP_CRS/4.7.0',\
+        setvar:tx.crs_setup_version=470,\
+        setvar:tx.critical_anomaly_score=2,\
+        setvar:tx.error_anomaly_score=1,\
+        setvar:tx.warning_anomaly_score=0,\
+        setvar:tx.notice_anomaly_score=0"
--- a/el9/templates/deployment.yaml
+++ b/el9/templates/deployment.yaml
@@ -58,6 +58,7 @@ spec:
        webeos.cern.ch/webeos-site-path-regex: {{ .Values.webeosSitePathRegex | quote }}
        webeos.cern.ch/webeos-site-server-version: {{ .Values.webeosSiteServerVersion | quote }}
        # We need to redeploy the controllers in case any of the configMaps/secret changes.
+        checksum/crs-configmap: {{ include (print $.Template.BasePath "/crs-setup-configmap.yaml") . | sha256sum }}
        checksum/httpd-server-config: {{ include (print $.Template.BasePath "/httpd-configmap.yaml") . | sha256sum }}
        checksum/php-config: {{ include (print $.Template.BasePath "/php-configmap.yaml") . | sha256sum }}
        checksum/php-fpm-config: {{ include (print $.Template.BasePath "/php-fpm-configmap.yaml") . | sha256sum }}
@@ -146,6 +147,9 @@ spec:
          - name: eos
            mountPath: /eos
            mountPropagation: HostToContainer
+          - name: crs-setup-config
+            mountPath: /etc/httpd/conf.d/crs-setup.conf
+            subPath: crs-setup.conf
          - name: httpd-server-config
            mountPath: /etc/httpd/conf/httpd.conf
            # mount only `httpd.conf`, to avoid hiding other files installed by the image
@@ -328,6 +332,9 @@ spec:
        - name: httpd-server-config
          configMap:
            name: httpd-server-config-{{ .Release.Name}}
+        - name: crs-setup-config
+          configMap:
+            name: crs-setup-config-{{ .Release.Name}}
        - name: php-config
          configMap:
            name: php-config-{{ .Release.Name}}

--- a/el9/templates/httpd-configmap.yaml
+++ b/el9/templates/httpd-configmap.yaml
@@ -165,9 +165,9 @@ data:
    {{ if .Values.containers.httpd.webApplicationFirewall.enabled }}
    # Enable WAF
    Include conf.d/mod_security.conf
+    Include conf.d/crs-setup.conf
    # default ruleset
-    IncludeOptional /etc/crs4/crs-setup.conf
    IncludeOptional /etc/crs4/plugins/*-config.conf
    IncludeOptional /etc/crs4/plugins/*-before.conf
    IncludeOptional /etc/crs4/rules/*.conf