feat: improve rule configuration #313

Closed
wants to merge 1 commit into from
Closed
2 changes: 1 addition & 1 deletion apache/Dockerfile
@@ -158,7 +158,7 @@ COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/bin/* /usr/local/bin/
COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
COPY src/opt/modsecurity/* /opt/modsecurity/
COPY apache/docker-entrypoint.sh /

RUN set -eux; \
3 changes: 2 additions & 1 deletion apache/Dockerfile-alpine
@@ -166,7 +166,7 @@ COPY --from=build /usr/local/apache2/ModSecurity-${MODSEC2_VERSION}/unicode.mapp
COPY --from=crs_release /opt/owasp-crs /opt/owasp-crs
COPY src/etc/modsecurity.d/*.conf /etc/modsecurity.d/
COPY src/bin/* /usr/local/bin/
COPY src/opt/modsecurity/activate-*.sh /opt/modsecurity/
COPY src/opt/modsecurity/* /opt/modsecurity/
COPY apache/conf/extra/*.conf /usr/local/apache2/conf/extra/
COPY apache/docker-entrypoint.sh /

@@ -176,6 +176,7 @@ RUN set -eux; \
apk add --no-cache \
ca-certificates \
curl \
ed \
gnupg \
iproute2 \
libfuzzy2 \
2 changes: 1 addition & 1 deletion apache/docker-entrypoint.sh
@@ -4,6 +4,6 @@
/usr/local/bin/check-low-port

. /opt/modsecurity/activate-plugins.sh
. /opt/modsecurity/activate-rules.sh
. /opt/modsecurity/configure-rules.sh

exec "$@"
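Review bot: Sourcing `/opt/modsecurity/configure-rules.sh` with `.` leaves `$0` set to the entrypoint, so the `DIRECTORY="$(dirname "$0")"` line in the rules script on this page resolves to `/` and its loop would read `//configure-rules.conf`, while apache/Dockerfile copies the rules files to `/opt/modsecurity/`. Under `set -e` that likely stops the container at start-up, and if the failure is tolerated the WAF runs with an unconfigured crs-setup.conf. Passing the location explicitly removes the dependence on how the script is invoked, for example `DIRECTORY="${CONFIGURE_RULES_DIR:-$(dirname "$0")}"` in the script (the variable name is illustrative) with `CONFIGURE_RULES_DIR=/opt/modsecurity` set before the `.` line here.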
5 changes: 3 additions & 2 deletions nginx/Dockerfile
@@ -192,7 +192,6 @@ ENV \
SSL_VERIFY=off \
WORKER_CONNECTIONS=1024 \
# CRS specific variables
PARANOIA=1 \
ANOMALY_INBOUND=5 \
ANOMALY_OUTBOUND=4 \
BLOCKING_PARANOIA=1
@@ -208,7 +207,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/bin/* /usr/local/bin/
@@ -221,6 +221,7 @@ RUN set -eux; \
LD_LIBRARY_PATH="" apt-get install -y -qq --no-install-recommends --no-install-suggests \
ca-certificates \
curl \
ed \
libcurl4-gnutls-dev \
libfuzzy2 \
liblua${LUA_VERSION} \
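Review bot: The two added COPY lines take `src/opt/modsecurity/configure-rules.sh` and `src/opt/modsecurity/configure-rules.conf` as sources, but the files this page shows being added or edited are `activate-rules.sh` and `activate-rules.conf`; unless a rename is part of the commit and simply not rendered here, the build has no such source files. The same pair of COPY lines appears in nginx/Dockerfile-alpine and openresty/Dockerfile-alpine, and apache/docker-entrypoint.sh sources `configure-rules.sh`. Either rename the two files in the commit or copy the existing names onto the new targets, e.g. `COPY src/opt/modsecurity/activate-rules.conf /docker-entrypoint.d/configure-rules.conf`.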
4 changes: 3 additions & 1 deletion nginx/Dockerfile-alpine
@@ -200,7 +200,8 @@ COPY src/etc/modsecurity.d/modsecurity-override.conf /etc/nginx/templates/modsec
COPY src/etc/modsecurity.d/setup.conf /etc/nginx/templates/modsecurity.d/setup.conf.template
COPY nginx/docker-entrypoint.d/*.sh /docker-entrypoint.d/
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
# We use the templating mechanism from the nginx image here.
COPY nginx/templates /etc/nginx/templates/
COPY src/bin/* /usr/local/bin/
@@ -211,6 +212,7 @@ RUN set -eux; \
apk add --no-cache \
curl \
curl-dev \
ed \
libfuzzy2 \
libmaxminddb-dev \
libstdc++ \
4 changes: 3 additions & 1 deletion openresty/Dockerfile-alpine
@@ -203,7 +203,8 @@ COPY src/etc/modsecurity.d/modsecurity.conf /usr/local/openresty/nginx/templates
COPY src/etc/modsecurity.d/modsecurity-override.conf /usr/local/openresty/nginx/templates/modsecurity.d/modsecurity-override.conf.template
COPY src/etc/modsecurity.d/setup.conf /usr/local/openresty/nginx/templates/modsecurity.d/setup.conf.template
COPY src/opt/modsecurity/activate-plugins.sh /docker-entrypoint.d/94-activate-plugins.sh
COPY src/opt/modsecurity/activate-rules.sh /docker-entrypoint.d/95-activate-rules.sh
COPY src/opt/modsecurity/configure-rules.sh /docker-entrypoint.d/95-configure-rules.sh
COPY src/opt/modsecurity/configure-rules.conf /docker-entrypoint.d/
COPY src/bin/* /usr/local/bin/

# Openresty specific block.
@@ -216,6 +217,7 @@ RUN set -eux; \
apk add --no-cache \
curl \
curl-dev \
ed \
libfuzzy2 \
libmaxminddb-dev \
libstdc++ \
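--- a/src/opt/modsecurity/activate-rules.conf
+++ b/src/opt/modsecurity/activate-rules.conf
@@ -0,0 +1,28 @@
+# Format: <legacy (0|1)>|<env var>|<rule ID>|<tx var name>
+# The octothorpe (#) designates a comment, comments are ignored
+
+# Superceded by BLOCKING_PARANOIA
+true|PARANOIA|900000|blocking_paranoia_level
+true|PARANOIA|900001|detection_paranoia_level
+false|BLOCKING_PARANOIA|900000|blocking_paranoia_level
+# Superceded by DETECTION_PARANOIA
+true|EXECUTING_PARANOIA|900001|executing_paranoia_level
+false|DETECTION_PARANOIA|900001|detection_paranoia_level
+false|ENFORCE_BODYPROC_URLENCODED|900010|enforce_bodyproc_urlencoded
+false|INBOUND_ANOMALY|900110|inbound_anomaly_score_threshold
+false|OUTBOUND_ANOMALY|900110|outbound_anomaly_score_threshold
+false|ALLOWED_METHODS|900200|allowed_methods
+false|ALLOWED_REQUEST_CONTENT_TYPE|900220|allowed_request_content_type
+false|ALLOWED_REQUEST_CONTENT_TYPE_CHARSET|900280|allowed_request_content_type_charset
+false|ALLOWED_HTTP_VERSIONS|900230|allowed_http_versions
+false|RESTRICTED_EXTENSIONS|900240|restricted_extensions
+false|RESTRICTED_HEADERS_BASIC|900250|restricted_headers_basic
+false|RESTRICTED_HEADERS_EXTENDED|900255|restricted_headers_extended
+false|MAX_NUM_ARGS|900300|max_num_args
+false|ARG_NAME_LENGTH|900310|arg_name_length
+false|ARG_LENGTH|900230|arg_length
+false|TOTAL_ARG_LENGTH|900330|total_arg_length
+false|MAX_FILE_SIZE|900340|max_file_size
+false|COMBINED_FILE_SIZES|900350|combined_file_sizes
+false|VALIDATE_UTF8_ENCODING|900950|crs_validate_utf8_encoding
+false|REPORTING_LEVEL|900115|reporting_level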
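Review bot: The `ARG_LENGTH` row points at rule 900230, the same id the `ALLOWED_HTTP_VERSIONS` row uses, so the uncomment pass in set_value would act on the wrong rule and the argument-length limit may never take effect; the sed line this commit removes for that setting used id 900320, so the row should read `false|ARG_LENGTH|900320|arg_length`. The two anomaly rows read `INBOUND_ANOMALY` and `OUTBOUND_ANOMALY`, while nginx/Dockerfile on this page still declares `ANOMALY_INBOUND` and `ANOMALY_OUTBOUND`, so thresholds set through the existing names would be ignored silently and the WAF would keep the defaults; a legacy row per old name, or keeping the old names, keeps them effective. `STATIC_EXTENSIONS` has no row although the removed script handled it, and the header comment documents the first field as `0|1` while the rows use `true`/`false`.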
243 changes: 129 additions & 114 deletions src/opt/modsecurity/activate-rules.sh
@@ -1,137 +1,152 @@
#!/bin/sh -e
#!/bin/busybox sh

setup_conf_path="/etc/modsecurity.d/owasp-crs/crs-setup.conf"
set -e

DIRECTORY="$(dirname "$0")"

# Check if crs-setup.conf is overriden
if [ -n "${MANUAL_MODE}" ]; then
echo "Using manual config mode"
return; # Don't use exit on a sourced script
fi

# Paranoia Level
sed -z -E -i 's/#SecAction[^"]+"id:900000.*tx\.paranoia_level=1\"/SecAction \\\n \"id:900000, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.paranoia_level='"${PARANOIA}"'\"/' "${setup_conf_path}"

# Blocking Paranoia Level
if [ -n "${BLOCKING_PARANOIA}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900000.*tx\.blocking_paranoia_level=1\"/SecAction \\\n \"id:900000, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.blocking_paranoia_level='"${BLOCKING_PARANOIA}"'\"/' "${setup_conf_path}"
fi

# Executing Paranoia Level
if [ -n "${EXECUTING_PARANOIA}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900001.*tx\.executing_paranoia_level=1\"/SecAction \\\n \"id:900001, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.executing_paranoia_level='"${EXECUTING_PARANOIA}"'\"/' "${setup_conf_path}"
fi

# Detection Paranoia Level
if [ -n "${DETECTION_PARANOIA}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900001.*tx\.detection_paranoia_level=1\"/SecAction \\\n \"id:900001, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.detection_paranoia_level='"${DETECTION_PARANOIA}"'\"/' "${setup_conf_path}"
fi

# Enforce Body Processor URLENCODED
if [ -n "${ENFORCE_BODYPROC_URLENCODED}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900010.*tx\.enforce_bodyproc_urlencoded=1\"/SecAction \\\n \"id:900010, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.enforce_bodyproc_urlencoded='"${ENFORCE_BODYPROC_URLENCODED}"'\"/' "${setup_conf_path}"
fi

# Inbound and Outbound Anomaly Score
sed -z -E -i 's/#SecAction[^"]+"id:900110.*tx\.outbound_anomaly_score_threshold=4\"/SecAction \\\n \"id:900110, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.inbound_anomaly_score_threshold='"${ANOMALY_INBOUND}"', \\\n setvar:tx.outbound_anomaly_score_threshold='"${ANOMALY_OUTBOUND}"'\"/' "${setup_conf_path}"

# HTTP methods that a client is allowed to use.
if [ -n "${ALLOWED_METHODS}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900200.*\x27tx\.allowed_methods=[[:upper:][:space:]]*\x27\"/SecAction \\\n \"id:900200, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_methods='"${ALLOWED_METHODS}"'\x27\"/' "${setup_conf_path}"
fi

# Content-Types that a client is allowed to send in a request.
if [ -n "${ALLOWED_REQUEST_CONTENT_TYPE}" ]; then
sed -z -E -i 's;#SecAction[^"]+"id:900220.*\x27tx\.allowed_request_content_type=[[:lower:][:space:]|+/-]*\x27\";SecAction \\\n \"id:900220, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_request_content_type='"${ALLOWED_REQUEST_CONTENT_TYPE}"'\x27\";' "${setup_conf_path}"
fi

# Content-Types charsets that a client is allowed to send in a request.
if [ -n "${ALLOWED_REQUEST_CONTENT_TYPE_CHARSET}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900280.*\x27tx\.allowed_request_content_type_charset=[[:lower:][:digit:]|-]*\x27\"/SecAction \\\n \"id:900280, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_request_content_type_charset='"${ALLOWED_REQUEST_CONTENT_TYPE_CHARSET}"'\x27\"/' "${setup_conf_path}"
fi

# Allowed HTTP versions.
if [ -n "${ALLOWED_HTTP_VERSIONS}" ]; then
sed -z -E -i 's|#SecAction[^"]+"id:900230.*\x27tx\.allowed_http_versions=[HTP012[:space:]/.]*\x27\"|SecAction \\\n \"id:900230, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.allowed_http_versions='"${ALLOWED_HTTP_VERSIONS}"'\x27\"|' "${setup_conf_path}"
fi

# Forbidden file extensions.
if [ -n "${RESTRICTED_EXTENSIONS}" ]; then
sed -z -E -i 's|#SecAction[^"]+"id:900240.*\x27tx\.restricted_extensions=[[:lower:][:space:]./]*\/\x27\"|SecAction \\\n \"id:900240, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_extensions='"${RESTRICTED_EXTENSIONS}"'\x27\"|' "${setup_conf_path}"
fi

# Forbidden request headers basic.
if [ -n "${RESTRICTED_HEADERS_BASIC}" ]; then
sed -z -E -i 's|#SecAction[^"]+"id:900250.*\x27tx\.restricted_headers_basic=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900250, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers_basic='"${RESTRICTED_HEADERS_BASIC}"'\x27\"|' "${setup_conf_path}"
fi

# Forbidden request headers extended.
if [ -n "${RESTRICTED_HEADERS_EXTENDED}" ]; then
sed -z -E -i 's|#SecAction[^"]+"id:900255.*\x27tx\.restricted_headers_extended=[[:lower:][:space:]/-]*\x27\"|SecAction \\\n \"id:900255, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.restricted_headers_extended='"${RESTRICTED_HEADERS_EXTENDED}"'\x27\"|' "${setup_conf_path}"
fi

# File extensions considered static files.
if [ -n "${STATIC_EXTENSIONS}" ]; then
sed -z -E -i 's|#SecAction[^"]+"id:900260.*\x27tx\.static_extensions=/[[:lower:][:space:]/.]*\x27\"|SecAction \\\n \"id:900260, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:\x27tx.static_extensions='"${STATIC_EXTENSIONS}"'\x27\"|' "${setup_conf_path}"
fi

# Block request if number of arguments is too high
if [ -n "${MAX_NUM_ARGS}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900300.*tx\.max_num_args=255\"/SecAction \\\n \"id:900300, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.max_num_args='"${MAX_NUM_ARGS}"'\"/' "${setup_conf_path}"
fi

# Block request if the length of any argument name is too high
if [ -n "${ARG_NAME_LENGTH}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900310.*tx\.arg_name_length=100\"/SecAction \\\n \"id:900310, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.arg_name_length='"${ARG_NAME_LENGTH}"'\"/' "${setup_conf_path}"
# Don't use exit on a sourced script
return
fi

# Block request if the length of any argument value is too high
if [ -n "${ARG_LENGTH}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900320.*tx\.arg_length=400\"/SecAction \\\n \"id:900320, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.arg_length='"${ARG_LENGTH}"'\"/' "${setup_conf_path}"
fi

# Block request if the total length of all combined arguments is too high
if [ -n "${TOTAL_ARG_LENGTH}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900330.*tx\.total_arg_length=64000\"/SecAction \\\n \"id:900330, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.total_arg_length='"${TOTAL_ARG_LENGTH}"'\"/' "${setup_conf_path}"
fi

# Block request if the total length of all combined arguments is too high
if [ -n "${MAX_FILE_SIZE}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900340.*tx\.max_file_size=1048576\"/SecAction \\\n \"id:900340, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.max_file_size='"${MAX_FILE_SIZE}"'\"/' "${setup_conf_path}"
fi

# Block request if the total size of all combined uploaded files is too high
if [ -n "${COMBINED_FILE_SIZES}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900350.*tx\.combined_file_sizes=1048576\"/SecAction \\\n \"id:900350, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.combined_file_sizes='"${COMBINED_FILE_SIZES}"'\"/' "${setup_conf_path}"
fi
setup_conf_path="/etc/modsecurity.d/owasp-crs/crs-setup.conf"

# Activate UTF8 validation
if [ -n "${VALIDATE_UTF8_ENCODING}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900950.*tx\.crs_validate_utf8_encoding=1\"/SecAction \\\n \"id:900950, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.crs_validate_utf8_encoding=1\"/' "${setup_conf_path}"
fi
set_value() {
local rule="${1}"
local var_name="${2}"
local tx_var_name="${3}"
local var_value="${4}"
echo "Configuring ${rule} for ${var_name} with ${tx_var_name}=${var_value}"

# For each rule, we do one pass to uncomment the rule (up to first blank line after the rule),
# then a second pass to set the variable. We do two separate passes since the rule might
# already be uncommented (by default in the file or due to having been uncommented in a previous step).
if grep -Eq "#.*id:${rule}" "${setup_conf_path}"; then
# commented, uncomment now
ed -s "${setup_conf_path}" <<EOF 2 > /dev/null
/id:${rule}/
-
.,/^$/ s/#//
wq
EOF
fi

# uncommented, set var
ed -s "${setup_conf_path}" <<EOF 2 > /dev/null
/id:${rule}/
/setvar:'\?tx\.${tx_var_name}=/
s/=.*"/=${var_value}"/
wq
EOF
}

should_set() {
test -n "${1}"
}

can_set() {
local rule="${1}"
local tx_var_name="${2}"

if ! grep -q "id:${rule}" "${setup_conf_path}"; then
return 1
elif ! grep -Eq "setvar:'?tx\.${tx_var_name}" "${setup_conf_path}"; then
return 1
else
return 0
fi
}

get_legacy() {
echo "${1}" | awk -F'\|' '{print $1}'
}

get_var_name() {
echo "${1}" | awk -F'\|' '{print $2}'
}

get_var_value() {
# Get the variable name, produce "${<var name>}" and use eval to expand
eval "echo $(echo "${1}" | awk -F'\|' '{print "${"$2"}"}')"
}

get_rule() {
echo "${1}" | awk -F'\|' '{print $3}'
}

get_tx_var_name() {
echo "${1}" | awk -F'\|' '{print $4}'
}

while read -r line; do
if [ -z "${line}" ] || echo "${line}" | grep -Eq "^#"; then
continue
fi

legacy="$(get_legacy "${line}")"
var_name="$(get_var_name "${line}")"
var_value="$(get_var_value "${line}")"
rule="$(get_rule "${line}")"
tx_var_name="$(get_tx_var_name "${line}")"

if should_set "${var_value}" "${tx_var_name}"; then
if ! can_set "${rule}" "${tx_var_name}"; then
if [ "${legacy}" = "true" ]; then
echo "Legacy variable set but nothing found to substitute. Skipping"
continue
fi
echo "Failed to find rule ${rule} to set ${tx_var_name}=${var_value} for ${var_name} in ${setup_conf_path}. Aborting"
exit 1
fi

set_value "${rule}" "${var_name}" "${tx_var_name}" "${var_value}"
fi
done < "${DIRECTORY}/configure-rules.conf"

# Add SecDefaultActions
if [ -n "${MODSEC_DEFAULT_PHASE1_ACTION}" ]; then
sed -z -E -i "s/SecDefaultAction \"phase:1,log,auditlog,pass\"/SecDefaultAction \"${MODSEC_DEFAULT_PHASE1_ACTION}\"/" "${setup_conf_path}"
var="${MODSEC_DEFAULT_PHASE1_ACTION}"
if should_set "${var}"; then
if ! grep -Eq "^SecDefaultAction.*phase:1" "${setup_conf_path}"; then
echo "Failed to find definition of SecDefaultAction for phase 1 in ${setup_conf_path}. Aborting"
exit 1
fi
ed -s "${setup_conf_path}" <<EOF 2 > /dev/null
/^SecDefaultAction.*phase:1/
s/".*"/"${var}"/
wq
EOF
fi

if [ -n "${MODSEC_DEFAULT_PHASE2_ACTION}" ]; then
sed -z -E -i "s/SecDefaultAction \"phase:2,log,auditlog,pass\"/SecDefaultAction \"${MODSEC_DEFAULT_PHASE2_ACTION}\"/" "${setup_conf_path}"
var="${MODSEC_DEFAULT_PHASE2_ACTION}"
if should_set "${var}"; then
if ! grep -Eq "^SecDefaultAction.*phase:2" "${setup_conf_path}"; then
echo "Failed to find definition of SecDefaultAction for phase 2 in ${setup_conf_path}. Aborting"
exit 1
fi
ed -s "${setup_conf_path}" <<EOF 2 > /dev/null
/^SecDefaultAction.*phase:2/
s/".*"/"${var}"/
wq
EOF
fi

# Substitute MODSEC_TAG
if [ -n "${MODSEC_TAG}" ]; then
sed -z -E -i "s/\\$\{MODSEC_TAG\}/${MODSEC_TAG}/g" "${setup_conf_path}"
fi
# Substitute MODSEC_TAG (part of the default phase actions above)
var="${MODSEC_TAG}"
if should_set "${var}"; then
if ! grep -q "MODSEC_TAG" "${setup_conf_path}"; then
echo "Failed to find definition of MODSEC_TAG in ${setup_conf_path}. Skipping"

# Reporting Level
if [ -n "${REPORTING_LEVEL}" ]; then
sed -z -E -i 's/#SecAction[^"]+"id:900115.*tx\.reporting_level=2\"/SecAction \\\n \"id:900115, \\\n phase:1, \\\n nolog, \\\n pass, \\\n t:none, \\\n setvar:tx.reporting_level='"${REPORTING_LEVEL}"'\"/' "${setup_conf_path}"
else
sed -z -E -i "s/\\$\{MODSEC_TAG\}/${var}/g" "${setup_conf_path}"
fi
fi


# Add marker rule for CRS test setup
# Add it only once
if [ -n "${CRS_ENABLE_TEST_MARKER}" ] && [ ${CRS_ENABLE_TEST_MARKER} -eq 1 ] && ! grep -q id:999999 "${setup_conf_path}"; then
if [ -n "${CRS_ENABLE_TEST_MARKER}" ] && [ "${CRS_ENABLE_TEST_MARKER}" -eq 1 ] && ! grep -q id:999999 "${setup_conf_path}"; then
cat <<EOF >> "${setup_conf_path}"


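Review bot: In set_value the environment value is pasted unescaped into the ed command `s/=.*"/=${var_value}"/`, so a value containing `/`, `&` or a backslash changes or breaks the substitution; the content-type, HTTP-version and restricted-extension settings normally contain `/`. As rendered, `<<EOF 2 > /dev/null` is parsed by the shell as a literal argument `2` plus a stdout redirect, so stderr is not what gets discarded; the same form appears in the uncomment pass and in the two SecDefaultAction blocks, which also interpolate `${var}` unescaped. The replacement rewrites everything up to the last `"` on the line, which looks like it would drop the closing `'` of quoted `setvar:'tx.…'` actions, so that is worth confirming against crs-setup.conf. The fence escapes the value before it reaches ed and keeps ed's error output visible.

```shell
set_value() {
  # … unchanged: locals, log line, uncomment pass …

  # Escape the characters that are special in the replacement part of an ed s/// command.
  local escaped_value
  escaped_value="$(printf '%s' "${var_value}" | sed -e 's|[\\/&]|\\&|g')"

  # Discard only stdout (ed echoes the addressed lines); stderr stays visible for diagnosis.
  ed -s "${setup_conf_path}" <<EOF > /dev/null
/id:${rule}/
/setvar:'\?tx\.${tx_var_name}=/
s/=.*"/=${escaped_value}"/
wq
EOF
}
```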