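#!/bin/bash
# +----+----+----+----+
# |    |    |    |    |
# Author: Mark David Scott Cunningham            | M  | D  | S  | C  |
# +----+----+----+----+
# Created: 2016-11-21
# Updated: 2016-11-27
#
# Purpose: Create and/or edit necessary includes for whitelisting modsec rules
#
# Usage: script -i ID[,ID...] [-d DOMAIN[,DOMAIN...]]
#   With -d, " SecRuleRemoveByID <id>" is added to <includedir>modsec.conf for
#   every Include directory of that domain found in the main Apache config.
#   Without -d, the rule is whitelisted server-wide in
#   /usr/local/apache/conf/modsec2/whitelist.conf.
#   Rule IDs are restricted to NUM or NUM-NUM and domains to hostname
#   characters, because both values are interpolated into sed/awk programs
#   and written into the Apache configuration.
#   Nothing is written and Apache is not restarted when no rule ID is given.

# Directory of the server-wide whitelist include (used when -d is omitted).
readonly global_dir="/usr/local/apache/conf/modsec2/"

# Print the option summary to stdout.
usage() {
  printf '\n Usage: %s [options] [arguments]\n' "$0"
  printf '  -d ... Domains to whitelist the rules against\n'
  printf '         If domain is omitted the rule will be whitelisted for the entire server.\n'
  printf '  -i ... Modsec rule IDs for whitelisting\n'
  printf '  -u ... to match against in a location match statement\n'
  printf '  -h ... Print this help, and quit\n\n'
}

# Accept only a single numeric ID or a NUM-NUM range (the forms
# SecRuleRemoveByID understands); anything else would end up verbatim in
# the sed replacement and in the config file.
valid_rule_id() {
  [[ $1 =~ ^[0-9]+(-[0-9]+)?$ ]]
}

# Accept only hostname characters; the domain is used inside an awk regex.
valid_domain() {
  [[ $1 =~ ^[A-Za-z0-9.-]+$ ]]
}

#######################################
# Add a whitelist entry to an include file, creating the file if needed.
# Arguments: $1 - include directory (with trailing slash, as in the config)
#            $2 - file name inside that directory
#            $3 - modsec rule ID (already validated by the caller)
# Returns:   0 on success, 1 if an existing file has no IfModule line to
#            insert after (sed would otherwise silently change nothing)
#######################################
add_whitelist() {
  local include=$1 filename=$2 id=$3
  local target="${include}${filename}"

  if [[ ! -f "$target" ]]; then
    # New file: wrap the rule in the module guard so later calls have an
    # "IfModule mod_security" line to insert after.
    {
      printf '<IfModule mod_security2.c>\n'
      printf ' SecRuleRemoveByID %s\n' "$id"
      printf '</IfModule>\n'
    } > "$target"
  else
    if ! grep -q 'IfModule mod_security' -- "$target"; then
      printf 'error: %s has no "IfModule mod_security" line; not modified\n' "$target" >&2
      return 1
    fi
    # Insert the new rule directly after the IfModule line.
    sed -i "s/\(.*IfModule mod_security.*\)/\1\n SecRuleRemoveByID $id/" "$target"
  fi
}

# Argument parsing with getopt (enhanced getopt quotes its output so the
# eval/set idiom is safe). Abort on an unknown option instead of parsing
# getopt's partial output.
domains=
modsec_ids=
OPTIONS=$(getopt -o "d:i:hu:" -- "$@") || exit 2
eval set -- "$OPTIONS"
while true; do
  case "$1" in
    -d) domains="${2//,/ }"; shift ;;
    -i) modsec_ids="${2//,/ }"; shift ;;
    # -u is accepted by getopt but nothing consumes it; say so rather than
    # dropping the value silently.
    -u) printf 'warning: -u is not implemented; ignoring %s\n' "$2" >&2; shift ;;
    -h) usage; exit 0 ;;
    --) shift; break ;;
    *) usage >&2; exit 2 ;;
  esac
  shift
done

if [[ -z "$modsec_ids" ]]; then
  printf '%s: no rule IDs given (-i); nothing to do\n' "$0" >&2
else
  # Figure out what main config exists for Apache: HTTPD_ROOT/SERVER_CONFIG_FILE
  # from `httpd -V`, joined with '/'.
  httpdconf=$(httpd -V | awk -F'"' '/HTTPD_ROOT|SERVER_CONFIG_FILE/ {print $2}' | tr '\n' '/' | sed 's/\/$//g')

  if [[ -n "$domains" && ! -r "$httpdconf" ]]; then
    printf 'error: cannot read main Apache config (%s)\n' "$httpdconf" >&2
    exit 1
  fi

  # Loop through list of modsec_ids
  for rule in $modsec_ids; do
    if ! valid_rule_id "$rule"; then
      printf 'skipping invalid rule id: %s\n' "$rule" >&2
      continue
    fi

    # Loop through list of domains if specified
    if [[ -n "$domains" ]]; then
      for domain in $domains; do
        if ! valid_domain "$domain"; then
          printf 'skipping invalid domain: %s\n' "$domain" >&2
          continue
        fi
        # Include directories for this domain: the quoted path of every
        # Include line mentioning the domain, with the '*.conf' glob removed.
        # The domain is passed to awk via -v, not spliced into the program.
        while IFS= read -r dir; do
          [[ -n "$dir" ]] || continue
          add_whitelist "$dir" modsec.conf "$rule"
          #echo "whitelist :: $rule :: ${dir}modsec.conf"
        done < <(awk -F'"' -v d="$domain" '$0 ~ ("nclude.*/" d) {print $2}' "$httpdconf" | sed 's/\*\.conf//')
      done
    # Global whitelist if domain is omitted
    else
      add_whitelist "$global_dir" whitelist.conf "$rule"
      #echo "whitelist :: $rule :: ${dir}whitelist.conf"
    fi
  done

  #echo "Checking and Restarting Apache ..."
  /scripts/rebuildhttpdconf && httpd -t && /scripts/restartsrv_httpd \
    || printf 'error: Apache config rebuild/test/restart failed\n' >&2
fi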