I have a fresh installation of CentOS 8. I installed Apache 2.4.37 from the repo. Then installed the latest ModSecurity:
dnf install mod_security -y
Checked the installation
dnf info mod_security
Result:
Name : mod_security
Version : 2.9.2
The required Apache modules are available / loaded:
apachectl -M | grep security -> security2_module (shared)
apachectl -M | grep unique -> unique_id_module (shared)
Installed the core rule set from the repo:
dnf install mod_security_crs
which automatically links the rules into the apache folder
/etc/httpd/modsecurity.d/activated_rules
Rules have been checked / are in place.
The main config file
/etc/httpd/conf.d/mod_security.conf
includes necessary further config files, including the rules conf files themselves:
IncludeOptional /etc/httpd/modsecurity.d/crs-setup.conf
IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
IncludeOptional /etc/httpd/modsecurity.d/local_rules/*.conf
(paths have been double-checked) and activates the rules engine:
SecRuleEngine On
The rules config file modsecurity.d/crs-setup.conf (which is included in mod_security.conf, see above) provides
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
Apache httpd.conf calls ModSecurity:
SecStatusEngine On
A restart (apachectl restart) shows that ModSecurity was loaded successfully:
ModSecurity: StatusEngine call successfully sent. <-- including LUA etc.
Tests with manipulated URLs like a script insert:
/?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%27
show no reaction whatsoever on ModSecurity's side. No entries at all in ModSecurity's audit and debug log files (debug level was set to 3), no errors in Apache's log files.
I just omitted the inclusion of the conf.d directory in the Apache httpd.conf. That's why the ModSecurity engine could start, but read no rules.
I added the line
in httpd.conf, and everything runs as expected.
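The symptom in this post is easy to misread because the two halves of the package land in different places: on CentOS 8 the mod_security package puts its LoadModule line in /etc/httpd/conf.modules.d/ (which the stock httpd.conf always includes, so `apachectl -M` shows security2_module and SecStatusEngine works), while SecRuleEngine and the CRS includes live in /etc/httpd/conf.d/mod_security.conf, which is only read if httpd.conf pulls in conf.d/. The script below is an added example, not code from the original post: it builds that layout in a scratch directory, expands Include/IncludeOptional directives the way httpd does, and reports separately whether the module is loaded and whether any SecRule is ever read, once without and once with the conf.d include. The directory tree, the single rule and the placeholder rule id are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the failure
# mode described above on a scratch directory tree and then checks the fix,
# by expanding Include/IncludeOptional directives the way httpd does.
# Assumed layout is the stock CentOS 8 one: ServerRoot /etc/httpd, the
# package's LoadModule line in conf.modules.d/10-mod_security.conf and its
# SecRule configuration in conf.d/mod_security.conf. Every file written
# below is a constructed sample; the SecRule and its id are placeholders.

# server_root CONF: the ServerRoot value in CONF (CentOS default /etc/httpd).
server_root() {
    r=$(sed -En 's/^[[:space:]]*ServerRoot[[:space:]]+"?([^"[:space:]]+)"?.*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${r:-/etc/httpd}"
}

# expand_includes ROOT CONF: list every file CONF pulls in through
# Include/IncludeOptional, transitively, resolving relative paths and globs
# against ROOT as httpd does. Commented-out directives are skipped.
expand_includes() {
    root="$1"
    grep -Ei '^[[:space:]]*Include(Optional)?[[:space:]]+' "$2" 2>/dev/null \
      | sed -E 's/^[[:space:]]*Include(Optional)?[[:space:]]+//; s/"//g; s/[[:space:]]+$//' \
      | while read -r pat; do
            case "$pat" in
                /*) ;;                    # absolute path: use as-is
                *)  pat="$root/$pat" ;;   # relative: resolve against ServerRoot
            esac
            for f in $pat; do             # unquoted on purpose: glob expansion
                if [ -f "$f" ]; then
                    printf '%s\n' "$f"
                    expand_includes "$root" "$f"
                fi
            done
        done
    return 0
}

# directive_reached CONF REGEX: succeed if REGEX matches in CONF or in any
# file httpd would read because of it.
directive_reached() {
    root=$(server_root "$1")
    { printf '%s\n' "$1"; expand_includes "$root" "$1"; } \
      | while read -r f; do
            if grep -Eiq "$2" "$f"; then echo hit; fi
        done | grep -q hit
}

# The two facts the post distinguishes: module loaded vs. rules actually read.
modsec_module_loaded() {
    directive_reached "$1" '^[[:space:]]*LoadModule[[:space:]]+security2_module'
}
modsec_rules_reached() {
    directive_reached "$1" '^[[:space:]]*SecRule[[:space:]]'
}

# build_tree DIR yes|no: write a minimal CentOS-style /etc/httpd under DIR,
# with (yes) or without (no) the conf.d include in httpd.conf.
build_tree() {
    d="$1"
    mkdir -p "$d/conf.modules.d" "$d/conf.d" "$d/modsecurity.d/activated_rules"
    printf 'LoadModule security2_module modules/mod_security2.so\n' \
        > "$d/conf.modules.d/10-mod_security.conf"
    {
        printf '<IfModule mod_security2.c>\n    SecRuleEngine On\n'
        printf '    IncludeOptional %s/modsecurity.d/crs-setup.conf\n' "$d"
        printf '    IncludeOptional %s/modsecurity.d/activated_rules/*.conf\n' "$d"
        printf '</IfModule>\n'
    } > "$d/conf.d/mod_security.conf"
    printf 'SecDefaultAction "phase:2,log,auditlog,deny,status:403"\n' \
        > "$d/modsecurity.d/crs-setup.conf"
    printf 'SecRule ARGS "@rx <script" "id:1,phase:2,deny"\n' \
        > "$d/modsecurity.d/activated_rules/demo.conf"   # placeholder rule
    {
        printf 'ServerRoot "%s"\nInclude conf.modules.d/*.conf\nSecStatusEngine On\n' "$d"
        if [ "$2" = yes ]; then
            # the stock CentOS 8 httpd.conf line that pulls in conf.d/
            printf 'IncludeOptional conf.d/*.conf\n'
        fi
    } > "$d/httpd.conf"
}

# Run both variants side by side: module loaded in each, rules only in one.
base=$(mktemp -d)
for variant in no yes; do
    build_tree "$base/$variant" "$variant"
    conf="$base/$variant/httpd.conf"
    if modsec_module_loaded "$conf"; then m=loaded; else m=missing; fi
    if modsec_rules_reached "$conf"; then r=reached; else r='NOT reached'; fi
    printf 'conf.d included: %-3s -> security2_module %s, SecRule config %s\n' "$variant" "$m" "$r"
done
rm -rf "$base"
```

On a real CentOS 8 host the same check is `modsec_rules_reached /etc/httpd/conf/httpd.conf`, since that file carries `ServerRoot "/etc/httpd"`. Apache can answer the question itself: `httpd -t -D DUMP_INCLUDES` prints every configuration file it will read, and mod_security.conf must appear in that list before any SecRule can fire; `apachectl -M` only proves the module object was loaded, which is exactly the misleading signal in this post.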