Gentoo - ModSecurity 2.9.1 lands in stable on amd64

Gentoo developers recently marked mod_security-2.9.1 and modsecurity-crs 3.0.2 as stable on amd64, which finally let me move on from the dormant ModSecurity 2.7.7 release. It was a good thing I picked up this update on a Sunday, though, as it turned out to be more than a simple drop-in replacement.

After emerging ModSecurity 2.9.1, I noticed there was no message about any configuration file needing an update. Therefore, I issued rc-service apache2 configtest to see what Apache had to say about that:

[Screenshot (Gentoo ModSecurity 2.9.1): Apache running a configuration file syntax test.]

Interestingly, the configuration was trying to load the ModSecurity module twice, and it still pointed at my old base rules directory, which no longer existed. By examining the contents of /etc/apache2/modules.d I discovered that a new naming scheme was in place, resulting in “duplicate” configuration files:

79_modsecurity.conf (old)
79_mod_security.conf (new)
80_modsecurity-crs.conf (old)
80_mod_security-crs.conf (new)

The new configuration files (79_mod_security.conf and 80_mod_security-crs.conf) contain the new and required paths provided by the ebuild, so I just changed the extension of the old configuration files to get them out of the way. I then had a close look at the new recommended configuration for ModSecurity along with the latest Core Rule Set (CRS), and I decided it would be easier not to merge my old configuration.

For reference, the ModSecurity recommended configuration is installed under /usr/share/doc/mod_security-2.9.1-r1 (modsecurity.conf-recommended.bz2), while the example CRS configuration is stored under /usr/share/doc/modsecurity-crs-3.0.2 (crs-setup.conf.example.bz2).

Anyhow, after tweaking the configuration and ruleset to my liking, I decided to check my configuration once more using rc-service apache2 configtest:

[Screenshot (Gentoo ModSecurity Unicode Mapping): ModSecurity 2.9.1 on Gentoo Linux missing a unicode map file.]

The missing unicode.mapping file is shipped with the ModSecurity tarball. Portage keeps downloaded source archives under /usr/portage/distfiles, so I could extract the missing file directly from the tarball:

tar -zxvf /usr/portage/distfiles/modsecurity-2.9.1.tar.gz -C /etc/apache2/modules.d/ modsecurity-2.9.1/unicode.mapping --strip-components=1
chown root:root /etc/apache2/modules.d/unicode.mapping
chmod 644 /etc/apache2/modules.d/unicode.mapping

I proceeded to issue a final rc-service apache2 configtest to confirm that there were no further issues (which there weren’t):

[Screenshot: ModSecurity 2.9.1 on Gentoo Linux, configtest passing.]
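As an added example (not part of the original post or of the Gentoo packaging), here is a small POSIX shell pre-flight check for the two things configtest tripped over above: a module loaded from both the old and the new 79_*.conf, and Include or SecUnicodeMapFile paths that do not exist. The sample configuration it builds in a temporary directory is constructed; the modules.d-under-ServerRoot layout and the <IfDefine SECURITY> wrapping are assumptions.

```shell
#!/bin/sh
# Pre-flight check for a Gentoo-style /etc/apache2/modules.d tree (added example).
# Relative paths are resolved the way Apache does: against ServerRoot.

# Second field of every line starting with directive $2 in all *.conf under $1.
directive_values() {
    grep -h -E "^[[:space:]]*$2[[:space:]]" "$1"/*.conf 2>/dev/null | awk '{print $2}'
}

# Modules named by more than one LoadModule line (the "loaded twice" symptom).
duplicate_loadmodules() {          # $1 = modules.d directory
    directive_values "$1" LoadModule | sort | uniq -d
}

# Include / SecUnicodeMapFile targets that do not exist. Globs such as
# rules/*.conf are cut back to their directory before the existence test.
missing_paths() {                  # $1 = modules.d directory, $2 = ServerRoot
    for d in Include SecUnicodeMapFile; do directive_values "$1" "$d"; done |
    while read -r p; do
        case "$p" in /*) f="$p" ;; *) f="$2/$p" ;; esac
        f=${f%%[*?]*}
        [ -e "$f" ] || echo "$f"
    done
}

# Constructed sample reproducing the post-upgrade state: old and new config
# files side by side, old base_rules directory gone, unicode.mapping absent.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/modules.d" "$root/modsecurity-crs/rules"
    printf '<IfDefine SECURITY>\nLoadModule security2_module modules/mod_security2.so\n</IfDefine>\n' \
        > "$root/modules.d/79_modsecurity.conf"
    printf '<IfDefine SECURITY>\nLoadModule security2_module modules/mod_security2.so\n</IfDefine>\nSecUnicodeMapFile modules.d/unicode.mapping 20127\n' \
        > "$root/modules.d/79_mod_security.conf"
    printf 'Include modsecurity-crs/base_rules/*.conf\n' > "$root/modules.d/80_modsecurity.conf"
    printf 'Include modsecurity-crs/rules/*.conf\n' > "$root/modules.d/80_mod_security-crs.conf"
    echo "$root"
}

# On a real box: duplicate_loadmodules /etc/apache2/modules.d
#                missing_paths /etc/apache2/modules.d /etc/apache2
```

Both functions print nothing when the tree is clean, so a non-empty output is the cue to rename the stale files or extract unicode.mapping before running configtest.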