The filter inheritance scheme in ModSecurity » Computer internet security  
The filter inheritance scheme in ModSecurity



Tuesday, November 20, 2007, 4:41
Posted in the ModSecurity category.

The filter inheritance scheme in ModSecurity follows the rules outlined below.

  • By default, all filters, together with their per-rule action lists, are inherited by child contexts.
  • The default action list is also inherited by child contexts.
  • Action lists, defined in the SecFilterSignatureAction directive (per-ruleset actions), are never inherited by child contexts.

It is possible to customize this scheme by using one or more of the directives SecFilterInheritance, SecFilterInheritanceMandatory, SecFilterImport, SecFilterRemove or by setting the per-rule action “mandatory” on a specific filter or filter chain.

SecFilterInheritance
Controls the inheritance of rules from the parent context. By default, its value is On. By setting it to Off in a context (e.g. a virtual host), none of the filters defined in parent contexts is inherited. This directive needs to be explicitly set in every context in which you do not want to inherit any rules. For example:

<Directory /path/to/some/dir>
    SecFilterInheritance Off
</Directory>
SecFilterImport
This directive works in conjunction with SecFilterInheritance and has a meaning only if the latter has been set to Off in a particular context. It accepts a space-delimited list of rule IDs and can be used to explicitly import filters from parent contexts. For example:

<Directory /path/to/some/dir>
    SecFilterInheritance Off
    SecFilterImport 1001 1002 1003
</Directory>
SecFilterRemove
This directive is the exact opposite of SecFilterImport. It has a meaning only if SecFilterInheritance has not been disabled in a particular context, and it works only for filters that have not been marked for mandatory inheritance (see below). It accepts a space-delimited list of rule IDs and can be used to explicitly disable inherited filters. For example:

<Directory /path/to/some/dir>
    SecFilterRemove 10 11 12
</Directory>
SecFilterInheritanceMandatory
Controls the inheritance of rules for the child contexts. By default, its value is Off. By setting it to On in a context (e.g. a virtual host), all of the filters defined in this particular context will be inherited by force by child contexts, despite the fact that filter inheritance might be disabled in those child contexts. This directive needs to be explicitly set in every context whose filters need to be always in effect in subcontexts. For example:

<VirtualHost 192.168.0.1:80>
    # Every filter defined in this vhost is forced into its child contexts
    SecFilterInheritanceMandatory On
    SecFilter ".*admin.*" "id:10"
    <Directory /path/to/some/dir/in/this/vhost>
        # Has no effect: rule 10 is inherited by force from the vhost above
        SecFilterRemove 10
    </Directory>
</VirtualHost>
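To make the interaction of these directives concrete, here is a small Python model of the inheritance rules described above. It is an added example, not ModSecurity code and not part of the original post: it represents server, virtual-host and directory contexts as a tree, applies SecFilterInheritance, SecFilterImport, SecFilterRemove, SecFilterInheritanceMandatory and the per-rule "mandatory" action, and computes which rule IDs are in effect in each context. The rule IDs, patterns and context names in build_demo() are constructed for illustration; the model only tracks which filters are present, not their action lists, and it assumes that a filter's mandatory status travels with it into deeper descendants as well as direct children.

```python
"""Toy model of the ModSecurity 1.x filter inheritance rules (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Filter:
    rule_id: int
    pattern: str
    mandatory: bool = False          # the per-rule "mandatory" action


@dataclass
class Context:
    """One Apache configuration context (server, <VirtualHost>, <Directory>)."""
    name: str
    parent: Optional["Context"] = None
    filters: List[Filter] = field(default_factory=list)
    inheritance: bool = True                 # SecFilterInheritance (default On)
    inheritance_mandatory: bool = False      # SecFilterInheritanceMandatory (default Off)
    imports: Set[int] = field(default_factory=set)   # SecFilterImport <ids>
    removes: Set[int] = field(default_factory=set)   # SecFilterRemove <ids>


@dataclass
class Effective:
    pattern: str
    origin: str        # context in which the filter was defined
    mandatory: bool    # forced into every descendant context


def effective_filters(ctx: Context) -> Dict[int, Effective]:
    """Compute the filters in effect in ctx, keyed by rule id."""
    result: Dict[int, Effective] = {}
    if ctx.parent is not None:
        for rid, eff in effective_filters(ctx.parent).items():
            if eff.mandatory:
                # Mandatory filters ignore both SecFilterInheritance Off
                # and SecFilterRemove in the child context.
                result[rid] = eff
            elif ctx.inheritance:
                # Normal inheritance: everything except explicitly removed ids.
                if rid not in ctx.removes:
                    result[rid] = eff
            elif rid in ctx.imports:
                # Inheritance Off: only explicitly imported ids come through.
                result[rid] = eff
    for f in ctx.filters:
        # A filter is mandatory if its own action says so, or if the context
        # that defines it has SecFilterInheritanceMandatory On. Assumption:
        # that status travels with the filter into deeper contexts too.
        result[f.rule_id] = Effective(
            f.pattern, ctx.name, f.mandatory or ctx.inheritance_mandatory)
    return result


def build_demo() -> Dict[str, Context]:
    """Constructed configuration tree mirroring the directives on this page."""
    server = Context("server", filters=[
        Filter(1001, "union.*select"), Filter(1002, "/etc/passwd"),
        Filter(1003, "<script"), Filter(20, "\\.\\./")])
    # Like the <VirtualHost> example above: rule 10 is forced into children.
    vhost = Context("vhost", parent=server, inheritance_mandatory=True,
                    filters=[Filter(10, ".*admin.*")])
    # SecFilterInheritance Off + SecFilterImport 1001 1002
    dir_a = Context("dir_a", parent=vhost, inheritance=False, imports={1001, 1002})
    # SecFilterRemove 10 20 (10 survives because it is mandatory)
    dir_b = Context("dir_b", parent=vhost, removes={10, 20})
    # SecFilterInheritance Off with no imports: only the mandatory rule remains
    dir_c = Context("dir_c", parent=vhost, inheritance=False)
    return {"server": server, "vhost": vhost,
            "dir_a": dir_a, "dir_b": dir_b, "dir_c": dir_c}


if __name__ == "__main__":
    for name, ctx in build_demo().items():
        eff = effective_filters(ctx)
        ids = ", ".join(f"{rid} ({e.origin}{', mandatory' if e.mandatory else ''})"
                        for rid, e in sorted(eff.items()))
        print(f"{name:7s}: {ids}")
```

Running the script prints the effective rule set per context; the useful check is that dir_b still carries rule 10 even though it lists it in SecFilterRemove, and that dir_c, which disabled inheritance and imported nothing, is still covered by rule 10.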
