The filter inheritance scheme in ModSecurity

November 20, 2007
By Computer security

The filter inheritance scheme in ModSecurity follows the rules outlined below.

  • By default, all filters, together with their per-rule action lists, are inherited by child contexts.
  • The default action list is also inherited by child contexts.
  • Action lists, defined in the SecFilterSignatureAction directive (per-ruleset actions), are never inherited by child contexts.

It is possible to customize this scheme by using one or more of the directives SecFilterInheritance, SecFilterInheritanceMandatory, SecFilterImport, SecFilterRemove or by setting the per-rule action “mandatory” on a specific filter or filter chain.

SecFilterInheritance

Controls the inheritance of rules from the parent context. By default, its value is On. Setting it to Off in a context (e.g. a virtual host) means that none of the filters defined in parent contexts is inherited there. Because the Off setting does not carry over to child contexts, this directive needs to be explicitly set in every context in which you do not want to inherit any rules. For example:

<Directory /path/to/some/dir>
    SecFilterInheritance Off
</Directory>
SecFilterImport

This directive works in conjunction with SecFilterInheritance and has a meaning only if the latter has been set to Off in the same context. It accepts a space-delimited list of rule IDs and can be used to explicitly import filters from parent contexts, so that a context which has opted out of inheritance still gets the few rules it needs. For example:

<Directory /path/to/some/dir>
    SecFilterInheritance Off
    SecFilterImport 1001 1002 1003
</Directory>
SecFilterRemove

This directive is the exact opposite of SecFilterImport. It has a meaning only if SecFilterInheritance has not been disabled in a particular context, and it works only for filters that have not been marked for mandatory inheritance (see below). It accepts a space-delimited list of rule IDs and can be used to explicitly disable inherited filters. For example:

<Directory /path/to/some/dir>
    SecFilterRemove 10 11 12
</Directory>
SecFilterInheritanceMandatory

Controls the inheritance of rules for the child contexts. By default, its value is Off. By setting it to On in a context (e.g. a virtual host), all of the filters defined in that particular context are inherited by force by its child contexts, even where filter inheritance has been disabled in those child contexts, and they cannot be dropped there with SecFilterRemove. This directive needs to be explicitly set in every context whose filters must always remain in effect in its subcontexts. For example:

<VirtualHost 192.168.0.1:80>
    SecFilterInheritanceMandatory On
    SecFilter ".*admin.*" "id:10"
    <Directory /path/to/some/dir/in/this/vhost>
        # Has no effect: filter 10 is inherited by force from the virtual host
        SecFilterRemove 10
    </Directory>
</VirtualHost>
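To see how the pieces fit together, here is a complete configuration, added here as an example and not taken from the original post or from the ModSecurity project, that uses all four directives plus the per-rule "mandatory" action across the server, virtual-host and directory contexts. The rule IDs, patterns, host names and paths are invented for illustration; the comments state which filters are in effect in each context according to the rules described above.

```apache
# Added example (not from the original post). Rule IDs, patterns, paths and
# host names are made up. ModSecurity 1.x syntax.

# --- Server context: every child inherits these unless it opts out -------
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"   # default action list: inherited

SecFilterSelective ARGS "\.\./"      "id:1001"  # directory traversal attempt
SecFilterSelective ARGS "<script"    "id:1002"  # script injection attempt
# Per-rule "mandatory": inherited even where SecFilterInheritance is Off,
# and SecFilterRemove cannot drop it in any child context.
SecFilterSelective THE_REQUEST "/etc/passwd" "id:1003,mandatory"

# --- Virtual host that opts out, then pulls back only what it needs ------
<VirtualHost 192.168.0.1:80>
    ServerName www.example.com
    SecFilterInheritance Off            # drop all inherited filters ...
    SecFilterImport 1001 1002           # ... then re-import these two by ID
    # In effect here: 1001, 1002 (imported) and 1003 (mandatory).

    <Directory /var/www/www.example.com/upload>
        # Inheritance is On again in this child (Off was not repeated here),
        # so the vhost's filters apply and can be pruned:
        SecFilterRemove 1002            # allow markup in uploaded content
        SecFilterRemove 1003            # no effect: 1003 is mandatory
        # In effect here: 1001 and 1003.
    </Directory>
</VirtualHost>

# --- Virtual host that forces its own rules onto every child -------------
<VirtualHost 192.168.0.2:80>
    ServerName admin.example.com
    SecFilterInheritanceMandatory On
    SecFilterSelective REQUEST_URI "/admin/debug" "id:2001"
    # In effect here: 1001, 1002, 1003 (inherited from the server) and 2001.

    <Location /admin/public>
        SecFilterInheritance Off        # cannot shed 2001: the parent is mandatory
        SecFilterImport 1001 1002       # explicitly keep the two server rules
        # In effect here: 1001, 1002 (imported), 1003 (mandatory rule)
        # and 2001 (forced by SecFilterInheritanceMandatory in the vhost).
    </Location>
</VirtualHost>
```

When auditing a configuration like this, walk each context from the server level down and keep a running list of rule IDs: an ID leaves the list only through SecFilterInheritance Off (without a matching SecFilterImport) or SecFilterRemove, and neither of those touches a rule that is mandatory, whether through its own action list or through SecFilterInheritanceMandatory in the context that defined it.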
