Understood and I agree.


On 4/14/11 9:35 AM, "Jim Riggs" <[email protected]> wrote:

>I agree with Andreas and Klaubert.  If this is the approach we take, the
>documentation should *strongly* recommend symlinks; otherwise, it will
>cause a major maintenance headache for admins, breaking auto-update.  (I
>fear the step of _copying_ the files will often get forgotten or missed.
>Symlinks would address that issue to an extent.)
>
>
>On Apr 14, 2011, at 8:28 AM, pfote wrote:
>
>> I'm using right now that
>>               Include conf/modsecurity_crs/*.conf
>>               Include conf/modsecurity_crs/base_rules/*.conf
>>               Include conf/modsecurity_crs/optional_rules/*.conf
>>
>>
>> approach, wasn't aware of that problem (fairly new to modsecurity and
>>owasp) .. thanks for pointing out.
>>
>> However, I wouldn't copy but better symlink them, this way it's still
>>possible to have it auto-updated.
>>
>> cheers
>> Andreas
>>> Yes, I think this would be helpful.  It might be worth explaining in
>>> the comments why the "proper order" is important, and thus where to
>>> put custom configuration settings and rules for each vhost/server.
>>>
>>> Colin
>>>
>>> On 14 April 2011 14:00, Ryan Barnett <[email protected]> wrote:
>>>
>>>> Any comments on this approach?  Good idea?
>>>>
>>>> -Ryan
>>>>
>>>>
>>>> From: Ryan Barnett <[email protected]>
>>>> Date: Tue, 12 Apr 2011 09:57:24 -0500
>>>> To: "[email protected]" <[email protected]>
>>>> Subject: CRS Directory Format Question
>>>>
>>>> The current OWASP CRS archive has a number of directories that hold
>>>>different rules -
>>>>
>>>>  *   base_rules
>>>>  *   optional_rules
>>>>  *   slr_rules
>>>>  *   experimental_rules
>>>>
>>>> I am thinking that most ModSecurity users want to use Apache Include
>>>>wild-carding when activating rulesets -
>>>>
>>>> <IfModule security2_module>
>>>>               Include conf/modsecurity_crs/*.conf
>>>>               Include conf/modsecurity_crs/base_rules/*.conf
>>>> </IfModule>
>>>>
>>>> While this is certainly convenient, this does cause a problem.  The
>>>>various rules files have a numbering scheme whose purpose is to help
>>>>ensure that the rules files are executed in the proper order when
>>>>wild-carding with includes.  Activating these rules is challenging
>>>>when separated into the different directories.
>>>>
>>>> <IfModule security2_module>
>>>>               Include conf/modsecurity_crs/*.conf
>>>>               Include conf/modsecurity_crs/base_rules/*.conf
>>>>               Include conf/modsecurity_crs/optional_rules/*.conf
>>>>
>>>> </IfModule>
>>>>
>>>> So, what I am thinking is that we should add an empty directory
>>>>called -
>>>>
>>>>  *   activated_rules
>>>>
>>>> The sole purpose of this directory would be for the local Admin to
>>>>copy all files that they want to run into that one directory.  When
>>>>they do this, then the file name numbering scheme will work and it
>>>>will allow for easier Include wild-carding -
>>>>
>>>> <IfModule security2_module>
>>>>               Include conf/modsecurity_crs/*.conf
>>>>               Include conf/modsecurity_crs/activated_rules/*.conf
>>>> </IfModule>
>>>>
>>>> How does this approach sound to everyone?
>>>>
>>>> -Ryan
>>>>
>>>> ________________________________
>>>> This transmission may contain information that is privileged,
>>>>confidential, and/or exempt from disclosure under applicable law. If
>>>>you are not the intended recipient, you are hereby notified that any
>>>>disclosure, copying, distribution, or use of the information contained
>>>>herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
>>>>received this transmission in error, please immediately contact the
>>>>sender and destroy the material in its entirety, whether in electronic
>>>>or hard copy format.
>>>>
>>>> _______________________________________________
>>>> Owasp-modsecurity-core-rule-set mailing list
>>>>
>>>> [email protected]
>>>>
>>>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set



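The ordering problem and the symlink approach discussed in this thread, as an added example that is not part of the original messages: it compares the load order of per-directory wildcard Includes with a single Include over `activated_rules`, and lists symlinks left dangling after an update. The function names and the `*_sample.conf` file names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Apache expands each wildcard Include on its own, in
# alphabetical order. File names below are constructed samples.

# Load order with one Include per directory (args: root, then dirs).
per_dir_order() {
    root=$1; shift
    for d in "$@"; do
        ( cd "$root/$d" && printf '%s\n' *.conf | LC_ALL=C sort )
    done
}

# Symlink chosen files (args: root, then dir/file.conf) into
# activated_rules/ with relative links, so updates to the originals
# are picked up without re-copying.
activate() {
    root=$1; shift
    mkdir -p "$root/activated_rules"
    for f in "$@"; do
        ln -sf "../$f" "$root/activated_rules/$(basename "$f")"
    done
}

# Load order with a single Include over activated_rules/.
merged_order() {
    ( cd "$1/activated_rules" && printf '%s\n' *.conf | LC_ALL=C sort )
}

# Links whose target disappeared, e.g. a file renamed by an update.
dangling() {
    for l in "$1"/activated_rules/*.conf; do
        [ -L "$l" ] && [ ! -e "$l" ] && basename "$l"
    done
    return 0
}

# Build a throwaway tree with constructed rule files; prints its path.
demo_setup() {
    t=$(mktemp -d)
    mkdir -p "$t/base_rules" "$t/optional_rules"
    : > "$t/base_rules/modsecurity_crs_20_sample.conf"
    : > "$t/base_rules/modsecurity_crs_60_sample.conf"
    : > "$t/optional_rules/modsecurity_crs_10_sample.conf"
    activate "$t" base_rules/modsecurity_crs_20_sample.conf \
        base_rules/modsecurity_crs_60_sample.conf \
        optional_rules/modsecurity_crs_10_sample.conf
    echo "$t"
}
```

Running `dangling` after each rule-set update shows which activated rules silently stopped loading because their source file was removed or renamed.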