6.7 Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled - Inbound Anomaly Threshold

Information

The OWASP ModSecurity Core Rule Set (CRS) is a set of open source web application defensive rules for the ModSecurity web application firewall (WAF). The OWASP ModSecurity CRS provides baseline protections in the following attack/threat categories:

- HTTP Protection - detecting violations of the HTTP protocol and a locally defined usage policy.
- Real-time Blacklist Lookups - utilizes 3rd Party IP Reputation
- HTTP Denial of Service Protections - defense against HTTP Flooding and Slow HTTP DoS Attacks.
- Common Web Attacks Protection - detecting common web application security attack.
- Automation Detection - Detecting bots, crawlers, scanners and other surface malicious activity.
- Integration with AV Scanning for File Uploads - detects malicious files uploaded through the web application.
- Tracking Sensitive Data - Tracks Credit Card usage and blocks leakages.
- Trojan Protection - Detecting access to Trojans horses.
- Identification of Application Defects - alerts on application misconfigurations.
- Error Detection and Hiding - Disguising error messages sent by the server.

**Note:** Like other application security/application firewall systems, Mod_Security requires a significant commitment of staff resources for initial tuning of the rules and handling alerts. In some cases, this may require additional time working with application developers/maintainers to modify applications based on analysis of the results of tuning and monitoring logs. After setup, an ongoing commitment of staff is required for monitoring logs and ongoing tuning, especially after upgrades/patches. Without this commitment to tuning and monitoring, installing Mod_Security may NOT be effective and may provide a false sense of security.

Rationale:

Installing, configuring, and enabling the OWASP ModSecurity Core Rule Set (CRS) provides additional baseline security defense and a good starting point to customize the monitoring and blocking of common web application attacks.

Solution

Install, configure and test the OWASP ModSecurity Core Rule Set:

1. Download the OWASP ModSecurity CRS from the project page [https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project).
2. Unbundle the archive and follow the instructions in the 'INSTALL' file.
3. The 'modsecurity_crs_10_setup.conf' file is required, and rules in the 'base_rules' directory are intended as a baseline useful for most applications.
4. Test the application for correct functionality after installing the CRS. Check web server error logs and the 'modsec_audit.log' file for blocked requests due to false positives.
5. It is also recommended to test the application response to malicious traffic such as an automated web application scanner to ensure the rules are active. The web server error log and 'modsec_audit.log' files should show logs of the attacks and the server's response codes.

See Also

https://workbench.cisecurity.org/files/2020

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|18.2

Plugin: Unix

Control ID: 60e871828a1cad00a070ae0c5dd1d1a23c2db675e6bc6c530ed0a371d7ce7ff6