Created
October 11, 2018 15:15
-
-
Save earnjam/49104e5e9921f4d9fbc0c2c295135e34 to your computer and use it in GitHub Desktop.
Ansible playbook for VCCW to install ModSecurity and setup the OWASP ModSecurity Core Rule Set
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: all | |
| become: yes | |
| tasks: | |
| - name: Install ModSecurity | |
| apt: | |
| name: libapache2-modsecurity | |
| update_cache: yes | |
| - name: Setup initial ModSec config | |
| command: mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf | |
| become: yes | |
| - name: Enable ModSecurity | |
| become: yes | |
| replace: | |
| dest: /etc/modsecurity/modsecurity.conf | |
| regexp: SecRuleEngine .* | |
| replace: "SecRuleEngine On" | |
| notify: | |
| - restart apache | |
| - name: Activate all ModSec base rules | |
| become: yes | |
| shell: for f in `ls /usr/share/modsecurity-crs/base_rules` ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$f /usr/share/modsecurity-crs/activated_rules/$f ; done | |
| - name: Add main ruleset to ModSec config | |
| become: yes | |
| lineinfile: | |
| path: /etc/modsecurity/modsecurity.conf | |
| line: "IncludeOptional /usr/share/modsecurity-crs/*.conf" | |
| - name: Add activated rulesets to ModSec config | |
| become: yes | |
| lineinfile: | |
| path: /etc/modsecurity/modsecurity.conf | |
| line: "IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf" | |
| notify: | |
| - restart apache | |
| handlers: | |
| - name: restart apache | |
| become: yes | |
| service: name=apache2 state=restarted |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment