www-apache/modsecurity-crs/modsecurity-crs-2.2.6-r1.ebuild - chromiumos/overlays/portage - Git at Google

 # Copyright 1999-2012 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$

 EAPI=4

 GITHUB_USER=SpiderLabs
 GITHUB_PROJECT=owasp-${PN}

 DESCRIPTION="Core Rule Set for ModSecurity"
 HOMEPAGE="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"
 SRC_URI="https://github.com/${GITHUB_USER}/${GITHUB_PROJECT}/tarball/v${PV} -> ${P}.tar.gz"

 LICENSE="Apache-2.0"
 SLOT="0"
 KEYWORDS="amd64 ppc sparc x86"
 IUSE="lua geoip"

 RDEPEND=">=www-apache/mod_security-2.7[lua?,geoip?]"
 DEPEND=""

 S="${WORKDIR}/${P}"

 RULESDIR=/etc/modsecurity
 LUADIR=/usr/share/${PN}/lua

 src_unpack() {
 	default
 	mv "${WORKDIR}/${GITHUB_USER}-${GITHUB_PROJECT}-"* "${P}" || die
 }

 src_prepare() {
 	if ! use lua; then
 		# comment out this since it's in the same file as another one we want to keep
 		sed -i -e "/id:'96000[456]'/s:^:#:" \
 			experimental_rules/modsecurity_crs_61_ip_forensics.conf || die

 		# remove these that rely on the presence of the lua files
 		rm \
 			experimental_rules/modsecurity_crs_16_scanner_integration.conf \
 			experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf \
 			experimental_rules/modsecurity_crs_41_advanced_filters.conf \
 			experimental_rules/modsecurity_crs_55_response_profiling.conf \
 			experimental_rules/modsecurity_crs_56_pvi_checks.conf \
 			|| die
 	else
 		# fix up the path to the scripts; there seems to be no
 		# consistency at all on how the rules are loaded.
 		sed -i \
 			-e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
 			-e "s:profile_page_scripts.lua:${LUADIR}/\0:" \
 			-e "s:/usr/local/apache/conf/crs/lua/:${LUADIR}/:" \
 			-e "s:/usr/local/apache/conf/modsec_current/base_rules/:${LUADIR}/:" \
 			-e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
 			-e "s:\.\./lua/:${LUADIR}/:" \
 			*_rules/*.conf || die

 		# fix up the shebang on the scripts
 		sed -i -e "s:/opt/local/bin/lua:/usr/bin/lua:" \
 			lua/*.lua || die
 	fi

 	sed -i \
 		-e '/SecGeoLookupDb/s:^:#:' \
 		-e '/SecGeoLookupDb/a# Gentoo already defines it in 79_modsecurity.conf' \
 		experimental_rules/modsecurity_crs_61_ip_forensics.conf || die

 	if ! use geoip; then
 		if use lua; then
 			# only comment this out as the file is going to be used for other things
 			sed -i -e "/id:'960007'/,+1 s:^:#:" \
 				experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
 		else
 			rm experimental_rules/modsecurity_crs_61_ip_forensics.conf || die
 		fi
 	fi
 }

 src_install() {
 	insinto "${RULESDIR}"
 	# slr_rules as of 2.2.6 have broken IDs that don't work with
 	# ModSecurity 2.7, but the rules require 2.7 to begin with.
 	doins -r base_rules optional_rules experimental_rules #slr_rules

 	insinto "${LUADIR}"
 	doins lua/*.lua

 	dodoc CHANGELOG README.md

 	(
 		cat - <<EOF
 <IfDefine SECURITY>
 EOF

 		cat modsecurity_crs_10_setup.conf.example

 		cat - <<EOF

 Include /etc/modsecurity/base_rules/*.conf

 # Include Trustwave SpiderLabs Research Team rules
 # Include /etc/modsecurity/slr_rules/*.conf
 # Not installed yet as of 2.2.6

 # Optionally use the other rules as well
 # Include /etc/modsecurity/optional_rules/*.conf
 # Include /etc/modsecurity/experimental_rules/*.conf
 </IfDefine>

 # -*- apache -*-
 # vim: ts=4 filetype=apache

 EOF
 	) > "${T}"/"80_${PN}.conf"

 	insinto /etc/apache2/modules.d/
 	doins "${T}"/"80_${PN}.conf"
 }

 pkg_postinst() {
 	elog
 	elog "If you want to enable further rules, check the following directories:"
 	elog "	${RULESDIR}/optional_rules"
 	elog "	${RULESDIR}/experimental_rules"
 	elog ""
 	elog "Starting from version 2.0.9, the default for the Core Rule Set is again to block"
 	elog "when rules hit. If you wish to go back to the 2.0.8 method of anomaly scoring, you"
 	elog "should change 80_${PN}.conf so that you have these settings enabled:"
 	elog ""
 	elog "    #SecDefaultAction \"phase:2,deny,log\""
 	elog "    SecAction \"phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on\""
 	elog ""
 	elog "Starting from version 2.1.2 rules are installed, for consistency, under"
 	elog "/etc/modsecurity, and can be configured with the following file:"
 	elog "  /etc/apache2/modules.d/80_${PN}.conf"
 	elog ""
 }
	# Copyright 1999-2012 Gentoo Foundation
	# Distributed under the terms of the GNU General Public License v2
	# $Id$

	EAPI=4

	GITHUB_USER=SpiderLabs
	GITHUB_PROJECT=owasp-${PN}

	DESCRIPTION="Core Rule Set for ModSecurity"
	HOMEPAGE="http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project"
	SRC_URI="https://github.com/${GITHUB_USER}/${GITHUB_PROJECT}/tarball/v${PV} -> ${P}.tar.gz"

	LICENSE="Apache-2.0"
	SLOT="0"
	KEYWORDS="amd64 ppc sparc x86"
	IUSE="lua geoip"

	RDEPEND=">=www-apache/mod_security-2.7[lua?,geoip?]"
	DEPEND=""

	S="${WORKDIR}/${P}"

	RULESDIR=/etc/modsecurity
	LUADIR=/usr/share/${PN}/lua

	src_unpack() {
	default
	mv "${WORKDIR}/${GITHUB_USER}-${GITHUB_PROJECT}-"* "${P}" \|\| die
	}

	src_prepare() {
	if ! use lua; then
	# comment out this since it's in the same file as another one we want to keep
	sed -i -e "/id:'96000[456]'/s:^:#:" \
	experimental_rules/modsecurity_crs_61_ip_forensics.conf \|\| die

	# remove these that rely on the presence of the lua files
	rm \
	experimental_rules/modsecurity_crs_16_scanner_integration.conf \
	experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.1_request_exception.conf \
	experimental_rules/modsecurity_crs_41_advanced_filters.conf \
	experimental_rules/modsecurity_crs_55_response_profiling.conf \
	experimental_rules/modsecurity_crs_56_pvi_checks.conf \
	\|\| die
	else
	# fix up the path to the scripts; there seems to be no
	# consistency at all on how the rules are loaded.
	sed -i \
	-e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
	-e "s:profile_page_scripts.lua:${LUADIR}/\0:" \
	-e "s:/usr/local/apache/conf/crs/lua/:${LUADIR}/:" \
	-e "s:/usr/local/apache/conf/modsec_current/base_rules/:${LUADIR}/:" \
	-e "s:/etc/apache2/modsecurity-crs/lua/:${LUADIR}/:" \
	-e "s:\.\./lua/:${LUADIR}/:" \
	_rules/.conf \|\| die

	# fix up the shebang on the scripts
	sed -i -e "s:/opt/local/bin/lua:/usr/bin/lua:" \
	lua/*.lua \|\| die
	fi

	sed -i \
	-e '/SecGeoLookupDb/s:^:#:' \
	-e '/SecGeoLookupDb/a# Gentoo already defines it in 79_modsecurity.conf' \
	experimental_rules/modsecurity_crs_61_ip_forensics.conf \|\| die

	if ! use geoip; then
	if use lua; then
	# only comment this out as the file is going to be used for other things
	sed -i -e "/id:'960007'/,+1 s:^:#:" \
	experimental_rules/modsecurity_crs_61_ip_forensics.conf \|\| die
	else
	rm experimental_rules/modsecurity_crs_61_ip_forensics.conf \|\| die
	fi
	fi
	}

	src_install() {
	insinto "${RULESDIR}"
	# slr_rules as of 2.2.6 have broken IDs that don't work with
	# ModSecurity 2.7, but the rules require 2.7 to begin with.
	doins -r base_rules optional_rules experimental_rules #slr_rules

	insinto "${LUADIR}"
	doins lua/*.lua

	dodoc CHANGELOG README.md

	(
	cat - <<EOF
	<IfDefine SECURITY>
	EOF

	cat modsecurity_crs_10_setup.conf.example

	cat - <<EOF

	Include /etc/modsecurity/base_rules/*.conf

	# Include Trustwave SpiderLabs Research Team rules
	# Include /etc/modsecurity/slr_rules/*.conf
	# Not installed yet as of 2.2.6

	# Optionally use the other rules as well
	# Include /etc/modsecurity/optional_rules/*.conf
	# Include /etc/modsecurity/experimental_rules/*.conf
	</IfDefine>

	# -- apache --
	# vim: ts=4 filetype=apache

	EOF
	) > "${T}"/"80_${PN}.conf"

	insinto /etc/apache2/modules.d/
	doins "${T}"/"80_${PN}.conf"
	}

	pkg_postinst() {
	elog
	elog "If you want to enable further rules, check the following directories:"
	elog " ${RULESDIR}/optional_rules"
	elog " ${RULESDIR}/experimental_rules"
	elog ""
	elog "Starting from version 2.0.9, the default for the Core Rule Set is again to block"
	elog "when rules hit. If you wish to go back to the 2.0.8 method of anomaly scoring, you"
	elog "should change 80_${PN}.conf so that you have these settings enabled:"
	elog ""
	elog " #SecDefaultAction \"phase:2,deny,log\""
	elog " SecAction \"phase:1,t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on\""
	elog ""
	elog "Starting from version 2.1.2 rules are installed, for consistency, under"
	elog "/etc/modsecurity, and can be configured with the following file:"
	elog " /etc/apache2/modules.d/80_${PN}.conf"
	elog ""
	}