You may have noticed it's been a while since ModSecurity has had a major release. This does not mean I was lazy. I was working on it throughout, but for various reasons beyond my control, I had to postpone the 1.9 release from Spring 2005 to
SummerAutumn 2005. The other day I was compiling a list of new features for a client and I was amazed at the number of new features added. Below is a partial list. It will probably change slightly before the final release. Below is the final list of improvements.
- A brand new audit logging subsystem was added, aimed at supporting real-time audit log aggregation. This subsystem offers significantly better performance (the central audit log lock has been removed), records more information, and allows for log entries to be stored in a database or in flat files. It is now possible configure exactly what is being logged. In the Apache 2.x version of mod_security it is possible to log the response bodies too.
- Several new directives allow for a finer control of how rules are inherited between contexts:
- SecFilterImport - import rules (identified via their IDs) from the parent context
- SecFilterRemove - remove rules from the current context
- SecFilterInheritanceMandatory - force all rules in the current context to be inherited in child contexts. This is useful when distributed configuration (via .htaccess files) is used.
- Improvements to the way per-rule actions are configured:
- Directive SecFilterActionsRestricted which, when enabled, only allows meta-data actions (id, rev, message, severity) to be used as per-rule actions.
- Directive SecFilterSignatureAction can now be used as a template. The actions specified with this directive are inherited by the rules using per-rule actions. SecFilterSignatureAction can appear more than once in a configuration context, and this allows rules to be grouped according to how they respond to attacks. And it allows meta-data to be separated from policy, making it easier to rely on third-party rules.
- A new directive, SecGuardianLog, allows information on all request processed by the web server to be exported to one external process (via piped logging). This is used in mod_security 1.9 to connect Apache to httpd-guardian, a stateful Denial-of-Service defence tool that detects attacks across all Apache processes. When an attack is detected httpd-guardian can communicate with a firewall to restrict access from the IP address. In its default implementation httpd-guardian uses iptables, the Linux host-based firewall, for this purpose.
- New actions:
- setenv - create an environment variable, used to interact with other Apache modules, or applications
- setnote - create an Apache note, used to interact with other Apache modules
- auditlog - force request to be sent to the audit log
- noauditlog - forbid request from being recorded in the audit log
- id - assign unique ID to the rule
- rev - assign a rule revision
- message - assign message to the rule, the message will appear in the log entry (error log, audit log)
- severity - assign severity to the rule; the severity will appear in the log entry (error log, audit log)
- proxy - instead of processing the request locally, use the built-in reverse proxy to forward it to some other web server
- mandatory - mark a rule as mandatory for inheritance
- FILE_NAME_* -
- SCRIPT_UID - script user ID
Update (October 6): The list now includes all the features new to 1.9.