I enabled modsecurity: "true" and enable-owasp-modsecurity-crs: "true" via the configmap of the nginx ingress controller according to this link. In the annotation of the ingress I set SecRuleEngine On. When I use nikto to do some scans and try to trigger the owasp rules I only see 400 responses in the ingress logging. I would expect 403 responses. Does anyone have any idea what I am doing wrong or what to check?
- What do you get if you disable modsecurity? – Rico Sep 27 '18 at 21:34
- Hi Rico, will try that today. To see what that does. – bramvdk Oct 02 '18 at 10:51
- What's the result with disabled modsecurity? – Vit Oct 05 '18 at 13:44
- I got it to work with modsecurity and owasp enabled via the configmap. The only thing I changed was the annotation in the ingress:

      nginx.ingress.kubernetes.io/configuration-snippet: |
        modsecurity_rules '
          SecRuleEngine On
          SecAuditLog /var/log/modsec/audit.log
          SecAuditLogParts ABCIJDEFHZ
          SecAuditEngine RelevantOnly
          SecRuleRemoveById 932140
        ';

  I had to change "SecAuditLog /var/log/modsec/audit.log". Changed it to SecAuditLog /var/log/modsec_audit.log – bramvdk Oct 10 '18 at 13:55
1 Answer
1
Followed the instructions on: https://karlstoney.com/2018/02/23/nginx-ingress-modsecurity-and-secchatops/
The only thing I had to change was "SecAuditLog /var/log/modsec/audit.log". Changed it to SecAuditLog /var/log/modsec_audit.log

bramvdk
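The setup described in the answer, written out in full as an added example (not part of the original post): the controller ConfigMap keys plus the Ingress annotation with the corrected audit log path. The ConfigMap name and namespace, the Ingress name, host, backend service and the `networking.k8s.io/v1` API version are assumptions, and the ConfigMap key is written in its documented form `enable-modsecurity`.

```yaml
# Controller-wide switches. Name and namespace are assumptions:
# use the ConfigMap your ingress controller was started with.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
data:
  enable-modsecurity: "true"            # load the ModSecurity module
  enable-owasp-modsecurity-crs: "true"  # load the OWASP Core Rule Set
---
# Per-Ingress rules. Name, host and backend are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      modsecurity_rules '
        # Blocking mode (DetectionOnly would log without blocking)
        SecRuleEngine On
        # Corrected path from the answer: a file directly under /var/log
        SecAuditLog /var/log/modsec_audit.log
        SecAuditLogParts ABCIJDEFHZ
        SecAuditEngine RelevantOnly
        # Rule disabled in the original post
        SecRuleRemoveById 932140
      ';
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-app
            port:
              number: 80
```

Recent ingress-nginx releases ignore snippet annotations unless `allow-snippet-annotations` is enabled in the controller ConfigMap, so check that setting if the rules appear to have no effect.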