[mod-security-users] A Recommended Base Configuration
From: Ryan B. <RBa...@tr...> - 2011-04-01 15:28:40
Greetings everyone,

There have been a number of past email threads discussing the need for a recommended "base configuration" for ModSecurity configuration directives. These are settings that the local Admin uses to control the overall settings of ModSecurity (rule and audit engine, log file locations, whether to inspect request/response bodies, etc…). These are configurations that should not be included within 3rd party rule sets (such as the OWASP ModSecurity CRS).

We have taken the main.conf file recommended by Ivan Ristic in this thread (https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2009-August/000052.html) and added it to the Reference Manual Wiki - https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration

In order to have easier tracking, I will be sending out individual emails with the directive name in the subject line so that we can openly discuss what the community believes should be the recommended initial configuration. Based on the results, we will update the wiki and include this file within the upcoming ModSecurity 2.6 release.

Thanks,
Ryan