Re: [mod-security-users] Building mod_security into a static Apache 2.2 build

[Brian Rectanus <Brian.Rectanus@br...>]

André Cruz wrote:
> On Tue, Sep 29, 2009 at 5:04 PM, Brian Rectanus
> <Brian.Rectanus@... <mailto:Brian.Rectanus@...>> wrote:
>
>         I've read several posts about how to compile mod_security with a
>         static
>         build of apache but none of them worked, the latest was
>         http://thread.gmane.org/gmane.comp.apache.mod-security.user/1840/focus=1841
>
>
>     Could you give your reasoning for building it static?  I have never
>     seen a need for it.  If there really is one, then maybe I can do
>     something to aide in this?
>
>
>  From a security standpoint it makes sense to only include the code that
> you're going to need. I know exactly which modules I need so I build my
> custom apache with only those modules and include them statically. The
> whole dynamic loading of modules is just another piece of code I can
> live without.
>
> I'm sure you'll agree this makes sense. Also, I sleep a little better
> knowing that rogue modules cannot be loaded into the web server. :)

No, I do not agree ;)  This is normally the response I get and I think 
it is a flawed argument.  Typically your entire system is based off of 
shared libraries, not just apache modules (unless you went to a lot of 
trouble).

* Do you build Apache completely static (not just apache modules, but 
all the libs it links to as well?  Otherwise any of those libs can be 
replaced as well.

* Replacing libs is actually a good thing as it allows the library to 
fix an issue without having to rebuild the rest of the app.  This would 
normally result in a faster fix time that requires a lot less work on 
your part.  Normally I build with vendor/distribution supplied libraries 
as they have the time (generally) to keep them more up-to-date than I do.

* If someone has the rights to install a rouge module, then they also 
generally have the rights to replace the httpd binary as well ;)

* Building ModSecurity in this fashion is unsupported and definitely 
untested, so you risk there being a problem with the install, 
potentially lessening your security standpoint.

* With static modules, you have no way to unload the module without 
rebuilding and that may take a while if there is something you discover 
later on in a production environment.  With the module dynamically 
loaded you can just unload it via config if there is an issue.  What 
would happen if there was an app change later on that exposed a false 
positive or other issue in ModSecurity.  This may take your site offline 
until you rebuild, potentially costing you a lot of revenue.

* I do agree you should not run with code you do not need, but that does 
not mean not building it as dynamic loadable modules.  And if you want, 
build all your required modules static, but leave the option open for 
other modules, which are sometimes needed for resolving problems and 
debugging issues.

thanks,
-B

-- 
Brian Rectanus
Breach Security

[mod-security-users] Building mod_security into a static Apache 2.2 build

[André Cruz <teste@ca...>]

Hello.

I've read several posts about how to compile mod_security with a static
build of apache but none of them worked, the latest was
http://thread.gmane.org/gmane.comp.apache.mod-security.user/1840/focus=1841

It failed here:
make[3]: Entering directory `/home/andre/httpd-2.2.13/modules/security2'
/home/andre/httpd-2.2.13/srclib/apr/libtool --silent --mode=compile gcc
-pthread  -I/usr/include/libxml2  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE
-I/home/andre/httpd-2.2.13/srclib/pcre -I.
-I/home/andre/httpd-2.2.13/os/unix
-I/home/andre/httpd-2.2.13/server/mpm/worker
-I/home/andre/httpd-2.2.13/modules/http
-I/home/andre/httpd-2.2.13/modules/filters
-I/home/andre/httpd-2.2.13/modules/proxy -I/home/andre/httpd-2.2.13/include
-I/home/andre/httpd-2.2.13/modules/generators
-I/home/andre/httpd-2.2.13/modules/mappers
-I/home/andre/httpd-2.2.13/modules/database
-I/home/andre/httpd-2.2.13/srclib/apr/include
-I/home/andre/httpd-2.2.13/srclib/apr-util/include
-I/home/andre/httpd-2.2.13/modules/proxy/../generators
-I/home/andre/httpd-2.2.13/modules/security2/../generators
-I/servers/openssl/include -I/home/andre/httpd-2.2.13/modules/ssl
-I/home/andre/httpd-2.2.13/modules/dav/main  -prefer-non-pic -static -c
msc_multipart.c && touch msc_multipart.lo
msc_multipart.c:22:34: error: mod_security2_config.h: No such file or
directory

Is this file generated by mod_security's configure script? I couldn't run it
because it complained of the static build of apache...

configure: looking for Apache module support via DSO through APXS
apxs:Error: Sorry, no shared object support for Apache.
apxs:Error: available under your platform. Make sure.
apxs:Error: the Apache module mod_so is compiled into.
apxs:Error: your server binary `/servers/httpd-2.2.13/bin/httpd'..

Best regards,
André Cruz

Re: [mod-security-users] Building mod_security into a static Apache 2.2 build

[Brian Rectanus <Brian.Rectanus@br...>]

André Cruz wrote:
> Hello.
>
> I've read several posts about how to compile mod_security with a static
> build of apache but none of them worked, the latest was
> http://thread.gmane.org/gmane.comp.apache.mod-security.user/1840/focus=1841

Could you give your reasoning for building it static?  I have never seen 
a need for it.  If there really is one, then maybe I can do something to 
aide in this?


> It failed here:
> make[3]: Entering directory `/home/andre/httpd-2.2.13/modules/security2'
> /home/andre/httpd-2.2.13/srclib/apr/libtool --silent --mode=compile gcc
> -pthread  -I/usr/include/libxml2  -DLINUX=2 -D_REENTRANT
> -D_GNU_SOURCE    -I/home/andre/httpd-2.2.13/srclib/pcre -I.
> -I/home/andre/httpd-2.2.13/os/unix
> -I/home/andre/httpd-2.2.13/server/mpm/worker
> -I/home/andre/httpd-2.2.13/modules/http
> -I/home/andre/httpd-2.2.13/modules/filters
> -I/home/andre/httpd-2.2.13/modules/proxy
> -I/home/andre/httpd-2.2.13/include
> -I/home/andre/httpd-2.2.13/modules/generators
> -I/home/andre/httpd-2.2.13/modules/mappers
> -I/home/andre/httpd-2.2.13/modules/database
> -I/home/andre/httpd-2.2.13/srclib/apr/include
> -I/home/andre/httpd-2.2.13/srclib/apr-util/include
> -I/home/andre/httpd-2.2.13/modules/proxy/../generators
> -I/home/andre/httpd-2.2.13/modules/security2/../generators
> -I/servers/openssl/include -I/home/andre/httpd-2.2.13/modules/ssl
> -I/home/andre/httpd-2.2.13/modules/dav/main  -prefer-non-pic -static -c
> msc_multipart.c && touch msc_multipart.lo
> msc_multipart.c:22:34: error: mod_security2_config.h: No such file or
> directory
>
> Is this file generated by mod_security's configure script? I couldn't
> run it because it complained of the static build of apache...

Yes, this is auto-generated by the configure script.

>
> configure: looking for Apache module support via DSO through APXS
> apxs:Error: Sorry, no shared object support for Apache.
> apxs:Error: available under your platform. Make sure.
> apxs:Error: the Apache module mod_so is compiled into.
> apxs:Error: your server binary `/servers/httpd-2.2.13/bin/httpd'..

You just need to build Apache with --enable-so so that you can load modules.

-B


-- 
Brian Rectanus
Breach Security

Re: [mod-security-users] Building mod_security into a static Apache 2.2 build

[André Cruz <teste@ca...>]

On Tue, Sep 29, 2009 at 5:04 PM, Brian Rectanus
<Brian.Rectanus@...>wrote:

> I've read several posts about how to compile mod_security with a static
>> build of apache but none of them worked, the latest was
>>
>> http://thread.gmane.org/gmane.comp.apache.mod-security.user/1840/focus=1841
>>
>
> Could you give your reasoning for building it static?  I have never seen a
> need for it.  If there really is one, then maybe I can do something to aide
> in this?


>From a security standpoint it makes sense to only include the code that
you're going to need. I know exactly which modules I need so I build my
custom apache with only those modules and include them statically. The whole
dynamic loading of modules is just another piece of code I can live without.

I'm sure you'll agree this makes sense. Also, I sleep a little better
knowing that rogue modules cannot be loaded into the web server. :)

Best regards,
André Cruz

Re: [mod-security-users] Building mod_security into a static Apache 2.2 build

[yersinia <yersinia.spiros@gm...>]

On Tue, Sep 29, 2009 at 8:36 PM, André Cruz <teste@...> wrote:

> On Tue, Sep 29, 2009 at 5:04 PM, Brian Rectanus <Brian.Rectanus@...
> > wrote:
>
>>  I've read several posts about how to compile mod_security with a static
>>> build of apache but none of them worked, the latest was
>>>
>>> http://thread.gmane.org/gmane.comp.apache.mod-security.user/1840/focus=1841
>>>
>>
>> Could you give your reasoning for building it static?  I have never seen a
>> need for it.  If there really is one, then maybe I can do something to aide
>> in this?
>
>
> From a security standpoint it makes sense to only include the code that
> you're going to need.
>
The glibc mantainer think  different about security & static linking
http://people.redhat.com/drepper/no_static_linking.html
FWIW i think the same

Regards

> I know exactly which modules I need so I build my custom apache with only
> those modules and include them statically. The whole dynamic loading of
> modules is just another piece of code I can live without.
>
> I'm sure you'll agree this makes sense. Also, I sleep a little better
> knowing that rogue modules cannot be loaded into the web server. :)
>
> Best regards,
> André Cruz
>
>
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
> http://p.sf.net/sfu/devconf
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
>
>

Re: [mod-security-users] Building mod_security into a static Apache 2.2 build

[Brian Rectanus <Brian.Rectanus@br...>]

André Cruz wrote:
> On Tue, Sep 29, 2009 at 5:04 PM, Brian Rectanus
> <Brian.Rectanus@... <mailto:Brian.Rectanus@...>> wrote:
>
>         I've read several posts about how to compile mod_security with a
>         static
>         build of apache but none of them worked, the latest was
>         http://thread.gmane.org/gmane.comp.apache.mod-security.user/1840/focus=1841
>
>
>     Could you give your reasoning for building it static?  I have never
>     seen a need for it.  If there really is one, then maybe I can do
>     something to aide in this?
>
>
>  From a security standpoint it makes sense to only include the code that
> you're going to need. I know exactly which modules I need so I build my
> custom apache with only those modules and include them statically. The
> whole dynamic loading of modules is just another piece of code I can
> live without.
>
> I'm sure you'll agree this makes sense. Also, I sleep a little better
> knowing that rogue modules cannot be loaded into the web server. :)

No, I do not agree ;)  This is normally the response I get and I think 
it is a flawed argument.  Typically your entire system is based off of 
shared libraries, not just apache modules (unless you went to a lot of 
trouble).

* Do you build Apache completely static (not just apache modules, but 
all the libs it links to as well?  Otherwise any of those libs can be 
replaced as well.

* Replacing libs is actually a good thing as it allows the library to 
fix an issue without having to rebuild the rest of the app.  This would 
normally result in a faster fix time that requires a lot less work on 
your part.  Normally I build with vendor/distribution supplied libraries 
as they have the time (generally) to keep them more up-to-date than I do.

* If someone has the rights to install a rouge module, then they also 
generally have the rights to replace the httpd binary as well ;)

* Building ModSecurity in this fashion is unsupported and definitely 
untested, so you risk there being a problem with the install, 
potentially lessening your security standpoint.

* With static modules, you have no way to unload the module without 
rebuilding and that may take a while if there is something you discover 
later on in a production environment.  With the module dynamically 
loaded you can just unload it via config if there is an issue.  What 
would happen if there was an app change later on that exposed a false 
positive or other issue in ModSecurity.  This may take your site offline 
until you rebuild, potentially costing you a lot of revenue.

* I do agree you should not run with code you do not need, but that does 
not mean not building it as dynamic loadable modules.  And if you want, 
build all your required modules static, but leave the option open for 
other modules, which are sometimes needed for resolving problems and 
debugging issues.

thanks,
-B

-- 
Brian Rectanus
Breach Security

Re: [mod-security-users] Building mod_security into a static Apache 2.2 build

[André Cruz <teste@ca...>]

On Tue, Sep 29, 2009 at 8:09 PM, Brian Rectanus
<Brian.Rectanus@...>wrote:

>
> No, I do not agree ;)  This is normally the response I get and I think it
> is a flawed argument.  Typically your entire system is based off of shared
> libraries, not just apache modules (unless you went to a lot of trouble).
>
> * Do you build Apache completely static (not just apache modules, but all
> the libs it links to as well?  Otherwise any of those libs can be replaced
> as well.
>

Yes, that is true. It's just one less place that can happen.


> * Replacing libs is actually a good thing as it allows the library to fix
> an issue without having to rebuild the rest of the app.  This would normally
> result in a faster fix time that requires a lot less work on your part.
>  Normally I build with vendor/distribution supplied libraries as they have
> the time (generally) to keep them more up-to-date than I do.
>

Security fixes are normally applied quckly to vendor packages but the
version of these libraries is usually pretty old (I use Debian stable) so I
tend to build apache and it's modules by myself. I have automated processes
for this so rebuilding everything if a module changes is pretty fast.


> * If someone has the rights to install a rouge module, then they also
> generally have the rights to replace the httpd binary as well ;)
>

Generally, but not always. :)

* Building ModSecurity in this fashion is unsupported and definitely
> untested, so you risk there being a problem with the install, potentially
> lessening your security standpoint.
>

The bottom line is that I thought it would be just a question of putting the
files in the correct place so that apache could be built with the module
included. If the interfaces are different and if it implies code changes
then don't worry about it. Maybe I'm the only one running an apache without
dso support.

Best regards,
André Cruz