I enabled modsecurity: "true" and enable-owasp-modsecurity-crs: "true" via the configmap of the nginx ingresss controller according to this link . In the annotation of the ingress I set SecRuleEngine On. When I use nikto to do some scans and try to trigger the owasp rules I only see 400 responses in the ingress logging. I would expect 403 responses. Anyone any idea on what I am doing wrong or what to check?
3
votes
What do you get if you disable modsecurity?
- Rico
Hi Rico, will try that today. To see what that does.
- bramvdk
whats the result with disabled modsecurity?
- Vit
I got it to work with modsecurity and owasp enabled via the configmap. The only thing I changed was the annotation in the ingress: nginx.ingress.kubernetes.io/configuration-snippet: | modsecurity_rules ' SecRuleEngine On SecAuditLog /var/log/modsec/audit.log SecAuditLogParts ABCIJDEFHZ SecAuditEngine RelevantOnly SecRuleRemoveById 932140 '; I had to change "SecAuditLog /var/log/modsec/audit.log". Changed it to SecAuditLog /var/log/modsec_audit.log
- bramvdk
1 Answers
1
votes
Followed the instructions on: https://karlstoney.com/2018/02/23/nginx-ingress-modsecurity-and-secchatops/
The only thing I had to change was "SecAuditLog /var/log/modsec/audit.log". Changed it to SecAuditLog /var/log/modsec_audit.log
