1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.9
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# Template rules for login/audit rules.
# Uncomment the following lines and specify the path or specific login resource for protection
#
#<LocationMatch "^/(?:(admin|account\/login\.jsp$))">
#
# Identify/Set the UserID name and collection
# Must correctly specify the parameter name that holds the username data (example ARGS:username)
#
#SecRule ARGS:username ".*" "phase:2,id:'981075',t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"
#
# Password Complexity Check
# Must correctly specify the parameter name that holds the password data (example ARGS:password)
# The regex below requires 8 length, one upper, one lower, and one number.
#
#SecRule ARGS:password "^(?=[a-zA-Z0-9]*?[A-Z])(?=[a-zA-Z0-9]*?[a-z])(?=[a-zA-Z0-9]*?[0-9])[a-zA-Z0-9]{8,}$" "phase:2,id:'981076',t:none,block,log,msg:'Password does meet complexity requirements.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-POLICY-%{matched_var_name}=%{matched_var}"
#
# Sanitize the user's password data in the audit logs
# Set the appropriate password parameter name
#SecAction "phase:5,id:'981077',t:none,pass,nolog,sanitiseArg:password"
#</LocationMatch>
|
