Update to OWASP CRS Ruleset running CWP and Apache on AlmaLinux 8 / 9


INTRODUCTION

First see our article on how to update your ModSecurity version, if this is not done, updating the OWASP ruleset will not work.

Update ModSecurity running CWP and Apache on AlmaLinux 8 / 9 – Starburst Services Knowledge Base


This will also give you access to the ‘latest’ OWASP CRS ruleset (currently at 4.11.0) as of the writing of this article, without needing CWPpro.

You can also use the Previous Major ruleset 3.3.7, if you wish.


READ ME FIRST

This article is provided as a courtesy.
Installing, configuring, and troubleshooting third-party applications is outside the scope of basic support provided by Starburst Services.

We are not liable for any damages and/or data loss.

AS ALWAYS, BEFORE MAKING ANY CRITICAL CHANGE, MAKE A BACKUP OR SNAPSHOT OF THE SERVER


REQUIRMENTS

  • SSH Client (e.g. Bitvise)
  • SSH credentials to login as Root
  • Working CWP Installation
  • Text editor of your choice. (The example uses nano)

PROCEDURE

Update ModSecurity >2.9.8, if not already updated.

The below screens are from the current version (0.9.8.1190) at the writing of this article.


Log into your admin panel.

e.g. https://yourserver.name:2031


Using the left side menu, select Security


Now from the open pulldown menu, select Mod Security


If you are running CWPpro, move the slider to select OWASP old, and then the Blue button to Save configuration.


OK, we are done with the CWP GUI, now for some CLI.

The instructions below will install OWASP CRS ruleset 4.11.0

You can view the OWASP rulesets at: https://coreruleset.org/


Let’s create the new directory for the OWASP ruleset:

cd /usr/local/apache/
mkdir modsecurity-owasp-latest
cd modsecurity-owasp-latest

Download the latest ruleset (as of the writing of this article, the latest version is 4.11.0).

wget https://github.com/coreruleset/coreruleset/releases/download/v4.11.0/coreruleset-4.11.0-minimal.tar.gz
tar -xvzf coreruleset-4.11.0-minimal.tar.gz
rm coreruleset-4.11.0-minimal.tar.gz
cd coreruleset-4.11.0
cp crs-setup.conf.example crs-setup.conf

Create a new file named owasp.conf:

nano owasp.conf

Add these 3 lines in owasp.conf:

Include /usr/local/apache/modsecurity-owasp-latest/coreruleset-4.11.0/crs-setup.conf
Include /usr/local/apache/modsecurity-owasp-latest/coreruleset-4.11.0/rules/*.conf
Include /usr/local/apache/modsecurity-owasp-latest/coreruleset-4.11.0/global_disabled_rules.conf

Save & Exit


touch global_disabled_rules.conf

global_disabled_rules.conf is for rule id’s which you want to ModSecurity to ignore server wide.


Now we need to update ModSecuirty:

nano /usr/local/apache/conf.d/mod_security.conf

Change the line:

Include "/usr/local/apache/modsecurity-owasp-old/owasp.conf"

to:

Include "/usr/local/apache/modsecurity-owasp-latest/coreruleset-4.11.0/owasp.conf"

Save & Exit


Now restart Apache (httpd):

systemctl restart httpd

Thanks for learning with Starburst Services.

Learn more about our services


Did you found this Knowledge Base Article useful?

Please considering thanking our SysOp Team.


KB Article Written: 2025-02-01

people found this article helpful. What about you?