(MODULES-11851) Restore ModSecurity engine on RHEL 10 via EPEL#2635
Merged
Conversation
PR #2629 (MODULES-11739) marked apache::mod::security unsupported on RHEL 10 to stop acceptance tests failing on the missing mod_security_crs package. That was broader than necessary: the ModSecurity engine itself is available on EL10 via EPEL (2.9.9); only the OWASP CRS rules are the genuine gap. Re-scope EL10 support to engine-only: - params.pp: on EL10 set $modsec_crs_package to undef and $modsec_default_rules to []. The engine package (mod_security) still installs; CRS is simply not managed. $modsec_crs_path keeps the EL8+ default since it is only referenced when rules are activated (none on EL10). - security.pp: replace the "Unsupported platforms: RedHat: 10" @note with an explanatory engine-only note. This re-enables both the unit specs and the existing acceptance test (guarded by mod_supported_on_platform?) on RHEL 10. With crs_package undef and activated_rules empty, the engine-only apply is clean (no CRS package, no rule_link symlinks; IncludeOptional globs tolerate the empty dir). - security_spec.rb: make the mod_security_crs package and CRS rule_link expectations conditional on major < 10, and add an explicit RedHat 10 context with hardcoded facts (FacterDB ships no RedHat-named EL10 factset yet, so on_supported_os cannot generate one). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Re-scopes apache::mod::security support on RHEL/EL 10 to be engine-only (ModSecurity engine available via EPEL) while leaving OWASP CRS unmanaged due to the missing mod_security_crs package on EL10.
Changes:
- Adjusts EL10 defaults to avoid managing the CRS package and to activate no default CRS rules.
- Updates
apache::mod::securitydocs to explain the EL10 engine-only behavior and EPEL prerequisite. - Updates unit specs to make CRS expectations conditional and adds an explicit RedHat 10 facts context.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
manifests/params.pp |
Sets EL10 defaults for CRS package/rules to enable engine-only behavior. |
manifests/mod/security.pp |
Replaces “unsupported” note with an EL10 engine-only/EPEL documentation note. |
spec/classes/mod/security_spec.rb |
Makes CRS expectations conditional and adds a dedicated RedHat 10 context. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| $secpcrematchlimitrecursion = 1500 | ||
| $modsec_secruleengine = 'On' | ||
| if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') <= 0 { | ||
| if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '10') >= 0 { |
| $secpcrematchlimitrecursion = 1500 | ||
| $modsec_secruleengine = 'On' | ||
| if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') <= 0 { | ||
| if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '10') >= 0 { |
Comment on lines
+36
to
+41
| if facts[:os]['release']['major'].to_i >= 10 | ||
| # EL10 ships the engine via EPEL but not the mod_security_crs package. | ||
| it { is_expected.not_to contain_package('mod_security_crs') } | ||
| else | ||
| it { is_expected.to contain_package('mod_security_crs') } | ||
| end |
Comment on lines
+81
to
85
| if facts[:os]['release']['major'].to_i >= 10 | ||
| # EL10 is engine-only (no CRS package), so no rules are activated. | ||
| it { is_expected.not_to contain_apache__security__rule_link('rules/crawlers-user-agents.data') } | ||
| elsif facts[:os]['release']['major'].to_i <= 7 | ||
| it { is_expected.to contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') } |
shubhamshinde360
approved these changes
Jun 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up to MODULES-11739 / #2629. That PR marked the whole
apache::mod::securityclass unsupported on RHEL 10, which was broader than necessary. The ModSecurity engine (mod_security) is available on RHEL 10 via EPEL 10 (2.9.9) — only the OWASP CRS rules package (mod_security_crs) is the genuine gap there.This re-scopes EL10 support to engine-only: the engine installs and enables, and CRS is simply left unmanaged on EL10.
Changes
manifests/params.pp— on EL10, set$modsec_crs_packagetoundefand$modsec_default_rulesto[]. The engine package (mod_security) still installs; CRS is not managed.$modsec_crs_pathkeeps the EL8+ default (only referenced when rules are activated, of which there are none on EL10).manifests/mod/security.pp— replace the@note Unsupported platforms: RedHat: 10with an explanatory engine-only note. This re-enables both the unit specs and the existing acceptance test (guarded bymod_supported_on_platform?) on RHEL 10. Withcrs_packageundef andactivated_rulesempty, the engine-only apply is clean: no CRS package, norule_linksymlinks, and theIncludeOptionalglobs tolerate the emptyactivated_rulesdir.spec/classes/mod/security_spec.rb— make themod_security_crspackage and CRSrule_linkexpectations conditional on major< 10, and add an explicit RedHat 10 context with hardcoded facts (FacterDB ships no RedHat-named EL10 factset yet, soon_supported_oscannot generate one).Notes
mod_securityengine package; this is documented in the class@note.Checklist
security_spec.rb,modsec_link_spec.rb,vhost_spec.rbmodsec contexts all green; lint + rubocop clean).Package[mod_security]present and nomod_security_crs).