Skip to content

(MODULES-11851) Restore ModSecurity engine on RHEL 10 via EPEL#2635

Merged
SugatD merged 1 commit into
mainfrom
MODULES-11851
Jun 26, 2026
Merged

(MODULES-11851) Restore ModSecurity engine on RHEL 10 via EPEL#2635
SugatD merged 1 commit into
mainfrom
MODULES-11851

Conversation

@SugatD

@SugatD SugatD commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

Summary

Follow-up to MODULES-11739 / #2629. That PR marked the whole apache::mod::security class unsupported on RHEL 10, which was broader than necessary. The ModSecurity engine (mod_security) is available on RHEL 10 via EPEL 10 (2.9.9) — only the OWASP CRS rules package (mod_security_crs) is the genuine gap there.

This re-scopes EL10 support to engine-only: the engine installs and enables, and CRS is simply left unmanaged on EL10.

Changes

  • manifests/params.pp — on EL10, set $modsec_crs_package to undef and $modsec_default_rules to []. The engine package (mod_security) still installs; CRS is not managed. $modsec_crs_path keeps the EL8+ default (only referenced when rules are activated, of which there are none on EL10).
  • manifests/mod/security.pp — replace the @note Unsupported platforms: RedHat: 10 with an explanatory engine-only note. This re-enables both the unit specs and the existing acceptance test (guarded by mod_supported_on_platform?) on RHEL 10. With crs_package undef and activated_rules empty, the engine-only apply is clean: no CRS package, no rule_link symlinks, and the IncludeOptional globs tolerate the empty activated_rules dir.
  • spec/classes/mod/security_spec.rb — make the mod_security_crs package and CRS rule_link expectations conditional on major < 10, and add an explicit RedHat 10 context with hardcoded facts (FacterDB ships no RedHat-named EL10 factset yet, so on_supported_os cannot generate one).

Notes

  • The module does not manage EPEL. RHEL 10 users must enable EPEL themselves to get the mod_security engine package; this is documented in the class @note.
  • OWASP CRS support on EL10 (CRS v4) is tracked separately and is out of scope here.

Checklist

  • 🟢 Spec tests (security_spec.rb, modsec_link_spec.rb, vhost_spec.rb modsec contexts all green; lint + rubocop clean).
  • 🟢 Acceptance tests (engine-only apply on RHEL 10 — to be validated in CI).
  • Manually verified (RHEL 10 catalog compiles with Package[mod_security] present and no mod_security_crs).

PR #2629 (MODULES-11739) marked apache::mod::security unsupported on
RHEL 10 to stop acceptance tests failing on the missing mod_security_crs
package. That was broader than necessary: the ModSecurity engine itself
is available on EL10 via EPEL (2.9.9); only the OWASP CRS rules are the
genuine gap.

Re-scope EL10 support to engine-only:

- params.pp: on EL10 set $modsec_crs_package to undef and
  $modsec_default_rules to []. The engine package (mod_security) still
  installs; CRS is simply not managed. $modsec_crs_path keeps the EL8+
  default since it is only referenced when rules are activated (none on
  EL10).
- security.pp: replace the "Unsupported platforms: RedHat: 10" @note
  with an explanatory engine-only note. This re-enables both the unit
  specs and the existing acceptance test (guarded by
  mod_supported_on_platform?) on RHEL 10. With crs_package undef and
  activated_rules empty, the engine-only apply is clean (no CRS package,
  no rule_link symlinks; IncludeOptional globs tolerate the empty dir).
- security_spec.rb: make the mod_security_crs package and CRS rule_link
  expectations conditional on major < 10, and add an explicit RedHat 10
  context with hardcoded facts (FacterDB ships no RedHat-named EL10
  factset yet, so on_supported_os cannot generate one).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@SugatD SugatD marked this pull request as ready for review June 23, 2026 12:23
@SugatD SugatD requested review from a team, bastelfreak, ekohl and smortex as code owners June 23, 2026 12:23
@shubhamshinde360 shubhamshinde360 requested a review from Copilot June 23, 2026 12:56

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Re-scopes apache::mod::security support on RHEL/EL 10 to be engine-only (ModSecurity engine available via EPEL) while leaving OWASP CRS unmanaged due to the missing mod_security_crs package on EL10.

Changes:

  • Adjusts EL10 defaults to avoid managing the CRS package and to activate no default CRS rules.
  • Updates apache::mod::security docs to explain the EL10 engine-only behavior and EPEL prerequisite.
  • Updates unit specs to make CRS expectations conditional and adds an explicit RedHat 10 facts context.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
manifests/params.pp Sets EL10 defaults for CRS package/rules to enable engine-only behavior.
manifests/mod/security.pp Replaces “unsupported” note with an EL10 engine-only/EPEL documentation note.
spec/classes/mod/security_spec.rb Makes CRS expectations conditional and adds a dedicated RedHat 10 context.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread manifests/params.pp
$secpcrematchlimitrecursion = 1500
$modsec_secruleengine = 'On'
if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') <= 0 {
if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '10') >= 0 {
Comment thread manifests/params.pp
$secpcrematchlimitrecursion = 1500
$modsec_secruleengine = 'On'
if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '7') <= 0 {
if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '10') >= 0 {
Comment on lines +36 to +41
if facts[:os]['release']['major'].to_i >= 10
# EL10 ships the engine via EPEL but not the mod_security_crs package.
it { is_expected.not_to contain_package('mod_security_crs') }
else
it { is_expected.to contain_package('mod_security_crs') }
end
Comment on lines +81 to 85
if facts[:os]['release']['major'].to_i >= 10
# EL10 is engine-only (no CRS package), so no rules are activated.
it { is_expected.not_to contain_apache__security__rule_link('rules/crawlers-user-agents.data') }
elsif facts[:os]['release']['major'].to_i <= 7
it { is_expected.to contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') }
@SugatD SugatD merged commit fc68fed into main Jun 26, 2026
23 of 26 checks passed
@SugatD SugatD deleted the MODULES-11851 branch June 26, 2026 04:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants