Web Policy Compiler

This project is an implementation of a compiler that translates high-level specifications into rules for the ModSecurity module. The Web Policy Compiler is a simple Java-based tool that is distributed as a single jar file.

The project is at an early stage, but already supports transforming some basic building blocks into rules. The concept of building blocks is described below.

This page is about the Web Policy Compiler itself. For an introduction to positive security models and Web Policies/Web Profiles, see for example my recent blog post Abstracting ModSecurity Rules.

Web Policies & Building Blocks

The basic concept of a web policy is a set of properties that describe aspects of the application. All these aspects are contained within a single WebPolicy XML element.

Extending the concept of the Web Profile Language, the compiler provides a set of templates that transform parts of a policy into ModSecurity rules. It is thus an extension of the positive security model approach defined by the Web Profile Language.

The main difference between the two approaches is that I originally intended profiles to be complete descriptions of all resources and facets of a web application. Since that is usually not yet achievable, I started breaking the model down into small fractions, subsequently referred to as building blocks. Each block reflects a partial aspect of a complete positive security model.

For instance, the first step was modifying the rule templates so that rules can be generated without a catch-all rule. This default template is called weak; it generates rules for resources and methods following the positive security model described in my blog post Positive Security Models and ModSecurity. Because there is no catch-all rule, a request that matches none of the generated rules is not blocked: the weak template adds checks to an existing setup rather than enforcing a complete whitelist on its own.

It is intended as the ideal starting point for getting into positive security models with the Web Policy Language and ModSecurity, as it allows positive rules to be included in your setup as additional checks.

Building Blocks

To gain more flexibility, I introduced the concept of basic building blocks: templates that generate rules for only a partial aspect of a web policy.

A good introduction to the use of a first building block, for session tracking, can be found in another blog post, Abstracting ModSecurity Rules. This template is already part of the distributed jar file.

To generate the session tracking rules with this building block (called session), define the session tracker element in your policy (see the blog post) and call the compiler with the -t or --template option:

   java -jar wpc.jar -t session  policy.xml  session.conf

As written in the blog post, I plan to add more specific templates, i.e. building blocks, to this site, which can then be included in local wpc setups to customize your abstract policy environment.

Download

The complete Web Policy Compiler is distributed as a single jar file. Below you find a link to the latest binary release of the web policy compiler.

The jar archive is directly usable; hints for a more convenient setup can be found on the installation page.

Usage

As the jar file contains all necessary classes and defines a main class, it can simply be run from the jar archive by issuing

   java -jar wpc.jar [OPTIONS] input.xml [outfile]

or, if you have followed the install instructions:

   wpc -t session policy.xml session.conf  # in case you set up the wpc script as above

If no output file is given, the compiler writes all generated rules to a file named after the input file, with the ".xml" extension replaced by ".rules". Thus running the command

   java -jar wpc.jar --template session  policy.xml

will result in rules being generated according to the session template. These rules will be written to the file policy.rules.
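The install page mentioned above is not reproduced here, so the following is an added example of what a small "wpc" wrapper script could look like. It is not the project's own script; it only reproduces the behaviour this page documents: the -t/--template and -f/--force-overwrite options, the command lines shown in the Building Blocks and Usage sections, and the default OUTFILE naming (".xml" replaced by ".rules"). The WPC_HOME and WPC_DRY_RUN variables, and the choice to append ".rules" to an input without a .xml suffix, are assumptions of this example.

```shell
#!/bin/sh
# Added example: a hypothetical "wpc" wrapper script around wpc.jar (not the
# project's own install script). Assumed: wpc.jar lives in $WPC_HOME (default:
# current directory); WPC_DRY_RUN=1 prints the java command line instead of
# executing it, so the wrapper can be exercised without a JVM.

# Default output name: replace the ".xml" extension with ".rules", as the
# compiler does. An input without a .xml suffix just gets ".rules" appended
# (assumption; the page does not say what the compiler does in that case).
wpc_default_outfile() {
    case "$1" in
        *.xml) printf '%s\n' "${1%.xml}.rules" ;;
        *)     printf '%s\n' "$1.rules" ;;
    esac
}

# Parse the wrapper's arguments, derive OUTFILE and run (or print) the
# java -jar command. Returns 1 when OUTFILE exists and -f was not given,
# 2 on a usage error.
wpc_run() {
    template=""
    force=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--template)
                [ $# -ge 2 ] || { echo "wpc: $1 needs a TEMPLATE" >&2; return 2; }
                template=$2; shift 2 ;;
            -f|--force-overwrite)
                force=1; shift ;;
            --) shift; break ;;
            -*) echo "wpc: unknown option $1" >&2; return 2 ;;
            *)  break ;;
        esac
    done
    [ $# -ge 1 ] || { echo "usage: wpc [-f] [-t TEMPLATE] INFILE [OUTFILE]" >&2; return 2; }
    infile=$1
    outfile=${2:-$(wpc_default_outfile "$1")}

    # Do not silently replace a ruleset the WAF may already be loading:
    # require an explicit -f, which is then also passed on to the compiler.
    if [ -e "$outfile" ] && [ -z "$force" ]; then
        echo "wpc: $outfile exists; use -f/--force-overwrite to replace it" >&2
        return 1
    fi

    # Assemble the command line in the positional parameters so that file
    # names with spaces survive intact.
    set -- java -jar "${WPC_HOME:-.}/wpc.jar"
    if [ -n "$force" ]; then set -- "$@" --force-overwrite; fi
    if [ -n "$template" ]; then set -- "$@" --template "$template"; fi
    set -- "$@" "$infile" "$outfile"

    if [ "${WPC_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# When installed as a script named "wpc", behave like the command line shown
# on this page, e.g.:  wpc -t session policy.xml session.conf
case "${0##*/}" in
    wpc) wpc_run "$@" ;;
esac
```

Running it as `wpc --template session policy.xml` produces `java -jar ./wpc.jar --template session policy.xml policy.rules`, i.e. the same call as in the Usage section with the derived output name. The overwrite refusal duplicates what the page describes for the compiler's own -f option, but doing it in the wrapper keeps an automated run from touching a deployed .rules file before the JVM is even started.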

Options

Below you find the list of options provided by the web policy compiler, as printed by its help screen:

WebPolicyCompiler

USAGE

         wpc [OPTIONS] INFILE [OUTFILE]
     or           
         java -jar wpc.jar  [OPTIONS] INFILE [OUTFILE]
      

  This is the  WebPolicyCompiler  of jwall.org.  It allows transforming XML 
  based web profiles into ModSecurity rules. The  rule generation is highly
  customizable and  offers  several  alternative types  of rulesets  to  be 
  generated ("scrict", "loose",...).
   
  The  WebPolicyCompiler  is used by calling the "wpc" skript and specifying
  an XML file that is to  be compiled.  Additionally the wpc skript provides
  some options for rule generation:
  

OPTIONS
  
  The WebPolicyCompiler  provides some options for adjusting the generation
  of ModSecurity rules:
  
    -h, --help     This simply prints this help screen and exits.
    
    -v, --version  Print version and exit.
    
    -f, --force-overwrite 
    
        Forces the compiler to overwrite any existing files. This might be 
        useful if the compiler is run automatically.
    
    -t TEMPLATE, --template TEMPLATE
    
        Use a specific template for rule generation. TEMPLATE can either be
        an URL referencing a template file or an alias, which is separately 
        defined in the properties file.
        For details, see:  http://www.jwall.org/web/policy/wpc.html
                 
        The default setup of the  WebPolicyCompiler  provides the templates 
        "strict" and "weak", the later being the default template.
                   
    -l, --list-templates
    
        This prints out a list of all templates and aliases currently known
        to the WebPolicyCompiler. 
                   
  The INFILE  is the XML file to compile, the optional OUTFILE will contain 
  the rules.  If OUTFILE  is not given, it will be  determined by replacing
  "xml" with "rules" in the INFILE name.