# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.8
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under 
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


#
# Template rules for login/audit rules.
# Uncomment the following lines and specify the path or specific login resource for protection
#
#<LocationMatch "^/(?:(admin|account\/login\.jsp$))">
#
# Identify/Set the UserID name and collection
# Must correctly specify the parameter name that holds the username data (example ARGS:username)
#
#SecRule ARGS:username ".*" "phase:2,id:'981075',t:none,pass,nolog,noauditlog,capture,setvar:session.username=%{TX.0},setuid:%{TX.0}"

#
# Password Complexity Check
# Must correctly specify the parameter name that holds the password data (example ARGS:password)
# The regex below requires 8 length, one upper, one lower, and one number.
#
#SecRule ARGS:password "^(?=[a-zA-Z0-9]*?[A-Z])(?=[a-zA-Z0-9]*?[a-z])(?=[a-zA-Z0-9]*?[0-9])[a-zA-Z0-9]{8,}$" "phase:2,id:'981076',t:none,block,log,msg:'Password does meet complexity requirements.',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-POLICY-%{matched_var_name}=%{matched_var}"

#
# Sanitize the user's password data in the audit logs
# Set the appropriate password parameter name
#SecAction "phase:5,id:'981077',t:none,pass,nolog,sanitiseArg:password"

#</LocationMatch>