Phasing out SecStatusEngine

[vloup]

A small discussion happened on the Slack #project-modsecurity from OWASP where I pointed out that, with TW changing ownership to OWASP of modsecurity, the domain name might need to be transmitted so that the SecStatusEngine option (https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secstatusengine), if this is still used, is still working as expected.

According to @fzipi, this option should be disabled since a long time ago. This has been done in the default config 2 months ago by @airween (https://github.com/owasp-modsecurity/ModSecurity/commit/f850932f83d47a68137ab207e6db0f217152c707).

@dune73 mentioned that this domain will be still in the hands of TW until Summer 2024, and that TW is not having their status engine in operation for quite some time.

That being said, we all pretty much agree that:

• TW status engine will not come back.
• This is now disabled by default, so very little people are going to turn it on.
• This option will not be useful anymore, and will just pollute (if enabled) the DNS.
• This options is not supported in v3 (https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#secstatusengine), and will not be created.
• Functionally, it does not bring anything to the end user.

This is where I'm proposing removal of this option from v2, while knowing this operation should be carefully considered so that no configuration gets broken.

Probably we could first warn about this option being deprecated, following by removing the actual logic while keeping the warning, and finally removing this option altogether from the parsing logic and the documentations.

[airween]

Hi @vloup, thanks for this suggestion. I think this is a useful plan, and a good idea.

[vloup]

I think we can manage to do two steps in one, and that sounds better to me as well:

• Deprecate this option and add a warning message.
• We directly remove all the code related to this option.