/var/log/apache2/modsec_audit
I am running through the list of security recommendations in this guide:
to confirm that ModSecurity is enabled for my domain. Everything looks fine, and AFAIK none of the default settings in any of the WHM ModSecurity pages have ever been changed.
The Apache error log shows (the timestamps match the last reboot):
[Sat Aug 24 01:05:09.772388 2019] [:notice] [pid 2645:tid 140642821273568] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Sat Aug 24 01:05:09.790478 2019] [:notice] [pid 2645:tid 140642821273568] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[Sat Aug 24 01:05:09.790498 2019] [:notice] [pid 2645:tid 140642821273568] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Sat Aug 24 01:05:09.790505 2019] [:notice] [pid 2645:tid 140642821273568] ModSecurity: LUA compiled version="Lua 5.1"
[Sat Aug 24 01:05:09.790509 2019] [:notice] [pid 2645:tid 140642821273568] ModSecurity: LIBXML compiled version="2.9.7"
[Sat Aug 24 01:05:09.790513 2019] [:notice] [pid 2645:tid 140642821273568] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Grepping the Apache logs I don't see any other mentions of ModSecurity. Some Googling turned up /var/log/apache2/modsec_audit
dir for, considering it is empty? Should it really be world-writeable? Thank you.
ModSecurity's log file is /var/log/apache2/modsec_audit.log. I can't remember what the directory /var/log/apache2/modsec_audit is for; it seems to be empty on our servers.
The permissions of the modsec_audit directory are 1733 - this is exemplified by the drwx-wx-wt - this is standard on my server as well.

# stat modsec_audit
  File: "modsec_audit"
  Size: 4096        Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d    Inode: 655616    Links: 3
Access: (1733/drwx-wx-wt)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-08-05 21:55:47.000000000 -0500
Modify: 2019-08-05 21:55:47.000000000 -0500
Change: 2019-08-23 09:58:43.737696325 -0500
 Birth: -

d=directory
r=readable
w=writeable
x=executable
t=execute + sticky bit - in this instance it's referring to a directory in which anyone can create a file.

So:
User: drwx
Group: wx
Other: wt

Essentially this means that any user can access the directory to add to files in this folder, which is necessary for the IP counts modsec uses in some of the connection tracking/DDoS prevention they have. The most common user that you'll see creating files in here is nobody if you're using these rules - nobody being the apache user.
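The mode-to-letters mapping and the "anyone can create, only the owner can delete" property of the sticky bit described above can be checked mechanically. The following is an added example (it is not code from this thread, from cPanel or from ModSecurity): it decodes an st_mode the way stat does and flags the one combination that is a real problem, a world-writable directory without the sticky bit. The sample modes are constructed; the first is the 1733 mode reported in the thread, and audit_path() runs the same check on a real directory on the host.

```python
import os
import stat

# Constructed sample modes for illustration. The first is the mode the thread
# reports for /var/log/apache2/modsec_audit ("Access: (1733/drwx-wx-wt)");
# the other two are contrasting directories made up for comparison.
SAMPLE_MODES = {
    "modsec_audit as reported in the thread": stat.S_IFDIR | 0o1733,
    "world-writable without sticky bit": stat.S_IFDIR | 0o0777,
    "private log directory": stat.S_IFDIR | 0o0750,
}

# (bit shift, special-bit flag, letter shown in the execute slot when it is set)
_TRIPLETS = (
    (6, stat.S_ISUID, "s"),  # owner
    (3, stat.S_ISGID, "s"),  # group
    (0, stat.S_ISVTX, "t"),  # other; S_ISVTX is the sticky bit
)


def symbolic_mode(mode):
    """Render an st_mode the way ls -l / stat do, e.g. 0o41733 -> 'drwx-wx-wt'.

    Equivalent to stat.filemode() for files and directories, written out so the
    mapping from octal digits to letters is visible.
    """
    out = "d" if stat.S_ISDIR(mode) else "-"
    for shift, special, letter in _TRIPLETS:
        out += "r" if mode & (4 << shift) else "-"
        out += "w" if mode & (2 << shift) else "-"
        executable = bool(mode & (1 << shift))
        if mode & special:
            # lowercase if the execute bit is also set, uppercase if it is not
            out += letter if executable else letter.upper()
        else:
            out += "x" if executable else "-"
    return out


def audit_directory_mode(mode):
    """Classify a directory mode from a least-privilege point of view."""
    world_writable = bool(mode & stat.S_IWOTH)
    sticky = bool(mode & stat.S_ISVTX)
    if not stat.S_ISDIR(mode):
        verdict = "not a directory"
    elif world_writable and sticky:
        verdict = ("shared drop directory: any user can create files, "
                   "but only a file's owner (or root) can delete or rename it")
    elif world_writable:
        verdict = ("RISK: world-writable without the sticky bit; any user can "
                   "delete or rename other users' files")
    else:
        verdict = "not world-writable"
    return {
        "octal": format(stat.S_IMODE(mode), "04o"),
        "symbolic": symbolic_mode(mode),
        "world_writable": world_writable,
        "sticky": sticky,
        "verdict": verdict,
    }


def audit_path(path):
    """Run the same check against a real directory on this host."""
    return audit_directory_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for label, mode in SAMPLE_MODES.items():
        result = audit_directory_mode(mode)
        print(f"{label}: {result['octal']} {result['symbolic']} -> {result['verdict']}")
```

Run as a script it prints the verdict for each sample; on a cPanel host, audit_path("/var/log/apache2/modsec_audit") should report the shared-drop-directory case, which is the expected state. The case to investigate is a 777 directory under /var/log, since without the sticky bit any local user can remove another user's files there.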
Thanks @cPanelLauren. I'm aware of what the permissions mean, my concern was *why* the dir is world-writable. I can't find it again now, but while investigating this I came across a comment in a config file somewhere on the system which said that directory is created by Apache only in "multi-uid environments". I assume that WHM/CPanel is such an environment (WHM allows creating/managing sites with their own users, though we don't use it for this), and it seems logical that to allow each of those multiple user IDs to write there, the dir must be world-writable. In any case, thank you for confirming your system is the same. It seems perms are as they should be and there is nothing I can do about it.
Hello @dont_panic,
"I came across a comment in a config file somewhere on the system which said that directory is created by Apache only in "multi-uid environments". I assume that WHM/CPanel is such an environment (WHM allows creating/managing sites with their own users, though we don't use it for this)"
cPanel/WHM is indeed a multi-UID environment. This is only present in the event you're using ModSecurity. You noted that you're not using cPanel for creating/managing with separate users; do you host sites or have a use for ModSecurity?
Yes, we're a single-user/site server with a public web application, and see continuous http requests probing for vulnerabilities. My understanding is ModSecurity can detect and filter those, adding a layer of protection.
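The way to confirm that ModSecurity is actually catching those probes, rather than merely loaded, is to read /var/log/apache2/modsec_audit.log mentioned earlier in the thread. The following is an added example, not code from this thread, cPanel or the ModSecurity project: a small parser for ModSecurity 2.x's serial audit-log format (boundary lines of the form --<id>-<section>--, sections A through Z) that summarises which clients were intercepted and which rules fired. The embedded log is constructed: IPs, hostnames, unique ids and the User-Agent string are invented and the rule file paths are placeholders; rule ids 913100 and 949110 are real OWASP CRS 3 rule ids.

```python
import re
from collections import Counter

# Constructed sample in ModSecurity 2.x serial audit-log format
# (/var/log/apache2/modsec_audit.log with SecAuditLogType Serial).
# Two transactions: one intercepted by CRS scanner detection, one that passed.
# IPs, hosts, unique ids and the User-Agent are invented; file paths are placeholders.
SAMPLE_AUDIT_LOG = """\
--3f1a9c2b-A--
[24/Aug/2019:01:07:41 -0500] XWB7QX8AAAEAAAo8H5wAAAAA 203.0.113.5 51234 198.51.100.7 80
--3f1a9c2b-B--
GET /index.php HTTP/1.1
Host: www.example.com
User-Agent: constructed-scanner/1.0

--3f1a9c2b-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
--3f1a9c2b-H--
Message: Warning. Found User-Agent associated with security scanner [file "/path/to/REQUEST-913-SCANNER-DETECTION.conf"] [line "50"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/path/to/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--3f1a9c2b-Z--
--7b2e44d0-A--
[24/Aug/2019:01:07:42 -0500] XWB7Qn8AAAEAAAo8H50AAAAB 192.0.2.44 40022 198.51.100.7 80
--7b2e44d0-B--
GET /about HTTP/1.1
Host: www.example.com

--7b2e44d0-F--
HTTP/1.1 200 OK
--7b2e44d0-H--
Engine-Mode: "ENABLED"
--7b2e44d0-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Section A: [timestamp] unique_id client_ip client_port server_ip server_port
SECTION_A_RE = re.compile(r"^\[([^\]]+)\]\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)")
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')


def parse_audit_log(text):
    """Split a serial audit log into transactions: {"boundary", "sections": {letter: lines}}."""
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, section = m.groups()
            if section == "A":  # every transaction opens with its A section
                current = {"boundary": boundary, "sections": {}}
                transactions.append(current)
            if current is not None:
                current["sections"].setdefault(section, [])
            continue
        if current is not None and section is not None:
            current["sections"][section].append(line)
    return transactions


def summarise_transaction(tx):
    """Extract what a defender checks first: client, request, result, rules that fired."""
    sections = tx["sections"]
    a = SECTION_A_RE.match(sections.get("A", [""])[0])
    request_line = next((l for l in sections.get("B", []) if l.strip()), "")
    status_line = next((l for l in sections.get("F", []) if l.startswith("HTTP/")), "")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    trailer = sections.get("H", [])  # H holds the rule messages and the final action
    messages = [l for l in trailer if l.startswith("Message:")]
    return {
        "timestamp": a.group(1) if a else None,
        "client_ip": a.group(3) if a else None,
        "request": request_line,
        "status": status,
        "rule_ids": [rid for l in messages for rid in RULE_ID_RE.findall(l)],
        "intercepted": any(l.startswith("Action: Intercepted") for l in trailer),
    }


def report(text):
    """Aggregate counts: transactions, interceptions, rules fired, blocked clients."""
    summaries = [summarise_transaction(tx) for tx in parse_audit_log(text)]
    return {
        "total": len(summaries),
        "intercepted": sum(1 for s in summaries if s["intercepted"]),
        "by_rule": Counter(rid for s in summaries for rid in s["rule_ids"]),
        "blocked_clients": Counter(s["client_ip"] for s in summaries if s["intercepted"]),
        "transactions": summaries,
    }


if __name__ == "__main__":
    r = report(SAMPLE_AUDIT_LOG)
    print(f"{r['total']} transactions, {r['intercepted']} intercepted")
    for rid, n in r["by_rule"].most_common():
        print(f"  rule {rid}: {n}")
    for ip, n in r["blocked_clients"].most_common():
        print(f"  blocked client {ip}: {n}")
```

To run it against a real server, replace SAMPLE_AUDIT_LOG with the contents of modsec_audit.log; a by_rule histogram that is dominated by a handful of CRS ids and a blocked_clients list full of repeat offenders is what continuous vulnerability probing looks like from the WAF side. If the file stays empty while the error log shows ModSecurity configured, check that a rule set is actually enabled and that SecAuditEngine is not Off.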