No new entries in modsec_audit.log for many days after EasyApache run
I ran EasyApache 4 days ago, which resolved the incompatibility between ModRuid2 and ModSecurity.
Now I don't see any new entries in modsec_audit.log since then. There were about 10 default rule match entries this week over the two days before the EasyApache run (not counting the mutex entries).
I think it's unlikely that the rules are not triggered, so I'm concerned.
I don't know how I can test this and trigger a rule match, so I need advice.

To check your mod_security, add the rule:
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
Call your site with: domain.com/
You should get an access denied.
Source: Apache :: Simple check, if your mod_security is working (http://www.apachelounge.com/viewtopic.php?t=2520)

I believe modsecparse.pl (the cPanel cron) empties the audit log pretty regularly.
Most rule sets should trigger something if you go to yourdomain.com/index.php?../../../../../proc/self/environ
If you don't get audit log data, but that does trip something, look at the response code (i.e. 500, 403) and add something like this to /usr/local/apache/conf/modsec2.user.conf:
SecAuditLogRelevantStatus 500
SecAuditLogRelevantStatus is documented here:

In order to resolve the issues with Mod Security and Mod Ruid2, we had to adjust the way Mod Security handles logging. If you install mod_ruid2 and mod_security, the [new] mod_security log location is:
/usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]
This information (and more about changes to Mod Security) can be found here:

That must explain a lot, I think, as I have mod_ruid2 installed, as might be gathered from my original post. But the newly created /usr/local/apache/logs/modsec_audit/ directory is empty. I'm unsure if es2alna's and quizknows's replies have a solution to this problem in light of these changes. The link you provided, cPShavaun, doesn't provide any information about this directory change that might be needed, at least in my case, as the directory is empty. The ModSecurity documentation on the new cPanel documentation site doesn't provide any helpful information either.

When you say you ran EasyApache, did you uninstall Mod Security and then reinstall it, or just run it to update? If you uninstalled and then reinstalled it, EA would have defaulted the Mod Security setting in your httpd.conf file to Off. Just to be certain, you might want to double-check that the setting inside your httpd.conf file for Mod Security didn't get changed when you ran EA. It should look like this:
SecRuleEngine On
If it says SecRuleEngine Off, then change it to SecRuleEngine On. Don't forget to run the distiller and restart Apache after you change that setting:
/usr/local/cpanel/bin/apache_conf_distiller --update
service httpd restart

Yes, thank you Shavaun. SecRuleEngine was Off. I ran EasyApache last week only to update.

Great, I'm glad it fixed the issue! If you run into any further issues with the logging changes, please let us know. I will be updating the Mod Security documentation to be more helpful soon.

So have the issues between RUID2 and ModSecurity finally been straightened out? This would be great news.

Yes, that is correct. EasyApache version 3.24.13 includes the fix for the compatibility issues between Mod Ruid2 and Mod Security. Keep in mind you do need to run EA to update to the latest version for the compatibility issues to be resolved.

Glad to hear that your problem has been solved. mod_ruid2 is good, but I don't suggest working with it on a production server as it's still marked as Experimental.

I only got this in the directory:
/usr/local/apache/logs/modsec_audit/nobody/20140331/20140331-1433
The only entry there is probably from the time when I did 'service httpd status' after restarting Apache on Monday. ModSecurity doesn't like it when I check the status of Apache. :) There should be a lot more entries.

Just to be clear, with SecRuleEngine set to Off, the Mod Security rules are not in effect. So you would have no log entries from the period that it was set to Off. It sounds like the logging is working. If you haven't already, I'd recommend trying the previous suggestions in the thread again now that Mod Security is set to On (or searching for other rules you can add that will provide a convenient way to test the logging). If you are certain that other rules are being triggered but not logged, and you can reproduce the issue, please open a support ticket with us via the following link:

SecRuleEngine was set to Off again when I ran EasyApache in case it might solve this. I'm sure I changed it earlier this week to SecRuleEngine On and ran the distiller and restarted httpd. I'm using Apache 2.4.
cPShavaun (post 1610402) wrote:
> If you are certain that other rules are being triggered but not logged, and you can reproduce the issue, please open a support ticket with us via the following link:

This looked to be an issue with concurrent logging with mod_security according to a cPanel technical analyst; changing it to serial logging solved this (which made creation of the subdirectories possible, if I understand this correctly). But there is still a problem with ModSecurity when running EasyApache just to update, as SecRuleEngine is set to Off. I change it to On and run the distiller:
/usr/local/cpanel/bin/apache_conf_distiller --update
and restart Apache. The next time EasyApache is run, even just to update, SecRuleEngine is set to Off again.

I apologize, I was mistaken about the location of that setting. This entry exists in two locations by default:
SecRuleEngine Off
It is inside the httpd.conf file for the default virtualhost, and set to Off. This ONLY affects the default virtualhost. It is also inside the /usr/local/apache/conf/modsec2.conf file, which EasyApache should be adding as an include file inside your httpd.conf. This is what affects the rest of your domains. I'm very sorry for the confusion.

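The checks the thread arrives at (SecRuleEngine living in both httpd.conf and /usr/local/apache/conf/modsec2.conf, serial audit logging, and the per-user audit tree under /usr/local/apache/logs/modsec_audit) can be scripted so they are quick to repeat after every EasyApache run. This is an added example, not code from the thread or from cPanel; the function names are mine and it builds constructed sample config files and a sample audit tree in a temp directory so it runs offline.

```shell
#!/bin/sh
# Print the SecRuleEngine value from one config file: On, Off, DetectionOnly or "missing".
# The last occurrence wins, mirroring Apache reading directives in order.
modsec_engine_state() {
    v=$(grep -iE '^[[:space:]]*SecRuleEngine[[:space:]]' "$1" 2>/dev/null | tail -n 1 | awk '{print $2}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'missing\n'; fi
}

# Count audit files written under the per-user tree in the last $2 days.
# Layout: <root>/<user>/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-<unique_id>
audit_entries_since() {
    find "$1" -type f -mtime -"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample server layout (temp dir) standing in for the real files
make_sample_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/conf"
    # httpd.conf: default vhost copy of the directive (affects only that vhost)
    cat > "$d/conf/httpd.conf" <<'EOF'
<VirtualHost *:80>
    ServerName default
    SecRuleEngine Off
</VirtualHost>
Include "/usr/local/apache/conf/modsec2.conf"
EOF
    # modsec2.conf: the global copy that applies to all other domains;
    # Serial audit logging is what resolved the empty directory in the thread
    cat > "$d/conf/modsec2.conf" <<'EOF'
SecRuleEngine On
SecAuditLogType Serial
EOF
    # one sample audit entry in the mod_ruid2 per-user layout
    e="$d/modsec_audit/nobody/20140331/20140331-1433"
    mkdir -p "$e"
    : > "$e/20140331-143300-sample_id"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed layout
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_layout)
    for f in "$d/conf/httpd.conf" "$d/conf/modsec2.conf"; do
        printf '%s: SecRuleEngine %s\n' "$f" "$(modsec_engine_state "$f")"
    done
    printf 'audit entries in last 7 days: %s\n' "$(audit_entries_since "$d/modsec_audit" 7)"
    rm -rf "$d"
fi
```

On a real cPanel box, point modsec_engine_state at the live httpd.conf and modsec2.conf and audit_entries_since at /usr/local/apache/logs/modsec_audit; a value other than On in modsec2.conf after an EasyApache update is exactly the symptom the thread describes.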
Archmactrix (post 1608041) wrote:
> I ran EasyApache 4 days ago, which resolved the incompatibility between ModRuid2 and ModSecurity. Now I don't see any new entries in modsec_audit.log since then. There were about 10 default rule match entries this week over the two days before the EasyApache run (not counting the mutex entries). I think it's unlikely that the rules are not triggered, so I'm concerned. I don't know how I can test this and trigger a rule match, so I need advice.
I notice the same on a clean install; on all machines that have ConfigServer ModSecurity Control (cmc) it works OK.

coolice (post 1625291) wrote:
> I notice the same on a clean install; on all machines that have ConfigServer ModSecurity Control (cmc) it works OK.
Hello :) Were you able to review the other posts in this thread to see if any of them helped to answer this question? For instance, here is a snippet from Shavaun's earlier post on this thread:
> If you install mod_ruid2 and mod_security, the [new] mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]
Thank you.