New EA4, modruid2 apache jailshell and modsec issue
Because the location of the modsec_audit folder has changed with EA4 to be in the new apache folder under /etc/apache2/logs rather than under /usr/local where it was in EA3, if you use the combination of apache jailshell, modruid2 and EA4, modsecurity can't access the modsec_audit folder to write the audit logs, since it's not mounted in virtfs for the site's user. The modsec rules themselves still work, just the audit logs can't be created.
This is a different issue to the dbm file conflict with ruid2/itk and modsec which I understand is a spiderlabs issue. This issue was introduced with EA4.
I tried all day to find a solution other than disabling apache jailshell or rolling back to EA3 (both of which work for different reasons). Changing SecAuditLogStorageDir in modsec to point back to the old path under /usr/local doesn't work, since the logs folder in there is a symlink to the real folder under /etc. I also tried adding a custom virtfs mount, but they only work as read only. I would guess that if cpanel adds a new virtfs mount for the new apache logs folder under /etc it would solve it, but obviously I can't test that.
Is this a known issue and is there a workaround?
Hello, Internal case EA-4835 is open to address reports of error messages like this when enabling both Mod_Ruid2 and Mod_Security: ModSecurity: Audit log: Failed to create subdirectories: /etc/apache2/logs/modsec_audit
The current workaround is to disable Mod_Security or Mod_Ruid2. I'll provide more information on the status of this case as it becomes available. Thank you.
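Because the rules keep working while the audit trail silently stops, the failure quoted above is worth alerting on. The following is an added example, not part of the thread and not cPanel's or ModSecurity's own code: it scans Apache error-log lines for that message and counts failures per virtual host. The sample lines are constructed, and the trailing "(reason)" and [hostname "..."] fields are assumptions about the usual ModSecurity 2.x log layout, so both are treated as optional.

```python
import re
from collections import Counter

# Message text as quoted in the thread. The "(reason)" suffix and the
# [hostname "..."] field are assumed, so the patterns treat them as optional.
FAIL_RE = re.compile(
    r"ModSecurity: Audit log: Failed to create subdirectories: "
    r"(?P<path>\S+)(?: \((?P<reason>[^)]*)\))?"
)
HOST_RE = re.compile(r'\[hostname "(?P<host>[^"]+)"\]')


def audit_log_failures(lines):
    """Count audit-log write failures per (hostname, reason)."""
    hits = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # rule hits and unrelated errors are ignored
        host = HOST_RE.search(line)
        key = (host.group("host") if host else "unknown",
               m.group("reason") or "unspecified")
        hits[key] += 1
    return hits


# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '[Mon Aug 01 10:00:01 2016] [:error] [pid 1001] [client 192.0.2.10] '
    'ModSecurity: Audit log: Failed to create subdirectories: '
    '/etc/apache2/logs/modsec_audit/alice/20160801/20160801-1000 '
    '(Permission denied) [hostname "alice.example"] [uri "/login"]',
    '[Mon Aug 01 10:00:07 2016] [:error] [pid 1002] [client 192.0.2.11] '
    'ModSecurity: Audit log: Failed to create subdirectories: '
    '/etc/apache2/logs/modsec_audit/alice/20160801/20160801-1000 '
    '(Permission denied) [hostname "alice.example"] [uri "/"]',
    '[Mon Aug 01 10:01:00 2016] [:error] [pid 1003] [client 192.0.2.12] '
    'ModSecurity: Audit log: Failed to create subdirectories: '
    '/etc/apache2/logs/modsec_audit [hostname "bob.example"]',
    '[Mon Aug 01 10:02:00 2016] [:error] [pid 1004] [client 192.0.2.13] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    '[hostname "alice.example"] [uri "/x"]',
]

if __name__ == "__main__":
    for (host, reason), n in audit_log_failures(SAMPLE).most_common():
        print(f"{host}: {n} audit-log write failure(s), reason: {reason}")
```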
Excellent, thank you.
Looks like this is fixed in 58.0.30, although I had to switch all users to normal shell then back to jailshell for it to take effect.
Which part is fixed?
Hello, The resolution for this issue was published with cPanel version 58.0.30: Fixed case CPANEL-8332: ModSecurity now logs events for jailshell users in EA4. This allows ModSecurity to log correctly on systems using EasyApache 4 and cPanel's experimental Apache jailshell. Thank you.
Did it also fix the issue with ModSecurity rules that use initcol, setsid, and setuid not being able to write to the DBM files in /var/cpanel/secdatadir when Apache jailshell and mod_ruid2 are in use?
No, I believe the issue you are referring to is discussed at: ModSecurity + MPM ITK compatibility - inconsistent documentation. Thank you.
Thanks, Michael. The specific post in that thread that mentions what I was inquiring about is this one. What I take home from reading that thread and others is that with EA4, mod_security and mod_ruid2 with the Tweak Settings jailshell Apache are still not completely compatible, even with cPanel 58.0.30, because ModSecurity rules that attempt persistent storage using DBM will fail, though with 58.0.30 the issue with ModSecurity not being able to write to the audit logs is fixed. The discussion over at GitHub makes it sound like the folks at ModSecurity are working on a fix for the persistent storage issue that may be included in ModSecurity 3.