Modsecurity Use SecDataDir to define data directory first

Discussion in 'Security' started by fuzioneer, Apr 7, 2010.

  1. fuzioneer

    fuzioneer Well-Known Member

    I get the above error in Modsec log

    Any ideas on how to stop it?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. fuzioneer

    fuzioneer Well-Known Member

    But AFAIK I do not have ASL installed; in fact, if I run asl -s -f the command is not found.

    I checked and I do have a file: /home/cpeasyapache/src/modsecurity-apache_2.5.9/rules/modsecurity_crs_10_config.conf

    in that file I have the line:
    SecDataDir /tmp
     
  4. saweb

    saweb Member

    Same issues here....

    Here is what I did to 'apparently' resolve this..

    edit modsec2.conf and add:

    SecDataDir /tmp

    Because this file has the directive and it points to /tmp, I assumed I could use the same path.

    /home/cpeasyapache/src/modsecurity-apache_2.5.9/rules/modsecurity_crs_10_config.conf

    However, can someone at cPanel please confirm if this is correct?

    From the modsecurity.org website:

    -----

    SecDataDir

    Description: Path where persistent data (e.g. IP address data, session data, etc) is to be stored.

    Syntax: SecDataDir /path/to/dir

    Example Usage: SecDataDir /usr/local/apache/logs/data

    Processing Phase: N/A

    Scope: Main

    Dependencies/Notes: This directive is needed when initcol, setsid and setuid are used. Must be writable by the web server user.

    -----

    So, what I am asking is whether the SecDataDir should be pointed to /tmp or whether it should be pointed to a place where logs are stored.

    Once I added the directive to modsec2.conf everything *appears* to be working correctly; however, I would hate to *think* that modsec is working when it actually is not.

    Please can someone familiar with cPanel and ModSec on cPanel boxes look into this SecDataDir directive and tell me what it *should* be set to.

    This *issue* only started recently, like a couple of days ago.

    Thanks.
     
  5. Secmas

    Secmas Well-Known Member

    You can't write anything to your modsec2.conf, as this will be overwritten on the next EasyApache that you use. It is better to write the SecDataDir in your modsec2.user.conf; please visit my site http://www.puntapirata.com/ModSec-Updater.php

    The SecDataDir is used by ASL (owners of GotRoot rules) to save in there all the info that their rules generate. They don't store this in a /tmp file; they save the rules info in SecDataDir /var/asl/data/msa and you have to create that directory.

    Also, if you check my site, you will see that there are a lot of commands in the modsec2.user.conf that have to be written as well.

    All this info has been documented in ASL forum atomicorp.com • View topic - Announcing the standalone rule updater and here at
    http://forums.cpanel.net/f185/modsecurity-auto-updater-147745.html

    FYI:
    ASL or GOTROOT needs the following directories to work properly:

    SecUploadDir /var/asl/data/suspicious
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit

    They are used to save all the rules that have been triggered; so, in case you need to check any triggered rule, all the info will be saved there. But, if you set this to work, cPanel will not register any activity on its own Mod Security addon nor will CSF be able to check modsecurity errors.

    If you want to try what I am telling you, you will need to set the following two lines in your modsec2.user.conf (DO IT AT YOUR OWN RISK, I DON'T ASSUME ANY RESPONSIBILITY):

    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Concurrent

    If you set these two lines to work, your WHM MODSECURITY ADDON will not save any modsec activities at all; instead you will be saving all the info in the directories that I mentioned before and they will fill very fast.

    Regards,

    Sergio
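
A check for the question raised in this thread (whether /tmp or a dedicated directory should hold SecDataDir), given here as an added example that is not part of any post and not cPanel or ModSecurity tooling. It reads the active SecDataDir from a config file and verifies that the directory exists, is not world-writable, and, when a numeric uid is supplied, is owned and writable by that uid; the function names and the uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the directory SecDataDir points at.

# Print the path from the last active SecDataDir line in a config file.
# Commented-out lines are ignored; directive names are matched case-insensitively.
secdatadir_from_conf() {
    awk 'tolower($1) == "secdatadir" { gsub(/"/, "", $2); dir = $2 }
         END { if (dir != "") print dir }' "$1"
}

# check_secdatadir DIR [UID]
# Returns 0 if DIR is usable as a private data directory, otherwise:
#   1 = no path given, 2 = not a directory, 3 = world-writable,
#   4 = not owned by UID, or the owner lacks write permission.
check_secdatadir() {
    dir=$1
    want_uid=${2:-}
    [ -n "$dir" ] || { echo "SecDataDir is not set"; return 1; }
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    # -prune keeps find on DIR itself; -perm -0002 matches the "other write" bit.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "$dir: world-writable, shared with every local account"
        return 3
    fi
    if [ -n "$want_uid" ]; then
        # ls -ldn prints: mode links uid gid ...
        owner=$(ls -ldn "$dir" | awk '{ print $3 }')
        if [ "$owner" != "$want_uid" ] ||
           [ -z "$(find "$dir" -prune -perm -0200 -print)" ]; then
            echo "$dir: not owned and writable by uid $want_uid"
            return 4
        fi
    fi
    echo "$dir: ok"
}

# Stand-alone use: sh this_script CONF [UID]
if [ "$#" -ge 1 ]; then
    check_secdatadir "$(secdatadir_from_conf "$1")" "${2:-}"
fi
```

Pass the web server account's numeric uid as the second argument so the "must be writable by the web server user" requirement quoted above is checked as well.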
     