Modsecurity Use SecDataDir to define data directory first

[fuzioneer]

I get the above error in Modsec log

Any ideas on how to stop it ?

 

[Infopro]

Your problem may be related to this thread over at atomicorp.
atomicorp.com • View topic - ModSecurity: Unable to retrieve collection

 

[fuzioneer]

but afaik i do not have asl installed, in fact if i run asl -s -f the command is not found

I checked and I do have a file: /home/cpeasyapache/src/modsecurity-apache_2.5.9/rules/modsecurity_crs_10_config.conf

in that file I have the line:
SecDataDir /tmp

 

[saweb]

Same issues here....

Here is what I did to 'apparently' resolve this..

edit modsec2.conf and add:

SecDataDir /tmp

Because this file has the directive and it point's to /tmp, i assumed i could use the same path.

/home/cpeasyapache/src/modsecurity-apache_2.5.9/rules/modsecurity_crs_10_config.conf

However, can someone at cPanel please confirm if this is correct?

From the modsecurity.org website:

-----

SecDataDir

Description: Path where persistent data (e.g. IP address data, session data, etc) is to be stored.

Syntax: SecDataDir /path/to/dir

Example Usage: SecDataDir /usr/local/apache/logs/data

Processing Phase: N/A

Scope: Main

Dependencies/Notes: This directive is needed when initcol, setsid an setuid are used. Must be writable by the web server user.

-----

So, what i am asking is whether the SecDataDir should be pointed to /tmp or whether it should be pointed to a place where logs are stored.

Once i added the directive to modsec2.conf everything *appears* to be working correctly, however i would hate to *think* that modsec is working when it actually is not.

Please can someone familiar with cPanel and ModSec on cPanel boxes look into this SecDataDir directive and tell me what it *should* be set to.

This *issue* only started recently, like a couple of days ago.

Thanks.

 

[Secmas]

You can't write anything to your modsec2.conf as this will be over written on the next easyapche that you use. It is better to write the DataSecDir in your modsec2.user.conf, please visit my site http://www.puntapirata.com/ModSec-Updater.php

The DataSecDir is used by ASL (owners of GotRoot rules) to save in there all the info that their rules generate. They don't store this in a /tmp file they save the rules info in SecDataDir /var/asl/data/msa and you have to create that directory.

Also, if you check in my site, you will see that there are a lot of commands in the modsec2.user.conf that has to be written as well.

All this info has been documented in ASL forum atomicorp.com • View topic - Announcing the standalone rule updater and here at
http://forums.cpanel.net/f185/modsecurity-auto-updater-147745.html

FYI:
ASL or GOTROOT needs the following directories to work properly:

SecUploadDir /var/asl/data/suspicious
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit

Them are used to save all the rules that have been triggered; so, in case you need to check any triggered rule, all the info will be saved there. But, if you set this to work, cpanel will not register any activity on his own Mod Security addon nor CSF will be able to check modsecurity errors.

If you want to try what I am telling, you will need to set the following two lines in your modsec2.user.conf (DO IT AT YOUR OWN RISK, I DON'T ASSUME ANY RESPONSABILITY):

SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent

If you set this two lines to work, your WHM MODSECURITY ADDON will not save any modsec activities at all, instead you will be saving all the info in the directories that I mentioned before and they will fill very fast.

Regards,

Sergio