The Community Forums


need help, No entries found in /usr/local/apache/logs/modsec_audit.log

Discussion in 'Security' started by sean2045, Jul 15, 2012.

  1. sean2045 (Member; cPanel Access Level: Root Administrator)
  2. voshka (Active Member)
    Hi, sean2045

    Please show me what you have configured in
    /usr/local/apache/conf/modsec2.user.conf

    Thanks
     
  3. cPanelTristan (Quality Assurance Analyst, Staff Member; cPanel Access Level: Root Administrator)
    Can you also please check the following log for entries:

    Code:
    tail -500 /usr/local/apache/logs/modsec_debug_log
    If mod_security isn't working, you'll probably see errors in that log file.
     
  4. borgia (Member; cPanel Access Level: Root Administrator)
    Did you test if it is running?

    Code:
    apachectl -t -D DUMP_MODULES

    ...and check if "security2_module" is in the list. Once it is loaded, test in the browser with a directive and check the logs.


    Regards
     
  5. sean2045 (Member; cPanel Access Level: Root Administrator)
    Thank you, guys.

    This is what I have in /usr/local/apache/conf/modsec2.user.conf:

    # ConfigServer ModSecurity whitelist file
    Include /usr/local/apache/conf/modsec2.whitelist.conf

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 50000
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 220621440
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyLimit 220621440
    SecRequestBodyInMemoryLimit 220621440
    LimitRequestBody 0
    LimitRequestBody 25097152
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial
    # ConfigServer ModSecurity whitelist file
    Include /usr/local/apache/conf/modsec2.whitelist.conf
    # ASL/GOTROOT Rules
    Include /usr/local/apache/conf/modsec_rules/*asl*.conf


    There is nothing in the output of tail -500 /usr/local/apache/logs/modsec_debug_log.


    After I run apachectl -t -D DUMP_MODULES:


    core_module (static)
    authn_file_module (static)
    authn_default_module (static)
    authz_host_module (static)
    authz_groupfile_module (static)
    authz_user_module (static)
    authz_default_module (static)
    auth_basic_module (static)
    include_module (static)
    filter_module (static)
    log_config_module (static)
    logio_module (static)
    env_module (static)
    expires_module (static)
    headers_module (static)
    unique_id_module (static)
    setenvif_module (static)
    version_module (static)
    proxy_module (static)
    proxy_connect_module (static)
    proxy_ftp_module (static)
    proxy_http_module (static)
    proxy_scgi_module (static)
    proxy_ajp_module (static)
    proxy_balancer_module (static)
    ssl_module (static)
    mpm_prefork_module (static)
    http_module (static)
    mime_module (static)
    status_module (static)
    autoindex_module (static)
    asis_module (static)
    info_module (static)
    suexec_module (static)
    cgi_module (static)
    negotiation_module (static)
    dir_module (static)
    actions_module (static)
    userdir_module (static)
    alias_module (static)
    rewrite_module (static)
    so_module (static)
    bwlimited_module (shared)
    suphp_module (shared)
    security2_module (shared)
    Syntax OK




    It has security2_module (shared), so it's running? What else is wrong?

    modsecparse.pl is disabled.

    Thanks

    Sean
     
  6. borgia (Member; cPanel Access Level: Root Administrator)
    Do you have those lines:

    in modsec2.conf?

    regards
     
  7. sean2045 (Member; cPanel Access Level: Root Administrator)
    This is what I have in modsec2.conf:

    LoadFile /opt/xml2/lib/libxml2.so
    # LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so
    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"
    </IfModule>
     
  8. voshka (Active Member)
    Your configuration seems to be fine.

    Go to this directory:

    /var/asl/data/audit

    Do you see anything logged there, and is it being updated?

    Also use
    tail -f /usr/local/apache/logs/modsec_audit.log

    Do you see any updates to that file?

    The last thing: have you restarted Apache after installing the rule sets?
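The checks suggested over the last few posts (is security2_module loaded, what does the audit log actually point at, why is the debug log empty) can be run as one script against the DUMP_MODULES output and the modsec2.conf posted above. The following is an added example, not code from this thread or from cPanel or ModSecurity: it reads both as embedded sample text, resolves the relative `logs/modsec_audit.log` from the SecAuditLog directive against the assumed cPanel ServerRoot of /usr/local/apache (which is why the file ends up at /usr/local/apache/logs/modsec_audit.log), fills in the ModSecurity 2.x defaults for directives that are absent (SecAuditEngine Off, SecAuditLogType Serial, SecDebugLogLevel 0, no SecAuditLogRelevantStatus), and lists the settings that would keep the audit log empty.

```python
import re

# Sample inputs, constructed from what was posted in this thread.
# `apachectl -t -D DUMP_MODULES` output, trimmed to the relevant lines.
DUMP_MODULES_OUTPUT = """\
core_module (static)
log_config_module (static)
unique_id_module (static)
so_module (static)
bwlimited_module (shared)
suphp_module (shared)
security2_module (shared)
Syntax OK
"""

# The modsec2.conf as posted (comments dropped). The Include is listed but not
# followed: this script only inspects the text it is handed.
MODSEC2_CONF = """\
LoadFile /opt/xml2/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
"""

SERVER_ROOT = "/usr/local/apache"  # assumed ServerRoot of cPanel's Apache build

# ModSecurity 2.x defaults for directives that are not set.
DEFAULTS = {
    "SecRuleEngine": "Off",
    "SecAuditEngine": "Off",
    "SecAuditLogType": "Serial",
    "SecDebugLogLevel": "0",
}


def loaded_modules(dump_output):
    """Map module name -> 'static' | 'shared' from DUMP_MODULES output."""
    mods = {}
    for line in dump_output.splitlines():
        m = re.match(r"^\s*(\w+)\s+\((static|shared)\)\s*$", line)
        if m:
            mods[m.group(1)] = m.group(2)
    return mods


def directives(conf_text):
    """(name, argument string) pairs in file order, skipping comments and container tags."""
    out = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, args = line.partition(" ")
        out.append((name, args.strip().strip('"')))
    return out


def server_root_relative(path, server_root=SERVER_ROOT):
    """Apache resolves a relative log path against ServerRoot."""
    return path if path.startswith("/") else f"{server_root}/{path}"


def check_modsec(dump_output, conf_text):
    """Effective ModSecurity audit settings for the given module list and config text."""
    found = directives(conf_text)
    conf = dict(DEFAULTS)
    conf.update(found)  # a later occurrence overrides an earlier one, as in Apache
    return {
        "module_loaded": "security2_module" in loaded_modules(dump_output),
        "rule_engine": conf["SecRuleEngine"],
        "audit_engine": conf["SecAuditEngine"],
        "audit_log": server_root_relative(conf["SecAuditLog"]) if "SecAuditLog" in conf else None,
        "audit_log_type": conf["SecAuditLogType"],
        "relevant_status": conf.get("SecAuditLogRelevantStatus"),
        "debug_level": int(conf["SecDebugLogLevel"]),
        # allow rules stop rule processing for matching clients
        "allow_rules": [a for n, a in found if n == "SecRule" and re.search(r"\ballow\b", a)],
    }


def warnings(f):
    """Reasons, from the settings alone, why modsec_audit.log might stay empty."""
    w = []
    if not f["module_loaded"]:
        w.append("security2_module is not loaded")
    if f["rule_engine"] == "Off":
        w.append("SecRuleEngine Off: no rule can match, so nothing is flagged for auditing")
    if f["audit_engine"] == "Off":
        w.append("SecAuditEngine Off: nothing is ever written to the audit log")
    elif f["audit_engine"] == "RelevantOnly" and not f["relevant_status"]:
        w.append("SecAuditEngine RelevantOnly without SecAuditLogRelevantStatus: "
                 "only transactions where a rule with the log action matches are written")
    if f["audit_log_type"] == "Serial":
        w.append(f"SecAuditLogType Serial: every entry goes to {f['audit_log']}; "
                 "SecAuditLogStorageDir is only used by the Concurrent type")
    if f["debug_level"] == 0:
        w.append("SecDebugLogLevel 0: modsec_debug_log stays empty even when rules fire")
    for rule in f["allow_rules"]:
        w.append(f"allow rule ({rule}): test requests from a matching client skip later rules")
    return w


if __name__ == "__main__":
    findings = check_modsec(DUMP_MODULES_OUTPUT, MODSEC2_CONF)
    for key, value in findings.items():
        print(f"{key}: {value}")
    for line in warnings(findings):
        print("warning:", line)
```

Two of the warnings bear directly on the tests proposed above. With the Serial audit log type, SecAuditLogStorageDir (/var/asl/data/audit in the poster's modsec2.user.conf) is never written to, so an empty directory there proves nothing. And the `SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow` line allows any request from the loopback address in phase 2 before the included ASL rules of that phase run, so a test request sent from the server itself will usually produce no audit entry; send the test payload from another host.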
     
  9. sean2045 (Member; cPanel Access Level: Root Administrator)
    There is nothing in /var/asl/data/audit or /usr/local/apache/logs/modsec_audit.log. I restarted Apache and rebooted my server, and still nothing shows up in any of those logs.
     
  10. sean2045 (Member; cPanel Access Level: Root Administrator)
    From /usr/local/apache/logs/error_log:


    [Sun Jul 15 19:15:00 2012] [notice] Graceful restart requested, doing restart
    [Sun Jul 15 19:15:01 2012] [notice] SSL FIPS mode disabled
    [Sun Jul 15 19:15:01 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations
    [Sun Jul 15 20:27:52 2012] [notice] Graceful restart requested, doing restart
    [Sun Jul 15 20:27:53 2012] [notice] SSL FIPS mode disabled
    [Sun Jul 15 20:27:53 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations
    [Sun Jul 15 20:52:49 2012] [notice] caught SIGTERM, shutting down
    [Sun Jul 15 20:52:52 2012] [notice] SSL FIPS mode disabled
    [Sun Jul 15 20:52:52 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
    [Sun Jul 15 20:52:52 2012] [notice] ModSecurity for Apache/2.6.5 (ModSecurity: Open Source Web Application Firewall) configured.
    [Sun Jul 15 20:52:52 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
    [Sun Jul 15 20:52:52 2012] [notice] ModSecurity: PCRE compiled version="8.21"; loaded version="8.21 2011-12-12"
    [Sun Jul 15 20:52:52 2012] [notice] ModSecurity: LIBXML compiled version="2.7.8"
    [Sun Jul 15 20:52:52 2012] [notice] Original server signature: Apache
    [Sun Jul 15 20:52:53 2012] [notice] SSL FIPS mode disabled
    [Sun Jul 15 20:52:53 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations
    [Sun Jul 15 20:53:23 2012] [notice] caught SIGTERM, shutting down
    [Sun Jul 15 20:53:32 2012] [notice] SSL FIPS mode disabled
    [Sun Jul 15 20:53:32 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
    [Sun Jul 15 20:53:32 2012] [notice] ModSecurity for Apache/2.6.5 (ModSecurity: Open Source Web Application Firewall) configured.
    [Sun Jul 15 20:53:32 2012] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
    [Sun Jul 15 20:53:32 2012] [notice] ModSecurity: PCRE compiled version="8.21"; loaded version="8.21 2011-12-12"
    [Sun Jul 15 20:53:32 2012] [notice] ModSecurity: LIBXML compiled version="2.7.8"
    [Sun Jul 15 20:53:32 2012] [notice] Original server signature: Apache
    [Sun Jul 15 20:53:33 2012] [notice] SSL FIPS mode disabled
    [Sun Jul 15 20:53:33 2012] [notice] Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips mod_bwlimited/1.4 Apache configured -- resuming normal operations

    It looks like mod_security is running; what could be wrong?
     
  11. sean2045 (Member; cPanel Access Level: Root Administrator)
    I have a question: since the audit log path is /usr/local/apache/logs/modsec_audit.log,

    where can I find what defines this path?

    After rechecking the configuration guide (Configuring cPanel ModSecurity with Atomic ModSecurity Rules | UKHost4u Blog),

    only this last part is involved: in /usr/local/apache/conf/modsec2.user.conf, add the following

    SecPcreMatchLimit 50000
    SecPcreMatchLimitRecursion 50000
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 220621440
    SecServerSignature Apache
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyLimit 220621440
    SecRequestBodyInMemoryLimit 220621440
    LimitRequestBody 0
    LimitRequestBody 25097152
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial
    # ConfigServer ModSecurity whitelist file
    Include /usr/local/apache/conf/modsec2.whitelist.conf
    # ASL/GOTROOT Rules
    Include /usr/local/apache/conf/modsec_rules/*asl*.conf

    to connect the rules to mod_security.
     
  12. sean2045 (Member; cPanel Access Level: Root Administrator)
    After I submitted a ticket, the problem was solved.

    So, for anyone who has the same problem:

    In modsec2.conf

    LoadFile /opt/xml2/lib/libxml2.so
    # LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so
    <IfModule mod_security2.c>
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"
    </IfModule>

    Change SecAuditEngine RelevantOnly to SecAuditEngine On.


    Sean
     
  13. borgia (Member; cPanel Access Level: Root Administrator)
    I am not using "SecAuditEngine On", and everything "RelevantOnly" is logged. The problem in your case is that you didn't have any "RelevantOnly" events to log at that time.


    regards
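The two views in the last posts (switch to SecAuditEngine On, or keep RelevantOnly because nothing relevant happened) can be checked mechanically. The following is an added example, not code from this thread or from cPanel or ModSecurity. would_audit() models the SecAuditEngine decision in ModSecurity 2.x: On writes every transaction, Off writes none, and RelevantOnly writes only a transaction that a matching rule flagged with the log action (which implies auditlog) or whose response status matches SecAuditLogRelevantStatus, a directive the modsec2.conf posted above does not set. parse_serial_audit_log() reads the Serial-format file that `SecAuditLog logs/modsec_audit.log` produces, so you can confirm that entries really arrive and see which rule produced them. The audit-log entry embedded below is constructed for the example; the addresses, unique id, rule file name, line number and message text are placeholders shaped like real ones, not data from the poster's server.

```python
import re

# Constructed sample entry in ModSecurity's Serial audit-log format, with the
# parts selected by the thread's SecAuditLogParts ABIFHZ. Addresses, unique id,
# rule file name, line number and message are placeholders, not real data.
SAMPLE_AUDIT_LOG = """\
--7b2c1a4f-A--
[15/Jul/2012:21:03:11 +0000] T@M4X38AAAEAAB3KJm0AAAAA 203.0.113.7 51234 198.51.100.10 80
--7b2c1a4f-B--
GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1
Host: www.example.com
User-Agent: curl/7.19.7

--7b2c1a4f-F--
HTTP/1.1 406 Not Acceptable
Content-Length: 363
Content-Type: text/html; charset=iso-8859-1

--7b2c1a4f-H--
Message: Access denied with code 406 (phase 2). Pattern match "union.*select" at ARGS:id. [file "/usr/local/apache/conf/modsec_rules/example_asl_rules.conf"] [line "42"] [msg "SQL injection attempt"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.6.5 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--7b2c1a4f-Z--

"""

PART_MARKER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<client>\S+) (?P<cport>\d+) (?P<server>\S+) (?P<sport>\d+)$"
)


def would_audit(audit_engine, status, rule_logged, relevant_status=None):
    """Does ModSecurity 2.x write this transaction to SecAuditLog?

    rule_logged: a rule whose actions include log (and hence auditlog) matched.
    relevant_status: the SecAuditLogRelevantStatus regex, or None when the
    directive is absent, as in the modsec2.conf posted in this thread.
    """
    engine = audit_engine.lower()
    if engine == "off":
        return False
    if engine == "on":
        return True
    if engine != "relevantonly":
        raise ValueError(f"unknown SecAuditEngine value: {audit_engine}")
    if rule_logged:
        return True
    return bool(relevant_status and re.match(relevant_status, str(status)))


def parse_serial_audit_log(text):
    """Split a Serial audit log into transactions and extract the useful fields."""
    raw = []  # one dict of part letter -> lines per transaction
    current = part = None
    for line in text.splitlines():
        m = PART_MARKER.match(line)
        if m:
            boundary, part = m.groups()
            if part == "A":  # part A opens a new transaction
                current = {"boundary": boundary}
                raw.append(current)
            if current is not None:
                current.setdefault(part, [])
        elif current is not None and part is not None:
            current[part].append(line)
    return [_summarize(parts) for parts in raw]


def _summarize(parts):
    a = PART_A.match((parts.get("A") or [""])[0])
    status_line = (parts.get("F") or [""])[0].split()
    status = int(status_line[1]) if len(status_line) > 1 and status_line[1].isdigit() else None
    h_lines = parts.get("H") or []
    return {
        "id": a.group("uid") if a else None,
        "client": a.group("client") if a else None,
        "request": (parts.get("B") or [""])[0],
        "status": status,
        "messages": [l[len("Message: "):] for l in h_lines if l.startswith("Message: ")],
        "intercepted": any(l.startswith("Action: Intercepted") for l in h_lines),
    }


if __name__ == "__main__":
    for entry in parse_serial_audit_log(SAMPLE_AUDIT_LOG):
        print(entry["id"], entry["client"], entry["status"], entry["request"])
        for msg in entry["messages"]:
            print("  ", msg)
    # A clean request under RelevantOnly with no relevant-status regex: not written.
    print(would_audit("RelevantOnly", 200, False))
```

Switching to SecAuditEngine On, as the ticket advised, is a quick way to prove that the file at the SecAuditLog path is writable and that the module is in the request path, but on a busy shared host it records every transaction, static files included, into one serial file. Once entries are seen arriving, RelevantOnly together with a SecAuditLogRelevantStatus such as "^(?:5|4(?!04))" keeps the blocked and error transactions without the noise.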
     