
New EA4, modruid2 apache jailshell and modsec issue

Discussion in 'EasyApache' started by Recifier, Aug 3, 2016.

  1. Recifier

    Recifier Member

    Joined:
    Jan 28, 2015
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Because the location of the modsec_audit folder has changed with EA4 to be in the new Apache folder under /etc/apache2/logs rather than under /usr/local where it was in EA3, if you use the combination of Apache jailshell, mod_ruid2 and EA4, ModSecurity can't access the modsec_audit folder to write the audit logs, since it's not mounted in virtfs for the site's user. The modsec rules themselves still work, just the audit logs can't be created.

    This is a different issue to the DBM file conflict with ruid2/itk and modsec, which I understand is a SpiderLabs issue. This issue was introduced with EA4.

    I tried all day to find a solution other than disabling Apache jailshell or rolling back to EA3 (both of which work for different reasons). Changing SecAuditLogStorageDir in modsec to point back to the old path under /usr/local doesn't work, since the logs folder in there is a symlink to the real folder under /etc. I also tried adding a custom virtfs mount, but they only work as read-only. I would guess that if cPanel adds a new virtfs mount for the new Apache logs folder under /etc it would solve it, but obviously I can't test that.

    Is this a known issue and is there a workaround?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Internal case EA-4835 is open to address reports of error messages like this when enabling both Mod_Ruid2 and Mod_Security:

    Code:
    ModSecurity: Audit log: Failed to create subdirectories: /etc/apache2/logs/modsec_audit

    The current workaround is to disable Mod_Security or Mod_Ruid2. I'll provide more information on the status of this case as it becomes available.

    Thank you.
     
  3. Recifier

    Recifier Member

    Excellent, thank you.
     
  4. Recifier

    Recifier Member

    Looks like this is fixed in 58.0.30, although I had to switch all users to normal shell then back to jailshell for it to take effect.
     
  5. linux4me

    linux4me Member

    Joined:
    Jul 14, 2007
    Messages:
    20
    Likes Received:
    1
    Trophy Points:
    1
    Which part is fixed?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The resolution for this issue was published with cPanel version 58.0.30:

    Fixed case CPANEL-8332: ModSecurity now logs events for jailshell users in EA4.

    This allows ModSecurity to log correctly on systems using EasyApache 4 and cPanel's experimental Apache jailshell.

    Thank you.
     
  7. linux4me

    linux4me Member

    Did it also fix the issue with ModSecurity rules that use initcol, setsid, and setuid not being able to write to the DBM files in /var/cpanel/secdatadir when Apache jailshell and mod_ruid2 are in use?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    No, I believe the issue you are referring to is discussed at:

    ModSecurity + MPM ITK compatibility - inconsistent documentation

    Thank you.
     
  9. linux4me

    linux4me Member

    Thanks, Michael. The specific post in that thread that mentions what I was inquiring about is this one.

    What I take home from reading that thread and others is that with EA4, mod_security and mod_ruid2 with the Tweak Settings jailshell Apache are still not completely compatible, even with cPanel 58.0.30, because ModSecurity rules that attempt persistent storage using DBM will fail, though with 58.0.30 the issue with ModSecurity not being able to write to the audit logs is fixed.

    The discussion over at GitHub makes it sound like the folks at ModSecurity are working on a fix for the persistent storage issue that may be included in ModSecurity 3.
     
    cPanelMichael likes this.
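
An added example, not part of any post in this thread and not cPanel's code: a shell check for the failure described in the first post, where the directory that SecAuditLogStorageDir really resolves to is either not mounted inside the user's jail or is mounted read-only. The jail root `/jail/exampleuser`, the function names and the sample mount table are assumptions made for illustration; the check also assumes the jail is built from mounts under a per-user root.

```shell
#!/bin/sh
# Added example: does a jailed user see the ModSecurity audit directory, and
# can it be written to? Jail root and sample mount table are constructed.

# Print "missing", "ro" or "rw" for host path $1 as seen under jail root $2,
# reading the mount table in $3 (default /proc/mounts). The longest mount
# point that covers the path wins; on a tie the later entry wins.
jail_mount_state() {
    awk -v jail="$2" -v target="$2$1" '
        index($2, jail "/") == 1 &&
        (target == $2 || index(target, $2 "/") == 1) &&
        length($2) >= best { best = length($2); opts = $4 }
        END {
            if (!best) { print "missing"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") { print "ro"; exit }
            print "rw"
        }' "${3:-/proc/mounts}"
}

# Resolve symlinks in the configured SecAuditLogStorageDir first: the jail has
# to expose the real directory, not the path written in the configuration.
# Prints "<resolved path> <state>"; returns 2 if the path cannot be resolved.
audit_dir_state() {
    real=$(readlink -f "$1") || return 2
    printf '%s %s\n' "$real" "$(jail_mount_state "$real" "$2" "$3")"
}

# Constructed mount table (device, mount point, fstype, options, dump, pass).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 /jail/exampleuser/usr ext4 ro,nosuid 0 0
/dev/sda1 /jail/exampleuser/etc/apache2/conf ext4 ro 0 0
/dev/sda1 /jail/exampleuser/var/log/audit-example ext4 rw,nosuid 0 0
EOF
for dir in /etc/apache2/logs/modsec_audit /var/log/audit-example/modsec /usr/share; do
    printf '%-36s %s\n' "$dir" "$(jail_mount_state "$dir" /jail/exampleuser "$sample")"
done
rm -f "$sample"
```

On a live server, call `audit_dir_state` with the configured SecAuditLogStorageDir and the user's real jail root, leaving the third argument off so that `/proc/mounts` is read; a result of `missing` or `ro` matches the "Failed to create subdirectories" error quoted above.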