No new entries in modsec_audit.log for many days after EasyApache run

[Archmactrix]

I did run EasyApache 4 days ago, that resolved incompatibility between ModRuid2 and ModSecurity.

Now I don't see any new entries in the modsec_audit.log since then. There were about 10 default rule matches entries this week over two days before the easyapache run (not counting the mutex entries).

I think it's unlikely that the rules are not triggered, so I'm concerned.

I don't know how I can test this and trigger a rule match, so I need advice.

 

[es2alna]

To check your mod_security, add the rule:

 SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"

Call your site with:
domain.com/

You should get a access denied

Source: Apache :: Simple check, if your mod_security is working

 

[quizknows]

I believe modsecparse.pl (the cPanel cron) empties the audit log pretty regularly.

Most rule sets should trigger something if you go to

yourdomain.com/index.php?../../../../../proc/self/environ

If you don't get audit log data, but that does trip something, look at the response code (i.e. 500, 403) and add something like this to /usr/local/apache/conf/modsec2.user.conf

SecAuditLogRelevantStatus 500

SecAuditLogRelevantStatus is documented here:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLogRelevantStatus

 

[Shavaun]

In order to resolve the issues with Mod Security and Mod Ruid2, we had to adjust the way Mod Security handles logging.

If you install mod_ruid2 and mod_security, the [new] mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]

This information (and more about changes to Mod Security) can be found here:
http://documentation.cpanel.net/display/EA/Apache+Module:+ModSecurity

 

[Archmactrix]

That must explain a lot I think as I have mod_ruid2 installed as might be gathered from my original post.

But the newly created /usr/local/apache/logs/modsec_audit/ directory is empty.

I'm unsure if es2alna and quizknows replies have a solution to this problem in light of these changes.

The link you provided cPShavaun doesn't provide any information about this directory change that might be needed, at least in my case, as the directory is empty. The modsecurity documentation on the new cPanel documentation site doesn't provide any helpful information either.

 

[Shavaun]

When you say you ran EasyApache, did you uninstall Mod Security and then reinstall it, or just run it to update? If you uninstalled and then reinstalled it, EA would have defaulted the Mod Security setting in your httpd.conf file to be set to Off.

Just to be certain, you might want to double check to make sure that the setting inside your httpd.conf file for Mod Security didn't get changed when you ran EA.

It should look like this:

<IfModule mod_security2.c>
SecRuleEngine On
</IfModule>


If it says SecRuleEngine Off, then change it to SecRuleEngine On.

Don't forget to run the distiller, and restart Apache after you change that setting:
/usr/local/cpanel/bin/apache_conf_distiller --update
service httpd restart

 

[Archmactrix]

Yes thank you Shavaun,

SecRuleEngine was Off

I ran easyapache last week only to update.

 

[Shavaun]

Great, I'm glad it fixed the issue! If you run into any further issues with the logging changes, please let us know.

I will be updating the Mod Security documentation to be more helpful soon.

 

[quizknows]

So have the issues between RUID2 and ModSecurity finally been straightened out? This would be great news.

 

[Shavaun]

Yes, that is correct. EasyApache version 3.24.13 includes the fix for the compatibility issues between Mod Ruid2 and Mod Security.

Keep in mind you do need to run EA to update to the latest version for the compatibility issues to be resolved.

 

[es2alna]

Glad to hear that your problem has been solved.

Even the mod_ruid2 is good but I don't suggest working with it on a production server as its still marked as Experimental.

 

[Archmactrix]

I only got this in the directory:

/usr/local/apache/logs/modsec_audit/nobody/20140331/20140331-1433

The only entry there is probably from the time when I did 'service httpd status' after restarting apache on monday. Modsecurity doesn't like it when I check the status of apache.

There should be a lot more entries.

 

[Shavaun]

Just to be clear, with SecRuleEngine set to Off, the Mod Security rules are not in effect. So you would have no log entries from the period that it was set to Off.

It sounds like the logging is working. If you haven't already, I'd recommend trying the previous suggestions in the thread again now that Mod Security is set to On (or searching for other rules you can add that will provide a convenient way to test the logging).

If you are certain that other rules are being triggered but not logged, and you can reproduce the issue, please open a support ticket with us via the following link:

http://go.cpanel.net/supportrequest

 

[Archmactrix]

SecRuleEngine was set to Off again when I ran easyapache in case it might solve this. I'm sure I changed it earlier this week to SecRuleEngine On and running the distiller and restarting httpd.

I'm using Apache 2.4

If you are certain that other rules are being triggered but not logged, and you can reproduce the issue, please open a support ticket with us via the following link:

http://go.cpanel.net/supportrequest

I think I'm going to open a support ticket.

Update:

Ticked support ID:
4769001

 

[Archmactrix]

This looked to be an issue with concurrent logging with mod_security according to cPanel technical analyst, changing it to serial logging solved this (which made creation of subdirectories possible if I understand this correctly).

But there is still a problem with modsecurity when running EasyApache and just to update, as SecRuleEngine is set to Off. I change it to On and run the distiller:

/usr/local/cpanel/bin/apache_conf_distiller --update

and restart apache.

Next time EasyApache is run, and just to update, the SecRuleEngine is set to Off again.

 

[Shavaun]

I apologize, I was mistaken about the location of that setting.
This entry exists in two locations by default:

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

It is inside the httpd.conf file for the default virtualhost, and set to Off. This ONLY affects the default virtualhost.

It is also inside the /usr/local/apache/conf/modsec2.conf file, which EasyApache should be adding as an include file inside your httpd.conf. This is what affects the rest of your domains.

I'm very sorry for the confusion.

 

[coolice]

I did run EasyApache 4 days ago, that resolved incompatibility between ModRuid2 and ModSecurity.

Now I don't see any new entries in the modsec_audit.log since then. There were about 10 default rule matches entries this week over two days before the easyapache run (not counting the mutex entries).

I think it's unlikely that the rules are not triggered, so I'm concerned.

I don't know how I can test this and trigger a rule match, so I need advice.

notice the same on a clean install, on all machines that have ConfigServer ModSecurity Control (cmc) it work ok

 

[cPanelMichael]

notice the same on a clean install, on all machines that have ConfigServer ModSecurity Control (cmc) it work ok

Hello

Were you able to review the other posts to this thread to see if any of them helped to answer this question? For instance, here is a snippet from Shavaun's earlier post on this thread:

If you install mod_ruid2 and mod_security, the [new] mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]

Thank you.