No new entries in modsec_audit.log for many days after EasyApache run

Archmactrix

Well-Known Member
Jan 20, 2012
138
2
68
cPanel Access Level
Root Administrator
I did run EasyApache 4 days ago, that resolved incompatibility between ModRuid2 and ModSecurity.

Now I don't see any new entries in the modsec_audit.log since then. There were about 10 default rule matches entries this week over two days before the easyapache run (not counting the mutex entries).

I think it's unlikely that the rules are not triggered, so I'm concerned.

I don't know how I can test this and trigger a rule match, so I need advice.
 

es2alna

Well-Known Member
Mar 30, 2014
67
0
6
Egypt
cPanel Access Level
Root Administrator

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I believe modsecparse.pl (the cPanel cron) empties the audit log pretty regularly.

Most rule sets should trigger something if you go to

yourdomain.com/index.php?../../../../../proc/self/environ

If you don't get audit log data, but that does trip something, look at the response code (i.e. 500, 403) and add something like this to /usr/local/apache/conf/modsec2.user.conf

SecAuditLogRelevantStatus 500

SecAuditLogRelevantStatus is documented here:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLogRelevantStatus
 

Shavaun

Well-Known Member
Aug 15, 2013
106
0
91
cPanel Access Level
Root Administrator
In order to resolve the issues with Mod Security and Mod Ruid2, we had to adjust the way Mod Security handles logging.

If you install mod_ruid2 and mod_security, the [new] mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]

This information (and more about changes to Mod Security) can be found here:
http://documentation.cpanel.net/display/EA/Apache+Module:+ModSecurity
 

Archmactrix

Well-Known Member
Jan 20, 2012
138
2
68
cPanel Access Level
Root Administrator
That must explain a lot I think as I have mod_ruid2 installed as might be gathered from my original post.

But the newly created /usr/local/apache/logs/modsec_audit/ directory is empty. :confused:

I'm unsure if es2alna and quizknows replies have a solution to this problem in light of these changes.

The link you provided cPShavaun doesn't provide any information about this directory change that might be needed, at least in my case, as the directory is empty. The modsecurity documentation on the new cPanel documentation site doesn't provide any helpful information either.
 

Shavaun

Well-Known Member
Aug 15, 2013
106
0
91
cPanel Access Level
Root Administrator
When you say you ran EasyApache, did you uninstall Mod Security and then reinstall it, or just run it to update? If you uninstalled and then reinstalled it, EA would have defaulted the Mod Security setting in your httpd.conf file to be set to Off.

Just to be certain, you might want to double check to make sure that the setting inside your httpd.conf file for Mod Security didn't get changed when you ran EA.

It should look like this:

<IfModule mod_security2.c>
SecRuleEngine On
</IfModule>


If it says SecRuleEngine Off, then change it to SecRuleEngine On.

Don't forget to run the distiller, and restart Apache after you change that setting:
/usr/local/cpanel/bin/apache_conf_distiller --update
service httpd restart
 
Last edited:

Shavaun

Well-Known Member
Aug 15, 2013
106
0
91
cPanel Access Level
Root Administrator
Great, I'm glad it fixed the issue! If you run into any further issues with the logging changes, please let us know.

I will be updating the Mod Security documentation to be more helpful soon.
 

Shavaun

Well-Known Member
Aug 15, 2013
106
0
91
cPanel Access Level
Root Administrator
Yes, that is correct. EasyApache version 3.24.13 includes the fix for the compatibility issues between Mod Ruid2 and Mod Security.

Keep in mind you do need to run EA to update to the latest version for the compatibility issues to be resolved.
 

Archmactrix

Well-Known Member
Jan 20, 2012
138
2
68
cPanel Access Level
Root Administrator
I only got this in the directory:

/usr/local/apache/logs/modsec_audit/nobody/20140331/20140331-1433

The only entry there is probably from the time when I did 'service httpd status' after restarting apache on monday. Modsecurity doesn't like it when I check the status of apache. :)

There should be a lot more entries.
 

Shavaun

Well-Known Member
Aug 15, 2013
106
0
91
cPanel Access Level
Root Administrator
Just to be clear, with SecRuleEngine set to Off, the Mod Security rules are not in effect. So you would have no log entries from the period that it was set to Off.

It sounds like the logging is working. If you haven't already, I'd recommend trying the previous suggestions in the thread again now that Mod Security is set to On (or searching for other rules you can add that will provide a convenient way to test the logging).

If you are certain that other rules are being triggered but not logged, and you can reproduce the issue, please open a support ticket with us via the following link:

http://go.cpanel.net/supportrequest
 

Archmactrix

Well-Known Member
Jan 20, 2012
138
2
68
cPanel Access Level
Root Administrator
SecRuleEngine was set to Off again when I ran easyapache in case it might solve this. I'm sure I changed it earlier this week to SecRuleEngine On and running the distiller and restarting httpd.

I'm using Apache 2.4

If you are certain that other rules are being triggered but not logged, and you can reproduce the issue, please open a support ticket with us via the following link:

http://go.cpanel.net/supportrequest
I think I'm going to open a support ticket.

Update:

Ticked support ID:
4769001
 
Last edited:

Archmactrix

Well-Known Member
Jan 20, 2012
138
2
68
cPanel Access Level
Root Administrator
This looked to be an issue with concurrent logging with mod_security according to cPanel technical analyst, changing it to serial logging solved this (which made creation of subdirectories possible if I understand this correctly).

But there is still a problem with modsecurity when running EasyApache and just to update, as SecRuleEngine is set to Off. I change it to On and run the distiller:

/usr/local/cpanel/bin/apache_conf_distiller --update

and restart apache.

Next time EasyApache is run, and just to update, the SecRuleEngine is set to Off again.
 

Shavaun

Well-Known Member
Aug 15, 2013
106
0
91
cPanel Access Level
Root Administrator
I apologize, I was mistaken about the location of that setting.
This entry exists in two locations by default:

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

It is inside the httpd.conf file for the default virtualhost, and set to Off. This ONLY affects the default virtualhost.

It is also inside the /usr/local/apache/conf/modsec2.conf file, which EasyApache should be adding as an include file inside your httpd.conf. This is what affects the rest of your domains.

I'm very sorry for the confusion.
 
Last edited:

coolice

Registered
Mar 2, 2014
4
0
1
cPanel Access Level
Root Administrator
I did run EasyApache 4 days ago, that resolved incompatibility between ModRuid2 and ModSecurity.

Now I don't see any new entries in the modsec_audit.log since then. There were about 10 default rule matches entries this week over two days before the easyapache run (not counting the mutex entries).

I think it's unlikely that the rules are not triggered, so I'm concerned.

I don't know how I can test this and trigger a rule match, so I need advice.
notice the same on a clean install, on all machines that have ConfigServer ModSecurity Control (cmc) it work ok
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
notice the same on a clean install, on all machines that have ConfigServer ModSecurity Control (cmc) it work ok
Hello :)

Were you able to review the other posts to this thread to see if any of them helped to answer this question? For instance, here is a snippet from Shavaun's earlier post on this thread:

If you install mod_ruid2 and mod_security, the [new] mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]
Thank you.