
No new entries in modsec_audit.log for many days after EasyApache run

Discussion in 'Security' started by Archmactrix, Mar 30, 2014.

  1. Archmactrix

    Archmactrix Well-Known Member

    cPanel Access Level:
    Root Administrator
    I ran EasyApache 4 days ago, which resolved the incompatibility between ModRuid2 and ModSecurity.

    Now I don't see any new entries in modsec_audit.log since then. There were about 10 default rule match entries this week, over the two days before the EasyApache run (not counting the mutex entries).

    I think it's unlikely that the rules are not triggered, so I'm concerned.

    I don't know how I can test this and trigger a rule match, so I need advice.
     
  2. es2alna

    es2alna Well-Known Member

    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
  3. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    I believe modsecparse.pl (the cPanel cron) empties the audit log pretty regularly.

    Most rule sets should trigger something if you go to

    yourdomain.com/index.php?../../../../../proc/self/environ

    If you don't get audit log data, but that does trip something, look at the response code (i.e. 500, 403) and add something like this to /usr/local/apache/conf/modsec2.user.conf

    SecAuditLogRelevantStatus 500

    SecAuditLogRelevantStatus is documented here:

    https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLogRelevantStatus
     
  4. Shavaun

    Shavaun Well-Known Member

    cPanel Access Level:
    Root Administrator
    In order to resolve the issues with Mod Security and Mod Ruid2, we had to adjust the way Mod Security handles logging.

    If you install mod_ruid2 and mod_security, the [new] mod_security log location is: /usr/local/apache/logs/modsec_audit/[user]/YYYYMMDD/YYYYMMDD-HHmm/YYYYMMDD-HHmmSS-[unique_id]

    This information (and more about changes to Mod Security) can be found here:
    http://documentation.cpanel.net/display/EA/Apache+Module:+ModSecurity
     
  5. Archmactrix

    Archmactrix Well-Known Member

    cPanel Access Level:
    Root Administrator
    That must explain a lot, I think, as I have mod_ruid2 installed, as might be gathered from my original post.

    But the newly created /usr/local/apache/logs/modsec_audit/ directory is empty. :confused:

    I'm unsure if es2alna's and quizknows' replies have a solution to this problem in light of these changes.

    The link you provided, cPShavaun, doesn't provide any information about this directory change that might be needed, at least in my case, as the directory is empty. The ModSecurity documentation on the new cPanel documentation site doesn't provide any helpful information either.
     
  6. Shavaun

    Shavaun Well-Known Member

    cPanel Access Level:
    Root Administrator
    When you say you ran EasyApache, did you uninstall Mod Security and then reinstall it, or just run it to update? If you uninstalled and then reinstalled it, EA would have defaulted the Mod Security setting in your httpd.conf file to be set to Off.

    Just to be certain, you might want to double check to make sure that the setting inside your httpd.conf file for Mod Security didn't get changed when you ran EA.

    It should look like this:

    <IfModule mod_security2.c>
    SecRuleEngine On
    </IfModule>


    If it says SecRuleEngine Off, then change it to SecRuleEngine On.

    Don't forget to run the distiller, and restart Apache after you change that setting:
    /usr/local/cpanel/bin/apache_conf_distiller --update
    service httpd restart
     
    #6 Shavaun, Mar 31, 2014
    Last edited: Mar 31, 2014
  7. Archmactrix

    Archmactrix Well-Known Member

    cPanel Access Level:
    Root Administrator
    Yes thank you Shavaun,

    SecRuleEngine was Off

    I ran easyapache last week only to update.
     
  8. Shavaun

    Shavaun Well-Known Member

    cPanel Access Level:
    Root Administrator
    Great, I'm glad it fixed the issue! If you run into any further issues with the logging changes, please let us know.

    I will be updating the Mod Security documentation to be more helpful soon.
     
  9. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    So have the issues between RUID2 and ModSecurity finally been straightened out? This would be great news.
     
  10. Shavaun

    Shavaun Well-Known Member

    cPanel Access Level:
    Root Administrator
    Yes, that is correct. EasyApache version 3.24.13 includes the fix for the compatibility issues between Mod Ruid2 and Mod Security.

    Keep in mind you do need to run EA to update to the latest version for the compatibility issues to be resolved.
     
  11. es2alna

    es2alna Well-Known Member

    Location:
    Egypt
    cPanel Access Level:
    Root Administrator
    Glad to hear that your problem has been solved.

    Even though mod_ruid2 is good, I don't suggest working with it on a production server as it's still marked as Experimental.
     
  12. Archmactrix

    Archmactrix Well-Known Member

    cPanel Access Level:
    Root Administrator
    I only got this in the directory:

    /usr/local/apache/logs/modsec_audit/nobody/20140331/20140331-1433

    The only entry there is probably from the time when I did 'service httpd status' after restarting Apache on Monday. ModSecurity doesn't like it when I check the status of Apache. :)

    There should be a lot more entries.
     
  13. Shavaun

    Shavaun Well-Known Member

    cPanel Access Level:
    Root Administrator
    Just to be clear, with SecRuleEngine set to Off, the Mod Security rules are not in effect. So you would have no log entries from the period that it was set to Off.

    It sounds like the logging is working. If you haven't already, I'd recommend trying the previous suggestions in the thread again now that Mod Security is set to On (or searching for other rules you can add that will provide a convenient way to test the logging).

    If you are certain that other rules are being triggered but not logged, and you can reproduce the issue, please open a support ticket with us via the following link:

    http://go.cpanel.net/supportrequest
     
  14. Archmactrix

    Archmactrix Well-Known Member

    cPanel Access Level:
    Root Administrator
    SecRuleEngine was set to Off again when I ran EasyApache in case it might solve this. I'm sure I changed it earlier this week to SecRuleEngine On, ran the distiller and restarted httpd.

    I'm using Apache 2.4

    I think I'm going to open a support ticket.

    Update:

    Ticket support ID:
    4769001
     
    #14 Archmactrix, Apr 4, 2014
    Last edited: Apr 4, 2014
  15. Archmactrix

    Archmactrix Well-Known Member

    cPanel Access Level:
    Root Administrator
    This looked to be an issue with concurrent logging in mod_security according to a cPanel technical analyst; changing it to serial logging solved this (which made the creation of subdirectories possible, if I understand this correctly).

    But there is still a problem with ModSecurity when running EasyApache just to update, as SecRuleEngine gets set to Off. I change it to On and run the distiller:

    /usr/local/cpanel/bin/apache_conf_distiller --update

    and restart apache.

    The next time EasyApache is run, even just to update, SecRuleEngine is set to Off again.
     
  16. Shavaun

    Shavaun Well-Known Member

    cPanel Access Level:
    Root Administrator
    I apologize, I was mistaken about the location of that setting.
    This entry exists in two locations by default:

    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>

    It is inside the httpd.conf file for the default virtualhost, and set to Off. This ONLY affects the default virtualhost.

    It is also inside the /usr/local/apache/conf/modsec2.conf file, which EasyApache should be adding as an include file inside your httpd.conf. This is what affects the rest of your domains.

    I'm very sorry for the confusion.
     
    #16 Shavaun, Apr 11, 2014
    Last edited: Apr 11, 2014
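    Added example, not code from the thread or from cPanel: a check for the two SecRuleEngine locations Shavaun lists in post #16 (httpd.conf for the default virtualhost and /usr/local/apache/conf/modsec2.conf for the other domains) and for the serial-logging setting that resolved post #15 (ModSecurity's SecAuditLogType directive; that it lives in modsec2.conf is an assumption). The sample configs are constructed to match the post-EasyApache state the thread describes, so the script runs without a cPanel server.

```shell
# Added example, not code from the thread or cPanel: audit the two files the
# thread names for SecRuleEngine and the audit-log mode (SecAuditLogType
# Serial/Concurrent, post #15). Sample configs are constructed.
# Effective value of a directive in one file: comments skipped, last wins.
modsec_directive() {    # $1 = file, $2 = directive
    [ -r "$1" ] || { echo "missing"; return 0; }
    awk -v d="$2" '/^[[:space:]]*#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { print (v == "" ? "unset" : v) }' "$1"
}
# 0 when both files enforce rules and modsec2.conf logs serially.
modsec_check() {        # $1 = httpd.conf, $2 = modsec2.conf
    rc=0
    for f in "$1" "$2"; do
        case "$(modsec_directive "$f" SecRuleEngine)" in
            On|DetectionOnly) ;;
            *) echo "$f: SecRuleEngine not On, rules not enforced"; rc=1 ;;
        esac
    done
    [ "$(modsec_directive "$2" SecAuditLogType)" = "Serial" ] ||
        { echo "$2: SecAuditLogType is not Serial"; rc=1; }
    return $rc
}
# Rewrite Off -> On and Concurrent -> Serial. On a real server follow with
# the distiller run and httpd restart from post #6 (not done here).
modsec_fix() {          # $1 = httpd.conf, $2 = modsec2.conf
    for f in "$1" "$2"; do
        sed -e 's/^\([[:space:]]*SecRuleEngine[[:space:]]*\)Off/\1On/' \
            -e 's/^\([[:space:]]*SecAuditLogType[[:space:]]*\)Concurrent/\1Serial/' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}
# Constructed configs in the state the thread describes after an EA update.
CONF_DIR=$(mktemp -d)
cat > "$CONF_DIR/httpd.conf" <<'EOF'
<VirtualHost 203.0.113.10:80>
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>
</VirtualHost>
EOF
cat > "$CONF_DIR/modsec2.conf" <<'EOF'
<IfModule mod_security2.c>
    # SecRuleEngine On
    SecRuleEngine Off
    SecAuditLogType Concurrent
</IfModule>
EOF
modsec_check "$CONF_DIR/httpd.conf" "$CONF_DIR/modsec2.conf" ||
    echo "ModSecurity is effectively disabled; run modsec_fix on these files"
```

    Point the two functions at the real paths from the thread to audit a server; the commented-out line in the sample shows why the check ignores comments rather than grepping for the directive name.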
  17. coolice

    coolice Registered

    cPanel Access Level:
    Root Administrator
    Noticed the same on a clean install; on all machines that have ConfigServer ModSecurity Control (cmc) it works ok.
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Were you able to review the other posts to this thread to see if any of them helped to answer this question? For instance, here is a snippet from Shavaun's earlier post on this thread:

    Thank you.
     