Atomic Secure Linux
 Post subject: ModSecurity: Audit log: Failed to create subdirectories
Posted: Wed Jul 03, 2013 8:05 am
New Forum User

Joined: Wed Jul 03, 2013 7:53 am
Posts: 1
Location: Spain
Hi there, I am having a problem getting rid of these errors in the apache error log:

ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20130703/20130703-1247 (Permission denied) [hostname "blah.com"]

I have carefully followed the installation instructions at https://www.atomicorp.com/wiki/index.ph ... ith_cpanel, and also at http://puntapirata.com/How-to-Install-ModSec-Rules.php

Here is my modsec2.user.conf:

Code:
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecAuditLogType Concurrent
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# ADD THE FOLLOWING LINE ONLY IF YOU HAVE CXS INSTALLED!
# cxs web script scanning
#SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"

SecAuditLogDirMode 0777
SecAuditLogFileMode 0777

#WORDPRESS BRUTE FORCE LOGIN PROTECTION
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
    # Setup brute force detection.
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 8 hours, more than 6 login attempts in 1 hour.'"
 
    # Tracking - 302 means that the login was successful and the user is being redirected. in this case we reset the counter to 0
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
   
    # 200 means we're staying on the login page, therefore login was unsuccessful.
    # increment the counter by 1, decrementing it by 1 every hour (60 x 60 = 3600)
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/3600,id:5000137"
   
    # check for > 6 on the counter. if > 6 then set the block flag to prevent further access,
    # set the block flag to expire in 8 hours (60 * 60 *8 = 28800). reset the counter to 0
    SecRule ip:bf_counter "@gt 6" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=28800,setvar:ip.bf_counter=0"
</Locationmatch>


# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf


It seems to me that the SecAuditLogDirMode and SecAuditLogFileMode directives are being ignored.

Here is a directory listing for /var/asl/data/audit:

Code:
drwxrwxrwx  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxr-xr-x  5 root     root     4096 Jun 28 17:05 ../
drwxr-xr-x  3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxr-xr-x  3 ben??? bent??? 4096 Jul  1 15:29 20130701/
drwxr-xr-x 15 use???  use???  4096 Jul  2 19:23 20130702/
drwxr-xr-x  6 use???  use???  4096 Jul  3 10:29 20130703/


I have run the following chown commands several times but it does not solve the problem:

Code:
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*


This updates the directory listing to:

Code:
drwxrwx-w-  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxr-xr-x  5 root     root     4096 Jun 28 17:05 ../
drwxrwx---  3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxrwx---  3 ben??? ben??? 4096 Jul  1 15:29 20130701/
drwxrwx--- 15 use???  use???  4096 Jul  2 19:23 20130702/
drwxrwx---  6 use???  use???  4096 Jul  3 10:29 20130703/


New entries still get the same error.

I am using ModSecurity for Apache/2.7.3, on top of cPanel 11.38 with mod_ruid2 enabled.

Any help greatly appreciated!


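To see why the chmod runs above do not help, here is an added example (my own code, not from the post or from Atomicorp) that parses listings like the two above and checks, for each vhost user that mod_ruid2 may switch Apache to, whether that user could create the per-day and per-hour subdirectories the concurrent audit log needs. It assumes cPanel's convention that each vhost user's primary group has the same name, and uses constructed names (vhost_a, vhost_b, vhost_c) in place of the redacted owners.

```python
import re

# Constructed listings modelled on the two `ls -l` outputs in the post; the
# redacted owners are replaced with made-up names vhost_a / vhost_b / vhost_c.
BEFORE_CHMOD = """\
drwxrwxrwx  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxr-xr-x  3 vhost_a  vhost_a  4096 Jun 28 19:07 20130628/
drwxr-xr-x  3 vhost_b  vhost_b  4096 Jul  1 15:29 20130701/
drwxr-xr-x 15 vhost_c  vhost_c  4096 Jul  2 19:23 20130702/
drwxr-xr-x  6 vhost_c  vhost_c  4096 Jul  3 10:29 20130703/
"""
AFTER_CHMOD = """\
drwxrwx-w-  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxrwx---  3 vhost_a  vhost_a  4096 Jun 28 19:07 20130628/
drwxrwx---  3 vhost_b  vhost_b  4096 Jul  1 15:29 20130701/
drwxrwx--- 15 vhost_c  vhost_c  4096 Jul  2 19:23 20130702/
drwxrwx---  6 vhost_c  vhost_c  4096 Jul  3 10:29 20130703/
"""

# type, 9 perm chars (+ optional ACL/SELinux marker), links, owner, group, size, date (3 fields), name
LS_LINE = re.compile(r"^([dl-])([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                     r"\s+\S+\s+\d+\s+\S+\s+(\S+)$")

def parse_ls(listing):
    """Map directory name -> (perm, owner, group), in listing order; files are skipped."""
    entries = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if m and m.group(1) == "d":
            entries[m.group(5).rstrip("/")] = (m.group(2), m.group(3), m.group(4))
    return entries

def can_mkdir_inside(entry, user, user_groups):
    """mkdir needs write AND search (x) on the parent, from whichever triplet applies to `user`."""
    perm, owner, group = entry
    triplet = perm[0:3] if user == owner else perm[3:6] if group in user_groups else perm[6:9]
    return triplet[1] == "w" and triplet[2] in ("x", "s", "t")

def audit_report(listing, user, user_groups=()):
    """Return (can `user` create a new YYYYMMDD dir?, day dirs in which `user`
    cannot create the YYYYMMDD-HHMM subdirectory ModSecurity needs)."""
    entries = parse_ls(listing)
    new_day_ok = can_mkdir_inside(entries["."], user, user_groups)
    blocked = [name for name, entry in entries.items()
               if name not in (".", "..") and not can_mkdir_inside(entry, user, user_groups)]
    return new_day_ok, blocked
```

With either listing, any vhost user other than the one that created a day directory is denied inside it, and after the chmod runs even a new day directory cannot be created by users other than the owner nobody (or its group), because others lost search (x) permission on the top-level directory.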
 
 Post subject: Re: ModSecurity: Audit log: Failed to create subdirectories
Posted: Thu Jul 04, 2013 3:34 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3750
Location: Chantilly, VA
https://www.atomicorp.com/wiki/index.ph ... irectories

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

