ModSecurity: Audit log: Failed to create subdirectories

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
benArrayx
New Forum User
New Forum User
Posts: 1
Joined: Wed Jul 03, 2013 7:53 am
Location: Spain

ModSecurity: Audit log: Failed to create subdirectories

Unread post by benArrayx »

Hi there, I am having a problem getting rid of these errors in the apache error log:

ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20130703/20130703-1247 (Permission denied) [hostname "blah.com"]

I have carefully followed the installation instructions at https://www.atomicorp.com/wiki/index.ph ... ith_cpanel, and also at http://puntapirata.com/How-to-Install-ModSec-Rules.php

Here is my modsec2.user.conf:

Code: Select all

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecAuditLogType Concurrent
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&" 
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# ADD THE FOLLOWING LINE ONLY IF YOU HAVE CXS INSTALLED!
# cxs web script scanning
#SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"

SecAuditLogDirMode 0777
SecAuditLogFileMode 0777

#WORDPRESS BRUTE FORCE LOGIN PROTECTION
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
    # Setup brute force detection. 
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 8 hours, more than 6 login attempts in 1 hour.'"
 
    # Tracking - 302 means that the login was successful and the user is being redirected. in this case we reset the counter to 0
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    
    # 200 means we're staying on the login page, therefore login was unsuccessful. 
    # increment the counter by 1, decrementing it by 1 every hour (60 x 60 = 3600)
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/3600,id:5000137"
    
    # check for > 6 on the counter. if > 6 then set the block flag to prevent further access, 
    # set the block flag to expire in 8 hours (60 * 60 *8 = 28800). reset the counter to 0
    SecRule ip:bf_counter "@gt 6" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=28800,setvar:ip.bf_counter=0"
</Locationmatch>


# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
It seems to me that the SecAuditLogDirMode and SecAuditLogFileMode directives are being ignored.

Here is a directory listing for /var/asl/data/audit:

Code: Select all

drwxrwxrwx  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxr-xr-x  5 root     root     4096 Jun 28 17:05 ../
drwxr-xr-x  3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxr-xr-x  3 ben??? bent??? 4096 Jul  1 15:29 20130701/
drwxr-xr-x 15 use???  use???  4096 Jul  2 19:23 20130702/
drwxr-xr-x  6 use???  use???  4096 Jul  3 10:29 20130703/
I have run the following chown commands several times but it does not solve the problem:

Code: Select all

chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
This updates the directory listing to:

Code: Select all

drwxrwx-w-  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxr-xr-x  5 root     root     4096 Jun 28 17:05 ../
drwxrwx---  3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxrwx---  3 ben??? ben??? 4096 Jul  1 15:29 20130701/
drwxrwx--- 15 use???  use???  4096 Jul  2 19:23 20130702/
drwxrwx---  6 use???  use???  4096 Jul  3 10:29 20130703/
New entries still get the same error

I am using ModSecurity for Apache/2.7.3, on top of cPanel 11.38 with mod_ruid2 enabled.

Any help greatly appreciated!
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ModSecurity: Audit log: Failed to create subdirectories

Unread post by mikeshinn »

Post Reply