
ModSecurity: Audit log: Failed to create subdirectories

Posted: Wed Jul 03, 2013 8:05 am
by benArrayx

Hi there, I am having a problem getting rid of these errors in the Apache error log:

ModSecurity: Audit log: Failed to create subdirectories: /var/asl/data/audit/20130703/20130703-1247 (Permission denied) [hostname "blah.com"]

I have carefully followed the installation instructions at https://www.atomicorp.com/wiki/index.ph ... ith_cpanel, and also at http://puntapirata.com/How-to-Install-ModSec-Rules.php

Here is my modsec2.user.conf:

Code:

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
SecAuditLogType Concurrent
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 20621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&" 
SecCookieFormat 0
SecRequestBodyLimit 20621440
SecRequestBodyInMemoryLimit 2062144
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# ADD THE FOLLOWING LINE ONLY IF YOU HAVE CXS INSTALLED!
# cxs web script scanning
#SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" "log,auditlog,deny,severity:2,phase:2,t:none,id:'1010101'"

SecAuditLogDirMode 0777
SecAuditLogFileMode 0777

#WORDPRESS BRUTE FORCE LOGIN PROTECTION
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
    # Setup brute force detection. 
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 8 hours, more than 6 login attempts in 1 hour.'"
 
    # Tracking - 302 means that the login was successful and the user is being redirected. in this case we reset the counter to 0
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    
    # 200 means we're staying on the login page, therefore login was unsuccessful. 
    # increment the counter by 1, decrementing it by 1 every hour (60 x 60 = 3600)
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/3600,id:5000137"
    
    # check for > 6 on the counter. if > 6 then set the block flag to prevent further access, 
    # set the block flag to expire in 8 hours (60 * 60 *8 = 28800). reset the counter to 0
    SecRule ip:bf_counter "@gt 6" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=28800,setvar:ip.bf_counter=0"
</Locationmatch>


# ASL/GOTROOT Rules
Include /usr/local/apache/conf/modsec_rules/*asl*.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf

It seems to me that the SecAuditLogDirMode and SecAuditLogFileMode directives are being ignored.

Here is a directory listing for /var/asl/data/audit:

Code:

drwxrwxrwx  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxr-xr-x  5 root     root     4096 Jun 28 17:05 ../
drwxr-xr-x  3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxr-xr-x  3 ben??? bent??? 4096 Jul  1 15:29 20130701/
drwxr-xr-x 15 use???  use???  4096 Jul  2 19:23 20130702/
drwxr-xr-x  6 use???  use???  4096 Jul  3 10:29 20130703/

I have run the following chown commands several times but it does not solve the problem:

Code:

chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*

This updates the directory listing to:

Code:

drwxrwx-w-  6 nobody   nobody   4096 Jul  3 00:55 ./
drwxr-xr-x  5 root     root     4096 Jun 28 17:05 ../
drwxrwx---  3 profi??? profi??? 4096 Jun 28 19:07 20130628/
drwxrwx---  3 ben??? ben??? 4096 Jul  1 15:29 20130701/
drwxrwx--- 15 use???  use???  4096 Jul  2 19:23 20130702/
drwxrwx---  6 use???  use???  4096 Jul  3 10:29 20130703/

New entries still get the same error.

I am using ModSecurity for Apache/2.7.3, on top of cPanel 11.38 with mod_ruid2 enabled.

Any help greatly appreciated!
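
The permission arithmetic behind the listings above, as an added example that is not part of the thread or of ModSecurity's code: under mod_ruid2 each request runs as the site's own account, and the ModSecurity reference manual notes that the process umask can still restrict SecAuditLogDirMode, so a 0777 request under an assumed umask of 022 yields the 0755 directories shown. The uids, the umask and the function names are assumptions made for illustration.

```python
import os
import stat

def effective_mode(requested, umask=0o022):
    """Mode mkdir() really applies: the requested bits minus the umask bits."""
    return requested & ~umask & 0o7777

def can_create_in(mode, owner_uid, owner_gid, uid, gids):
    """POSIX rule: creating an entry needs write AND search (w+x) on the parent,
    taken from exactly one permission class: owner, else group, else other."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if uid == owner_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need

def blocked_dirs(root, uid, gids):
    """Walk an audit tree and list (path, owner uid, octal mode) for every
    directory in which `uid` could not create a new subdirectory or file."""
    blocked = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.stat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        if not can_create_in(mode, st.st_uid, st.st_gid, uid, gids):
            blocked.append((dirpath, st.st_uid, oct(mode)))
    return blocked

# Constructed accounts standing in for the obscured owners in the listing.
NOBODY, SITE_A, SITE_B = 99, 1001, 1002

if __name__ == "__main__":
    # Day directory created by site A with 0777 requested, umask 022 assumed.
    day = effective_mode(0o777)
    print(oct(day), can_create_in(day, SITE_A, SITE_A, SITE_B, {SITE_B}))
    # After the chmod commands in the post: top level 0772, day directory 0770.
    print(can_create_in(0o772, NOBODY, NOBODY, SITE_B, {SITE_B}))
    print(can_create_in(0o770, SITE_A, SITE_A, SITE_B, {SITE_B}))
    # On the server itself (hypothetical uid/gid for the affected site):
    # for row in blocked_dirs("/var/asl/data/audit", 1002, {1002}): print(row)
```

The 0772 case shows why the recursive chmod did not help: write permission without search permission on the top-level directory does not allow another account to create entries in it.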

Re: ModSecurity: Audit log: Failed to create subdirectories

Posted: Thu Jul 04, 2013 3:34 pm
by mikeshinn