ModSecurity: Audit log: Failed to create subdirectories #1

Closed
benArrayx opened this Issue · 2 comments


@benArrayx

Hi there, I'm running mod_ruid 0.9.7 on Apache 2.2 with ModSecurity 2.7.3 and the GotRoot/Atomicorp delayed ruleset, all on cPanel 11.38. I am unable to get ModSecurity to successfully log its activities, since mod_ruid is causing audit directories and logs to be created with the username of the running process, and more importantly with permissions for that user only, overriding a specific setting in the ModSecurity conf for audit folders and logs to be created world-writable.

I have documented my setup here: https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1

Is there any way that mod_ruid can be configured or patched such that it can work with ModSecurity?

Regards, Ben

@mind04
Owner

This is not a mod_ruid2 problem. Mod_ruid2 is only doing its job...

The problem is that mod_security creates file handles/directories for logging during a request (which is wrong), and these are owned by the current user and group. If mod_security did its logging in the special ap_hook_log_transaction() hook, there would be no problem with permissions, as mod_ruid2 switches back to the default user before this hook is called.

Maybe you can work around the problem if you make the log directory group writable for apache and add apache to R_Groups for every user.

@mind04 mind04 closed this
@benArrayx

Hi Kees, many thanks for that.

I followed your suggestion, however the folders are still being created with owner-only write permissions:

drwxr-xr-x 2 usets usets 4096 Jul 10 16:43 20130710-1643/

As you can see there's a new folder every minute.

Therefore even if the user is in a common group with other users, the other users still can't write to that folder.

I have the ModSec directives regarding permissions set as follows:

SecAuditLogDirMode 0777
SecAuditLogFileMode 0777

Do you have any other suggestions, or should I go over to the ModSecurity forums?!
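
The listing in the last comment shows `drwxr-xr-x` even though 0777 is configured. The following is an added example, not code from the thread participants, mod_ruid2 or ModSecurity: it shows how a 0777 directory request ends up as `drwxr-xr-x` under a umask of 022, and lists audit subdirectories that would defeat the group-writable workaround. That the umask is what filters the mode here is an assumption; the function names and the temporary paths are constructed.

```shell
#!/bin/sh
# Added example with constructed paths; function names are hypothetical.
# Assumption: the audit directory is created by mkdir(2) with the mode
# requested in SecAuditLogDirMode, so the process umask still applies.

# Create directory $1 under umask $2 and print its permission string.
# Plain mkdir (no -m) requests 0777 and the kernel clears the umask bits,
# which models a 0777 request passed through the process umask.
mode_after_mkdir() {
    ( umask "$2" && mkdir "$1" ) || return 1
    ls -ld "$1" | cut -c1-10
}

# List subdirectories of audit root $1 that are not group-writable, i.e.
# directories that another account in a shared group cannot write to.
not_group_writable() {
    find "$1" -mindepth 1 -type d ! -perm -020
}

demo() {
    root=$(mktemp -d) || return 1
    echo "umask 022: $(mode_after_mkdir "$root/20130710-1643" 022)"
    echo "umask 002: $(mode_after_mkdir "$root/20130710-1644" 002)"
    echo "not group-writable:"
    not_group_writable "$root"
    rm -rf "$root"
}
demo
```

Running `not_group_writable` against the real audit log directory (the path set in `SecAuditLogStorageDir`) shows which per-minute directories were created by a process whose effective mask removed group write.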
