Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Anybody know how to get SecRule to work with mod_security2.c? I kept on getting this error message when I start my apache-2.2.3 server:
...
[truong@gendev-lnx 2.2.3]$ ./restart
Syntax error on line 41 of /home/truong/apache/2.2.3/conf/hole/mod_security2.conf:
Internal Error: Failed to add rule to the ruleset.
httpd not running, trying to start
...
And here is line 41 of my mod_security.conf file:
...
39 # Turn on Rule Engine
40 SecRuleEngine On
41 SecRule REQUEST_URI dirty
...
Is there something I have to turn on (e.g. SecFilterEngine On)?
<IfModule mod_security2.c>
# Maximum request body size we will
# accept for buffering
SecRequestBodyAccess On
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyAccess Off
SecResponseBodyLimit 524288
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
# The name of the audit log file
SecAuditLog logs/modsec_audit.log
# Default action set
SecDefaultAction "deny,log,auditlog,status:403"
# Turn on Rule Engine
SecRuleEngine On
SecRule REQUEST_URI dirty
</IfModule>
Thus, nothing ever got written to my audit logfile.
Yes, indeed.
No, I mean what does *modsec_debug.log* say?
Anyway. With httpd-2.0.46-61 (CentOS) and modsecurity-apache2-2.0.2 (RHEL) modsecurity.conf gets sourced from /etc/httpd/conf.d/ and the modsecurity2 rules are in /etc/httpd/conf.d/modsecurity2/. I added a line "SecRule REQUEST_URI|QUERY_STRING dirty" at the bottom of modsecurity.conf and tripped it with "http://localhost/dirty.rpm" all right. Notice my modsecurity.conf starts with "SecRuleEngine On" and not at the bottom:
Code:
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 1
# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288
SecRule REQUEST_URI|QUERY_STRING dirty
Hello, thanks for your help. By moving the 'SecRuleEngine On' to the top of the configuration file, it works! Apache's error message is so misguided, I would not guess it.
Thanks so much for your help.
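Added example, not code from any poster in this thread: a small Python check that reports the two ways the failing configuration above differs from the working one, namely where `SecRuleEngine` sits among the `Sec*` directives and whether `SecDebugLog` is set at all. The function names and the shortened sample configurations are constructed for illustration, and the ordering check encodes the fix reported in this thread, not a documented ModSecurity requirement.

```python
import re

# Constructed sample: the failing layout from the thread, shortened.
FAILING = """\
<IfModule mod_security2.c>
SecRequestBodyAccess On
SecAuditLog logs/modsec_audit.log
SecDefaultAction "deny,log,auditlog,status:403"
# Turn on Rule Engine
SecRuleEngine On
SecRule REQUEST_URI dirty
</IfModule>
"""

# Constructed sample: the working layout from the reply, shortened.
WORKING = """\
SecRuleEngine On
SecRequestBodyAccess On
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 1
SecAuditLog logs/modsec_audit.log
SecRule REQUEST_URI|QUERY_STRING dirty
"""

DIRECTIVE = re.compile(r"^\s*(Sec[A-Za-z]+)\b")

def sec_directives(conf_text):
    """Return (line_number, name) for each ModSecurity directive; comments are skipped."""
    pairs = ((n, DIRECTIVE.match(line)) for n, line in enumerate(conf_text.splitlines(), 1))
    return [(n, m.group(1)) for n, m in pairs if m]

def lint(conf_text):
    """Report the two differences between the thread's failing and working layouts."""
    directives = sec_directives(conf_text)
    names = [name for _, name in directives]
    findings = []
    # Assumption: "SecRuleEngine first" is the fix reported in the thread, not a documented rule.
    if "SecRuleEngine" not in names:
        findings.append("SecRuleEngine is never set")
    elif names[0] != "SecRuleEngine":
        pos = names.index("SecRuleEngine")
        findings.append(f"line {directives[pos][0]}: SecRuleEngine comes after {pos} other Sec* directive(s)")
    if "SecDebugLog" not in names:
        findings.append("no SecDebugLog directive, so there is no debug log to read")
    return findings

if __name__ == "__main__":
    for label, conf in (("failing", FAILING), ("working", WORKING)):
        print(label, lint(conf) or "ok")
```

The second finding explains why the question about modsec_debug.log could not be answered from the first configuration: it never names a debug log file.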