
apache mod_security logs F12

http://forums.fedoraforum.org – A new rpm for mod_security on F12 simplified the rules to get it started. In the conf files the log directives say to specify the path to the dir and make sure it exists. As this dir list shows, there are several. The suggested top dir is /var/log/msa

    # cd /var/log/msa
    [root@Jovette-14 msa]# ls -laZ
    drw-------. apache apache system_u:object_r:var_log_t:s0      .
    drwxr-xr-x. root   root   system_u:object_r:var_log_t:s0      ..
    drwxr-x---. apache apache system_u:object_r:var_log_t:s0      SecAuditLog
    drwxr-x---. apache apache system_u:object_r:var_log_t:s0      SecAuditLogStorageDir
    drwxr-x---. apache apache system_u:object_r:var_log_t:s0      SecDataDir
    drwxr-x---. apache apache unconfined_u:object_r:var_log_t:s0  SecDebugLog
    drwxr-x---. apache apache system_u:object_r:var_log_t:s0      SecTmpDir
    drwxr-x---. apache apache system_u:object_r:var_log_t:s0      SecUploadDir

After starting httpd and doing some web pages, only the SecAuditLog and SecDebugLog had a log file and data. From the next list all looks good, but as the previous list shows, selinux needs some work.

    # ls -l
    total 24
    drwxr-x---. 2 apache apache 4096 2009-11-07 07:24 SecAuditLog
    drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecAuditLogStorageDir
    drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecDataDir
    drwxr-x---. 2 apache apache 4096 2009-11-07 07:36 SecDebugLog
    drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecTmpDir
    drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecUploadDir

To create the dirs I used root and then:

    cd /var/log/msa
    chown -R apache:apache SecAuditLog    (for each dir name)
    chmod 750 SecAuditLog                 (for each dir name)

These two are mutually exclusive (one or the other is used), but I created both to toggle the conf:

    SecDataDir
    SecAuditLogStorageDir

SecTmpDir is defaulted to /tmp - I put it in msa to track it better.

SecUploadDir - this may need to move.

The next list shows the two logs that were created.

    # ls -laZ
    drwxr-x---. apache apache system_u:object_r:var_log_t:s0        .
    drw-------. apache apache system_u:object_r:var_log_t:s0        ..
    -rw-r-----. root   root   unconfined_u:object_r:httpd_log_t:s0  SecAuditLog.log
    [root@Jovette-14 SecAuditLog]# ls -l
    total 56
    -rw-r-----. 1 root root 56203 2009-11-07 07:50 SecAuditLog.log
    [root@Jovette-14 SecAuditLog]# cd ../SecDebugLog
    [root@Jovette-14 SecDebugLog]# ls -laZ
    drwxr-x---. apache apache unconfined_u:object_r:var_log_t:s0    .
    drw-------. apache apache system_u:object_r:var_log_t:s0        ..
    -rw-r-----. root   root   unconfined_u:object_r:httpd_log_t:s0  SecDebugLog.log
    [root@Jovette-14 SecDebugLog]# ls -l
    total 4
    -rw-r-----. 1 root root 1484 2009-11-07 07:37 SecDebugLog.log

The next list is the end of the modsecurity_crs_10_config.conf file that sets the log files. This shows debug and temp. The point here is: YES, the "path/to/logdir" may include the log file name, "path/to/logdir/logfile.log", but you only create the dir, not the log, as apache will create the log. (And as it does, the selinux must be correct.) But temp (non-log) is just a dir/path.

    # Whether to send ModSecurity messages to a separate debug log.
    #
    # Debug messages are very useful for, well, debugging. The default
    # setting here copies (they always appear in the Apache error log)
    # only the most important messages (errors and warnings).
    #
    # NOTE Debug logging is generally very slow. You should never
    # use values greater than "3" in production.
    #
    SecDebugLog /var/log/msa/SecDebugLog/SecDebugLog.log
    SecDebugLogLevel 3

    # Configures the directory where temporary files will be created.
    SecTmpDir /var/log/msa/SecTmpDir/SecTmpDir

Finally the httpd is started, and the memory requirements have also increased, along with the child processes.

    Tasks: 146 total,   1 running, 145 sleeping,   0 stopped,   0 zombie
    Cpu(s):  1.3%us,  1.0%sy,  0.0%ni, 97.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
    Mem:   1027172k total,   942948k used,    84224k free,    48632k buffers
    Swap:  2064376k total,        0k used,  2064376k free,   657428k cached

      PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
    10546 root      20   0 62704  35m 8716 S  0.0  3.6   0:02.17 httpd
    10549 apache    20   0 62704  31m 4020 S  0.0  3.2   0:00.39 httpd
    10555 apache    20   0 62704  31m 4032 S  0.0  3.2   0:00.45 httpd
    10550 apache    20   0 62704  30m 2900 S  0.0  3.0   0:00.11 httpd
    10553 apache    20   0 62704  30m 2900 S  0.0  3.0   0:00.08 httpd
    10556 apache    20   0 62704  30m 2892 S  0.0  3.0   0:00.09 httpd
    10558 apache    20   0 62704  30m 2712 S  0.0  3.0   0:00.12 httpd
    10554 apache    20   0 62704  30m 2704 S  0.0  3.0   0:00.13 httpd
    10552 apache    20   0 62704  30m 2576 S  0.0  3.0   0:00.21 httpd
    10551 apache    20   0 62704  30m 2576 S  0.0  3.0   0:00.20 httpd
    10548 apache    20   0 62624  28m  816 S  0.0  2.8   0:00.00 httpd

Now the questions are how to put it into logrotate and what program to use to process the log information.

SJ
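The post ends by asking what program to use to process the log information. As an added example (not the poster's code and not part of ModSecurity or the Fedora rpm), here is a small Python parser for the ModSecurity 2.x serial audit log, the format written to SecAuditLog.log above, in which each transaction is a run of "--<id>-<letter>--" sections from A (request header summary) to Z (end). It extracts the client address, request line, response status, the rule ids and severities from the H section, and whether the request was intercepted, then counts rule hits per client. The sample log, its addresses, unique ids, rule numbers and file name are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a ModSecurity 2.x serial audit log (two transactions).
# Addresses, unique ids, rule numbers and the rule file name are made up.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[07/Nov/2009:07:24:13 +0000] SviYRX8AAAEAAAzSBaMAAAAA 203.0.113.7 51234 192.0.2.10 80
--a1b2c3d4-B--
GET /index.php?id=1%27%20OR%201=1 HTTP/1.1
Host: www.example.com

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)\\bor\\b" at ARGS:id. [file "/etc/httpd/modsecurity.d/example_rules.conf"] [line "66"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--

--e5f6a7b8-A--
[07/Nov/2009:07:36:02 +0000] SviZcn8AAAEAAAzSBaQAAAAA 198.51.100.4 40000 192.0.2.10 80
--e5f6a7b8-B--
GET /about.html HTTP/1.1
Host: www.example.com

--e5f6a7b8-F--
HTTP/1.1 200 OK

--e5f6a7b8-H--
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [severity "WARNING"]
--e5f6a7b8-Z--
"""

BOUNDARY_RE = re.compile(r'^--([0-9a-f]+)-([A-Z])--$')
# Section A: [timestamp] unique_id client_ip client_port server_ip server_port
HEADER_RE = re.compile(r'^\[([^\]]+)\] (\S+) (\S+) (\d+) (\S+) (\d+)$')
# Key/value tags appended to each "Message:" line, e.g. [id "950901"] [msg "..."]
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def _finish(tx):
    """Reduce the raw section lines of one transaction to the fields worth reporting."""
    s = tx['sections']
    out = {'unique_id': None, 'timestamp': None, 'client_ip': None,
           'request_line': None, 'status': None, 'intercepted': False, 'messages': []}
    if s['A']:
        m = HEADER_RE.match(s['A'][0])
        if m:
            out['timestamp'], out['unique_id'], out['client_ip'] = m.group(1, 2, 3)
    if s['B']:
        out['request_line'] = s['B'][0]           # request line is the first line of B
    if s['F']:
        parts = s['F'][0].split()                  # status line is the first line of F
        if len(parts) >= 2 and parts[1].isdigit():
            out['status'] = int(parts[1])
    for line in s['H']:
        if line.startswith('Message:'):
            out['messages'].append(dict(TAG_RE.findall(line)))
        elif line.startswith('Action: Intercepted'):
            out['intercepted'] = True
    return out


def parse_audit_log(text):
    """Split a serial audit log into transactions; sections other than A/B/F/H are ignored."""
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            boundary, section = m.groups()
            if section == 'A':                                  # A opens a transaction
                current = {'boundary': boundary, 'sections': defaultdict(list)}
            elif section == 'Z' and current is not None:        # Z closes it
                transactions.append(_finish(current))
                current, section = None, None
            continue
        if current is not None and section is not None:
            current['sections'][section].append(line)
    return transactions


def summarize(transactions):
    """Count rule hits per (client_ip, rule_id) and how many requests were blocked."""
    hits = Counter()
    blocked = 0
    for t in transactions:
        blocked += 1 if t['intercepted'] else 0
        for msg in t['messages']:
            hits[(t['client_ip'], msg.get('id', '?'))] += 1
    return hits, blocked


if __name__ == '__main__':
    txs = parse_audit_log(SAMPLE_AUDIT_LOG)
    hits, blocked = summarize(txs)
    print('%d transactions, %d blocked' % (len(txs), blocked))
    for (ip, rule_id), n in hits.most_common():
        print('%-15s rule %s hit %d time(s)' % (ip, rule_id, n))
```

To run it against the real file, replace SAMPLE_AUDIT_LOG with the contents of /var/log/msa/SecAuditLog/SecAuditLog.log. As the listing above shows, apache creates that file as root with mode 0640, so the script has to run as root or be given group read access; the same ownership is what a logrotate "create" line for this file would need to preserve.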