Ben,

Can you try setting it in /etc/profile?
It works for me:

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130720/20130720-1140/20130720-114050-UerZscCoAGUAAFcXJFcAAAAe
194655 4 -rwxrwxrwx 1 www-data www-data 3342 2013-07-22 11:40 /var/log/apache2/20130722/20130722-1140/20130722-114050-UerZscCoAGUAAFcXJFcAAAAe



On Mon, Jul 22, 2013 at 12:07 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno,

I tried:

SecAuditLogDirMode 0000
SecAuditLogFileMode 0000

But on Apache restart I got the following error: “ModSecurity: Invalid value for SecAuditLogDirMode: 0000”. So I reset these 2 values to 0777.

Then I went to /var/asl/data and did

umask 0000

However I’m still getting errors in the Apache log: “ModSecurity: Audit log: Failed to create file: /var/asl/data/audit0722/20130722-0756/20130722-075623-UezXl1nIjfEAAHYWJ@oAAAAK (Permission denied)”

Note that the first website to get an error in each minute creates the audit folder and there are logs for that site. However, any subsequent requests for other websites (and therefore users) get the error above since they don’t have write permissions, e.g.:

drwxr-xr-x  2 use11  use11   4096 Jul 22 07:55 20130722-0755/
drwxr-xr-x  2 use22  use22   4096 Jul 22 07:56 20130722-0756/

Regards, Ben

 

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 21 July 2013 15:59
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

As a test, try setting umask 0000 and check the directory/file permissions. Let me know what happens.

Thanks

Breno

 

On Sun, Jul 21, 2013 at 6:25 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi Breno, thanks for the reply :)

Are you referring to these directives?

SecAuditLogDirMode 0777
SecAuditLogFileMode 0777

As you can see, they’re set up for full perms. However, mod_ruid2 is overriding these directives. The mod_ruid2 developer says that if ModSecurity used the ap_hook_log_transaction() hook this would not happen, since at the time that hook is called mod_ruid2 has returned the process to the nobody user; as such, permissions for nobody would not be an issue.

The mod_ruid2 developer says that this problem is occurring because ModSecurity is not using the ap_hook_log_transaction() hook to write the audit logs, and hence the audit log is being written as the user account relevant to the website being served.

Regards, Ben

 

==============================================================================
= Array[x] =
= professional technical outsourcing =
= www.arrayx.co.uk = = ben@arrayx.co.uk =
= t UK: +44 (0)20 8144 9102 =
= t ES: +34 938 021 278 =
= m ES: +34 667 065 397 =
= Paseig Sant Joan 25 3-1, 08010, Barcelona, Spain =

Array[x] and Profitable Web Projects are trademarks of Profitable Web Projects SL of Passeig Sant Joan 25 3-1, 08010 Barcelona, Spain, which is inscribed in the Mercantile Register of Barcelona; Tomo 40322, Folio 59, Hoja B363676, Company registration number B64798101. This message may contain information that is legally privileged, confidential or exempt from disclosure. If you are not an intended recipient or an employee or agent responsible for delivering this message to an intended recipient, please notify us immediately and permanently destroy this message and any copies you may have. Any dissemination or copying of this message by anyone other than the intended recipient is strictly prohibited. Prices exclude taxes and are valid for one month unless otherwise stated.

 

From: Breno Silva [mailto:breno.silva@gmail.com]
Sent: 20 July 2013 20:46
To: mod-security-developers
Subject: Re: [Mod-security-developers] Compatibility with mod_ruid2

Hello Ben,

Take a look at how your umask is set. Maybe you need to change it to have the permission you want.

Thanks

Breno

 

On Sat, Jul 20, 2013 at 11:04 AM, Ben Empson <ben@arrayx.co.uk> wrote:

Hi there, is there any chance of getting a response on this? This is a critical issue for all users of mod_ruid2 and ModSecurity…

 

Regards, Ben

 


 

From: Ben Empson
Sent: 10 July 2013 18:09
To: 'mod-security-developers@lists.sourceforge.net'
Subject: Compatibility with mod_ruid2

 

Hi there, I'm running mod_ruid 0.9.7 on Apache 2.2 with ModSecurity 2.7.3 and the GotRoot/Atomicorp delayed ruleset, all on cPanel 11.38. I am unable to get ModSecurity to successfully log its activities since mod_ruid is causing audit directories and logs to be created with the username of the running process, and more importantly with permissions for that user only, overriding a specific setting in the ModSecurity conf to create audit folders and logs world-writable.

I have documented my setup here: https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1

I also posted this to the mod_ruid2 forums: https://github.com/mind04/mod-ruid2/issues/1

One of the mod_ruid2 developers has suggested that ModSecurity should be using the special ap_hook_log_transaction() hook, which would mean in my configuration that ModSecurity would try to write its audit logs as nobody, which would not cause permissions issues.

I did follow the suggestion of the developer in terms of “Maybe you can work around the problem if you make the log directory group writable for apache and add apache to R_Groups for every user.” but this did not fix the problem since new log folders are still created without group write permissions.

It seems as though the only possible fix is that ModSecurity uses the ap_hook_log_transaction() hook. It is certain that I’m not the only person suffering this problem: http://www.google.co.uk/search?q=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&{google:acceptedSuggestion}oq=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&sourceid=chrome&ie=UTF-8

Is there any chance of this getting fixed / changed?

Regards, Ben


------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-developers mailing list
mod-security-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
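
The umask behaviour discussed in this thread, as an added example that is not part of the original messages and is not ModSecurity or mod_ruid2 code: it shows how a requested directory mode of 0777 becomes drwxr-xr-x under umask 0022, that a umask change stays inside the process that made it, and how to list minute directories that other users cannot write to. It assumes the audit directories are created by a mkdir call whose mode is masked by the creating process's umask; the function names and directory names are constructed for illustration and only temporary directories are touched.

```shell
#!/bin/sh
# Added example (assumption: directory creation is subject to the process umask).

# Print the permission string (e.g. drwxr-xr-x) of a directory created by a
# plain mkdir, which requests mode 0777, under the umask given as $1.
mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    # Subshell: the umask change is confined to this child process.
    ( umask "$1" && mkdir "$tmp/20130722-0755" )   # constructed sample name
    ls -ld "$tmp/20130722-0755" | cut -c1-10
    rm -rf "$tmp"
}

# umask is a per-process attribute: a child changing its own umask leaves
# the caller's value untouched. Prints the caller's umask afterwards.
umask_after_child_change() {
    ( umask 0000 )
    umask
}

# List subdirectories of audit root $1 that lack the "other" write bit,
# i.e. directories a second, unrelated user could not create files in.
dirs_not_world_writable() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        perms=$(ls -ld "$d" | cut -c1-10)
        case $perms in
            d???????w?) ;;   # other-writable, nothing to report
            *) printf '%s %s\n' "$perms" "$(basename "$d")" ;;
        esac
    done
}

echo "umask 0022 -> $(mode_under_umask 0022)"
echo "umask 0000 -> $(mode_under_umask 0000)"
echo "caller umask after child change: $(umask_after_child_change)"
```

To see the value a running server process actually has, check that process rather than an interactive shell; on Linux kernels 4.7 and later the `Umask:` line in `/proc/<pid>/status` reports it.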

 

