Re: [mod-security-users] Any good guides to installing modsecurity console?
From: Stephen S. <ss...@gm...> - 2009-03-17 20:42:39
Brian, sorry for the second message. I realized I only replied to you rather than the group. Here's the original response again.

Thanks for the quick responses.

> The ModSecurity Console should be running on port 8888 with SSL enabled.
> You should first verify you can access this port.
>
> Now you need to build/install mlogc, configure mlogc.conf to use the same
> values you used in the modsecurity config (using comments in the example
> file as a guide) as well as user/pass for the sensor. Then configure
> modsecurity to use concurrent audit logging and mlogc as a piped logger for
> SecAuditLog.

The console is up and running. I can navigate to it fine from a browser on the same network (i.e. https://modsecsandbox.byu.edu:8888/). mlogc has been compiled. I set up the username and password in both the mlogc.conf file and in the new sensor created in the console to be identical.

The last step is where we've run into problems. Here are sanitized versions of the conf files:

##########################################################################
# Required configuration
# At a minimum, the items in this section will need to be adjusted to
# fit your environment. The remaining options are optional.
##########################################################################

# Points to the root of the installation. All relative
# paths will be resolved with the help of this path.
CollectorRoot "/var/log/mlogc"

# ModSecurity Console receiving URI. You can change the host
# and the port parts but leave everything else as is.
ConsoleURI "https://127.0.0.1:8888/rpc/auditLogReceiver"

# Sensor credentials
SensorUsername "sandbox"
SensorPassword "sandbox1"

# Base directory where the audit logs are stored. This can be specified
# as a path relative to the CollectorRoot, or a full path.
LogStorageDir "/var/log/mlogc/data"

# Transaction log will contain the information on all log collector
# activities that happen between checkpoints. The transaction log
# is used to recover data in case of a crash (or if Apache kills
# the process).
TransactionLog "mlogc-transaction.log"

# The file where the pending audit log entry data is kept. This file
# is updated on every checkpoint.
QueuePath "mlogc-queue.log"

# The location of the error log.
ErrorLog "mlogc-error.log"

# The location of the lock file.
LockFile "mlogc.lck"

# Keep audit log entries after sending? (0=false 1=true)
# NOTE: This is required to be set in SecAuditLog mlogc config if you
# are going to use a secondary console via SecAuditLog2.
KeepEntries 1

The optional configuration below this point has not been touched.

You'll notice the console URI is the localhost. I'm trying to get a working version on this VM before deploying it to our production server. This VM has apache, the modsecurity module, and the console all running on it.

Here is the relevant part of the modsecurity conf file (if I'm wrong on what's relevant I can supply more):

# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIDEFGHZ
#SecAuditLogType Serial
#SecAuditLog logs/modsec_audit.log
SecAuditLogStorageDir /var/log/mlogc/data/modsec_audit.log
SecAuditLogType Concurrent
SecAuditLog "|/var/log/mlogc/mlogc /var/log/mlogc/mlogc-customized.conf"

Here's the debugging I've done on my end. Before editing the module's conf file for use with mlogc (see the commented-out sections), output went to *apache_dir*/logs/modsec_audit.log. If I typed in:

http://modsecsandbox.byu.edu/?var=<script>This is a test</script>

I could see it in the log file. Now, if I set up as above, do a /etc/init.d/apache2 restart and do

http://modsecsandbox.byu.edu/?var=<script>This is a second test for what happens after modifying the modules conf file</script>

I still see its appropriate log entry in the *apache_dir*/logs/modsec_audit.log file. I don't know why this is, or if there's something I'm missing somewhere.

As for why it's not getting to the console, I thought maybe there was a problem with the pipe command or with my mlogc.conf file. I tried taking a log file and piping it through the exact command to see what I would get, and to see if I could get any data to the console.

cat *apache_dir*/logs/modsec_audit.log | /var/log/mlogc/mlogc /var/log/mlogc/mlogc-customized.conf

There are no errors in the terminal afterwards. Navigating to the modsecurity console web interface still shows zero data. Checking the mlogc-error.log I get the following (edited down to be more concise):

...
[Tue Mar 17 14:28:05 2009] [3] [19397/0] ModSecurity Audit Log Collector 2.5.7 delaying startup for 1000ms
[Tue Mar 17 14:28:06 2009] [3] [19397/0] ModSecurity Audit Log Collector 2.5.7 started.
...
[Tue Mar 17 14:28:07 2009] [2] [19397/97a5b98] Invalid entry (failed to match regex): --16272f51-A--
[Tue Mar 17 14:28:07 2009] [2] [19397/97a5b98] Invalid entry (failed to match regex):
[Tue Mar 17 14:28:07 2009] [2] [19397/97a5b98] Invalid entry (failed to match regex): --e95d0660-Z--
[Tue Mar 17 14:28:07 2009] [2] [19397/97a5ed0] Invalid entry (failed to match regex): GET /?var=%3Cscript%3EThis%20is%20the%20real%20test%20for%20what%20happens%20when%20mod%20script%20is%20configured%20for%20mlogc%3C/script%3E HTTP/1.1
[Tue Mar 17 14:28:07 2009] [2] [19397/97a5ed0] Invalid entry (failed to match regex): --16272f51-B--
[Tue Mar 17 14:28:07 2009] [2] [19397/97a5ed0] Invalid entry (failed to match regex): [17/Mar/2009:14:14:58 --0600] ScAEwn8AAAEAAEsLAWcAAAAA 10.5.13.130 52354 10.5.13.211 80
[Tue Mar 17 14:28:07 2009] [2] [19397/97a66e8] Invalid entry (failed to match regex): Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Tue Mar 17 14:28:07 2009] [2] [19397/97a66e8] Invalid entry (failed to match regex): User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009030422 Ubuntu/8.10 (intrepid) Firefox/3.0.7
[Tue Mar 17 14:28:07 2009] [2] [19397/97a66e8] Invalid entry (failed to match regex): Host: modsecsandbox.byu.edu
[Tue Mar 17 14:28:07 2009] [2] [19397/97b4650] Invalid entry (failed to match regex): Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
[Tue Mar 17 14:28:07 2009] [2] [19397/97b4650] Invalid entry (failed to match regex): Accept-Encoding: gzip,deflate
[Tue Mar 17 14:28:07 2009] [2] [19397/97b4650] Invalid entry (failed to match regex): Accept-Language: en-us,en;q=0.5
[Tue Mar 17 14:28:07 2009] [2] [19397/97b6a70] Invalid entry (failed to match regex): Cookie: JSESSIONID=******************
[Tue Mar 17 14:28:07 2009] [2] [19397/97b6a70] Invalid entry (failed to match regex): Connection: keep-alive
[Tue Mar 17 14:28:07 2009] [2] [19397/97b6a70] Invalid entry (failed to match regex): Keep-Alive: 300
[Tue Mar 17 14:28:07 2009] [2] [19397/97b6d90] Invalid entry (failed to match regex): HTTP/1.1 200 OK
[Tue Mar 17 14:28:07 2009] [2] [19397/97b6d90] Invalid entry (failed to match regex): --16272f51-F--
... (You get the idea I'm sure)
[Tue Mar 17 14:28:07 2009] [3] [19397/0] No more data to read, emptying buffer: End of file found
[Tue Mar 17 14:28:07 2009] [3] [19397/95cbc70] Running final transaction checkpoint.
[Tue Mar 17 14:28:07 2009] [3] [19397/0] ModSecurity Audit Log Collector 2.5.7 terminating normally.

and that's the end of the file. mlogc-queue.log contains an integer and mlogc-transaction.log is empty.

I'm not sure if this is useful to you or not. I have no idea whether piping a log file to mlogc should even work, but it appeared to be what the module's conf file did anyway, so I thought it was worth a try. This has been baffling me for over a week now. Let me know your thoughts, and if you need any more info.

Thank you so much for your help.

Stephen Stroup
College of Life Sciences
Brigham Young University

On Tue, Mar 17, 2009 at 2:06 PM, Brian Rectanus <Bri...@br...> wrote:
>
> Jason Haar wrote:
> > Brian Rectanus wrote:
> >> Now you need to build/install mlogc, configure mlogc.conf to use the
> >> same values you used in the modsecurity config (using comments in the
> >> example file as a guide) as well as user/pass for the sensor. Then
> >> configure modsecurity to use concurrent audit logging and mlogc as a
> >> piped logger for SecAuditLog.
> >>
> > Speaking of which - is there a way to get mlogc working in a chroot
> > environment? Perhaps modsecurity needs a "pipe to unix socket" option -
> > so that mlogc could run on that socket outside the jail instead?
>
> You should be able to do this using socat or similar. Something like
> this (untested):
>
> SecAuditLog "|socat - UNIX-CLIENT:/tmp/.foo"
>
> And somewhere else run the server portion:
>
> socat UNIX-LISTEN:/tmp/.foo,fork \
>     EXEC:'chroot /mychroot /bin/mlogc /etc/mlogc.conf'
>
> Probably would need to add the capability to change uid/gid in mlogc
> code or use su or it would run as root, though.
>
> You could use any protocol that socat supports (pretty endless
> possibilities here).
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html

--
Stephen Stroup
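The "Invalid entry (failed to match regex)" lines in Stephen's mlogc-error.log are what you get when the collector is fed the body of a serial audit log. In concurrent mode the piped SecAuditLog carries one index line per transaction, and the collector then opens the entry file under LogStorageDir; the --16272f51-A-- ... -Z-- parts never pass through the pipe. The Python below is an added example for this thread, not code from the poster, from mlogc or from the ModSecurity project: it checks input lines against an approximation of the ModSecurity 2.x concurrent index format (the regex is mine, not the one mlogc compiles), flags input that is really a serial log, and shows where the collector would look for the entry body, assuming it joins the relative path from the index line onto LogStorageDir. The sample serial entry and the sample index line are constructed; the byte count, entry size, User-Agent and md5 in the index line are made up.

```python
"""Classify what mlogc gets on stdin: concurrent audit-log index lines versus
serial audit-log body lines.  Added example for this thread, not mlogc's code;
the index-line regex is an approximation of the ModSecurity 2.x concurrent
index format, not the pattern mlogc actually compiles."""
import os
import re

# Assumed field order of one index line, as ModSecurity writes it to the
# piped SecAuditLog when SecAuditLogType is Concurrent:
#   host client - - [time] "request" status bytes "referer" "user-agent"
#   unique_id "session" /relative/entry/path offset size md5:hash
INDEX_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) (?P<logname>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<unique_id>\S+) '
    r'"(?P<session>[^"]*)" (?P<path>\S+) (?P<offset>\d+) (?P<size>\d+) '
    r'md5:(?P<md5>[0-9a-f]{32})$'
)

# Part boundaries of a serial audit log entry: --16272f51-A-- ... --16272f51-Z--
BOUNDARY_RE = re.compile(r'^--[0-9a-f]{8}-[A-Z]--$')


def parse_index_line(line):
    """Return the fields of a valid index line, or None for anything else
    (the case mlogc reports as 'Invalid entry (failed to match regex)')."""
    m = INDEX_RE.match(line.rstrip('\r\n'))
    return m.groupdict() if m else None


def entry_file(log_storage_dir, index_path):
    """Where the collector looks for the entry body: the relative path from
    the index line joined onto LogStorageDir (assumption about mlogc).  This
    is why LogStorageDir in mlogc.conf must match SecAuditLogStorageDir."""
    return os.path.join(log_storage_dir, index_path.lstrip('/'))


def classify_input(text):
    """Count accepted and rejected lines and flag input that is a serial
    audit log (part boundaries present, no index line at all)."""
    accepted = rejected = boundaries = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        if parse_index_line(line):
            accepted += 1
        else:
            rejected += 1
            if BOUNDARY_RE.match(line):
                boundaries += 1
    return {
        'accepted': accepted,
        'rejected': rejected,
        'looks_like_serial_log': accepted == 0 and boundaries > 0,
    }


# Constructed sample of a serial modsec_audit.log entry, the kind of file
# the poster piped into mlogc (trimmed to a few parts).
SERIAL_SAMPLE = """--16272f51-A--
[17/Mar/2009:14:14:58 --0600] ScAEwn8AAAEAAEsLAWcAAAAA 10.5.13.130 52354 10.5.13.211 80
--16272f51-B--
GET /?var=%3Cscript%3Ex%3C/script%3E HTTP/1.1
Host: modsecsandbox.byu.edu
--16272f51-F--
HTTP/1.1 200 OK
--16272f51-Z--
"""

# Constructed sample of the index line ModSecurity would write for the same
# transaction in concurrent mode (byte count, size, User-Agent and md5 made up).
INDEX_SAMPLE = (
    'modsecsandbox.byu.edu 10.5.13.130 - - [17/Mar/2009:14:14:58 --0600] '
    '"GET /?var=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 44 "-" "Mozilla/5.0" '
    'ScAEwn8AAAEAAEsLAWcAAAAA "-" '
    '/20090317/20090317-1414/20090317-141458-ScAEwn8AAAEAAEsLAWcAAAAA '
    '0 1523 md5:0123456789abcdef0123456789abcdef\n'
)

if __name__ == '__main__':
    print('serial log :', classify_input(SERIAL_SAMPLE))
    print('index line :', classify_input(INDEX_SAMPLE))
    fields = parse_index_line(INDEX_SAMPLE)
    print('entry body :', entry_file('/var/log/mlogc/data', fields['path']))
```

Run against the serial sample every line is rejected and the input is flagged as a serial log, which is exactly the pattern in the error log above; so `cat modsec_audit.log | mlogc ...` cannot succeed no matter how mlogc.conf is set, and the test of the pipe has to be a real request through Apache with SecAuditLogType Concurrent. The entry_file call also shows the second thing to check under the stated assumption: with LogStorageDir "/var/log/mlogc/data" the collector would open /var/log/mlogc/data/20090317/..., while the posted SecAuditLogStorageDir of /var/log/mlogc/data/modsec_audit.log makes ModSecurity write the entries one directory deeper, so the two directives should be set to the same directory.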