Re: [mod-security-users] mlogc and selinux
From: Arthur D. <mis...@bl...> - 2010-08-22 07:53:23
On Sat, 2010-08-21 at 20:21 -0700, Brian Rectanus wrote:
> On Sat, Aug 21, 2010 at 12:54 PM, Arthur Dent
> <mis...@bl...> wrote:
> > On Mon, 2010-08-16 at 10:46 +0100, Arthur Dent wrote:
> >> On Mon, 2010-08-16 at 00:33 -0700, Brian Rectanus wrote:
> >> > On Sun, Aug 15, 2010 at 12:32 PM, Arthur Dent
> >> > <mis...@bl...> wrote:
> >> > > On Sun, 2010-08-15 at 12:25 -0700, Brian Rectanus wrote:
> >> > >> Syntax looks correct. Try adding a "set -x" on a line just after the
> >> > >> #!/bin/sh line which will show all the commands being executed with
> >> > >> vars substituted and may show the issue.
> >> > >>
> >> > >> -B
> >> > >
> >> > > Sorry - that didn't help...
> >> >
> >> > Ahh, but it did :)
> >> >
> >> > >
> >> > > # ./mlogc-strace.sh
> >> > > + REAL_MLOGC=/usr/bin/mlogc
> >> > > + LOGFILE=/tmp/mlogc-strace.log
> >> > > + exec strace -f -e trace=open,close,read,write -s 8192 -o /tmp/mlogc-strace.log
> >> >
> >> > It shows that the email wrapped my script and put the
> >> >
> >> > $REAL_MLOGC "$@"
> >> >
> >> > On a line by itself (ie not executed after the exec), when it was
> >> > supposed to be at the end of the strace line. Try this version with
> >> > the line continuations :)
> >> >
> >> > #!/bin/sh
> >> > REAL_MLOGC=/usr/local/bin/mlogc
> >> > LOGFILE=/tmp/mlogc-strace.log
> >> > exec strace \
> >> > -f -e trace=open,close,read,write \
> >> > -s 8192 -o $LOGFILE \
> >> > $REAL_MLOGC "$@"
> >> >
> >> > -B
> >>
> >> OK - Brilliant!
> >>
> >> Sorry that was my bad. I misunderstood what that line was doing.
> >>
> >> Now. I'm afraid I'm just about to leave for the airport, so I won't have
> >> a chance to try this until I'm back next weekend. I could try to ssh
> >> into my server from an internet cafe somewhere, but there is a very real
> >> possibility that my wife will divorce me. So... I'll report back next
> >> week...
> >
> > Right... Back from my hols...
>
> Hope you had fun.
>
> >
> > OK - So with the line continuations this is what I get...
> >
> > ====================8<=====================================
> >
> > # ./mlogc-strace.sh
> > + REAL_MLOGC=/usr/bin/mlogc
> > + LOGFILE=/tmp/mlogc-strace.log
> > + exec /usr/bin/strace -f -e trace=open,close,read,write -s 8192 -o /tmp/mlogc-strace.log /usr/bin/mlogc
> > ModSecurity Log Collector (mlogc) v2.5.12
> > Usage: mlogc [options] /path/to/the/mlogc.conf
> >
> > Options:
> > -f Force depletion of queue on exit
> > -v Version information
> > -h This help
> >
> > ====================8<=====================================
> >
> >
> > Right - so I change the REAL_MLOGC variable to read:
> > REAL_MLOGC="/usr/bin/mlogc /etc/mlogc.conf"
>
> No, no, that was correct. Don't add the conf file in the file - it is
> already added from the commandline (ie the "$@"). You should have
> run:
>
> ./mlogc-strace.sh /etc/mlogc.conf

OK - That works - but what about the SecAuditlog command? (see below).
How does ModSec know to use mlogc for logging unless the SecAuditlog
command is invoked from modsecurity_crs_10_config.conf - which is where
mlogc is normally started?

I only tried running the script directly from the command line when
restarting apache failed. (calling the wrapper script instead of the
normal call to mlogc in modsecurity_crs_10_config.conf)

>
> > Now the script works, but when used as a wrapper to the original call
> > in /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf (i.e.
> > #SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
> > SecAuditLog "|/root/scripts/testdir/mlogc-strace.sh /etc/mlogc.conf"
> >
> > (where the commented out line is the original call to mlogc) restarting
> > apache fails:
> > # service httpd restart
> > Stopping httpd: [OK]
> > Starting httpd: [FAILED]
> >
> > What should I try next?
>
> Yeah, it added the conf file twice (once in the script and then again
> when "$@" expanded to it :)
>
> >
> > Thanks again for all your help so far.
>
> No prob.
>
> -B
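
The argument handling discussed in this thread, modelled as an added example (it is not part of the original messages or of ModSecurity): `expand_cmd` reproduces how the wrapper's last line, `$REAL_MLOGC "$@"`, expands, and `check_wrapper` is a guard that rejects the double-config case before anything is exec'd. The function names and the guard's exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: how the wrapper's final line, $REAL_MLOGC "$@", becomes argv.

# Print one argv element per line, as exec would receive them.
# $1 = value of REAL_MLOGC, remaining args = what the caller passed ("$@").
expand_cmd() {
    real_mlogc=$1; shift
    # Unquoted on purpose: mirrors the wrapper, so embedded spaces split words.
    set -- $real_mlogc "$@"
    printf '%s\n' "$@"
}

# Count how often the config path ($1) appears in the expanded argv.
count_conf() {
    conf=$1; shift
    expand_cmd "$@" | awk -v c="$conf" '$0 == c { n++ } END { print n + 0 }'
}

# Hypothetical guard for the wrapper: REAL_MLOGC must be a bare path and the
# caller (command line or SecAuditLog pipe) must supply exactly one argument.
check_wrapper() {
    real_mlogc=$1; shift
    case $real_mlogc in
        *" "*)
            echo "REAL_MLOGC must be a path only; pass the config as an argument" >&2
            return 2 ;;
    esac
    if [ "$#" -ne 1 ]; then
        echo "usage: mlogc-strace.sh /path/to/mlogc.conf" >&2
        return 3
    fi
    return 0
}

# Demonstration with the values from the thread.
echo "bare path + config argument:  $(count_conf /etc/mlogc.conf \
    /usr/bin/mlogc /etc/mlogc.conf) config arg(s)"
echo "config baked in + argument:   $(count_conf /etc/mlogc.conf \
    '/usr/bin/mlogc /etc/mlogc.conf' /etc/mlogc.conf) config arg(s)"
echo "bare path, no argument:       $(count_conf /etc/mlogc.conf \
    /usr/bin/mlogc) config arg(s)"
```

The three lines it prints correspond to the working invocation, the doubled config file, and the usage message seen in the thread.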