Hello David,
Could you attach the debug.log?
Thanks
Breno
On Fri, Jul 19, 2013 at 9:08 AM, David Guimaraes <sk...@gm...> wrote:
> I had a problem using ModSecurity with nginx. The serial log had the
> following error message: "Audit log: Failed to lock global mutex: Permission
> denied". Breno told me it was because of the serial mode and that the solution
> would be to switch to concurrent mode or to run nginx as root. I did
> that, but then the audit index file and the audit log directory were both empty.
>
> Anyone ever experienced this?
>
> # nginx -V
> nginx version: nginx/1.4.1
> built by gcc 4.7.2 (Debian 4.7.2-5)
> TLS SNI support enabled
> configure arguments:
> --add-module=/usr/src/modsecurity-apache_2.7.4/nginx/modsecurity/
> --add-module=/usr/local/nginx-1.4.1/nginx-upstream-fair/
> --add-module=/usr/local/nginx-1.4.1/nginx-auth-ldap --prefix=/etc/nginx
> --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
> --http-client-body-temp-path=/var/lib/nginx/body
> --http-fastcgi-temp-path=/var/lib/nginx/fastcgi
> --http-log-path=/var/log/nginx/access.log
> --http-proxy-temp-path=/var/lib/nginx/proxy
> --http-scgi-temp-path=/var/lib/nginx/scgi
> --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
> --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid
> --with-pcre-jit --with-debug --with-http_addition_module
> --with-http_dav_module --with-http_geoip_module
> --with-http_gzip_static_module --with-http_image_filter_module
> --with-http_realip_module --with-http_stub_status_module
> --with-http_ssl_module --with-http_sub_module --with-http_xslt_module
> --with-ipv6 --with-sha1=/usr/include/openssl
> --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module
>
> # grep -Ev "^#" /etc/nginx/modsecurity.conf | uniq
>
> SecRuleEngine On
> SecDataDir /tmp/
> SecTmpDir /tmp/
>
> SecDefaultAction "log,deny,phase:1"
>
> SecRequestBodyAccess On
> SecResponseBodyMimeType (null) text/html text/plain text/xml
>
> SecRequestBodyLimit 13107200
> SecRequestBodyNoFilesLimit 131072
>
> SecRequestBodyInMemoryLimit 131072
>
> SecRequestBodyLimitAction ProcessPartial
>
> SecRule REQBODY_ERROR "!@eq 0" "id:'200001', phase:2,t:none,log,deny, \
> status:400,msg:'Failed to parse request
> body.',logdata:'%{reqbody_error_msg}',severity:2"
>
> SecRule FILES_TMPNAMES "@inspectFile /etc/nginx/modsec-clamscan.pl" \
> "id:'200002', t:none,log,block"
>
> SecUploadKeepFiles On
>
> SecUploadFileMode 0640
>
> SecAuditLogType Concurrent
> SecAuditEngine RelevantOnly
> SecAuditLog /var/log/nginx/modsec_audit_concurrent.log
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
>
> SecAuditLogParts ABCDEFGHZ
>
> SecAuditLogStorageDir /var/log/nginx/audit/
>
> # "phase:2,log,deny,status:500"
>
> SecComponentSignature "OWASP_CRS/2.2.8"
>
> SecAction \
> "id:'900001', \
> phase:1, \
> t:none, \
> setvar:tx.critical_anomaly_score=5, \
> setvar:tx.error_anomaly_score=4, \
> setvar:tx.warning_anomaly_score=3, \
> setvar:tx.notice_anomaly_score=2, \
> nolog, \
> pass"
>
> SecAction \
> "id:'900002', \
> phase:1, \
> t:none, \
> setvar:tx.anomaly_score=0, \
> setvar:tx.sql_injection_score=0, \
> setvar:tx.xss_score=0, \
> setvar:tx.inbound_anomaly_score=0, \
> setvar:tx.outbound_anomaly_score=0, \
> nolog, \
> pass"
>
> SecAction \
> "id:'900003', \
> phase:1, \
> t:none, \
> setvar:tx.inbound_anomaly_score_level=5, \
> setvar:tx.outbound_anomaly_score_level=4, \
> nolog, \
> pass"
>
> "id:'900004', \
> phase:1, \
> t:none, \
> setvar:tx.anomaly_score_blocking=on, \
> nolog, \
> pass"
>
> "id:'900005', \
> phase:1, \
> t:none, \
> ctl:ruleEngine=DetectionOnly, \
> setvar:tx.regression_testing=1, \
> nolog, \
> pass"
>
> SecAction \
> "id:'900006', \
> phase:1, \
> t:none, \
> setvar:tx.max_num_args=255, \
> nolog, \
> pass"
>
> "id:'900007', \
> phase:1, \
> t:none, \
> setvar:tx.arg_name_length=100, \
> nolog, \
> pass"
>
> "id:'900008', \
> phase:1, \
> t:none, \
> setvar:tx.arg_length=400, \
> nolog, \
> pass"
>
> "id:'900009', \
> phase:1, \
> t:none, \
> setvar:tx.total_arg_length=64000, \
> nolog, \
> pass"
>
> "id:'900010', \
> phase:1, \
> t:none, \
> setvar:tx.max_file_size=1048576, \
> nolog, \
> pass"
>
> "id:'900011', \
> phase:1, \
> t:none, \
> setvar:tx.combined_file_sizes=1048576, \
> nolog, \
> pass"
>
> SecAction \
> "id:'900012', \
> phase:1, \
> t:none, \
> setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
>
> setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json',
> \
> setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
> setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/
> .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/
> .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/
> .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/
> .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/
> .webinfo/ .xsd/ .xsx/', \
> setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/
> /Content-Range/ /Translate/ /via/ /if/', \
> nolog, \
> pass"
>
> "id:'900013', \
> phase:1, \
> t:none, \
> setvar:tx.csp_report_only=1, \
> setvar:tx.csp_report_uri=/csp_violation_report, \
> setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.
> yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com;
> script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
> nolog, \
> pass"
>
> "id:'900014', \
> phase:1, \
> t:none, \
> setvar:'tx.brute_force_protected_urls=#/login.jsp#
> #/partner_login.php#', \
> setvar:'tx.brute_force_burst_time_slice=60', \
> setvar:'tx.brute_force_counter_threshold=10', \
> setvar:'tx.brute_force_block_timeout=300', \
> nolog, \
> pass"
>
> "id:'900015', \
> phase:1, \
> t:none, \
> setvar:'tx.dos_burst_time_slice=60', \
> setvar:'tx.dos_counter_threshold=100', \
> setvar:'tx.dos_block_timeout=600', \
> nolog, \
> pass"
>
> "id:'900016', \
> phase:1, \
> t:none, \
> setvar:tx.crs_validate_utf8_encoding=1, \
> nolog, \
> pass"
>
> SecRule REQUEST_HEADERS:Content-Type "text/xml" \
> "id:'900017', \
> phase:1, \
> t:none,t:lowercase, \
> nolog, \
> pass, \
> chain"
> SecRule REQBODY_PROCESSOR "!@streq XML" \
> "ctl:requestBodyProcessor=XML"
>
> SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
> "id:'900018', \
> phase:1, \
> t:none,t:sha1,t:hexEncode, \
> setvar:tx.ua_hash=%{matched_var}, \
> nolog, \
> pass"
>
> SecRule REQUEST_HEADERS:x-forwarded-for
> "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
> "id:'900019', \
> phase:1, \
> t:none, \
> capture, \
> setvar:tx.real_ip=%{tx.1}, \
> nolog, \
> pass"
>
> SecRule &TX:REAL_IP "!@eq 0" \
> "id:'900020', \
> phase:1, \
> t:none, \
> initcol:global=global, \
> initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
> nolog, \
> pass"
>
> SecRule &TX:REAL_IP "@eq 0" \
> "id:'900021', \
> phase:1, \
> t:none, \
> initcol:global=global, \
> initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
> setvar:tx.real_ip=%{remote_addr}, \
> nolog, \
> pass"
>
> Include modsecurity/base_rules/exceptions.conf
> Include modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf
> Include modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf
> Include modsecurity/base_rules/modsecurity_crs_23_request_limits.conf
> Include modsecurity/base_rules/modsecurity_crs_30_http_policy.conf
> Include modsecurity/base_rules/modsecurity_crs_35_bad_robots.conf
> Include modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
> Include
> modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
> Include modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf
> Include modsecurity/base_rules/modsecurity_crs_42_tight_security.conf
> Include modsecurity/base_rules/modsecurity_crs_45_trojans.conf
> Include modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
> Include modsecurity/base_rules/modsecurity_crs_49_inbound_blocking.conf
> Include modsecurity/base_rules/modsecurity_crs_50_outbound.conf
> Include modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf
> Include modsecurity/base_rules/modsecurity_crs_60_correlation.conf
>
>
> --
> David Gomes Guimarães
>
>