Re: [Mod-security-developers] Compatibility with mod_ruid2
From: Breno S. <bre...@gm...> - 2013-07-22 12:07:45
Ben,

You can try to set it in /etc/profile? It works for me:

root@ubuntu:/home/brenosilva# ls -lisa /var/log/apache2/20130720/20130720-1140/20130720-114050-UerZscCoAGUAAFcXJFcAAAAe
194655 4 -rwxrwxrwx 1 www-data www-data 3342 2013-07-22 11:40 /var/log/apache2/20130722/20130722-1140/20130722-114050-UerZscCoAGUAAFcXJFcAAAAe

On Mon, Jul 22, 2013 at 12:07 AM, Ben Empson <be...@ar...> wrote:

> Hi Breno,
>
> I tried:
>
> SecAuditLogDirMode 0000
> SecAuditLogFileMode 0000
>
> But on Apache restart I got the following error: “ModSecurity: Invalid value for SecAuditLogDirMode: 0000”. So I reset these 2 values to 0777.
>
> Then I went to /var/asl/data and did
>
> umask 0000
>
> However I’m still getting errors in the Apache log: “ModSecurity: Audit log: Failed to create file: /var/asl/data/audit0722/20130722-0756/20130722-075623-UezXl1nIjfEAAHYWJ@oAAAAK(Permission denied)”
>
> Note that the first website to get an error in each minute creates the audit folder and there are logs for that site. However any subsequent requests for other websites (and therefore users) get the error above since they don’t have write permissions, eg:
>
> drwxr-xr-x 2 use11 use11 4096 Jul 22 07:55 20130722-0755/
> drwxr-xr-x 2 use22 use22 4096 Jul 22 07:56 20130722-0756/
>
> Regards, Ben
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 21 July 2013 15:59
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> As a test, try setting umask 0000 and check the directory/file permissions. Let me know what happens.
>
> Thanks
>
> Breno
>
> On Sun, Jul 21, 2013 at 6:25 AM, Ben Empson <be...@ar...> wrote:
>
> Hi Breno, thanks for the reply :)
>
> Are you referring to these directives:
>
> SecAuditLogDirMode 0777
> SecAuditLogFileMode 0777
>
> ?? As you can see they’re set up for full perms. However mod_ruid2 is overriding these directives. The mod_ruid2 developer says that if ModSecurity used the ap_hook_log_transaction() hook this would not happen since at the time that hook is called mod_ruid2 has returned the process to the nobody user, as such permissions for nobody would not be an issue.
>
> The mod_ruid2 developer says that this problem is occurring because ModSecurity is not using the ap_hook_log_transaction() hook to write the audit logs, and hence the audit log is being written as the user account relevant to the website being served.
>
> Regards, Ben
>
> ==============================================================================
> = Array[x] =
> = professional technical outsourcing =
> = www.arrayx.co.uk = = be...@ar... =
> = t UK: +44 (0)20 8144 9102 =
> = t ES: +34 938 021 278 =
> = m ES: +34 667 065 397 =
> = Paseig Sant Joan 25 3-1, 08010, Barcelona, Spain =
>
> Array[x] and Profitable Web Projects are trademarks of Profitable Web Projects SL of Passeig Sant Joan 25 3-1, 08010 Barcelona, Spain, which is inscribed in the Mercantile Register of Barcelona; Tomo 40322, Folio 59, Hoja B363676, Company registration number B64798101. This message may contain information that is legally privileged, confidential or exempt from disclosure. If you are not an intended recipient or an employee or agent responsible for delivering this message to an intended recipient, please notify us immediately and permanently destroy this message and any copies you may have. Any dissemination or copying of this message by anyone other than the intended recipient is strictly prohibited. Prices exclude taxes and are valid for one month unless otherwise stated.
>
> *From:* Breno Silva [mailto:bre...@gm...]
> *Sent:* 20 July 2013 20:46
> *To:* mod-security-developers
> *Subject:* Re: [Mod-security-developers] Compatibility with mod_ruid2
>
> Hello Ben,
>
> Take a look at how your umask is set. Maybe you need to change it to have the permission you want.
>
> Thanks
>
> Breno
>
> On Sat, Jul 20, 2013 at 11:04 AM, Ben Empson <be...@ar...> wrote:
>
> Hi there, is there any chance of getting a response on this? This is a critical issue for all users of mod_ruid2 and ModSecurity…
>
> Regards, Ben
>
> *From:* Ben Empson
> *Sent:* 10 July 2013 18:09
> *To:* 'mod...@li...'
> *Subject:* Compatibility with mod_ruid2
>
> Hi there, I'm running mod_ruid 0.9.7 on Apache 2.2 with ModSecurity 2.7.3 and the GotRoot/Atomicorp delayed ruleset, all on cPanel 11.38. I am unable to get ModSecurity to successfully log its activities since mod_ruid is causing audit directories and logs to be created with the username of the running process, and more importantly with permissions for that user only, overriding a specific setting in the ModSecurity conf to create audit folders and logs to be created world-writable.
>
> I have documented my setup here:
> https://www.atomicorp.com/forum/viewtopic.php?f=15&t=6932&sid=23c91691756075ec7fc5cfe86a6630d1
>
> I also posted this to the mod_ruid2 forums:
> https://github.com/mind04/mod-ruid2/issues/1
>
> One of the mod_ruid2 developers has suggested that ModSecurity should be using the special ap_hook_log_transaction() hook which would mean in my configuration that ModSecurity would try to write its audit logs as nobody, which would not cause permissions issues.
>
> I did follow the suggestion of the developer in terms of “Maybe you can work around the problem if you make the log directory group writable for apache and add apache to R_Groups for every user.” but this did not fix the problem since new log folders are still created without group write permissions.
>
> It seems as though the only possible fix is that ModSecurity uses the ap_hook_log_transaction() hook. It is certain that I’m not the only person suffering this problem:
> http://www.google.co.uk/search?q=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&{google:acceptedSuggestion}oq=ModSecurity%3A+Audit+log%3A+Failed+to+create+subdirectories&sourceid=chrome&ie=UTF-8
>
> Is there any chance of this getting fixed / changed?
>
> Regards, Ben
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
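
Added example, not part of any message in the thread: a shell sketch of why a directory requested with mode 0777 can still come out as drwxr-xr-x, as in the listing quoted above, and why a umask changed in one shell does not reach a different, already-running process. It assumes the audit directory is created with a plain mkdir(2)-style call and that the server runs with umask 022; the function names and temp paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: the process umask masks the mode requested for a new directory.
# All paths are constructed temp directories, not the trees from the thread.

# Print the permission string of a directory created with a plain mkdir
# (which requests 0777) under the umask given as $1.
mode_under_umask() {
    work=$(mktemp -d) || return 1
    (
        umask "$1"
        mkdir "$work/20130722-0756"
    )
    ls -ld "$work/20130722-0756" | cut -c1-10
    rm -rf "$work"
}

# umask is a per-process attribute inherited at fork. Changing it in one
# process (the inner subshell, standing in for an admin's login shell) does
# not change it in another (the outer subshell, standing in for the server).
mode_after_umask_set_elsewhere() {
    work=$(mktemp -d) || return 1
    (
        umask 022
        ( umask 0000 )
        mkdir "$work/20130722-0756"
    )
    ls -ld "$work/20130722-0756" | cut -c1-10
    rm -rf "$work"
}

echo "umask 022:                $(mode_under_umask 022)"
echo "umask 000:                $(mode_under_umask 000)"
echo "umask 0000 set elsewhere: $(mode_after_umask_set_elsewhere)"
```

With umask 022 the directory has no write bit for group or other, so a second per-site user cannot create files in it; to check a live server, read the `Umask:` line in `/proc/<pid>/status` of a worker process where the kernel exposes it.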