Hi,
I'm running v3 with the source of 12.12.16 just fine.
Now I had to troubleshoot some stuff and found out that the audit.log was
full of logs. So I decided to set SecAuditLogRelevantStatus "403" and
restarted nginx. The result was the same! Then I set "SecAuditEngine
Off", restarted nginx and again, the audit.log gets new entries.
Nginx is N+ based on 1.11.5
nginx version: nginx/1.11.5 (nginx-plus-r11)
built by gcc 4.9.2 (Debian 4.9.2-10)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --build=nginx-plus-r11 --prefix=/etc/nginx
--sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
--conf-path=/etc/nginx/nginx.conf
--error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid
--lock-path=/var/run/nginx.lock
--http-client-body-temp-path=/var/cache/nginx/client_temp
--http-proxy-temp-path=/var/cache/nginx/proxy_temp
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
--http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx
--group=nginx --with-compat --with-file-aio --with-threads
--with-http_addition_module --with-http_auth_jwt_module
--with-http_auth_request_module --with-http_dav_module
--with-http_f4f_module --with-http_flv_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_hls_module
--with-http_mp4_module --with-http_random_index_module
--with-http_realip_module --with-http_secure_link_module
--with-http_session_log_module --with-http_slice_module
--with-http_ssl_module --with-http_stub_status_module
--with-http_sub_module --with-http_v2_module --with-mail
--with-mail_ssl_module --with-stream --with-stream_realip_module
--with-stream_ssl_module --with-stream_ssl_preread_module
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2'
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed'
I have multiple vhosts and enable it via:
server {
    listen XXX:80;
    server_name XXX;
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
    modsecurity_rules 'SecRuleRemoveById 200002
                       SecRuleRemoveById 980130
                       SecRuleRemoveById 920130
    ...
main.conf is:
Include "/etc/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
# OWASP CRS v3 rules
#Include "/etc/nginx/modsec/owasp-v3-3/crs-setup.conf"
#Include "/etc/nginx/modsec/owasp-v3-3/rules_own2/*.conf"
Include "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.0/crs-setup.conf"
Include "/etc/nginx/modsec/owasp-modsecurity-crs-3.0.0/rules/*.conf"
And in modsecurity.conf:
...
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine Off
#SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogRelevantStatus "403"
# Log everything we know about a transaction.
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABCDEFHIJKZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
...
This is how I restart it:
nginx -s stop
nginx
Any ideas?
Michael
--
www.routerperformance.net
- Cisco, Linux, Networks
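As an added example (not part of Michael's post and not code from the ModSecurity project), here is a small Python script that parses a serial audit log of the kind configured above and reports which response statuses actually ended up in it, so you can see at a glance whether entries contradict the configured SecAuditLogRelevantStatus. The two transactions embedded in it are constructed; the script assumes the `--id-A--` (ModSecurity v2) or `---id---A--` (libmodsecurity v3) section-boundary style and reads the status from part F and rule messages from part H.

```python
import re
from collections import Counter

# Section boundary of a serial audit log: "--id-A--" (ModSecurity v2 style)
# or "---id---A--" (libmodsecurity v3 style); group 1 = transaction id,
# group 2 = part letter (A, B, C, ..., Z).
BOUNDARY_RE = re.compile(r"^-{2,3}([A-Za-z0-9]+)-{1,3}([A-Z])-{2,3}$")
# Status line at the top of part F (response headers).
STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b")

# Constructed sample: one transaction denied by the test rule (403) and one
# ordinary 200 that a RelevantOnly/"403" configuration should not have logged.
SAMPLE_AUDIT_LOG = """\
--5f3c1a2b-A--
[13/Dec/2016:09:12:01 +0100] WFCxQX8AAQEAAAsZC-MAAAAA 192.0.2.10 51234 192.0.2.1 80
--5f3c1a2b-B--
GET /?testparam=test HTTP/1.1
Host: www.example.test
--5f3c1a2b-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html
--5f3c1a2b-H--
Message: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [id "1234"]
--5f3c1a2b-Z--

--7a9d0e4c-A--
[13/Dec/2016:09:12:05 +0100] WFCxRX8AAQEAAAsZC-QAAAAA 192.0.2.11 51240 192.0.2.1 80
--7a9d0e4c-B--
GET /index.html HTTP/1.1
Host: www.example.test
--7a9d0e4c-F--
HTTP/1.1 200 OK
Content-Type: text/html
--7a9d0e4c-H--
Stopwatch: 1481616725000000 1200 (- - -)
--7a9d0e4c-Z--
"""


def parse_serial_audit_log(text):
    """Split a serial audit log into {transaction_id: {part_letter: [lines]}}."""
    transactions = {}
    tid = part = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            tid, part = m.group(1), m.group(2)
            transactions.setdefault(tid, {}).setdefault(part, [])
            continue
        if tid is not None:
            transactions[tid][part].append(line)
    return transactions


def response_status(parts):
    """HTTP status code from the first status line in part F, or None."""
    for line in parts.get("F", []):
        m = STATUS_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def rule_marked(parts):
    """True if part H carries a rule message (v2 "Message:" / v3 "ModSecurity:" lines)."""
    return any(l.startswith("Message:") or "ModSecurity:" in l
               for l in parts.get("H", []))


def status_summary(text):
    """Count logged transactions by response status."""
    counts = Counter()
    for parts in parse_serial_audit_log(text).values():
        counts[response_status(parts)] += 1
    return dict(counts)


def unexpected_entries(text, relevant_status_regex):
    """Transaction ids that neither match SecAuditLogRelevantStatus nor were
    marked by a rule; with the audit engine set to RelevantOnly, such entries
    indicate the loaded configuration is not the one you think it is."""
    pattern = re.compile(relevant_status_regex)
    unexpected = []
    for tid, parts in parse_serial_audit_log(text).items():
        if rule_marked(parts):
            continue
        status = response_status(parts)
        if status is None or not pattern.search(str(status)):
            unexpected.append(tid)
    return unexpected


if __name__ == "__main__":
    print(status_summary(SAMPLE_AUDIT_LOG))
    print(unexpected_entries(SAMPLE_AUDIT_LOG, "403"))
    print(unexpected_entries(SAMPLE_AUDIT_LOG, r"^(?:5|4(?!04))"))
```

To use it on a live system, read /var/log/modsec_audit.log into `text` and call `unexpected_entries(text, "403")`. Entries with ordinary statuses and no rule message that keep appearing after the engine was set to Off are a sign that a later directive is winning: a SecAuditEngine or SecAuditLogRelevantStatus that ModSecurity reads after modsecurity.conf (another included file, or an inline modsecurity_rules block) overrides the earlier setting.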