Re: [mod-security-users] @inspectFile script does not write to files
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] @inspectFile script does not write to files
|
From: Osama E. <oel...@gm...> - 2018-10-02 19:43:14
|
To add to Christian’s suggestion, as you are on Ubuntu 18.04, you might have an AppArmor profile loaded for Apache2 (a profile doesn't come by default in 18.04 but is included in either apparmor-profiles or apparmor-profiles-extra - don't remember which one). This could be the reason the command isn’t executed. Run the following to see if it is the culprit. If so, update it to allow execution of your bash script: grep -i "apparmor=\"DENIED\"" /var/log/audit/audit.log | grep -i "<path_to_binary>" -- Osama Elnaggar On October 3, 2018 at 4:28:49 AM, Christian Folini ( chr...@ne...) wrote: Hey Thorsten, I can't confirm. I'm getting the tmp file as expected. Do you have permissions restricting the www-data user from writing to /tmp? The next thing I would do is calling apache via $> strace httpd -X and then look for the write operation. (Did not do this myself, but I reckon is should be visible). Ahoj, Christian On Tue, Oct 02, 2018 at 08:05:29PM +0200, Thorsten Kampe wrote: > Hi, > > I have a script that inspects files for viruses (like in "Inspecting > Files" from https://www.feistyduck.com/library/modsecurity% > 2dhandbook%2dfree/online/ch04-logging.html). > > This script works fine - although any file that I want to write to or > create from this script is neither created nor modified. > > See this simple example script: > > ### > #! /usr/bin/env bash > > touch /tmp/MODSECURITY-WAS-HERE.txt > > printf '0 THREAD DETECTED\n' > ### > > This scripts denies all Uploads via Apache but no file "MODSECURITY- > WAS-HERE.txt" is created. > > This are the relevant lines from modsecurity.conf > ### (line break in line 2) > SecRuleEngine On > > SecTmpSaveUploadedFiles On > > SecRule FILES_TMPNAMES "@inspectFile /opt/sophos-av/runav.sh" > "id:'1',log,auditlog,deny,severity:2,phase:2,t:none" > ### > > This is mod-security 2.9.2 on Ubuntu 18.04. > > > Thorsten > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ _______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/ |
