Thread: [mod-security-users] @inspectFile script does not write to files
From: Thorsten K. <tho...@th...> - 2018-10-02 18:07:31
Hi,

I have a script that inspects files for viruses (like in "Inspecting Files" from https://www.feistyduck.com/library/modsecurity%2dhandbook%2dfree/online/ch04-logging.html).

This script works fine, although any file that I want to write to or create from this script is neither created nor modified.

See this simple example script:

###
#! /usr/bin/env bash

# Side effect that should be visible if the script actually ran
touch /tmp/MODSECURITY-WAS-HERE.txt

# Verdict line read by @inspectFile: status 0 = fail, so every upload is denied
printf '0 THREAT DETECTED\n'
###

This script denies all uploads via Apache, but no file "MODSECURITY-WAS-HERE.txt" is created.

These are the relevant lines from modsecurity.conf:

###
SecRuleEngine On

SecTmpSaveUploadedFiles On

SecRule FILES_TMPNAMES "@inspectFile /opt/sophos-av/runav.sh" "id:'1',log,auditlog,deny,severity:2,phase:2,t:none"
###

This is mod-security 2.9.2 on Ubuntu 18.04.

Thorsten
From: Christian F. <chr...@ne...> - 2018-10-02 18:27:06
Hey Thorsten,

I can't confirm. I'm getting the tmp file as expected.

Do you have permissions restricting the www-data user from writing to /tmp?

The next thing I would do is calling Apache via

$> strace httpd -X

and then look for the write operation. (Did not do this myself, but I reckon it should be visible.)

Ahoj,

Christian

On Tue, Oct 02, 2018 at 08:05:29PM +0200, Thorsten Kampe wrote:
> [original message quoted in full; see above]

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
From: Osama E. <oel...@gm...> - 2018-10-02 19:43:14
To add to Christian's suggestion, as you are on Ubuntu 18.04, you might have an AppArmor profile loaded for Apache2 (a profile doesn't come by default in 18.04 but is included in either apparmor-profiles or apparmor-profiles-extra; don't remember which one). This could be the reason the command isn't executed. Run the following to see if it is the culprit. If so, update it to allow execution of your bash script:

grep -i "apparmor=\"DENIED\"" /var/log/audit/audit.log | grep -i "<path_to_binary>"

--
Osama Elnaggar

On October 3, 2018 at 4:28:49 AM, Christian Folini (chr...@ne...) wrote:
> [Christian's reply and the original message quoted in full; see above]
From: Thorsten K. <tho...@th...> - 2018-10-04 16:45:47
* Christian Folini (Tue, 2 Oct 2018 20:26:53 +0200)
> I can't confirm. I'm getting the tmp file as expected.
>
> Do you have permissions restricting the www-data user from writing to /tmp?

It was actually a permissions issue (kind of). Apache was obviously able to write to /tmp because that's where the scanned files were temporarily stored.

I switched the log directory for my shell script from /tmp to /var/log/apache2. This is where Apache writes its log files, so I could not expect any permission issues. Despite that, Apache's error.log now showed permission errors. There were no error log entries when I used /tmp.

I created a new directory and made www-data the owner. Now everything works fine.

Thanks, guys

Thorsten
From: Reindl H. <h.r...@th...> - 2018-10-04 16:55:08
On 04.10.18 at 18:45, Thorsten Kampe wrote:
> I switched the log directory for my shell script from /tmp to
> /var/log/apache2. This is where Apache writes its log files, so I
> could not expect any permission issues. Despite that, Apache's
> error.log now showed permission errors. There were no error log
> entries when I used /tmp.
>
> I created a new directory and made www-data the owner. Now everything
> works fine.

The native httpd logs are opened at start as root; anything else runs as the user after the workers drop privileges.
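A worked version of the pattern the thread converges on, added here as an example (it is not code from the thread, from Thorsten's runav.sh, or from ModSecurity): an @inspectFile wrapper that keeps its own log in a directory owned by the Apache worker user and, when that directory is not writable, reports the problem on stderr (which lands in Apache's error.log) instead of losing the entry silently, while always emitting the verdict line on stdout so the rule still decides correctly. The @inspectFile contract it follows is the ModSecurity 2.x one: the script receives the path of the temporarily saved upload as its argument and prints one line, a status code followed by a message, where 1 means pass and 0 means fail. Everything else is an assumption for the example: the log directory /var/log/modsec-av (and the MODSEC_AV_LOGDIR override), the stand-in scan_file function that flags the EICAR test marker in place of a real AV call, and the message texts.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from ModSecurity.
#
# @inspectFile contract (ModSecurity 2.x): the script gets the path of the
# temporarily saved upload as $1 and prints one line on stdout,
# "<status> <message>", where status 1 = pass and status 0 = fail
# (the rule matches; with "deny" the upload is blocked).
#
# Assumptions (hypothetical, not from the page):
#   - LOGDIR is a directory owned by the Apache worker user (www-data on
#     Ubuntu); the admin creates it once, e.g.
#       install -d -o www-data -g www-data -m 0750 /var/log/modsec-av
#   - scan_file() stands in for the real scanner (the thread calls
#     /opt/sophos-av/runav.sh); here it looks for the EICAR test marker.

LOGDIR="${MODSEC_AV_LOGDIR:-/var/log/modsec-av}"

# Stand-in scanner: exit 0 = clean, 1 = detection. A real wrapper calls the
# AV CLI here; keep its output off stdout, only the verdict line may go there.
scan_file() {
    if grep -q -- 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE' "$1" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Append to our own log if the worker user can write there; otherwise say so
# on stderr (Apache collects it in error.log) instead of failing silently.
log_line() {
    msg="$1"
    if [ -d "$LOGDIR" ] && [ -w "$LOGDIR" ]; then
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$msg" >> "$LOGDIR/inspect.log"
    else
        printf 'inspect: cannot write to %s: %s\n' "$LOGDIR" "$msg" >&2
    fi
}

# Print the verdict line ModSecurity parses. Fails closed: an upload the
# script cannot read is reported with status 0 rather than waved through.
inspect_file() {
    f="$1"
    if [ ! -r "$f" ]; then
        log_line "unreadable: $f"
        printf '0 unreadable upload\n'
        return 0
    fi
    if scan_file "$f"; then
        log_line "clean: $f"
        printf '1 clean\n'
    else
        log_line "threat: $f"
        printf '0 THREAT DETECTED\n'
    fi
}

# Entry point when ModSecurity invokes the script with the upload path as $1.
if [ "$#" -gt 0 ]; then
    inspect_file "$1"
fi
```

To use it with the rule from the thread, point `@inspectFile` at this script instead of runav.sh and create the log directory beforehand with the `install -d` command shown in the comments (an assumed path; pick your own). Because the script runs as the worker user after httpd has dropped privileges, it cannot write to /var/log/apache2 even though httpd's own logs live there; checking writability up front turns that into a visible stderr message rather than a missing file, which is the symptom the thread started from.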