Fedora Linux Support Community & Resources Center
  #1  
2009-11-07, 10:14 AM CST
SlowJet
Registered User
 
Join Date: Jan 2005
Posts: 4,139
apache mod_security logs F12

A new rpm for mod_security F12 simplified the rules to get it started.
In the conf files the log directives say to specify the path to the dir and make sure it exists.
As this dir list shows, there are several.
The suggested top dir is /var/log/msa

# cd /var/log/msa
[root@Jovette-14 msa]# ls -laZ
drw-------. apache apache system_u:object_r:var_log_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_log_t:s0 ..
drwxr-x---. apache apache system_u:object_r:var_log_t:s0 SecAuditLog
drwxr-x---. apache apache system_u:object_r:var_log_t:s0 SecAuditLogStorageDir
drwxr-x---. apache apache system_u:object_r:var_log_t:s0 SecDataDir
drwxr-x---. apache apache unconfined_u:object_r:var_log_t:s0 SecDebugLog
drwxr-x---. apache apache system_u:object_r:var_log_t:s0 SecTmpDir
drwxr-x---. apache apache system_u:object_r:var_log_t:s0 SecUploadDir

After starting httpd and doing some web pages, only the SecAuditLog and SecDebugLog had a log file and data.
From the next list all looks good, but as the previous list shows, selinux needs some work.

# ls -l
total 24
drwxr-x---. 2 apache apache 4096 2009-11-07 07:24 SecAuditLog
drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecAuditLogStorageDir
drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecDataDir
drwxr-x---. 2 apache apache 4096 2009-11-07 07:36 SecDebugLog
drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecTmpDir
drwxr-x---. 2 apache apache 4096 2009-10-26 05:28 SecUploadDir

To create the dirs I used root and then
cd /var/log/msa
chown -R apache:apache SecAuditLog (for each dir name)
chmod 750 SecAuditLog (for each dir name)

These two are mutually exclusive (one or the other is used) but I created both to toggle the conf.
SecDataDir SecAuditLogStorageDir
SecTmpDir is defaulted to /tmp - I put it in msa to track it better.
SecUploadDir - this may need to move

The next list shows the two logs that were created.

# ls -laZ
drwxr-x---. apache apache system_u:object_r:var_log_t:s0 .
drw-------. apache apache system_u:object_r:var_log_t:s0 ..
-rw-r-----. root root unconfined_u:object_r:httpd_log_t:s0 SecAuditLog.log
[root@Jovette-14 SecAuditLog]# ls -l
total 56
-rw-r-----. 1 root root 56203 2009-11-07 07:50 SecAuditLog.log
[root@Jovette-14 SecAuditLog]# cd ../SecDebugLog
[root@Jovette-14 SecDebugLog]# ls -laZ
drwxr-x---. apache apache unconfined_u:object_r:var_log_t:s0 .
drw-------. apache apache system_u:object_r:var_log_t:s0 ..
-rw-r-----. root root unconfined_u:object_r:httpd_log_t:s0 SecDebugLog.log
[root@Jovette-14 SecDebugLog]# ls -l
total 4
-rw-r-----. 1 root root 1484 2009-11-07 07:37 SecDebugLog.log

The next list is the end of the modsecurity_crs_10_config.conf file to set log files.
This shows debug and temp.
The point here is, YES, the "path/to/logdir" may include the log file name "path/to/logdir/logfile.log"
But you only create the dir, not the log as apache will create the log.
(And as it does, the selinux must be correct.)
But temp (non-log) is just a dir/path

# Whether to send ModSecurity messages to a separate debug log.
#
# Debug messages are very useful for, well, debugging. The default
# setting here copies (they always appear in the Apache error log)
# only the most important messages (errors and warnings).
#
# NOTE Debug logging is generally very slow. You should never
# use values greater than "3" in production.
#
SecDebugLog /var/log/msa/SecDebugLog/SecDebugLog.log
SecDebugLogLevel 3

# Configures the directory where temporary files will be created.
SecTmpDir /var/log/msa/SecTmpDir/SecTmpDir

Finally the httpd is started and the memory requirements have also increased, along with the child processes.

Tasks: 146 total, 1 running, 145 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.3%us, 1.0%sy, 0.0%ni, 97.7%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 1027172k total, 942948k used, 84224k free, 48632k buffers
Swap: 2064376k total, 0k used, 2064376k free, 657428k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10546 root 20 0 62704 35m 8716 S 0.0 3.6 0:02.17 httpd
10549 apache 20 0 62704 31m 4020 S 0.0 3.2 0:00.39 httpd
10555 apache 20 0 62704 31m 4032 S 0.0 3.2 0:00.45 httpd
10550 apache 20 0 62704 30m 2900 S 0.0 3.0 0:00.11 httpd
10553 apache 20 0 62704 30m 2900 S 0.0 3.0 0:00.08 httpd
10556 apache 20 0 62704 30m 2892 S 0.0 3.0 0:00.09 httpd
10558 apache 20 0 62704 30m 2712 S 0.0 3.0 0:00.12 httpd
10554 apache 20 0 62704 30m 2704 S 0.0 3.0 0:00.13 httpd
10552 apache 20 0 62704 30m 2576 S 0.0 3.0 0:00.21 httpd
10551 apache 20 0 62704 30m 2576 S 0.0 3.0 0:00.20 httpd
10548 apache 20 0 62624 28m 816 S 0.0 2.8 0:00.00 httpd

Now the questions are how to put this into log rotate and what program to use to process the log information.

SJ
__________________
Do the Math

Last edited by SlowJet; 2009-11-07 at 10:19 AM CST.
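
A check for the mode, ownership and SELinux-label issues visible in the listings above, as an added example that is not part of the original post. It assumes GNU stat and, for the label check, the selinuxenabled utility; the script name audit_msa.sh is hypothetical, and httpd_log_t is simply the type the post shows on the log files Apache created, passed in by the caller.

```shell
#!/bin/bash
# Added example: audit a ModSecurity log tree laid out like /var/log/msa in the post.
# Directory names come from the post; the SELinux type to expect is the caller's assumption.
MSA_DIRS="SecAuditLog SecAuditLogStorageDir SecDataDir SecDebugLog SecTmpDir SecUploadDir"

# check_path PATH OWNER [SELINUX_TYPE]
# Prints one finding per line, nothing when clean. OWNER "-" skips the owner check.
check_path() {
    path=$1; want_owner=$2; want_type=${3:-}
    [ -e "$path" ] || { echo "MISSING $path"; return 0; }
    mode=$(stat -c %a "$path")      # octal mode, e.g. 750 (GNU stat)
    owner=$(stat -c %U "$path")
    if [ "$want_owner" != "-" ] && [ "$owner" != "$want_owner" ]; then
        echo "OWNER $path is $owner, want $want_owner"
    fi
    # drw------- (as on /var/log/msa in the first listing) has no search bit:
    # a non-root owner cannot enter the directory.
    if [ -d "$path" ] && [ $(( (0$mode >> 6) & 1 )) -eq 0 ]; then
        echo "NOSEARCH $path mode $mode"
    fi
    # Audit and debug logs record request data; nothing here should be open to "other".
    [ $(( 0$mode & 7 )) -eq 0 ] || echo "WORLD $path mode $mode"
    # Compare the SELinux type only where SELinux is enabled.
    if [ -n "$want_type" ] && command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        ctx=$(stat -c %C "$path")
        case $ctx in
            *:"$want_type":*) ;;
            *) echo "LABEL $path is $ctx, want type $want_type" ;;
        esac
    fi
    return 0
}

# audit_msa_tree TOP OWNER [SELINUX_TYPE]: check TOP, each directory, and any *.log inside.
audit_msa_tree() {
    top=$1; dir_owner=$2; se_type=${3:-}
    check_path "$top" "$dir_owner" "$se_type"
    for d in $MSA_DIRS; do
        check_path "$top/$d" "$dir_owner" "$se_type"
        for f in "$top/$d"/*.log; do
            [ -f "$f" ] || continue
            # httpd opens its logs as root at startup, so root-owned files are not flagged.
            check_path "$f" - "$se_type"
        done
    done
    return 0
}

# Run as root, e.g.: ./audit_msa.sh /var/log/msa apache httpd_log_t
if [ "$#" -ge 2 ]; then audit_msa_tree "$@"; fi
```

Each output line names one path and one problem, so an empty result means the tree matches the expected owner, mode and type.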