Modsecurity is not available after rules update.

Created:

2016-11-16 12:51:47 UTC

Modified:

2017-05-14 06:08:50 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk

Symptoms

After Apache is restarted, ModSecurity starts with the following notices in /var/log/apache2/error.log:

    [Thu Dec 03 08:04:29.924152 2015] [mpm_event:notice] [pid 2590:tid 140591013660544] AH00491: caught SIGTERM, shutting down
    ...
    [Thu Dec 03 08:04:31.044987 2015] [:notice] [pid 2926:tid 140285121394560] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
    [Thu Dec 03 08:04:31.044995 2015] [:notice] [pid 2926:tid 140285121394560] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
    [Thu Dec 03 08:04:31.045000 2015] [:notice] [pid 2926:tid 140285121394560] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
    [Thu Dec 03 08:04:31.045004 2015] [:notice] [pid 2926:tid 140285121394560] ModSecurity: LUA compiled version="Lua 5.1"
    [Thu Dec 03 08:04:31.045007 2015] [:notice] [pid 2926:tid 140285121394560] ModSecurity: LIBXML compiled version="2.9.1"
    [Thu Dec 03 08:04:31.045010 2015] [:notice] [pid 2926:tid 140285121394560] ModSecurity: Original server signature: Apache
    [Thu Dec 03 08:04:31.045014 2015] [:notice] [pid 2926:tid 140285121394560] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.

The following error can be found in /var/log/modsec_audit.log:

    Message: collections_remove_stale: Failed to access DBM file "/var/asl/data/msa/global": Permission denied
    Stopwatch: 1449217642627822 3506 (- - -)
    Stopwatch2: 1449217642627822 3506; combined=1324, p1=108, p2=838, p3=39, p4=70, p5=145, sr=13, sw=1, l=0, gc=123
    Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); 201512011451.
    Server: Apache
    Engine-Mode: "ENABLED"

Cause

Incorrect permissions on the /var/asl/data directory.

Resolution

  1. Check which user the Apache service runs as:

RedHat-like distributions

    # ps auxwww | grep httpd
    root 509 0.0 2.1 430432 44872 ? Ss 11:33 0:01 /usr/sbin/httpd -DFOREGROUND
    apache 623 0.0 1.6 430292 33760 ? S 11:33 0:00 /usr/sbin/httpd -DFOREGROUND
    apache 625 0.0 1.6 430432 34124 ? S 11:33 0:00 /usr/sbin/httpd -DFOREGROUND
    root 20434 0.0 0.0 112604 1064 pts/0 S+ 22:15 0:00 grep --color=auto httpd

Debian-like distributions

    # ps auxwww | grep apache2
    root 5243 0.0 0.2 390536 95608 ? Ss 10:15 0:02 /usr/sbin/apache2 -k start
    www-data 5249 0.0 0.2 385736 86504 ? S 10:15 0:02 /usr/sbin/apache2 -k start
    www-data 24197 0.1 0.2 391456 92472 ? S 17:19 0:02 /usr/sbin/apache2 -k start
    www-data 24207 0.0 0.2 391316 92356 ? S 17:19 0:01 /usr/sbin/apache2 -k start
    www-data 25137 0.0 0.2 391036 91648 ? S 17:51 0:00 /usr/sbin/apache2 -k start
    root 25404 0.0 0.0 8816 788 pts/2 S+ 17:58 0:00 grep apache2

  2. Set the correct ownership and permissions as follows, e.g. for Debian-like distributions:

    # chown www-data:www-data /var/asl/data/msa
    # chown www-data:www-data /var/asl/data/audit
    # chown www-data:www-data /var/asl/data/suspicious
    # chmod -R 770 /var/asl/data/*
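
To confirm the result of the steps above, the following added example (not part of the original article) reports which ModSecurity data directories are missing, not owned by the Apache user, or have a mode that differs from what `chmod 770` gives. The function name `check_modsec_dirs` is hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: read-only check of ModSecurity data directories.
# Nothing on disk is changed; problems are only reported.

# check_modsec_dirs USER DIR...
# Prints one line per problem directory and returns the number of problems.
check_modsec_dirs() {
    expected_user=$1
    shift
    problems=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c '%U' "$dir")   # owner name (GNU stat assumed)
        mode=$(stat -c '%a' "$dir")    # octal mode, e.g. 770
        if [ "$owner" != "$expected_user" ]; then
            echo "OWNER   $dir is owned by $owner, expected $expected_user"
            problems=$((problems + 1))
        elif [ $(( 0$mode & 0700 )) -ne $(( 0700 )) ]; then
            # Without owner rwx Apache cannot create or update the DBM files.
            echo "MODE    $dir has mode $mode, owner needs rwx"
            problems=$((problems + 1))
        elif [ $(( 0$mode & 0007 )) -ne 0 ]; then
            # The article sets 770, which gives other users no access.
            echo "OTHER   $dir has mode $mode, other users have access"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Run only when arguments are given, for example:
#   sh check.sh www-data /var/asl/data/msa /var/asl/data/audit /var/asl/data/suspicious
if [ "$#" -gt 0 ]; then
    check_modsec_dirs "$@"
fi
```

The exit status is the number of directories with a problem, so 0 means every listed directory matches.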