Apache failing due to Mod_security SecAuditLogFormat JSON

SteveN2020

Hi all,

The file ./custombuild/configure/ap2/conf/extra/httpd-modsecurity.conf was updated on 19th June, and I am now unable to start apache due to
Code:
Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module
Removing the line "SecAuditLogFormat JSON" from /etc/httpd/conf/extra/httpd-modsecurity.conf solves this, but on a rebuild of conf or mod_security the problem returns, presumably due to the template file.

I have seen this bug fix: https://forum.directadmin.com/threads/changelog.60248/
Code:
2509 - Fix "SecAuditLogFormat JSON" support in ModSecurity 2.9 (used for Apache). Requires recompilation of ModSecurity.
But can't find the original bug. Has this issue regressed back into the code base? Anyone else having similar problems?

Thanks.
 
“./build modsecurity” should be enough to fix it.
 
Yes it does, same problem:
Code:
make[1]: Leaving directory '/usr/local/directadmin/custombuild/modsecurity-2.9.3'
ModSecurity has been installed successfully.
Installing OWASP Core Rule Set for ModSecurity...
Copying custom ModSecurity rules to /etc/modsecurity.d/...
Installation of ModSecurity Rule Set has been finished.
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xe" for details.
 
Anything in custom/modsecurity? Are you sure you’re running latest version of CustomBuild? Any errors when building modsecurity? What’s the OS there, does it have yajl library installed?
 
Custombuild 2.0.0 (rev: 2510), CentOS 8.1.1911, only a couple of rule customisations to disable the engine based on some IPs, errors in modsecurity build are:
Code:
No match for argument: lua-devel
Error: Unable to find a match: lua-devel
Last metadata expiration check: 0:14:03 ago on Sun Jun 21 20:57:29 2020.
No match for argument: yajl-devel
Error: Unable to find a match: yajl-devel

I'll hunt them down and see if that helps. Looks like that might be the issue.
 
All sorted, I was missing those dependencies. On CentOS 8 I needed to:
Code:
dnf config-manager --set-enabled PowerTools
dnf install yajl-devel lua-devel

Thanks for your help.
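
Added example (not part of the thread, and not DirectAdmin or ModSecurity code): a pre-flight check to run before rebuilding the config or restarting Apache, so a missing yajl build does not take the web server and WAF offline. It assumes, as the fix above indicates, that the SecAuditLogFormat directive is only available when ModSecurity 2.9 was compiled against yajl; the function names are hypothetical and the module path must be supplied for your server.

```shell
#!/bin/sh
# Pre-flight check for "SecAuditLogFormat JSON" (added example, hypothetical names).

# Reads a config on stdin; returns 0 if it has an active (uncommented)
# "SecAuditLogFormat JSON" line.
conf_wants_json() {
    grep -Eiq '^[[:space:]]*SecAuditLogFormat[[:space:]]+JSON([[:space:]]|$)'
}

# Reads ldd-style output on stdin; returns 0 only if libyajl is listed
# and resolved (a "not found" entry does not count).
ldd_lists_yajl() {
    grep 'libyajl\.so' | grep -vq 'not found'
}

# check_modsec_json CONF MODULE
# Returns 0 when CONF should parse with MODULE loaded, 1 when the JSON
# directive is requested but the module was built without yajl.
check_modsec_json() {
    if ! conf_wants_json < "$1"; then
        echo "ok: $1 does not request JSON audit logs"
        return 0
    fi
    if ldd "$2" 2>/dev/null | ldd_lists_yajl; then
        echo "ok: $2 is linked against yajl"
        return 0
    fi
    echo "fail: $1 sets SecAuditLogFormat JSON but $2 has no yajl support"
    echo "      install yajl-devel, then rebuild with ./build modsecurity"
    return 1
}

# Constructed sample input (not captured from a real server).
SAMPLE_CONF_JSON='SecAuditEngine RelevantOnly
SecAuditLogFormat JSON'
SAMPLE_CONF_COMMENTED='#SecAuditLogFormat JSON'
SAMPLE_LDD_WITH_YAJL='  libyajl.so.2 => /lib64/libyajl.so.2 (0x00007f0000000000)'
SAMPLE_LDD_WITHOUT='  libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f0000000000)'

# Real use (module path is a placeholder for your server's mod_security2.so):
#   check_modsec_json /etc/httpd/conf/extra/httpd-modsecurity.conf \
#       /path/to/mod_security2.so && systemctl restart httpd
```

A "fail" result means the restart would hit the same "Invalid command 'SecAuditLogFormat'" error, so Apache is left running on its current configuration until the module is rebuilt.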
 
We are facing this same issue.

Tried "./build modsecurity", but no luck.

Please advise.

root@srv [/]# ./build modsecurity
-bash: ./build: No such file or directory
root@srv [/]#
 
You need to do this first:
Code:
cd /usr/local/directadmin/custombuild
 
Now able to run './build modsecurity', but it's showing many errors, including the following, and the server went offline.

dm-0: write failed, user file limit reached.

sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `/usr/local/cwaf/scripts/suid /usr/local/cwaf/scripts/cwaf-wrapper.pl da_get_aliases LANGUAGE = (unset), 2>&1'
 
I'd suggest trying the OWASP ruleset (default). /usr/local/cwaf/scripts/cwaf-wrapper.pl comes from Comodo (3rd party script).
 
I'm facing the same issue. Could you please explain how to do this exactly? I'm new to server administration. If possible, please advise with exact steps or commands to solve this issue.
 