Apache/ModSecurity issue. Invalid command 'SecAuditLogFormat' error

The same situation here: ./build modsecurity fixes the problem, but we discovered the problem after:

- Install new versions of php
- Change the IP of a server (using the script of DA for this)

I think if the Apache template file for modsecurity included in custombuild changes but a recompile of modsecurity isn't included or forced, you will face the problem with any action related to the Apache config, and ./build rewrite_confs is a very popular command when facing a problem or making any change.

Regards

This use-case might be possible. I've fixed it in CB 2.0 rev. 2522 (no requirement of ./build modsecurity on update time when confs are rewritten).
 
"./build update_versions" shouldn't update modsecurity config if no related items got updated. What was updated in the list? Didn't you run "./build rewrite_confs"?

Thank you for the information!

It has updated the following:

Code:
2020-07-03 20:17:29 vpn: DirectAdmin update requested
2020-07-03 20:17:31 vpn: Lego 3.8.0 installed
2020-07-03 20:17:32 vpn: Let's Encrypt client update requested
2020-07-03 20:18:30 vpn: Proftpd 1.3.6d installed
2020-07-03 20:18:49 vpn: nghttp2 1.41.0 installed
2020-07-03 20:19:13 vpn: pcre2 10.35 installed
2020-07-03 20:19:15 vpn: Awstats 7.8 installed
2020-07-03 20:19:15 vpn: awstats_process.sh updated to 2.9
2020-07-03 20:19:34 vpn: EasySpamFighter 1.31 installed
2020-07-03 20:19:35 vpn: exim.conf installed
2020-07-03 20:19:35 vpn: Exim 4.94 installed
2020-07-03 20:19:36 vpn: composer 1.10.8 installed
2020-07-03 20:20:18 vpn: s-nail 14.9.19 installed
2020-07-03 20:21:34 vpn: zstd 1.4.5 installed
2020-07-03 20:26:28 vpn: Ioncube 10.4.0 installed
2020-07-03 20:26:51 vpn: PHP 7.3.19 installed
2020-07-03 20:26:53 vpn: called: php_expert 7.3 php-fpm
2020-07-03 20:26:56 vpn: RoundCube 1.4.5 installed
2020-07-03 20:26:57 vpn: called: update_versions

This will be the same on all servers as the ones we updated in this batch all have the same configuration.

I initially thought we didn't have this issue on CentOS 8 but it was not part of yesterday's upgrades. I've just done a CentOS 8 server by hand and it has the exact same issue.

I noticed the issue should have been fixed in 2522. The CentOS 8 server I tested this morning runs 2523. It doesn't work.

We get:
No match for argument: yajl-devel
Error: Unable to find a match: yajl-devel

It has the following repositories:

Code:
# yum repolist
repo id                                                                                          repo name
AppStream                                                                                        CentOS-8 - AppStream
BaseOS                                                                                           CentOS-8 - Base
Zabbix_8_x86_64                                                                                  Zabbix_8_x86_64
Zabbix_nonsupported_8_x86_64                                                                     Zabbix_nonsupported_8_x86_64
epel                                                                                             Extra Packages for Enterprise Linux 8 - x86_64
epel-modular                                                                                     Extra Packages for Enterprise Linux Modular 8 - x86_64
extras                                                                                           CentOS-8 - Extras

As you can see, we don't have the PowerTools repository on this server. We don't remove repositories from our servers so this is a base installation.

Sorry, but I think this feature hasn't been tested well enough. Please pull it until a 100% fix is deployed.
 
Was it yajl-devel? CentOS6? If it's centos6, the one you installed is too old, and CB needs to be used for it.

Hello, a lot got said since, but as a reply;
I'm running CentOS 8.2
I searched for the yajl-devel, but it can't be found.

./build modsecurity didn't fix it, and I can see this in the output:
No match for argument: lua-devel
Error: Unable to find a match: lua-devel
Last metadata expiration check: 2:29:36 ago on Sat Jul 4 07:25:09 2020.
No match for argument: yajl-devel
Error: Unable to find a match: yajl-devel
 
Sorry for the double post.
I enabled the powertools repo. Then it could find the yajl-devel package. Then did the ./build update_versions and modsecurity was built.
Everything seems to be back to normal now
 
I've detected a typo in a variable which should enable PowerTools on CentOS8, fixed in CB 2.0 rev. 2524, thank you for the report.
 
2524 has solved it for us. Thanks for fixing this during the weekend.

Is this something we can prevent in the future? Are there any betas that people can test before things like these hit production?
 
I'm sorry, bugs are natural in software... This doesn't mean the software shouldn't be tested thoroughly. There is a reason why giants like Android or iOS release updates with bugfixes, the same must be done by your OS. It doesn't mean we're not testing it through, some bugs just go through the testing phase and go unnoticed for a longer time even in production, and I guess everyone is affected (linux kernel, windows, macos, you name it) :)
 
In the CustomBuild - Build tab I see an option to Build ModSecurity and an option to Build libModsecurity (which does not have any setting in the Edit tab). What are those Modsecurities, why are there two? And if they are different, what are their purposes?
 
Yes, they are different. See https://www.modsecurity.org. ModSecurity 3.0 (libModsecurity) has no stable version for Apache yet, thus ModSecurity 2.9 is used.
 
So to clarify this small question:
If I'm using Apache, I need to Build only ModSecurity and OWASP (or buggy COMODO) ruleset?
If I'm using Nginx, then I need to select and Build libModSecurity and OWASP only, without ModSecurity (COMODO won't work with Nginx at all)?

Am I even close to right understanding here? :) I think all this could be a little bit more clear... ;/
 
Right, but if you click "Build ModSecurity" on nginx - it'd automatically build libmodsecurity for you. "Build ModSecurity" should work with all the webservers and detect what it should build. Regarding rulesets - comodo ruleset should also work fine with nginx. However, due to their dependencies for the plugin, and native ModSecurity integration in DA, we've switched the default to OWASP CRS lately.
 
Yes and no. Bugs are natural, testing is too though. Do you feature test or is it all manual? I believe the CentOS 8 bug was 100% preventable with some automated testing. The upgrade would have been harder.
 
Since 1 am this morning the httpd on two servers stopped working with the same error:

AH00526: Syntax error on line 12 of /etc/httpd/conf/extra/httpd-modsecurity.conf:
Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module not included in the server configuration

I tried to update mod_security (./build modsecurity) but get the following final status messages during the build:

make[2]: Leaving directory `/usr/local/directadmin/custombuild/modsecurity-2.9.3'
make[1]: Leaving directory `/usr/local/directadmin/custombuild/modsecurity-2.9.3'
ModSecurity has been installed successfully.
AH00526: Syntax error on line 12 of /etc/httpd/conf/extra/httpd-modsecurity.conf:
Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module not included in the server configuration
Installing Comodo Rule Set for ModSecurity...
Updating to latest CWAF client version
current version is up to date
update process finished!
Defaulting to Comodo WAF SecDefaultAction...
Installation of ModSecurity Rule Set has been finished.
AH00526: Syntax error on line 12 of /etc/httpd/conf/extra/httpd-modsecurity.conf:
Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module not included in the server configuration

Is this requirement for the yajl library new? And why does this only happen on some servers?


When I try to install this yajl-devel I get the following error:

custombuild]# yum install yajl-devel
Loaded plugins: fastestmirror
Setting up Install Process
Determining fastest mirrors
YumRepo Error: All mirror URLs are not using ftp, http or file.
Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/i386/6/centos-sclo-rh/mirrorlist.txt
Error: Cannot find a valid baseurl for repo: centos-sclo-rh
 
Hello all, I started seeing this a few months ago and it has happened 3 times since fixing it.
Today the fix will not work though and I'm not sure why, as I have received the same result from the terminal each time.
Code:
systemd[1]: Starting The Apache HTTP Server...
httpd[3143246]: AH00526: Syntax error on line 12 of /etc/httpd/conf/extra/httpd-modsecurity.conf:
httpd[3143246]: Invalid command 'SecAuditLogFormat', perhaps misspelled or defined by a module not included in the server configuration
systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE

Any insight to why this keeps reverting back would be helpful.
Thank you
 
I had a Debian 7 instance, and this change broke it due to 7 being EOL so it couldn't install the required dependencies for this JSON change.
 
So the best solution for that problem is to disable modsecurity and build apache.

Code:
cd /usr/local/directadmin/custombuild
./build set modsecurity no
./build apache
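
A pre-restart check for the failure discussed in this thread (the config template uses a directive that the installed module build does not provide), as an added example that is not from any poster or from DirectAdmin. It is a heuristic that assumes the module keeps its directive names as plain strings in the binary; the module path is not given in the thread and is passed as an argument, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the Sec* directives used in a ModSecurity config
# with the directive names present in the compiled module, before a config
# rewrite or restart takes httpd down.
# Usage: sh check.sh /etc/httpd/conf/extra/httpd-modsecurity.conf <path to mod_security2.so>

# Print each printable run of the binary on its own line (like strings(1)).
module_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1"
}

# missing_directives CONF MODULE
# Prints "line:Directive" for every Sec* directive in CONF whose name is not
# found as a whole string inside MODULE. Apache directive names are
# case-insensitive, so both sides are lower-cased before comparing.
missing_directives() {
    module_strings "$2" | awk -v conf="$1" '
        { known[tolower($0)] = 1 }
        END {
            while ((getline line < conf) > 0) {
                n++
                if (line ~ /^[ \t]*#/) continue      # comment line
                split(line, f, " ")                  # f[1] = directive name
                name = tolower(f[1])
                if (name ~ /^sec[a-z0-9]+$/ && !(name in known))
                    print n ":" f[1]
            }
        }'
}

# preflight CONF MODULE
# Returns 0 when every Sec* directive is present in the module, 1 otherwise.
preflight() {
    out=$(missing_directives "$1" "$2")
    [ -z "$out" ] && return 0
    echo "directives not provided by $2:" >&2
    echo "$out" >&2
    return 1
}

# Run the check only when called with both paths.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

A non-zero exit means the module should be rebuilt (with its build dependencies installed) before Apache is restarted.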
 