How to resolve 403 errors after upgrading to Monitor 8.1.3

----------------------

The content of this FAQ has been updated and migrated to the following topics in docs.itrsgroup.com. Refer to the following:

https://docs.itrsgroup.com/docs/op5-monitor/8.2.0/topics/troubleshoot/managing-modsecurity.html

We recommend that you always use the latest document version in https://docs.itrsgroup.com/ to keep you up-to-date.

-----------------------



With the release of OP5 Monitor version 8.1.3, we are bundling the Apache module mod_security with our product. This will serve to filter every request done to the Apache web server and apply the OWASP ModSecurity Core Rule Set and allow/deny requests based on that ruleset. 

We have included a tailor-made config for mod_security which disables some of the rules which break Monitor. Clients with customized httpd (Apache) environments may experience issues. 

See also: How to handle false positives and create exclusions.

The HTTP response given if a rule is triggered is mostly: 403 forbidden. 

To find out what rule might be causing the issue, make sure you have audit logging turned on. This is described in "How to troubleshoot mod_security security rules".

Logs are located in:  

• /var/log/httpd/ 

• modsec_audit.log -- this logs every rule encountered, useful for finding out what rules are causing the error 

• modsec_debug.log -- logs everything if debug is enabled. 

Enable debugging 

In /etc/httpd/conf.d/mod_security.conf 

Set SecDebugLogLevel to desired level.  
9 is everything. 

Log levels can be found here.

Disabling mod_security

First, run the following to confirm mod_security is loaded (called "security2_module")

# apachectl -M | grep sec

Disabling mod_security can be done by opening up:

/etc/httpd/conf.modules.d/10-mod_security.conf

Comment out everything in that file and then restart httpd. Run the above apachectl command again to confirm the output has changed, meaning the module is no longer loaded.