----------------------
The content of this FAQ has been updated and migrated to the following topic on docs.itrsgroup.com:
https://docs.itrsgroup.com/docs/op5-monitor/8.2.0/topics/troubleshoot/managing-modsecurity.html
We recommend that you always use the latest document version at https://docs.itrsgroup.com/ to stay up to date.
-----------------------
With the release of OP5 Monitor version 8.1.3, we are bundling the Apache module mod_security with our product. It filters every request made to the Apache web server, applies the OWASP ModSecurity Core Rule Set, and allows or denies each request based on that rule set.
We have included a tailor-made config for mod_security which disables some of the rules which break Monitor. Clients with customized httpd (Apache) environments may experience issues.
See also: How to handle false positives and create exclusions.
When a rule is triggered, the HTTP response is usually 403 Forbidden.
To find out what rule might be causing the issue, make sure you have audit logging turned on. This is described in "How to troubleshoot mod_security security rules".
Logs are located in /var/log/httpd/:
- modsec_audit.log -- logs every rule encountered; useful for finding out which rules are causing the error.
- modsec_debug.log -- logs everything if debug is enabled.
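One way to pull the rule ids behind a 403 out of modsec_audit.log, as an added example (not OP5 or ITRS code). It assumes the audit log uses the ModSecurity 2.x serial layout; the function name, sample paths and rule ids are constructed for illustration.

```python
import re

# Constructed sample; assumes the ModSecurity 2.x serial audit log layout, where
# "--<boundary>-<letter>--" lines split each transaction into parts (A, B, H, Z).
SAMPLE_LOG = """\
--a1b2c3d4-A--
[01/Jan/2024:10:00:00 +0000] AAAAAAAA 192.0.2.10 50000 192.0.2.20 443
--a1b2c3d4-B--
POST /example/app/save?x=1 HTTP/1.1
Host: monitor.example.com

--a1b2c3d4-H--
Message: Warning. [file "/path/to/rules.conf"] [line "1"] [id "100001"] [msg "Constructed rule that matched a parameter"]
Message: Access denied with code 403 (phase 2). [file "/path/to/rules.conf"] [line "2"] [id "100002"] [msg "Constructed rule that denied the request"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[01/Jan/2024:10:00:05 +0000] BBBBBBBB 192.0.2.10 50001 192.0.2.20 443
--e5f6a7b8-B--
GET /example/app/list HTTP/1.1
--e5f6a7b8-H--
Message: Warning. [file "/path/to/rules.conf"] [line "3"] [id "100003"] [msg "Constructed rule that only warned"]
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--[0-9A-Za-z]+-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def denied_requests(log_text):
    """Return (request, rule ids logged, rule id that denied) per 403 transaction."""
    results, part, request, ids, denied_by = [], None, None, [], None
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(1)
            if part == "A":                    # a new transaction starts
                request, ids, denied_by = None, [], None
            elif part == "Z" and denied_by:    # transaction ends; keep blocked ones
                results.append((request, ids, denied_by))
        elif part == "B" and request is None and line.strip():
            method, _, rest = line.partition(" ")
            request = f"{method} {rest.split(' ')[0].split('?')[0]}"  # drop query string
        elif part == "H" and line.startswith("Message:"):
            found = RULE_ID.findall(line)
            ids += found                       # every rule that logged a message
            if found and "Access denied with code 403" in line:
                denied_by = found[0]           # the rule that issued the 403
    return results

if __name__ == "__main__":
    for request, ids, denied_by in denied_requests(SAMPLE_LOG):
        print(f"{request}: denied by rule {denied_by}; rules logged: {', '.join(ids)}")
```

To use it on a live system, pass the contents of /var/log/httpd/modsec_audit.log to denied_requests(); the rule ids it reports are the ones to look at when writing exclusions.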
Enable debugging
In /etc/httpd/conf.d/mod_security.conf, set SecDebugLogLevel to the desired level. Level 9 logs everything.
Log levels can be found here.
Disabling mod_security
First, run the following to confirm that mod_security is loaded (it is listed as "security2_module"):
# apachectl -M | grep sec
Disabling mod_security can be done by opening up:
/etc/httpd/conf.modules.d/10-mod_security.conf
Comment out everything in that file and then restart httpd. Run the above apachectl command again to confirm the output has changed, meaning the module is no longer loaded.
You may only need to disable mod_security temporarily
While you may have issues creating new checks or running "test this check", mod_security will not hinder existing services/commands from running. We therefore recommend that you only disable mod_security temporarily. We are working on a permanent fix for this issue.