  1. #1
    Join Date
    Sep 2005
    Posts
    170

    How to disable people being able to use SecAuditLog in htaccess?

    Does anyone know how to disable people being able to define the location of SecAuditLog in htaccess files?

    Thanks,
    Dan

    SecAuditLog is a mod_security setting. E.g. SecAuditLog /sec.log

  2. #2
    Join Date
    Sep 2005
    Posts
    170
    Hi,

    I have discovered how, but it has forced me to disable my security logging period.

    Is there a way to have it but at the same time disallow it to be modified in htaccess?

    Thanks for your time.

  3. #3
    Join Date
    May 2002
    Location
    UK
    Posts
    1,622
    See here: http://www.modsecurity.org/documenta...iguration.html

    Filter inheritance In multiuser environments

    When you are deploying ModSecurity in multi-user environments, and your users are allowed to use the rules in their .htaccess files, you may not wish to allow them to not inherit the rules from the parent context. There are two ways to achieve this.

    Note

    If you do not trust your users (e.g. running in a web hosting environment) then you should never allow them access to ModSecurity. The .htaccess facility is useful for limited administration control decentralisation, keeping ModSecurity configuration with the application code. But it is not meant to be used in situations when the users may want to subvert the configuration. If you are running a hostile environment you should turn off the .htaccess facility completely by custom-compiling ModSecurity with the -DDISABLE_HTACCESS_CONFIG switch.

    First, you can mark certain rules mandatory using the mandatory action. Such rules will always be inherited in the child context.

    The other way is to use the SecFilterInheritanceMandatory directive to simply make all rules in the context mandatory for all child contexts.

    SecFilterInheritanceMandatory On
    For what it's worth, we use the -DDISABLE_HTACCESS_CONFIG flag at compile time on all our servers so that our server wide ruleset is applied to all virtualhosts regardless of their htaccess file. A lot of work goes into the maintenance of our rulesets and the object of this is defeated if users are able to just turn checking off.
    Chief brew-maker at several hosting brands since 2002.

    FLXI | UK based, cPanel/WHM reseller hosting
    Pay-as-you-go billing, why pay for what you don't use?

  4. #4
    Join Date
    Sep 2005
    Posts
    170
    Hi,

    Ok thanks. That should work for me I'll give it a shot later.

    Here's an idea of my dilemma though:

    On my server I allow htaccess. I see why you disable it, but for me nothing in my mod_security is mission critical, I could even do without having the mod on at all.

    It's just something extra I added because it seemed effective.

    A lot of my default rulesheet is there to purely protect the users site from sql injections and the like. If they don't want it for whatever reason, it's fine by me.

    I also don't mind them adding their own rules, because that would serve pretty effectively instead of me tacking a bunch of rules on for everyone, even where it's not needed.

    The main problem I had with the log thing was.... someone in htaccess could do:

    SecAuditLog "../sec.php" then, add some php into their headers, trigger one, and boom they got php above the root directory. I use open_base_dir with chdir disabled and the like, so this was not good. Fixed now though, I think.

    Thanks for your time,
    Dan
    Last edited by Jcink; 05-04-2006 at 01:38 PM.

  5. #5
    Join Date
    Sep 2005
    Posts
    170
    ok, never mind, it doesn't work

    I realized shutting SecAuditEngine off doesn't work. People can just turn it on.

    The Mandatory thing doesn't help. Settings just get overwritten (I know this is the point of htaccess, but from what I had before I AM able to set a master value that can't be changed no matter what).

    Code:
    SecAuditEngine On
    SecAuditLog "C:\Apache\www\lol.log"
    This is very dangerous, so this is why I gotta know if there is some way to just disable the logging or at least disable JUST that directive
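As an added, defender-side example (not from this thread and not part of ModSecurity), a small Python audit that reads user .htaccess contents for the two directives discussed above and flags a SecAuditLog value that is relative, points outside the account, or ends in a script extension. The directory layout, the public_html convention and the sample files are constructed assumptions.

```python
import posixpath
import re

# Constructed sample .htaccess contents keyed by the directory holding them.
# Directories and values are illustrative, not taken from any real server.
SAMPLE_HTACCESS = {
    "/home/alice/public_html": 'SecAuditEngine On\nSecAuditLog "../sec.php"\n',
    "/home/bob/public_html/blog": "SecAuditLog /home/bob/public_html/logs/audit.log\n",
    "/home/carol/public_html": 'SecAuditLog "/var/www/shared/evil.phtml"\n',
    "/home/dave/public_html": 'SecFilter "drop table"\n',
}

# Matches the two directives at line start, with an optional double-quoted value.
DIRECTIVE_RE = re.compile(
    r'^\s*(SecAuditEngine|SecAuditLog)\s+("?)([^"\r\n]*)\2\s*$', re.I | re.M)
SCRIPT_EXT = (".php", ".php3", ".phtml", ".cgi", ".pl", ".shtml")

def user_root(htaccess_dir):
    """Hypothetical hosting convention: the account root ends at public_html."""
    marker = "/public_html"
    idx = htaccess_dir.find(marker)
    return htaccess_dir[: idx + len(marker)] if idx != -1 else htaccess_dir

def audit_htaccess(htaccess_dir, text):
    """Return (directory, issue, value) tuples for one .htaccess file."""
    findings = []
    root = user_root(htaccess_dir)
    for m in DIRECTIVE_RE.finditer(text):
        name, _, value = m.groups()
        value = value.strip()
        if name.lower() == "secauditengine":
            findings.append((htaccess_dir, "audit-engine-toggled", value))
            continue
        if not value.startswith("/"):
            # A relative path is resolved by the server, not by the user's
            # directory, so it cannot be assumed to stay inside the account.
            findings.append((htaccess_dir, "relative-log-path", value))
        else:
            path = posixpath.normpath(value)
            if path != root and not path.startswith(root + "/"):
                findings.append((htaccess_dir, "log-outside-user-root", path))
        if value.lower().endswith(SCRIPT_EXT):
            findings.append((htaccess_dir, "log-has-script-extension", value))
    return findings

def scan(files):
    """Audit every sample file and return all findings in one list."""
    return [f for d, t in files.items() for f in audit_htaccess(d, t)]

if __name__ == "__main__":
    for d, issue, value in scan(SAMPLE_HTACCESS):
        print(f"{d}/.htaccess: {issue}: {value}")
```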
