05-02-2006, 08:09 PM #1, WHT Addict (Join Date: Sep 2005, Posts: 170)
How to disable people being able to use SecAuditLog in htaccess?
Does anyone know how to disable people being able to define the location of SecAuditLog in htaccess files?
Thanks,
Dan
SecAuditLog is a mod_security setting. E.g. SecAuditLog /sec.log

05-03-2006, 03:57 PM #2, WHT Addict (Join Date: Sep 2005, Posts: 170)
Hi,
I have discovered how, but it has forced me to disable my security logging, period.
Is there a way to have it but at the same time disallow it being modified in .htaccess?
Thanks for your time.

05-03-2006, 08:42 PM #3, Web Hosting Master (Join Date: May 2002, Location: UK, Posts: 1,622)
See here: http://www.modsecurity.org/documenta...iguration.html
Filter inheritance in multi-user environments
When you are deploying ModSecurity in multi-user environments, and your users are allowed to use the rules in their .htaccess files, you may not wish to allow them to not inherit the rules from the parent context. There are two ways to achieve this.
Note
If you do not trust your users (e.g. running in a web hosting environment) then you should never allow them access to ModSecurity. The .htaccess facility is useful for limited administration control decentralisation, keeping ModSecurity configuration with the application code. But it is not meant to be used in situations when the users may want to subvert the configuration. If you are running a hostile environment you should turn off the .htaccess facility completely by custom-compiling ModSecurity with the -DDISABLE_HTACCESS_CONFIG switch.
First, you can mark certain rules mandatory using the mandatory action. Such rules will always be inherited in the child context.
The other way is to use the SecFilterInheritanceMandatory directive to simply make all rules in the context mandatory for all child contexts.
SecFilterInheritanceMandatory On

Chief brew-maker at several hosting brands since 2002.
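An added configuration example illustrating the two inheritance mechanisms the quoted documentation describes, placed beside the settings that actually keep the audit log out of a tenant's hands. This is not configuration from the thread or from the ModSecurity project; the log path, directory glob and the example rule are assumed, and the syntax follows ModSecurity 1.9.x (SecFilter-era directives, comma-separated actions).

```apache
# httpd.conf, server or <VirtualHost> context. ModSecurity 1.9.x syntax.
# Added illustration; paths, glob and rule are assumptions for the example.
<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterDefaultAction "deny,log,status:403"

    # The administrator's audit log, set once at server level.
    SecAuditEngine On
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Option 1 from the docs: every rule defined in this context is inherited
    # by child contexts (<Directory>, .htaccess) even if they try to opt out.
    SecFilterInheritanceMandatory On

    # Option 2 from the docs: leave inheritance optional but pin individual
    # rules with the "mandatory" action (assumed example rule):
    # SecFilterSelective ARGS "union.*select" "deny,log,status:403,mandatory"
</IfModule>

# Both options govern rule inheritance only. SecAuditLog and SecAuditEngine
# are ordinary per-context settings, so a tenant's .htaccess can still
# redefine them unless Apache never reads that .htaccess at all ...
<Directory /home/*/public_html>
    AllowOverride None
</Directory>
# ... or, where .htaccess must stay available for other purposes, the module
# is rebuilt with -DDISABLE_HTACCESS_CONFIG as the quoted note recommends.
```

The `AllowOverride None` block is the check to run first: if Apache is not reading the tenant's `.htaccess`, nothing in it matters, whatever ModSecurity was compiled with.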

05-04-2006, 01:28 PM #4, WHT Addict (Join Date: Sep 2005, Posts: 170)
Hi,
OK, thanks. That should work for me; I'll give it a shot later.
Here's an idea of my dilemma though:
On my server I allow .htaccess. I see why you disable it, but for me nothing in my mod_security is mission critical; I could even do without having the mod on at all.
It's just something extra I added because it seemed effective.
A lot of my default rulesheet is there to purely protect the users site from sql injections and the like. If they don't want it for whatever reason, it's fine by me.
I also don't mind them adding their own rules, because that would be pretty effective instead of me tacking a bunch of rules on for everyone, even where it's not needed.
The main problem I had with the log thing was... someone in .htaccess could do:
SecAuditLog "../sec.php", then add some PHP into their headers, trigger one, and boom, they've got PHP above the root directory. I use open_basedir with chdir disabled and the like, so this was not good. Fixed now though, I think.
Thanks for your time,
Dan
Last edited by Jcink; 05-04-2006 at 01:38 PM.
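The post above describes the attack shape: a tenant points SecAuditLog at a file with a script extension, puts PHP in a request header, and lets ModSecurity write the audit record into that file. An administrator who cannot (yet) recompile the module can at least find such overrides. The following is an added example, not code from the thread or from ModSecurity: a small auditor that parses a tenant's `.htaccess`, leaves ordinary SecFilter rules alone (the poster's stated policy) and flags log-path directives that escape the web root or carry a script extension, plus engine toggles. `DOCROOT`, the directory names and the sample `.htaccess` text are constructed for the example; the script-extension list is an assumption about a typical Apache/PHP setup.

```python
"""Audit tenant .htaccess files for ModSecurity 1.x directives that should stay
under the server administrator's control: log-path directives (SecAuditLog,
SecFilterDebugLog) and engine toggles (SecAuditEngine, SecFilterEngine).

Added example for this thread, not code from the thread or from ModSecurity.
DOCROOT, the sample .htaccess text and the directory names are constructed.
"""
import posixpath
import re
from typing import List, Tuple

DOCROOT = "/home/dan/public_html"  # assumed tenant web root

# A tenant who controls where ModSecurity writes can turn a log into a script.
LOG_DIRECTIVES = {"SecAuditLog", "SecFilterDebugLog"}
# Toggles that silently override the server-level setting.
TOGGLE_DIRECTIVES = {"SecAuditEngine", "SecFilterEngine"}
# Extensions a typical Apache/PHP setup hands to an interpreter (assumed list).
SCRIPT_EXTENSIONS = (".php", ".php3", ".phtml", ".pl", ".cgi")

DIRECTIVE_RE = re.compile(r"^\s*(Sec[A-Za-z]+)\s+(.*?)\s*$")
WINDOWS_DRIVE_RE = re.compile(r"^[A-Za-z]:/")


def strip_quotes(value: str) -> str:
    """Drop one layer of surrounding double quotes, as Apache's parser does."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def resolve_log_path(raw: str, htaccess_dir: str) -> str:
    """Normalise a directive argument to an absolute POSIX-style path.

    Apache itself resolves relative log paths against ServerRoot; here a
    relative path is resolved against the directory holding the .htaccess,
    which is the conservative choice for catching '..' escapes.  Backslashes
    are folded to '/' so the Windows path from the thread is handled as well.
    """
    path = strip_quotes(raw).replace("\\", "/")
    if not posixpath.isabs(path) and not WINDOWS_DRIVE_RE.match(path):
        path = posixpath.join(htaccess_dir, path)
    return posixpath.normpath(path)


def is_inside(path: str, root: str) -> bool:
    """True if path is root itself or lies below it (path already normalised)."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def audit_htaccess(text: str, htaccess_dir: str,
                   docroot: str = DOCROOT) -> List[Tuple[int, str, str]]:
    """Return (line number, directive, reason) for every directive a tenant
    should not be allowed to set.  Ordinary SecFilter* rules are left alone,
    matching the thread's policy of letting users add their own rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, arg = m.group(1), m.group(2)
        if directive in LOG_DIRECTIVES:
            target = resolve_log_path(arg, htaccess_dir)
            if not is_inside(target, docroot):
                findings.append((lineno, directive,
                                 f"log path escapes the web root: {target}"))
            elif target.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append((lineno, directive,
                                 f"log path has a script extension: {target}"))
        elif directive in TOGGLE_DIRECTIVES:
            findings.append((lineno, directive,
                             f"overrides the server-level setting ({arg})"))
    return findings


# Constructed sample: the overrides quoted in the thread plus one benign rule.
SAMPLE_HTACCESS = """\
# tenant .htaccess (constructed for this example)
SecFilterEngine On
SecFilterSelective ARGS "union.*select" "deny,log,status:403"
SecAuditEngine On
SecAuditLog "../sec.php"
SecAuditLog "../../sec.php"
SecAuditLog "C:\\Apache\\www\\lol.log"
"""

if __name__ == "__main__":
    # The sample .htaccess is assumed to live in DOCROOT/blog.
    for lineno, directive, reason in audit_htaccess(
            SAMPLE_HTACCESS, DOCROOT + "/blog"):
        print(f"line {lineno}: {directive}: {reason}")
```

Run against the constructed sample it reports five findings: the two engine toggles, `../sec.php` (inside the web root but executable, which is just as bad as the case in the post), `../../sec.php` (escapes the root) and the Windows path. A `SecAuditLog` pointing at a `.log` file under the tenant's own tree is not reported, since that is the benign use the poster wants to keep allowing.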

05-07-2006, 01:48 PM #5, WHT Addict (Join Date: Sep 2005, Posts: 170)
OK, never mind, it doesn't work.
I realized shutting SecAuditEngine off doesn't work. People can just turn it on.
The mandatory thing doesn't help. Settings just get overwritten (I know this is the point of .htaccess, but from what I had before, I AM able to set a master value that can't be changed no matter what).
Code:
SecAuditEngine On
SecAuditLog "C:\Apache\www\lol.log"