-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support audit log rotation on SIGHUP and SIGUSR1 #198
base: master
Are you sure you want to change the base?
Support audit log rotation on SIGHUP and SIGUSR1 #198
Conversation
It makes sense this one is failing CI because the changes it relies on aren't yet in ModSecurity. |
Thank you @brandonpayton! |
@defanator can you have a look at it ? |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days |
Any updates on this? Still waiting for fix, log file doesn't change after rotation without nginx restart, which is very inconvenient. |
@github-actions please re-open this. There are many people waiting for this pull request to be merged. |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days |
That bot is annoying.... help @zimmerle |
Can we add the |
Indeed. Part of a bigger plan. We are doing the fining tuning. Sorry for the inconvenience. |
Sure.
This patch depends on some changes on libModSecurity as stated at owasp-modsecurity/ModSecurity#2304; Without the changes in the linked issues, this is not functional. The review will be started as soon as we got owasp-modsecurity/ModSecurity#2304 merged. |
Thanks for the comments @zimmerle ! Now we have a better picture 👍 |
This pull request depends on a pull request in the ModSecurity repository: owasp-modsecurity/ModSecurity#2304 |
On our systems I've been patching ModSecurity to support rotation, as well as applying this patch to ModSecurity-nginx. One side effect is that every time the nginx log is rotated, by calling invoke-rc.d nginx rotate (whether manually or from logrotate), my /dev/null ends up being owned by nginx instead of root. Am I doing something wrong? |
Hi @XanC,
How looks like your logrotate config? |
Thanks for taking a look! /var/log/www/nginx/*.log { If I manually run |
Update: I'm working around the problem by adding a file at /etc/systemd/system/logrotate.d/override.conf: It looks like this patch on line 629 of ngx_http_modsecurity_module.c reopens /dev/null. I'm not sure why it's doing that, but that's probably why it ends up being owned by nginx. |
This is a PR that uses owasp-modsecurity/ModSecurity#2304 to support audit log rotation when nginx reloads config or reopens log files.
Thanks to @defanator for providing a proof-of-concept!
I tested this by:
lsof
to observe nginx has the audit log openlsof
to confirm the nginx now references the moved filenginx -s reload
andnginx -s reopen
When I wasn't convinced of the thread-safety of audit log writes and log reopen within nginx, I also attempted to test it with the following script using GNU parallel:
parallel -j+0 ./test-reopen.sh ::: {1..10000}
This test didn't hurt, but due to nginx's primarily single-threaded architecture, I believe log reopen is thread-safe here by default.
resolves #121