ModSecurity-nginx icon indicating copy to clipboard operation
ModSecurity-nginx copied to clipboard
verified publisher icon owasp-modsecurity

Support audit log rotation on SIGHUP and SIGUSR1

Open brandonpayton opened this issue 5 years ago • 19 comments

This is a PR that uses SpiderLabs/ModSecurity#2304 to support audit log rotation when nginx reloads config or reopens log files.

Thanks to @defanator for providing a proof-of-concept!

I tested this by:

  1. Using lsof to observe nginx has the audit log open
  2. Moving the audit log file
  3. Using lsof to confirm the nginx now references the moved file
  4. Signaling the nginx master process with SIGHUP or SIGUSR1.
  5. Testing the same things with nginx -s reload and nginx -s reopen

When I wasn't convinced of the thread-safety of audit log writes and log reopen within nginx, I also attempted to test it with the following script using GNU parallel: parallel -j+0 ./test-reopen.sh ::: {1..10000}

#!/bin/bash

set -euo pipefail

read s < /dev/urandom
TEST=$(( ${#s} % 11 ))

if [[ TEST -eq 0 ]]; then
	echo "$1 reopen with SIGUSR1"
	kill -USR1 "$(pgrep -P1 nginx)"
elif [[ TEST -eq 1 ]]; then
	echo "$1 reload with SIGHUP"
	kill -HUP "$(pgrep -P1 nginx)"
else
	echo "$1 triggering modsec logging"
	# Matches a silly rule created for testing
	curl --silent http://localhost/index.html?asdf 2>&1 >/dev/null &
fi

pgrep -d", " nginx

This test didn't hurt, but due to nginx's primarily single-threaded architecture, I believe log reopen is thread-safe here by default.

resolves #121

brandonpayton avatar May 01 '20 03:05 brandonpayton

It makes sense this one is failing CI because the changes it relies on aren't yet in ModSecurity.

brandonpayton avatar May 01 '20 16:05 brandonpayton

Thank you @brandonpayton!

zimmerle avatar May 16 '20 00:05 zimmerle

@defanator can you have a look at it ?

zimmerle avatar May 16 '20 00:05 zimmerle

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Jun 16 '20 00:06 github-actions[bot]

Any updates on this? Still waiting for fix, log file doesn't change after rotation without nginx restart, which is very inconvenient.

jatgh avatar Jun 16 '20 07:06 jatgh

@github-actions please re-open this. There are many people waiting for this pull request to be merged.

nikolas avatar Jun 22 '20 01:06 nikolas

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Jul 23 '20 00:07 github-actions[bot]

That bot is annoying.... help @zimmerle

nikolas avatar Jul 23 '20 00:07 nikolas

Can we add the no-stale tag? What is needed to merge this one?

fzipi avatar Aug 21 '20 14:08 fzipi

That bot is annoying.... help @zimmerle

Indeed. Part of a bigger plan. We are doing the fining tuning. Sorry for the inconvenience.

zimmerle avatar Aug 21 '20 15:08 zimmerle

Can we add the no-stale tag?

Sure.

What is needed to merge this one?

This patch depends on some changes on libModSecurity as stated at SpiderLabs/ModSecurity#2304; Without the changes in the linked issues, this is not functional. The review will be started as soon as we got SpiderLabs/ModSecurity#2304 merged.

zimmerle avatar Aug 21 '20 16:08 zimmerle

Thanks for the comments @zimmerle ! Now we have a better picture :+1:

fzipi avatar Aug 21 '20 16:08 fzipi

This pull request depends on a pull request in the ModSecurity repository: https://github.com/SpiderLabs/ModSecurity/pull/2304 Is Modsecurity pull request 2304 getting attention?

mike-mckenna avatar Apr 29 '22 18:04 mike-mckenna