
I have an Apache2 server that cannot access the mod-security log:

prim@x.x.x.x:~$ apachectl -V
AH00526: Syntax error on line 196 of /etc/modsecurity/modsecurity.conf:
ModSecurity: Failed to open the audit log file: /var/log/apache2/modsec_audit.log
Action '-V' failed.
The Apache error log may have more information.
prim@x.x.x.x:~$ sudo ls -la /var/log/apache2/modsec_audit.log
-rw-rwxrwx 1 root www-data 101792 Oct 22 16:37 /var/log/apache2/modsec_audit.log

I am a bit puzzled, because everyone (owner, group, others) has rights to open the log file.

edit:

prim@x.x.x.:/var/log/unattended-upgrades$ sudo -u www-data touch /var/log/apache2/modsec_audit.log
touch: cannot touch '/var/log/apache2/modsec_audit.log': Permission denied

This gets stranger...

edit2:

prim@x.x.x.x:/var/log/unattended-upgrades$ sudo ls -la /var/log/apache2/
total 1015752
drw-r--r--  2 root adm          12288 Oct 22 15:55 .

edit3:

ls -la /var/log|grep apache
drw-r--r--  2 root     adm       12288 Oct 22 15:55 apache2
caliph
  • sudo -u www-data touch /path/to/modsecurity.log. Does it work? I think you might have another error in your modsecurity.conf config file, would you share it? – Marco Oct 22 '17 at 18:10
  • I tried to touch with sudo. I don't have permissions. modsecurity.conf is 1 year running and no issues until now. Should I share? – caliph Oct 22 '17 at 18:20
  • Check the permissions and ownership of the /var/log/apache2 (This should be a comment) – egthomas Oct 22 '17 at 18:13
  • ls -la /var/log|grep apache – Marco Oct 22 '17 at 18:49

1 Answer


You couldn't touch modsec_audit.log, i.e.

sudo -u www-data touch /var/log/apache2/modsec_audit.log

because the log directory belongs to root:adm. www-data is not root, nor, most likely, does it belong to group adm. Group and Others can only read in your log directory. Only root:adm can actually write.

I ran into the same problem on CentOS 7 where the main httpd process is started as root and then it spawns a number of child processes that are running as apache:apache. On Debian/Ubuntu it must be the same, except for the difference in apache vs www-data.

Here, on CentOS 7, I can only run apachectl, httpd, etc. as root. Otherwise, same "Syntax error" occurs. Also, this happens only if mod_security is installed.

This is basically apachectl/httpd/etc. calling mod_security as an unprivileged user to check its configuration for syntax errors but it, mod_security, is apparently taking security seriously :) and fails to open the log files on behalf of your calling user that has no permission to do so.

So, just run

sudo apachectl -V

Alternatively, you could

  • add the prim user to adm group (assuming log files are owned by root:adm and Group is allowed to read and/or write)
  • chown root:prim your log files (this is a really bad idea but is listed here as a way to demonstrate that it is a basic file permissions problem).
ILIV
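Opening a file requires search (x) permission on every directory in its path before the file's own mode is even consulted, so a permission diagnosis has to look at each parent directory and not just at the file. The script below is an added example, not code from the question or the answer: it rebuilds a throwaway tree with the same modes the listings above show (directory drw-r--r--, file -rw-rwxrwx) and walks the path reporting, for a given permission class (u, g or o), which component blocks access. The function names (check_path_access, build_fixture, cleanup_fixture) and the fixture layout are this example's own assumptions; it relies only on the POSIX ls -ld output format.

```shell
#!/bin/sh
# Added example: diagnose why a user class cannot reach/write a log file by
# inspecting the mode bits of every directory on the path.
# Assumptions: POSIX "ls -ld" output (mode string is the first field); the
# function names below are hypothetical, not from the original page.

# mode_string PATH -> prints the symbolic mode, e.g. drw-r--r--
mode_string() {
    ls -ld "$1" | awk '{print $1}'
}

# mode_bit PATH POS -> prints the single character at position POS of the mode
# string (owner rwx = 2-4, group rwx = 5-7, others rwx = 8-10)
mode_bit() {
    mode_string "$1" | cut -c"$2"
}

# dir_searchable_by_class DIR CLASS -> true if CLASS (u|g|o) has the x bit on DIR
dir_searchable_by_class() {
    case "$2" in
        u) b=$(mode_bit "$1" 4) ;;
        g) b=$(mode_bit "$1" 7) ;;
        o) b=$(mode_bit "$1" 10) ;;
        *) return 1 ;;
    esac
    [ "$b" = "x" ] || [ "$b" = "s" ] || [ "$b" = "t" ]
}

# file_writable_by_class FILE CLASS -> true if CLASS has the w bit on FILE
file_writable_by_class() {
    case "$2" in
        u) b=$(mode_bit "$1" 3) ;;
        g) b=$(mode_bit "$1" 6) ;;
        o) b=$(mode_bit "$1" 9) ;;
        *) return 1 ;;
    esac
    [ "$b" = "w" ]
}

# check_path_access FILE CLASS [TOP] -> prints one verdict per directory between
# FILE's parent and TOP (exclusive, default /), innermost first, then one for
# the file. Returns 0 only when CLASS can traverse every directory AND write
# the file; a single BLOCKED directory is enough to make the open fail.
check_path_access() {
    file=$1; class=$2; top=${3:-/}; rc=0
    d=$(dirname "$file")
    while [ "$d" != "$top" ] && [ "$d" != "/" ]; do
        if dir_searchable_by_class "$d" "$class"; then
            printf 'ok       %s %s\n' "$(mode_string "$d")" "$d"
        else
            printf 'BLOCKED  %s %s (no x bit for class %s)\n' "$(mode_string "$d")" "$d" "$class"
            rc=1
        fi
        d=$(dirname "$d")
    done
    if file_writable_by_class "$file" "$class"; then
        printf 'ok       %s %s\n' "$(mode_string "$file")" "$file"
    else
        printf 'BLOCKED  %s %s (no w bit for class %s)\n' "$(mode_string "$file")" "$file" "$class"
        rc=1
    fi
    return $rc
}

# build_fixture -> creates a constructed temp tree reproducing the modes seen in
# the question's listings and prints its root directory
build_fixture() {
    top=$(mktemp -d)
    mkdir -p "$top/var/log/apache2"
    chmod 0755 "$top/var/log" "$top/var"
    : > "$top/var/log/apache2/modsec_audit.log"
    chmod 0677 "$top/var/log/apache2/modsec_audit.log"   # -rw-rwxrwx as in the question
    chmod 0644 "$top/var/log/apache2"                     # drw-r--r-- as in the question
    printf '%s\n' "$top"
}

# cleanup_fixture TOP -> restores the x bit so the tree can be deleted, then removes it
cleanup_fixture() {
    chmod u+rwx "$1/var/log/apache2"
    rm -rf "$1"
}

# Stand-alone demonstration: the file is world-writable, yet the directory
# without any x bit blocks the open for owner, group and others alike.
if [ "${RUN_DEMO:-0}" = "1" ]; then
    T=$(build_fixture)
    for c in u g o; do
        echo "== class $c, before chmod 0755 on the directory =="
        check_path_access "$T/var/log/apache2/modsec_audit.log" "$c" "$T" || true
    done
    chmod 0755 "$T/var/log/apache2"
    echo "== class o, after chmod 0755 on the directory =="
    check_path_access "$T/var/log/apache2/modsec_audit.log" o "$T"
    cleanup_fixture "$T"
fi
```

Run it with RUN_DEMO=1 sh check_path.sh to see the walk; against a real system, call check_path_access /var/log/apache2/modsec_audit.log g (or o) as the class the Apache worker falls into, and the first BLOCKED line is the component to fix. Because it only reads mode bits, the diagnosis is the same whether it is run as root or as an unprivileged user, which is exactly the case where trying the open directly would mislead (root bypasses the check).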