[SOLVED] Client Agent Installer Cannot Find ModSecurity

I’m using the latest version of the CWAF installer, and when I run it on a CentOS7/Apache/Interworx server to try to do a standalone installation, I get the error message that ModSecurity cannot be found:

cat /tmp/cwaf_install.log.17906
20-07-2020 17:34:55 Starting the installation
20-07-2020 17:35:20 ----------------Checking Apache-----------------------
20-07-2020 17:35:20 Found APACHE2CTL ‘/usr/sbin/apachectl’
20-07-2020 17:35:20 Found APACHE version 2.4.41
20-07-2020 17:35:20 Failed to aquire MODSECURITY version
20-07-2020 17:35:23 ---------------Checking LiteSpeed---------------------
20-07-2020 17:35:23 LiteSpeed binary /usr/local/lsws/bin/lshttpd not found!
20-07-2020 17:35:31 -----------------Checking Nginx-----------------------
20-07-2020 17:35:31 Nginx binary /usr/local/nginx/sbin/nginx not found!
20-07-2020 17:35:34 ------------------------------------------------------

ModSecurity is definitely installed and running. If I look in the ModSecurity audit log, I can see my custom rule is working.

The odd thing is that I ran the installer successfully yesterday. I made the apparent mistake of uninstalling CWAF to move it to another folder.

I saw this five-year-old thread, but the fix it describes (killing orphaned httpd processes) didn’t work for me.

How do I get the Client Agent installer to realize that ModSecurity is installed so I can complete the installation?

Thanks!

Hi, what version of modsecurity do you have?
Is modsecurity loaded as a module or is it compiled with the webserver?
Make sure that you have proper access rights before starting the installer.

Thanks for the quick reply!

Here is the ModSecurity version info:


[root@host ~]# rpm -qa | grep security
mod_security-2.9.2-2.el7.x86_64
lp-security-scripts-2.0-13.noarch
redhat-lsb-submod-security-4.1-27.el7.centos.1.x86_64

ModSecurity is installed as a module:


[root@host ~]# httpd -M | grep security
 security2_module (shared)

I have been running the installer as root:


[root@host ~]# bash cwaf_client_install.sh

The odd thing is that I was able to run the installer without any issues a couple of days ago, but now I cannot. I made the mistake of uninstalling it to move it to another directory, thinking the re-installation would go as smoothly as the first one.

I did a little testing with the code in the “check_modsec” function from the installer.sh script I found in the working CWAF installation I got from backup, hoping that it would help me identify the cause of my installation problem.

It turns out line 838 of installer.sh appears to be causing the problem:

PROC_ID=$(ps axo pid,args | awk '{print $1 " " $2}' | egrep -e '/(httpd|httpd2|apache|apache2)' | grep -v grep | head -n1 | awk '{print $1}')

It returns a process ID of 14263 for HTTPD on my server, which doesn’t even show up when I run the command:

pstree -p | grep httpd

I don’t know if it’s an orphaned process or what; I haven’t looked into that. Instead, I worked on finding a command that identified the correct HTTPD parent process to see if the other code in check_modsec could find ModSecurity.

I ended up going with the command:

PROC_ID=$(ps hf -opid -C httpd,httpd2,apache,apache2 | awk '{ print $1; exit }')

That command identifies the same parent HTTPD process I found with pstree, 23633.

I built a little test script that I used to test the check_modsec function with either the original command to find the process ID or my new one.

If I run the test script and choose my alternative command, it is able to find ModSecurity and get the ModSecurity version, so it appears to be a workaround for my server, at least, but I’m making a major–and possibly incorrect–assumption that the code used in the cwaf_client_install.sh script is the same as what I found in installer.sh.

Now that I think I’ve identified the problem, is there some way I can get a copy of cwaf_client_install.sh that I can edit in order to try the alternative command, or is there a way to install using the installer.sh script?

I finally got the CWAF client agent installer to work.

What I did was to restart Apache and run my test script, repeating the process until my test script showed that the PID that the original command retrieved was the same as my alternative command. Once they matched, I was able to run the installer, it found ModSecurity, and the installation completed successfully.

Here’s my test script if anyone needs it down the line:


#!/bin/bash

# You can run this script from /root with the following command to see if CWAF can detect ModSecurity:
# bash text_cwaf_modsec_chk.sh

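# Locate the Apache control binary; prefer apache2ctl when it exists.
APACHECTL_BIN=$(which apachectl 2>/dev/null)
APACHE2CTL_BIN=$(which apache2ctl 2>/dev/null)
if [ -x "$APACHE2CTL_BIN" ]; then
    APACHECTL_BIN="$APACHE2CTL_BIN"
fi
# Stop early if neither control binary is executable.
if [ ! -x "$APACHECTL_BIN" ]; then
    echo "WARNING: apachectl/apache2ctl was not found. Exiting test script."
    exit 1
fi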

echo "APACHECTL_BIN = $APACHECTL_BIN"

# check for apache syntax
APACHE_SYNTAX=$("$APACHECTL_BIN" -t 2>&1 | grep 'Syntax OK')
if [ -z "$APACHE_SYNTAX" ]; then
	echo  "WARNING: Syntax error in Apache config file. Exiting test script."
	exit 1
else
	echo "Apache syntax check passed, checking to see if Apache is running..."
fi

# check if apache running
  APACHE_RUNNING=$(\
    ps axo args | \
    awk '{print $1}' | \
    egrep -w '(httpd|httpd2|apache|apache2)' \
  )
  if [ -z "$APACHE_RUNNING" ]; then
  	echo  "WARNING: Apache does not appear to be running. Exiting test script."
  	exit 1
  else
  	echo "Apache is running. Checking for ModSecurity..."
  fi
  
  # check for modsecurity
  if ! ($APACHECTL_BIN -M 2>&1 | grep -qw 'security2_module'); then
    echo "ModSecurity security2_module was not detected. Exiting test script."
    exit 1
  else
  	echo "ModSecurity security2_module was detected. Attempting to get the process ID..."
  fi
  
  # Get process ID using original, installer.sh command.
  PROC_ID=$(ps axo pid,args | awk '{print $1 " " $2}' | egrep -e '/(httpd|httpd2|apache|apache2)' | grep -v grep | head -n1 | awk '{print $1}')
  echo "PROC_ID using original command = $PROC_ID"
  
  # Test alternatives to their command.
  PROC_ID2=$(ps hf -opid -C httpd,httpd2,apache,apache2 | awk '{ print $1; exit }')
  echo "PROC_ID using alternative command = $PROC_ID2"
  
  # Choose which PROC_ID to use.
  echo "PROC_ID to test? (0 = original or 1 = alternative, default = 0)"
  read -r whichprocid
  # Treat empty input as the default (original command).
  if [ -z "$whichprocid" ]; then
    whichprocid=0
  fi
  # Compare as a string so non-numeric input does not raise a test error.
  if [ "$whichprocid" != "0" ]; then
    PROC_ID="$PROC_ID2"
    echo "Testing with PROC_ID from alternative command, $PROC_ID"
  else
    echo "Testing with PROC_ID from original command, $PROC_ID"
  fi
  
	# Test by getting the parent httpd process.
	#PROC_ID=$(ps hf -opid -C httpd | awk '{ print $1; exit }')
	#echo "PROC_ID using your command = $PROC_ID"
  
  # time for backup plan
  if [ -z "$PROC_ID" ]; then
    PROC_ID=$(ps axo pid,args | awk '{print $1 " " $2}' | egrep -w '(httpd|httpd2|apache|apache2)' | grep -v grep | grep -v nimbus | head -n1 | awk '{print $1}')
  fi
  # get mod_security library from the process memory map
  if [ "$(uname)" = 'FreeBSD' ]; then
    MODSEC_LIB=$(grep '/mod_security2.so' "/proc/${PROC_ID}/map" | head -n1 | awk '{print $13}')
  else
    MODSEC_LIB=$(grep '/mod_security2.so' "/proc/${PROC_ID}/maps" | head -n1 | awk '{print $6}')
  fi

	echo "MODSEC_LIB = $MODSEC_LIB"  
  
  # get mod_security version
  if [ -n "$MODSEC_LIB" ]; then
    MODSEC_VERSION=$(strings ${MODSEC_LIB} | grep 'ModSecurity for Apache/' | head -n1 | cut -d/ -f2 | awk '{print $1}')
    echo "MODSEC_VERSION is $MODSEC_VERSION"
  else
  	echo "MODSEC_VERSION was not found."
  fi
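
Added example, not part of the original posts and not CWAF's own code: instead of trusting the first process whose path matches httpd, this checks each candidate's memory map and returns the first one that actually has mod_security2.so loaded. The function names, the PROC_ROOT argument, and the sample ps/maps lines are constructed for the demo; the two PIDs are the ones quoted in the thread.

```shell
#!/bin/bash
# Added example (not from installer.sh). Assumes Linux-style
# /proc/<pid>/maps; the proc root is overridable so the demo runs on fake data.

# Read "PID COMMAND ..." lines on stdin; print "PID LIBPATH" for the first
# httpd/apache process whose memory map contains mod_security2.so.
find_modsec_pid() {
    local proc_root="${1:-/proc}" pid cmd lib
    while read -r pid cmd _; do
        case "${cmd##*/}" in
            httpd|httpd2|apache|apache2) ;;
            *) continue ;;
        esac
        # Skip candidates that have exited or that we cannot read.
        [ -r "$proc_root/$pid/maps" ] || continue
        lib=$(awk '$6 ~ /\/mod_security2\.so$/ {print $6; exit}' "$proc_root/$pid/maps")
        if [ -n "$lib" ]; then
            printf '%s %s\n' "$pid" "$lib"
            return 0
        fi
    done
    return 1
}

# Constructed demo: two httpd processes, only the second maps the module.
demo() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/14263" "$root/23633"
    echo '7f00-7f01 r-xp 00000000 fd:00 11 /usr/lib64/libc-2.17.so' > "$root/14263/maps"
    echo '7f10-7f11 r-xp 00000000 fd:00 12 /usr/lib64/httpd/modules/mod_security2.so' > "$root/23633/maps"
    printf '%s\n' '14263 /home/example/bin/httpd -k start' \
                  '23633 /usr/sbin/httpd -DFOREGROUND' \
        | find_modsec_pid "$root"
    rm -rf "$root"
}

demo
# Live use on a real host: ps axo pid=,args= | find_modsec_pid
```

If the live command prints nothing and returns non-zero, no running httpd/apache process has the module mapped, which points at Apache's module loading rather than at PID selection.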