Managing ModSecurity
Overview
Beginning with OP5 Monitor 8.1.3, ModSecurity has been introduced to enhance security and prevent cross-site scripting (XSS) attempts.
Since this feature introduces many changes across OP5 Monitor, this topic walks you through common errors you may encounter in your implementation, as well as some best practices that have been identified moving forward.
How ModSecurity works
ModSecurity is an open-source web application firewall that is bundled with the Apache module. It filters every request made to the Apache web server and applies the OWASP ModSecurity Core Rule Set as a basis for allowing or denying the request.
Monitor uses a tailor-made core rule set to ensure a seamless experience. If you are using a customised httpd environment, then you may experience issues. Error messages you may encounter with ModSecurity include Forbidden or You don't have permission to access <file>.
Configuration files
In OP5 Monitor, the following configuration files can be found in /etc/httpd/:
- conf.modules.d/10-mod_security.conf — loads the mod_security module. Only change when disabling ModSecurity. For guidance, see Disable ModSecurity.
- conf.d/monitor-mod_security.conf — contains your changes to mod_security. This file takes precedence over conf.d/mod_security.conf. For guidance, see Enable audit logging and Enable debugging.
- conf.d/mod_security.conf — default configuration for mod_security. Do not change this file unless instructed by ITRS Support.
Log files
In OP5 Monitor, the following logs can be found in /var/log/httpd/:
- modsec_audit.log — if audit logging is set up, logs every rule encountered. This is useful for finding out which rules are causing errors. For guidance, see Enable audit logging.
- modsec_debug.log — if debug is enabled, logs everything. For guidance, see Enable debugging.
Best practices
With ModSecurity running, the following practices are recommended to improve your server performance and reduce errors you may encounter:
- Increase the memory_limit in the PHP configuration. For guidance, see How to Tweak PHP and MySQL settings for OP5 Monitor.
- When making API requests, use local user accounts rather than AD.
Enable audit logging
To enable ModSecurity audit logging, do the following:
- Navigate to, and open /etc/httpd/conf.d/monitor-mod_security.conf.
- In the configuration file, add the following lines after the initial <IfModule mod_security2.c> statement:
  SecAuditEngine RelevantOnly
  SecAuditLogRelevantStatus ^2-5
  SecAuditLogParts ABCIFHZ
  SecAuditLogType Serial
  SecAuditLog /var/log/httpd/modsec_audit.log
- Save your changes.
- Restart httpd:
  # systemctl restart httpd
Success: Audit logging is now enabled and running in your httpd server. You can now check /var/log/httpd/modsec_audit.log to troubleshoot issues you may encounter in OP5 Monitor.
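To find out which rules are causing errors, the audit log can be summarised per request. The following is an added example, not part of OP5 Monitor or the original page: it assumes the Serial format configured above, with rule matches appearing as Message: lines carrying an [id "..."] tag in part H, and it runs against a constructed sample rather than a real log.

```python
import re

# Constructed sample in Serial format: only parts A, B, H and Z are shown, blank
# lines between parts are omitted, and every id, address and path is made up.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[12/Mar/2024:10:15:01 +0000] ZfAbCdEfGhIj 192.0.2.10 51234 192.0.2.20 443
--a1b2c3d4-B--
GET /monitor/index.php/listview?q=example HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [id "1000001"] [msg "Sample rule A"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--
--e5f6a7b8-A--
[12/Mar/2024:10:16:40 +0000] ZfAbCdEfGhIk 192.0.2.11 51300 192.0.2.20 443
--e5f6a7b8-B--
POST /api/config/host HTTP/1.1
--e5f6a7b8-H--
Message: Warning. [id "1000002"] [msg "Sample rule B"]
Message: Warning. [id "1000001"] [msg "Sample rule A"]
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")  # e.g. --a1b2c3d4-H--
REQ_PATH = re.compile(r"^\S+ ([^ ?]+)")               # path without query string
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_transactions(text):
    """Split a Serial audit log into one {part letter: [lines]} dict per transaction."""
    txs, part = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(1)
            if part == "A":  # part A opens a new transaction
                txs.append({})
        elif txs and line:
            txs[-1].setdefault(part, []).append(line)
    return txs

def rule_hits(text):
    """Yield (path, rule ids, intercepted) for each logged transaction."""
    for tx in parse_transactions(text):
        path = REQ_PATH.match("".join(tx.get("B", [])[:1]))
        trailer = tx.get("H", [])
        ids = [i for l in trailer if l.startswith("Message:") for i in RULE_ID.findall(l)]
        blocked = any(l.startswith("Action: Intercepted") for l in trailer)
        yield (path.group(1) if path else "-", ids, blocked)
```

On a live server, pass the contents of /var/log/httpd/modsec_audit.log to rule_hits; entries with intercepted set to True are the requests that were denied, and their rule ids are the ones to review.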
Enable debugging
To enable debug mode in the logs, do the following:
- Navigate to, and open /etc/httpd/conf.d/monitor-mod_security.conf.
- In the configuration file, set SecDebugLogLevel to 9.
- Save your changes.
- Restart httpd:
  # systemctl restart httpd
Success: Debug mode is now enabled and running in your httpd server. You can now check /var/log/httpd/modsec_debug.log to troubleshoot issues you may encounter in OP5 Monitor.
For more information on ModSecurity log levels, see SecDebugLogLevel in the ModSecurity Reference Manual.
Disable ModSecurity
Before you disable ModSecurity, first check that mod_security is loaded in the server by running the following command:
# apachectl -M | grep sec
If mod_security is loaded, you will find security2_module in the response. You can disable it by doing the following:
- Navigate to, and open /etc/httpd/conf.modules.d/10-mod_security.conf.
- Comment out every line in the file.
- Save your changes.
- Restart httpd:
  # systemctl restart httpd
- To confirm that the module is no longer loaded, run the check command once more.
Caution: It is not recommended to disable ModSecurity permanently. This option is presented to aid in troubleshooting. For further assistance, contact ITRS Support.