(22)Invalid argument: mod_security: apr_global_mutex_unlock(modsec_auditlog_lock) failed

Hi List!

Does somebody know what this means in Apachelogfile?:

[...]
[Mon May 01 10:37:25 2006] [error] (22)Invalid argument: mod_security:
apr_global_mutex_lock(modsec_auditlog_lock) failed
[Mon May 01 10:37:25 2006] [error] (22)Invalid argument: mod_security:
apr_global_mutex_unlock(modsec_auditlog_lock) failed
[...]

My packages are on Debian this:

# dpkg -l | grep apache2
ii  apache2                         2.0.55-4
next generation, scalable, extendable web se
ii  apache2-common                  2.0.55-4
next generation, scalable, extendable web se
ii  apache2-gotrootrules            0.1.0-2
Gotroot.com modsecurity(TM) rules/signatures
ii  apache2-mpm-prefork             2.0.55-4
traditional model for Apache2
ii  apache2-utils                   2.0.55-4
utility programs for webservers
ii  libapache2-mod-perl2            1.999.23-1
Integration of perl with the Apache2 web ser
ii  libapache2-mod-php4             4.4.2-1
server-side, HTML-embedded scripting languag
ii  libapache2-mod-python           3.1.3-3                           An
Apache module that embeds Python within t

defeating slash control system

Hi all,

Am I correct that using mod_security one can't reject 'POST //script.php?blaah' and pass 'POST
/script.php?blaah' at the same time?

thanks,
Uve

Re: defeating slash control system

On 5/2/06, Uve Lokk <Uve.Lokk <at> riigikogu.ee> wrote:
> Hi all,
>
> Am I correct that using mod_security one can't reject 'POST //script.php?blaah' and pass 'POST
/script.php?blaah' at the same time?

Not right now, with 1.9.x, because this version performs implicit
normalisation that results in two slashes being combined into one. But
2.x, which is around the corner (next week), can be configured not to
transform the input data and makes it possible to detect the case you
are asking about.

Why do you need this BTW?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0709&bid&3057&dat1642

Re: (22)Invalid argument: mod_security: apr_global_mutex_unlock(modsec_auditlog_lock) failed

On 5/1/06, Peter Padberg <pp <at> padberg-it.com> wrote:
> Hi List!
>
> Does somebody know what this means in Apachelogfile?:
>
> [...]
> [Mon May 01 10:37:25 2006] [error] (22)Invalid argument: mod_security:
> apr_global_mutex_lock(modsec_auditlog_lock) failed
> [Mon May 01 10:37:25 2006] [error] (22)Invalid argument: mod_security:
> apr_global_mutex_unlock(modsec_auditlog_lock) failed
> [...]

It means the locking mechanism does not work on your system. Now, this
is something normally handled by Apache, not ModSecurity. It might
depend on your kernel and/or Apache configuration. With no locking in
place usage of the serial audit logger could result in data
corruption. You should be safe with the concurrent audit logger.

I will contact you next week to debug the issue if you are interested.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0709&bid&3057&dat1642

Re: (22)Invalid argument: mod_security: apr_global_mutex_unlock(modsec_auditlog_lock) failed

Am Dienstag, den 02.05.2006, 10:32 +0100 schrieb Ivan Ristic:
> On 5/1/06, Peter Padberg <pp <at> padberg-it.com> wrote:
> > Hi List!
> >
> > Does somebody know what this means in Apachelogfile?:
> >
> > [...]
> > [Mon May 01 10:37:25 2006] [error] (22)Invalid argument: mod_security:
> > apr_global_mutex_lock(modsec_auditlog_lock) failed
> > [Mon May 01 10:37:25 2006] [error] (22)Invalid argument: mod_security:
> > apr_global_mutex_unlock(modsec_auditlog_lock) failed
> > [...]
> 
> It means the locking mechanism does not work on your system. 
Ok.

> Now, this
> is something normally handled by Apache, not ModSecurity. 
Ok, sorry .

> It might
> depend on your kernel and/or Apache configuration. With no locking in
> place usage of the serial audit logger could result in data
> corruption. You should be safe with the concurrent audit logger.
Sorry?
I dont know what you exactly mean, but I only use the rules from:
http://gotroot.com/tiki-index.php?page=mod_security+rules

Maybe I must RTFM.

Re: (22)Invalid argument: mod_security: apr_global_mutex_unlock(modsec_auditlog_lock) failed

On 5/2/06, Peter Padberg <pp <at> padberg-it.com> wrote:
>
> > It might
> > depend on your kernel and/or Apache configuration. With no locking in
> > place usage of the serial audit logger could result in data
> > corruption. You should be safe with the concurrent audit logger.
> Sorry?
> I dont know what you exactly mean, but I only use the rules from:
> http://gotroot.com/tiki-index.php?page=mod_security+rules
>
> Maybe I must RTFM.

Possibly :) Audit log comes in two flavours. One, where a single file
is used to store the log entries, and the other, where each log entry
goes into its own file. The lock is only used to synchronise file
writes then a single file is used.

> > I will contact you next week to debug the issue if you are interested.
> I had reboot HW-Node and after that the error appears never more.
> It is not a fine bugfix, but it works for me.

What is a HW-Node? In that case you might have had a problem with too
many shared memory mutexes. If the problem occurs again run "ipcs" and
store the output. If your Apache crashes it might not release the
mutexes and, over time, it might exhaust all of them.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: (22)Invalid argument: mod_security: apr_global_mutex_unlock(modsec_auditlog_lock) failed

Am Dienstag, den 02.05.2006, 20:40 +0100 schrieb Ivan Ristic:
> On 5/2/06, Peter Padberg <pp <at> padberg-it.com> wrote:
> >
> > > It might
> > > depend on your kernel and/or Apache configuration. With no locking in
> > > place usage of the serial audit logger could result in data
> > > corruption. You should be safe with the concurrent audit logger.
> > Sorry?
> > I dont know what you exactly mean, but I only use the rules from:
> > http://gotroot.com/tiki-index.php?page=mod_security+rules
> >
> > Maybe I must RTFM.
> 
> Possibly :) Audit log comes in two flavours. One, where a single file
> is used to store the log entries, and the other, where each log entry
> goes into its own file. The lock is only used to synchronise file
> writes then a single file is used.
Ok. thank you.
I dont study manual very much.

> > > I will contact you next week to debug the issue if you are interested.
> > I had reboot HW-Node and after that the error appears never more.
> > It is not a fine bugfix, but it works for me.
> 
> What is a HW-Node? 
I mean a dedicated Server.

> In that case you might have had a problem with too
> many shared memory mutexes. If the problem occurs again run "ipcs" and
> store the output. If your Apache crashes it might not release the

RE: defeating slash control system

> > Am I correct that using mod_security one can't reject 'POST 
> //script.php?blaah' and pass 'POST /script.php?blaah' at the 
> same time?
> 
> Why do you need this BTW?

In the forum /guestbook of a web server which is under my administration , the pattern 'POST /' is a normal
behaviour, all requests with 'POST //...' have abusive content and (probably) generated by scripts.

The CMS of that web server does not have captcha-feature (yet), at the same time simple user authentication
is too restrictive for people who want to share their problems and opinions with a governmental
institution, and therefore isn't an option.

Uve

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0709&bid&3057&dat1642

SecAudit Log Problem with Security on windows...

Re: SecAudit Log Problem with Security on windows...

Use allowoverride in apache config? :) In the meantime, i don't really understand your problem. I 
would be more anxius about windows/apache...

Regards,
andrej

Jcink Coolcat wrote:
> Hi,
> 
> I want to keep htaccess on but I have discovered a problem if I do so... 
> and
> leave mod security up.
> 
> SecAuditEngine On
> SecAuditLog "C:\Apache\www\lol.php"
> 
> People can do this in htaccess. Goes right above the root folder. Is there
> any thing I can do to shut down their ability to do this? Because I think
> this is a BIG BIG security risk. Someone could inject PHP into their
> headers, trigger a security rule, get logged and well... there you go.
> 
> I am on windows. Permissions are not an option, so I am asking if there is
> some way to shut this down without disabling mod security.
> 
> Thanks,
> Dan
> 

-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642