OP5 Monitor

Managing ModSecurity

Overview

Beginning with OP5 Monitor 8.1.3, ModSecurity has been introduced to enhance security and prevent cross-site scripting (XSS) attempts.

Since this feature introduces many changes across OP5 Monitor, this topic walks you through common errors you may encounter in your implementation, as well as some best practices that have been identified.

How ModSecurity works

ModSecurity is an open-source web application firewall that is bundled as an Apache module. It filters every request made to the Apache web server and applies the OWASP ModSecurity Core Rule Set as a basis for allowing or denying the request.

Monitor uses a tailor-made core rule set to ensure a seamless experience. If you are using a customised httpd environment, then you may experience issues. Error messages you may encounter with ModSecurity include "Forbidden" or "You don't have permission to access <file>".

Configuration files

In OP5 Monitor, the following configuration files can be found in /etc/httpd/:

  • conf.modules.d/10-mod_security.conf — loads the mod_security module. Only change when disabling ModSecurity. For guidance, see Disable ModSecurity.
  • conf.d/monitor-mod_security.conf — contains your changes to mod_security. This file takes precedence over conf.d/mod_security.conf. For guidance, see Enable audit logging and Enable debugging.
  • conf.d/mod_security.conf — default configuration for mod_security. Do not change this file unless instructed by ITRS Support.

Log files

In OP5 Monitor, the following logs can be found in /var/log/httpd/:

  • modsec_audit.log — if audit logging is set up, logs every rule encountered. This is useful for finding out which rules are causing errors. For guidance, see Enable audit logging.
  • modsec_debug.log — if debug is enabled, logs everything. For guidance, see Enable debugging.

Best practices

With ModSecurity running, the following practices are recommended to improve your server performance and reduce errors you may encounter:

Enable audit logging

To enable ModSecurity audit logging, do the following:

  1. Navigate to, and open /etc/httpd/conf.d/monitor-mod_security.conf.
  2. In the configuration file, add the following lines after the initial <IfModule mod_security2.c> statement:

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^2-5
    SecAuditLogParts ABCIFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log

  3. Save your changes.
  4. Restart httpd:

    # systemctl restart httpd

Success: Audit logging is now enabled and running in your httpd server. You can now check /var/log/httpd/modsec_audit.log to troubleshoot issues you may encounter in OP5 Monitor.
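Once audit logging is on, the Serial-format log can be summarised to see which rules sit behind Forbidden responses. The following is an added example, not part of OP5 Monitor or the original page. The function names, the sample log entries, and the rule ids and paths in them are constructed for illustration.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
RULE_ID = re.compile(r'^Message: .*?\[id "(\d+)"\]', re.M)
# Constructed sample in Serial format; rule ids, paths and hosts are made up.
SAMPLE = """--1a2b3c4d-A--
[01/Jan/2024:10:00:00 +0000] constructed-txn-1 192.0.2.10 50000 192.0.2.20 443
--1a2b3c4d-B--
GET /example/listview?q=test HTTP/1.1
--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
--1a2b3c4d-H--
Message: Warning. [id "100002"] [msg "constructed rule"]
Message: Access denied with code 403 (phase 2). [id "100001"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[01/Jan/2024:10:00:05 +0000] constructed-txn-2 192.0.2.10 50001 192.0.2.20 443
--5e6f7a8b-B--
GET /example/status HTTP/1.1
--5e6f7a8b-F--
HTTP/1.1 200 OK
--5e6f7a8b-H--
Message: Warning. [id "100002"] [msg "constructed rule"]
--5e6f7a8b-Z--
"""

def transactions(text):
    """Yield (path, status, rule_ids) for each complete A..Z audit entry."""
    parts, section = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m is None:
            if section and line:
                parts.setdefault(section, []).append(line)
            continue
        section = m.group(1)
        if section == "A":    # new entry; drops a truncated previous one
            parts = {}
        elif section == "Z":  # entry complete: summarise it
            req, resp = (parts.get(k, [""])[0].split() for k in "BF")
            ids = RULE_ID.findall("\n".join(parts.get("H", [])))
            yield (req[1].split("?")[0] if len(req) > 1 else "",
                   resp[1] if len(resp) > 1 else "", ids)

def rules_behind_denials(text):
    """Count (rule id, path) pairs for requests answered with 403 Forbidden."""
    return Counter((rid, path) for path, status, ids in transactions(text)
                   if status == "403" for rid in ids)
```

To use it on a live server, pass the contents of /var/log/httpd/modsec_audit.log to rules_behind_denials and review the most frequent pairs first.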

Enable debugging

To enable debug mode in the logs, do the following:

  1. Navigate to, and open /etc/httpd/conf.d/monitor-mod_security.conf.
  2. In the configuration file, set SecDebugLogLevel to 9.
  3. Save your changes.
  4. Restart httpd:

    # systemctl restart httpd

Success: Debug mode is now enabled and running in your httpd server. You can now check /var/log/httpd/modsec_debug.log to troubleshoot issues you may encounter in OP5 Monitor.

For more information on ModSecurity log levels, see SecDebugLogLevel in the ModSecurity Reference Manual.

Disable ModSecurity

Before you disable ModSecurity, first check that mod_security is loaded in the server by running the following command:

# apachectl -M | grep sec

If mod_security is loaded, you will find security2_module in the response. You can disable it by doing the following:

  1. Navigate to, and open /etc/httpd/conf.modules.d/10-mod_security.conf.
  2. Comment out every line in the file.
  3. Save your changes.
  4. Restart httpd:

    # systemctl restart httpd

  5. To confirm that the module is no longer loaded, run the check command once more.

Caution: It is not recommended to disable ModSecurity permanently. This option is presented to aid in troubleshooting. For further assistance, contact ITRS Support.