Closed udi-aharon closed 3 months ago
Thanks @udi-aharon. That issue is probably due to us now using the unprivileged nginx image.
I checked. What you're seeing is the expected behaviour for the unprivileged image. That being said, IMO you should not log to the container filesystem anyway but to a mount point. That should also take care of the permissions:
touch /tmp/host-fs-auditlog.log
docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/var/log/modsec_audit.log -d -v /tmp/host-fs-auditlog.log:/var/log/modsec_audit.log owasp/modsecurity-crs:3.3.5-nginx-202402070602
Shall we add this to the documentation?
Not a bad idea.
I checked. What you're seeing is the expected behaviour for the unprivileged image. That being said, IMO you should not log to the container filesystem anyway but to a mount point. That should also take care of the permissions:
touch /tmp/host-fs-auditlog.log docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/var/log/modsec_audit.log -d -v /tmp/host-fs-auditlog.log:/var/log/modsec_audit.log owasp/modsecurity-crs:3.3.5-nginx-202402070602
This works. thank you!
PR to document volume mounts for logs: https://github.com/coreruleset/modsecurity-crs-docker/pull/225
Modsecurity audit log is written only to stdout, even when MODSEC_AUDIT_LOG is set. The problem seems to be a permission issue which nginx user can't write to the native "/var/log/" directory. Workaround - set MODSEC_AUDIT_LOG to "/tmp/modsec_audit.log"
Logs are written only to stdout: docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/var/log/modsec_audit.log -d owasp/modsecurity-crs:3.3.5-nginx-202402070602
Workaround: docker run -dti -p 80:80 --rm -e MODSEC_AUDIT_ENGINE=on -e MODSEC_AUDIT_LOG=/tmp/modsec_audit.log -d owasp/modsecurity-crs:3.3.5-nginx-202402070602