libmodsecurity version is no longer printed on startup

Question

libmodsecurity version is no longer printed on startup

Closed this issue 5 months ago · 12 comments

ne20002 commented 6 months ago

I realized that the version of the used libmodsecurity is no longer printed with latest version.

This is an older version of owasp/modesecurity:nginx

2025/05/25 13:21:00 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/833/0)
2025/05/25 13:21:00 [notice] 1#1: libmodsecurity3 version 3.0.13
2025/05/25 13:21:00 [notice] 1#1: using the "epoll" event method
2025/05/25 13:21:00 [notice] 1#1: nginx/1.27.3
2025/05/25 13:21:00 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2025/05/25 13:21:00 [notice] 1#1: OS: Linux 6.1.0-37-amd64
2025/05/25 13:21:00 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2025/05/25 13:21:00 [notice] 1#1: start worker processes
2025/05/25 13:21:00 [notice] 1#1: start worker process 6
2025/05/25 13:21:00 [notice] 1#1: start worker process 7
2025/05/25 13:21:00 [notice] 1#1: start worker process 8
2025/05/25 13:21:00 [notice] 1#1: start worker process 9
2025/05/25 13:21:00 [notice] 1#1: start worker process 10
2025/05/25 13:21:00 [notice] 1#1: start worker process 11
2025/05/25 13:21:00 [notice] 1#1: start worker process 12
2025/05/25 13:21:00 [notice] 1#1: start worker process 13

This is the current version:

2025/05/25 13:00:36 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/943/0)
2025/05/25 13:00:36 [notice] 1#1: using the "epoll" event method
2025/05/25 13:00:36 [notice] 1#1: nginx/1.28.0
2025/05/25 13:00:36 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2025/05/25 13:00:36 [notice] 1#1: OS: Linux 6.1.0-37-amd64
2025/05/25 13:00:36 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2025/05/25 13:00:36 [notice] 1#1: start worker processes
2025/05/25 13:00:36 [notice] 1#1: start worker process 6
2025/05/25 13:00:36 [notice] 1#1: start worker process 7
2025/05/25 13:00:36 [notice] 1#1: start worker process 8
2025/05/25 13:00:36 [notice] 1#1: start worker process 9
2025/05/25 13:00:36 [notice] 1#1: start worker process 10
2025/05/25 13:00:36 [notice] 1#1: start worker process 11
2025/05/25 13:00:36 [notice] 1#1: start worker process 12
2025/05/25 13:00:36 [notice] 1#1: start worker process 13

Answer 1 · 2025-05-25T12:21:59.000Z

Hi @ne20002,

I realized that the version of the used libmodsecurity is no longer printed with latest version.

This is an older version of owasp/modesecurity:nginx

owasp/modesecurity:nginx - this means you use Coreruleset's docker image? Or how did you install the connector?

Here are mine (both output are from the same server), first the older version:

2025/05/25 13:21:00 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/833/0)
2025/05/25 13:21:00 [notice] 1#1: libmodsecurity3 version 3.0.13

2025/05/22 14:14:14 [notice] 1102801#1102801: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/1068/0)

==%==

and the new one

This is the current version:

2025/05/25 13:00:36 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/943/0)

2025/05/22 18:28:55 [notice] 1151830#1151830: ModSecurity-nginx v1.0.4 (rules loaded inline/local/remote: 0/1069/0)
2025/05/22 18:28:55 [notice] 1151830#1151830: libmodsecurity3 version 3.0.14

I use our own public ModSecurity repository.

Answer 2 · 2025-05-25T12:33:10.000Z

Hi @airween
Yes, I use the coreruleset docker image from docker hub.

Answer 3 · 2025-05-25T12:59:31.000Z

I wanted to be sure that the versioning is good so now I checked it again.

The mentioned log message is generated here

    ngx_log_error(NGX_LOG_NOTICE, cf->log, 0,
                  "%s (rules loaded inline/local/remote: %ui/%ui/%ui)",
                  MODSECURITY_NGINX_WHOAMI, mmcf->rules_inline,
                  mmcf->rules_file, mmcf->rules_remote);

As you can see this function uses MODSECURITY_NGINX_WHOAMI macro, which is defined here.

#define MODSECURITY_NGINX_WHOAMI "ModSecurity-nginx v" \
    MODSECURITY_NGINX_VERSION

and the MODSECURITY_NGINX_VERSION macro is defined here:

#define MODSECURITY_NGINX_VERSION MODSECURITY_NGINX_MAJOR "." \
    MODSECURITY_NGINX_MINOR "." MODSECURITY_NGINX_PATCHLEVEL \
    MODSECURITY_NGINX_TAG

So the version contains the MAJOR, MINOR, PATCHLEVEL and TAG macros with their prefix, which - in the new version - are here:

#define MODSECURITY_NGINX_MAJOR "1"
#define MODSECURITY_NGINX_MINOR "0"
#define MODSECURITY_NGINX_PATCHLEVEL "4"
#define MODSECURITY_NGINX_TAG ""

As you can see, here the PATCHLEVEL is 4. I don't think there is any other hardcoded version string which can appear in the log.

Answer 4 · 2025-05-25T13:02:14.000Z

Hmm, still ... I'm missing the libmodsecurity3 version 3.0.14 I would expect in the error log as it has been printed before.

Answer 5 · 2025-05-25T13:16:21.000Z

Hmm, still ... I'm missing the libmodsecurity3 version 3.0.14 I would expect in the error log as it has been printed before.

Then I'm afraid the image contains the previously version.

The mentioned line is generated here:

    ngx_log_error(NGX_LOG_NOTICE, cf->log, 0,
                  "libmodsecurity3 version %s.%s.%s",
                  MODSECURITY_MAJOR, MODSECURITY_MINOR, MODSECURITY_PATCHLEVEL);

which was added in #319 based on #316, after v1.0.3, so it's part of v1.0.4 (but not part of previous releases).

@theseion do you have any idea, why isn't these information in log in case of Docker image?

Answer 6 · 2025-05-25T13:19:19.000Z

Actually it has been printed before 1.0.4.

docker.io/owasp/modsecurity-crs:4.10-nginx-202501050801 is printing:

2025/05/25 13:21:00 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/833/0)
2025/05/25 13:21:00 [notice] 1#1: libmodsecurity3 version 3.0.13
2025/05/25 13:21:00 [notice] 1#1: using the "epoll" event method
2025/05/25 13:21:00 [notice] 1#1: nginx/1.27.3
2025/05/25 13:21:00 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2025/05/25 13:21:00 [notice] 1#1: OS: Linux 6.1.0-37-amd64
2025/05/25 13:21:00 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576

while docker.io/owasp/modsecurity-crs:nginx is printing:

2025/05/25 13:00:36 [notice] 1#1: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/943/0)
2025/05/25 13:00:36 [notice] 1#1: using the "epoll" event method
2025/05/25 13:00:36 [notice] 1#1: nginx/1.28.0
2025/05/25 13:00:36 [notice] 1#1: built by gcc 12.2.0 (Debian 12.2.0-14) 
2025/05/25 13:00:36 [notice] 1#1: OS: Linux 6.1.0-37-amd64
2025/05/25 13:00:36 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576

Answer 7 · 2025-05-25T13:33:17.000Z

Actually it has been printed before 1.0.4.

Hmm... it's a bit weird to me. Let @theseion check this, probably he could find the cause. I think it's more an image issue and not the module.

Answer 8 · 2025-05-25T13:45:57.000Z

We haven't built the image with 1.0.4 yet. Going to do so now.

Answer 9 · 2025-05-25T14:11:14.000Z

Solving the issue by trying the next version. I like that. :D

Answer 10 · 2025-05-25T18:58:17.000Z

Here we go:

2025/05/25 18:57:44 [notice] 8#8: ModSecurity-nginx v1.0.4 (rules loaded inline/local/remote: 0/815/0)
2025/05/25 18:57:44 [notice] 8#8: libmodsecurity3 version 3.0.14

Answer 11 · 2025-05-25T19:02:03.000Z

@ne20002 - then can we close this issue?

Answer 12 · 2025-05-26T07:05:25.000Z

Thank you all.