From 9808ce47c597a25dd4662374b5bc30fe2a89f281 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Mon, 22 Jul 2024 15:23:51 +0200 Subject: [PATCH 1/9] CI improvement: First check syntax & always display error/audit logs --- .github/workflows/ci.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0c32ce189..4694c5071 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,8 +45,14 @@ jobs: sudo cp unicode.mapping /etc/apache2/ sudo mkdir -p /var/cache/modsecurity sudo chown -R www-data:www-data /var/cache/modsecurity + - name: first check config (to get syntax errors) + run: sudo apachectl configtest - name: start apache with module - run: | - sudo systemctl restart apache2.service - sudo cat /var/log/apache2/error.log - + run: sudo systemctl restart apache2.service + - name: Show httpd error log + if: always() + run: sudo cat /var/log/apache2/error.log + - name: Show mod_security2 audit log + if: always() + run: sudo cat /var/log/apache2/modsec_audit.log + # For non-regression tests: /home/runner/work/ModSecurity/ModSecurity/tests/regression/server_root/logs/audit/audit.log From ee9a2353a5ce56ec273e2f8873f68fa20f4d585d Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Mon, 22 Jul 2024 15:29:45 +0200 Subject: [PATCH 2/9] create audit log --- .github/security2.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/security2.conf b/.github/security2.conf index a503848ac..d9051b007 100644 --- a/.github/security2.conf +++ b/.github/security2.conf @@ -4,3 +4,5 @@ LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so SecDataDir /var/cache/modsecurity Include /etc/apache2/modsecurity.conf + +SecAuditLog /var/log/apache2/modsec_audit.log From 8723294cd188264d00b96bd925728737e60a4b66 Mon Sep 17 00:00:00 2001 
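Review bot: The new "Show mod_security2 audit log" step runs `sudo cat /var/log/apache2/modsec_audit.log` under `if: always()`, but nothing in this commit configures that path, so when the file is absent (Apache failed to start, or nothing was ever audited) the diagnostic step itself goes red and distracts from the step that actually failed. The next patch in the series adds the `SecAuditLog` directive, so this is mostly the start-failure case, but a diagnostics step should not add its own failure. Make the cat best-effort and say so explicitly: `run: sudo cat /var/log/apache2/modsec_audit.log || echo "::warning::no mod_security2 audit log at /var/log/apache2/modsec_audit.log"`. The same consideration applies to the "Show httpd error log" step, although error.log is far less likely to be missing.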
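Review bot: The added `SecAuditLog` comes after `Include /etc/apache2/modsecurity.conf`, which is what makes it override whatever path that file sets, but that ordering dependency is not written down and the hunk sets no `SecAuditEngine` or `SecAuditLogParts`, so what actually lands in the file is decided by the included config (I cannot see it from here). A one-line comment above the directive would save the next person from moving it above the Include: `# CI: audit log path printed by the "Show mod_security2 audit log" workflow step; keep after the Include so it overrides modsecurity.conf`.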
From: Marc Stern Date: Fri, 2 Aug 2024 11:19:34 +0200 Subject: [PATCH 3/9] Search for errors/warnings in error log and stop if found --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4694c5071..4eed4ef65 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -49,6 +49,14 @@ jobs: run: sudo apachectl configtest - name: start apache with module run: sudo systemctl restart apache2.service + - name: Search for errors/warnings in error log + run: | + errors="$(grep -E ":(?error|warn)[]]" /var/log/apache2/error.log)" + if [ -n "${errors}" ]; then + echo "Found errors/warnings in error.log" + echo "${errors}" + exit 1 + fi - name: Show httpd error log if: always() run: sudo cat /var/log/apache2/error.log From 4399ee9ba9ad73fcf3d8ced2dfaedd6653cb2266 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 2 Aug 2024 11:28:07 +0200 Subject: [PATCH 4/9] Fixed quotes --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4eed4ef65..516d5b210 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: run: sudo systemctl restart apache2.service - name: Search for errors/warnings in error log run: | - errors="$(grep -E ":(?error|warn)[]]" /var/log/apache2/error.log)" + errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) if [ -n "${errors}" ]; then echo "Found errors/warnings in error.log" echo "${errors}" From f5bbb0b8516cce33fca8f043f872f0a7a0dc6c51 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 2 Aug 2024 11:43:09 +0200 Subject: [PATCH 5/9] Fixed exit code in case of success --- .github/workflows/ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 516d5b210..9ec469c1a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
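Review bot: The pattern `':(?error|warn)[]]'` on the grep line is not a valid POSIX ERE: `(?` looks like a PCRE non-capturing group, but `grep -E` has no such construct, and a `?` with nothing to repeat is undefined in ERE. GNU grep appears to silently ignore the stray `?` (so it behaves as `(error|warn)`), while other grep implementations may reject the expression or treat the `?` literally, in which case the check matches nothing and passes. Drop the `?` so the intent is unambiguous: `':(error|warn)[]]'`. The same pattern is carried unchanged through the hunks of patches 4, 5, 6, 8 and 9, so the fix belongs in the final state of the step.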
@@ -52,11 +52,12 @@ jobs: - name: Search for errors/warnings in error log run: | errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) - if [ -n "${errors}" ]; then + if [[ -n "${errors}" ]]; then echo "Found errors/warnings in error.log" echo "${errors}" exit 1 fi + exit 0 - name: Show httpd error log if: always() run: sudo cat /var/log/apache2/error.log From 5de53cc72897f7e7e5dead81205f0ed3c4958293 Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Fri, 2 Aug 2024 12:11:16 +0200 Subject: [PATCH 6/9] handles the case grep doesn't match, otherwise the script exits with 1 (error) --- .github/workflows/ci.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9ec469c1a..5e6e58392 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,13 +51,12 @@ jobs: run: sudo systemctl restart apache2.service - name: Search for errors/warnings in error log run: | - errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) - if [[ -n "${errors}" ]]; then - echo "Found errors/warnings in error.log" - echo "${errors}" - exit 1 - fi - exit 0 + # '|| :' handles the case grep doesn't match, otherwise the script exits with 1 (error) + errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || : + if [[ -z "${errors}" ]]; then exit 0; fi + echo "Found errors/warnings in error.log" + echo "${errors}" + exit 1 - name: Show httpd error log if: always() run: sudo cat /var/log/apache2/error.log From 1680f5be9065fdd8aaefe96a8674c0c2c3f3e28c Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Wed, 14 Aug 2024 12:56:59 +0200 Subject: [PATCH 7/9] removed comment --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5e6e58392..18601e321 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
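Review bot: The `|| :` added to the grep line swallows every non-zero status, not just 1 (no match): grep exits 2 when `/var/log/apache2/error.log` is missing or unreadable, `${errors}` stays empty, and the step exits 0 — so a step meant to fail the build on Apache errors would silently pass. Unlike the `sudo cat` steps on either side, this grep runs without sudo, so whether the check is effective depends on the runner user being able to read the log, which the hunk does not establish. Capture the exit status instead and treat anything above 1 as a failure of the check itself, as below.
```yaml
      - name: Search for errors/warnings in error log
        run: |
          # grep exits 1 when nothing matches (fine) and 2 on a missing/unreadable log (not fine)
          rc=0
          errors=$(sudo grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || rc=$?
          if (( rc > 1 )); then
            echo "::error::could not read /var/log/apache2/error.log (grep exit ${rc})"
            exit "${rc}"
          fi
          if [[ -z "${errors}" ]]; then exit 0; fi
          # … unchanged: echo of the findings and exit 1 …
```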
@@ -63,4 +63,3 @@ jobs: - name: Show mod_security2 audit log if: always() run: sudo cat /var/log/apache2/modsec_audit.log - # For non-regression tests: /home/runner/work/ModSecurity/ModSecurity/tests/regression/server_root/logs/audit/audit.log From 4edeca70e4716f7c232cbd17a4dcfd5db78283af Mon Sep 17 00:00:00 2001 From: Marc Stern Date: Wed, 14 Aug 2024 19:12:03 +0200 Subject: [PATCH 8/9] Added "::error" in error message --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 18601e321..7594cae8d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,7 +54,7 @@ jobs: # '|| :' handles the case grep doesn't match, otherwise the script exits with 1 (error) errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || : if [[ -z "${errors}" ]]; then exit 0; fi - echo "Found errors/warnings in error.log" + echo "::error Found errors/warnings in error.log" echo "${errors}" exit 1 - name: Show httpd error log From d996f04e3acefb6ddbaedaf28d30fdd27a806946 Mon Sep 17 00:00:00 2001 From: Ervin Hegedus Date: Mon, 19 Aug 2024 16:47:09 +0200 Subject: [PATCH 9/9] Add trailing `::` sequence Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7594cae8d..f0582c878 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -54,7 +54,7 @@ jobs: # '|| :' handles the case grep doesn't match, otherwise the script exits with 1 (error) errors=$(grep -E ':(?error|warn)[]]' /var/log/apache2/error.log) || : if [[ -z "${errors}" ]]; then exit 0; fi - echo "::error Found errors/warnings in error.log" + echo "::error::Found errors/warnings in error.log" echo "${errors}" exit 1 - name: Show httpd error log