So you did QA testing with mod_security on!!!
The following for CentOS 7:
But not exactly ... adjusted above to suit and for CentOS 7
Can mod_sec installed via yum ... mod_security + rules.
Then restart apache service.
Logs ... set up multi tail for
multitail -i /var/log/httpd/ssl_error_log -i /var/log/httpd/modsec_audit.log -i /var/log/httpd/modsec_debug.log
Following could be scripted but ...
grep ModSecurity /var/log/httpd/ssl_error_log > modsechits.txt
fgrep "[id" modsechits.txt
If your bash shell shows items found in red, id will be highlighted red.
Looking for references in file like: '[id "950109"]'
Those are the rules that tripped mod_security passing back to apache what might be false errors.
Example found 3 rules.
Am not sharing here to see if you, Al, get the same on a 3.7.highest ... nothing special about that moodle ... stock.
Anyhoo, after study of those, a gulp, then added bypasses with SecRuleRemoveById:
echo "SecRuleRemoveById 950109" >> /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
echo "SecRuleRemoveById 981173" >> /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
echo "SecRuleRemoveById 981204" >> /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
I have a backup of modsecurity_crs_10_config.conf - original state ... the SecRuleRemoveById adds them to the bottom of the file.
Tested the 3.7.highest some more ... no 404's no permissions denied ...
Once I'm done ...
Restart apache service for good measure.
Never thought, when I first began to use Moodle, that I'd have to put on a 'heavier security hat' (like a WWII Army helmet!) ... but that's the nature of the beast and internet these days! :|
Gotta take the helmet off now ... getting heavy and I need to get back to watchin' the Cowboys (in Texas ... what can I say!)
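
The grep steps in the post above, scripted as an added example that is not part of the original post: it counts rule ids per URI from the error log and prints only the SecRuleRemoveById lines that are not already in the config. The function names, the MODSEC_CONF variable and the sample log entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): tally ModSecurity rule ids per
# URI from an Apache error log, and list removals not yet in the config.

# Print "count id uri" for each (rule id, uri) pair, most frequent first.
# Entries without a [uri "..."] tag are counted under uri "-".
modsec_rule_hits() {
    awk '
    /ModSecurity/ && match($0, /\[id "[0-9]+"\]/) {
        id = substr($0, RSTART + 5, RLENGTH - 7)
        uri = "-"
        if (match($0, /\[uri "[^"]*"\]/))
            uri = substr($0, RSTART + 6, RLENGTH - 8)
        hits[id " " uri]++
    }
    END { for (k in hits) print hits[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print "SecRuleRemoveById <id>" for each id not already in config file $1,
# so repeated runs never produce the same directive twice.
missing_removals() {
    conf=$1; shift
    for id in "$@"; do
        grep -qx "SecRuleRemoveById $id" "$conf" 2>/dev/null ||
            echo "SecRuleRemoveById $id"
    done
}

# Constructed, simplified sample entries (client, host, uri, msg are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
[Sun Nov 10 14:02:11 2019] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Warning. [id "981173"] [msg "constructed"] [hostname "moodle.example.test"] [uri "/course/view.php"]
[Sun Nov 10 14:02:15 2019] [:error] [pid 1234] [client 192.0.2.10] ModSecurity: Warning. [id "981173"] [msg "constructed"] [hostname "moodle.example.test"] [uri "/course/view.php"]
[Sun Nov 10 14:03:02 2019] [:error] [pid 1240] [client 192.0.2.11] ModSecurity: Warning. [id "950109"] [msg "constructed"] [hostname "moodle.example.test"] [uri "/mod/forum/post.php"]
[Sun Nov 10 14:03:02 2019] [:error] [pid 1240] [client 192.0.2.11] ModSecurity: Warning. [id "981204"] [msg "constructed"]
[Sun Nov 10 14:04:40 2019] [ssl:warn] [pid 1200] constructed non-ModSecurity line
EOF
}

# Demo on the sample log. For real use, pass ssl_error_log to modsec_rule_hits
# and set MODSEC_CONF to the config file (assumed variable name).
sample=$(mktemp)
write_sample_log "$sample"
modsec_rule_hits "$sample"
missing_removals "${MODSEC_CONF:-/dev/null}" 950109 981173 981204
rm -f "$sample"
```

Both functions only print; nothing is appended to the config until the output has been reviewed.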