Issue
ModSecurity does not remove temporary files from the /tmp directory if any error occurs during file upload. This can fill up the storage space on the /tmp partition.
[Wed Apr 17 18:31:53.016522 2024] [:error] [pid 21272:tid 140630835582720] [client xx.xx.xx.xx:50xxx] [client 1x.xx.xx.xx] ModSecurity: Input filter: Failed to delete temporary file: /var/imunify360/tmp_modsec/20240417-180444-Zh-zHLHhgLeg4xbxnJtX1gAAAQE-request_body-LpQVUd [hostname "xxxxx"] [uri "/error_docs/internal_server_error.html"] [unique_id "Zh-zHLHhgLeg4xbxnJtX1gAAAQE"]
Environment
- Imunify360
- ModSecurity
- Any supported panel
- Any supported OS
Solution
As a workaround, create a cron file with the following content:
# cat /etc/cron.daily/remove_modsec_temp_files.cron
#!/bin/bash
# remove modsec temporary files not deleted automatically due to modsecurity bug
/bin/find /tmp/ -name "*-file-*" -mtime +1 -type f -delete
It will delete such files from the /tmp directory on a daily basis.
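A report-first variant of the cleanup, as an added example that is not Imunify360 or ModSecurity code: it counts and sizes the leftover files before anything is removed, and deletes only when --delete is passed. It assumes GNU find; the function names and the script name modsec_tmp_report.sh are hypothetical, and limiting the search to the top level of the directory is an assumption the workaround itself does not make.

```bash
#!/bin/bash
# Added example, not Imunify360 or ModSecurity code. Assumes GNU find.
# Reports leftover ModSecurity upload temp files; deletes them only on request.

# stale_find DIR PATTERN DAYS [find actions...]
# -maxdepth 1 and -xdev keep the search inside DIR itself (assumption: the
# temp files are not nested); -type f never matches symlinks or directories.
# "-mtime +1" matches files at least two full days old, because find drops
# the fractional part of the age in days.
stale_find() {
    sf_dir=$1; sf_pat=$2; sf_days=$3; shift 3
    find "$sf_dir" -maxdepth 1 -xdev -type f -name "$sf_pat" -mtime "+$sf_days" "$@"
}

# stale_summary DIR PATTERN DAYS  ->  prints "COUNT BYTES"
stale_summary() {
    stale_find "$1" "$2" "$3" -printf '%s\n' |
        awk '{ n++; s += $1 } END { print n + 0, s + 0 }'
}

# cleanup_stale [DIR] [PATTERN] [DAYS] [--delete]
# Defaults are the values used in the workaround. Without --delete: dry run.
cleanup_stale() (
    dir=${1:-/tmp}; pattern=${2:-*-file-*}; days=${3:-1}; mode=${4:-report}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    set -- $(stale_summary "$dir" "$pattern" "$days")
    echo "dir=$dir pattern=$pattern older_than_days=$days files=$1 bytes=$2"
    if [ "$mode" = "--delete" ]; then
        stale_find "$dir" "$pattern" "$days" -delete
    else
        stale_find "$dir" "$pattern" "$days" -print
    fi
)

# Runs only when arguments are given, for example:
#   ./modsec_tmp_report.sh /tmp '*-file-*' 1            # report
#   ./modsec_tmp_report.sh /tmp '*-file-*' 1 --delete   # remove
if [ $# -gt 0 ]; then cleanup_stale "$@"; fi
```

The log line in the Issue section shows a request_body file under /var/imunify360/tmp_modsec, so the report can also be pointed at that directory with the pattern '*-request_body-*' to see whether files accumulate there.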
Cause
The issue is likely related to a bug in ModSecurity itself: if any error occurs during file upload, temporary files are not deleted. An example of such an error:
ModSecurity: Error reading request body: Software caused connection abort
If there are no such errors, temporary files are deleted successfully.
Task id DEF-19352 can be tracked in the changelog for future releases.
Useful links
- Imunify360 Hosting Panels Firewall Rulesets Specific Settings & ModSec.
- crontab(5) — Linux manual page.
- Imunify360 changelog.