Apache mod_security: DSO versus compiled-in


HughA
01-14-2006, 03:18 AM
I am in the process of setting up a web site - Apache 2.2 on Fedora Core 4 - and I am using the Center [sic] for Internet Security vulnerability scanner for hardening purposes.

This scanner checks for mod_security by means of the 'httpd -l' command, and complains that mod_security is not compiled-in. What I have done is set mod_security up as a DSO (dynamic shared object) which will be included at run time.

The CIS scanner is written for Apache 1.3, and the command to check for DSOs ('httpd -M') was not available in that version. So my question is: are there any security implications of running mod_security as a DSO, rather than having it compiled in?

Thanks in advance for any feedback on this :-)

Regards,
Hugh

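The check the scanner and the poster disagree about comes down to two commands: 'httpd -l' lists only the modules linked into the binary, while 'httpd -M' (Apache 2.x) parses the configuration and lists static and shared modules alike. The script below is an added example, not code from the thread or from the CIS scanner; it parses both outputs and reports whether mod_security is compiled in, loaded as a DSO, or absent. The two sample outputs are constructed to resemble an Apache 2.2 prefork build loading mod_security as a DSO, and the module names it matches (mod_security.c / security_module for 1.x, mod_security2.c / security2_module for 2.x) are the ones those releases register.

```shell
#!/bin/sh
# Added example (not from the forum thread). Distinguishes a compiled-in
# mod_security (visible to `httpd -l`) from one loaded as a DSO (visible only
# to `httpd -M`, which reads the config and lists shared modules too).

# Constructed sample of `httpd -l` on a build where mod_security is NOT
# compiled in.
SAMPLE_L='Compiled in modules:
  core.c
  mod_authn_file.c
  prefork.c
  http_core.c
  mod_so.c'

# Constructed sample of `httpd -M 2>&1` on the same build, with mod_security
# loaded via a LoadModule line in the config.
SAMPLE_M='Loaded Modules:
 core_module (static)
 authn_file_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 security_module (shared)
Syntax OK'

# check_compiled_in OUTPUT_OF_HTTPD_L
# Succeeds if mod_security.c or mod_security2.c is listed as compiled in.
check_compiled_in() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mod_security2?\.c$'
}

# check_loaded OUTPUT_OF_HTTPD_M
# Succeeds if security_module / security2_module is listed, static or shared.
check_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*security2?_module \((static|shared)\)$'
}

# mod_security_status OUTPUT_OF_HTTPD_L OUTPUT_OF_HTTPD_M
# Prints "compiled-in", "dso" or "missing".
mod_security_status() {
    if check_compiled_in "$1"; then
        echo compiled-in
    elif check_loaded "$2"; then
        echo dso
    else
        echo missing
    fi
}

# Against the constructed samples the -l check fails and the -M check succeeds,
# which is exactly the situation the scanner flags.
mod_security_status "$SAMPLE_L" "$SAMPLE_M"

# On a real Apache 2.x host, feed it the live output instead:
#   mod_security_status "$(httpd -l)" "$(httpd -M 2>&1)"
```

Because 'httpd -M' gets its answer by parsing the configuration on disk, its result is only as good as that file: a LoadModule line that is commented out or deleted makes the module disappear from the list, whereas 'httpd -l' reflects the binary itself. That is the practical difference between the two build styles, not any change in what the module does once loaded.
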
bwkaz
01-15-2006, 03:15 PM
I'm not sure how there could be -- unless your config file changes, so that it no longer loads the mod_security DSO. One possible way that could happen is a mistake made when editing it. Another way would be if an attacker somehow got root on the machine (although that would open up another whole can of worms; removing mod_security is probably much less destructive than replacing your httpd executable).

But apart from that, I don't believe there's much difference between building a certain function in and building it as a DSO.