I hope you are well!
Perhaps someone might be able to point me in the right direction, as I seem to be getting nowhere with this. I encountered an issue where cxswatch is unable to scan files in the /tmp folder. In the logs, I can see the following error:
[Fri Jun 20 13:38:16.491919 2025] [security2:error] [pid 495715:tid 495715] [client xxxxxxxxxx:37258] ModSecurity: Exec: Execution failed while reading output: /etc/cxs/cxscgi.sh (End of file found) [hostname "www.xxxxx.ie"] [uri "/test.php"] [unique_id "aFVWONxZfsj4pwg6oq3dZwAAAA4"]
This is happening on a bare metal server, while I have a VPS with an identical config that works as intended. If I run an on-demand scan, it works without issues.
OS: AlmaLinux 8.10.0
cPanel: 128.0.14
/tmp is mounted on /usr/tmpDSK with noexec,nosuid (same on both servers)
What I’ve Confirmed So Far
- cxscgi.sh exists, is executable, owned by root, and works when run manually.
- CXS symlink is correct: /usr/sbin/cxs -> /etc/cxs/cxs.pl
- sh points to bash on both servers
- All ModSecurity config files are identical (diffed line by line)
- SecTmpDir and SecUploadDir are both set to /tmp
- Tried changing PHP session path back from /tmp to the default /var/cpanel/php/sessions/ea-phpXX
- No difference when trying with different PHP versions
- Tested file ownership and permissions (755 for script); CXS quarantine/logging works outside of ModSecurity
- mount | grep noexec returns nearly identical outputs on both systems — /tmp has noexec in both