OWASP CRS v4.15.0 Just Release

Mod_Security should not overwrite anything, it only does that when you change a setting like ModSec Rules Profile or Rules ENgine.

It is not mod_security

I mentioned before, it is the CWP Security Daemon that is checking the integrity of the files and overwrites known system files that have unknown edits.

My host (InMotion Hosting) confirmed that to me. Maybe it's their custom security module. I don't know.

The only thing I know is that on a regular basis, my mod_security.conf file would get overwritten with the default "Include:" path creating a chaos on my websites.

I hope this helps.

Yea, CWP doesn't do that... It doesn't even have a 'security daemon'. Only thing CWP does automatically is SSL generation/renewals, and update to the control panel itself.
So the info from InMotion is inaccurate, or is their security module, that I would disable, if it causing problems.

Otherwise we would be having problem with all of our servers. And we are not, and others are not reporting that problem either.

Trying to follow https://starburst.help/control-web-panel-cwp/modsecurity-running-with-control-web-panel/update-owasp-crs-ruleset-to-4-16-0-running-cwp-and-apache-on-almalinux-8-9/

cd /usr/local/apache/modsecurity-rules/owasp-crs

But I dont have this folder.

I have

Path: /usr/local/apache/modsecurity-owasp-old/base_rules

Should I use this path?

No, you want to use a new directory, and when you unzip the new rules, it will make it's own subdirectory.

Either way, you have to update you ModSecurity from the CWP default to 2.9.12

How to do this, and the ruleset can be found at our knowledge base at:
https://starburst.help