Merge pull request #2680 from SpiderLabs/v3/dev/issue_2606_a

Add ctl:auditengine action support

src/Makefile.am

@@ -118,6 +118,7 @@ ACTIONS = \
 	actions/capture.cc \
 	actions/chain.cc \
 	actions/ctl/audit_log_parts.cc \
+	actions/ctl/audit_engine.cc \
 	actions/ctl/rule_engine.cc \
 	actions/ctl/request_body_processor_json.cc \
 	actions/ctl/request_body_processor_xml.cc \

src/actions/ctl/audit_engine.cc

@@ -0,0 +1,63 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/actions/ctl/audit_engine.h"
+
+#include <string>
+
+#include "modsecurity/rules_set_properties.h"
+#include "modsecurity/rules_set.h"
+#include "modsecurity/transaction.h"
+
+namespace modsecurity {
+namespace actions {
+namespace ctl {
+
+
+bool AuditEngine::init(std::string *error) {
+
+    std::string what(m_parser_payload, 12, m_parser_payload.size() - 12);
+
+    if (what == "on") {
+        m_auditEngine = audit_log::AuditLog::AuditLogStatus::OnAuditLogStatus;
+    } else if (what == "off") {
+        m_auditEngine = audit_log::AuditLog::AuditLogStatus::OffAuditLogStatus;
+    } else if (what == "relevantonly") {
+        m_auditEngine = audit_log::AuditLog::AuditLogStatus::RelevantOnlyAuditLogStatus;
+    } else {
+        error->assign("Internal error. Expected: On, Off or RelevantOnly; " \
+            "got: " + m_parser_payload);
+        return false;
+    }
+
+    return true;
+}
+
+bool AuditEngine::evaluate(RuleWithActions *rule, Transaction *transaction) {
+    std::stringstream a;
+    a << "Setting SecAuditEngine to ";
+    a << std::to_string(m_auditEngine);
+    a << " as requested by a ctl:auditEngine action";
+
+    ms_dbg_a(transaction, 8, a.str());
+
+    transaction->m_ctlAuditEngine = m_auditEngine;
+    return true;
+}
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity

src/actions/ctl/audit_engine.h

@@ -0,0 +1,51 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <string>
+
+#include "modsecurity/rules_set_properties.h"
+#include "modsecurity/actions/action.h"
+
+#include "modsecurity/audit_log.h"
+
+
+#ifndef SRC_ACTIONS_CTL_AUDIT_ENGINE_H_
+#define SRC_ACTIONS_CTL_AUDIT_ENGINE_H_
+
+namespace modsecurity {
+class Transaction;
+
+namespace actions {
+namespace ctl {
+
+
+class AuditEngine : public Action {
+ public:
+    explicit AuditEngine(const std::string &action)
+        : Action(action, RunTimeOnlyIfMatchKind),
+        m_auditEngine(audit_log::AuditLog::AuditLogStatus::NotSetLogStatus) { }
+
+    bool init(std::string *error) override;
+    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
+
+    audit_log::AuditLog::AuditLogStatus m_auditEngine;
+};
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity
+
+#endif  // SRC_ACTIONS_CTL_AUDIT_ENGINE_H_

src/audit_log/audit_log.cc

@@ -21,6 +21,7 @@
 
 #include <fstream>
 
+#include "modsecurity/transaction.h"
 #include "modsecurity/rule_message.h"
 #include "src/audit_log/writer/https.h"
 #include "src/audit_log/writer/parallel.h"
@@ -61,7 +62,8 @@ AuditLog::AuditLog()
     m_status(NotSetLogStatus),
     m_type(NotSetAuditLogType),
     m_relevant(""),
-    m_writer(NULL) { }
+    m_writer(NULL),
+    m_ctlAuditEngineActive(false) { }
 
 
 AuditLog::~AuditLog() {
@@ -210,7 +212,8 @@ bool AuditLog::setType(AuditLogType audit_type) {
 bool AuditLog::init(std::string *error) {
     audit_log::writer::Writer *tmp_writer;
 
-    if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
+    if ((m_status == OffAuditLogStatus || m_status == NotSetLogStatus)
+        && !m_ctlAuditEngineActive) {
         if (m_writer) {
             delete m_writer;
             m_writer = NULL;
@@ -275,7 +278,13 @@ bool AuditLog::saveIfRelevant(Transaction *transaction) {
 
 bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
     bool saveAnyway = false;
-    if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
+
+    AuditLogStatus transactionAuditLogStatus(m_status);
+    if (transaction->m_ctlAuditEngine != NotSetLogStatus) {
+        transactionAuditLogStatus = transaction->m_ctlAuditEngine;
+    }
+
+    if (transactionAuditLogStatus == OffAuditLogStatus || transactionAuditLogStatus == NotSetLogStatus) {
         ms_dbg_a(transaction, 5, "Audit log engine was not set.");
         return true;
     }
@@ -287,7 +296,7 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
         }
     }
 
-    if ((m_status == RelevantOnlyAuditLogStatus
+    if ((transactionAuditLogStatus == RelevantOnlyAuditLogStatus
         && this->isRelevant(transaction->m_httpCodeReturned) == false)
         && saveAnyway == false) {
         ms_dbg_a(transaction, 9, "Return code `" +
@@ -353,6 +362,10 @@ bool AuditLog::merge(AuditLog *from, std::string *error) {
         m_format = from->m_format;
     }
 
+    if (from->m_ctlAuditEngineActive) {
+        m_ctlAuditEngineActive = from->m_ctlAuditEngineActive;
+    }
+
     return init(error);
 }
 

src/parser/seclang-parser.hh

@@ -64,6 +64,7 @@ class Driver;
 #include "src/actions/block.h"
 #include "src/actions/capture.h"
 #include "src/actions/chain.h"
+#include "src/actions/ctl/audit_engine.h"
 #include "src/actions/ctl/audit_log_parts.h"
 #include "src/actions/ctl/request_body_access.h"
 #include "src/actions/ctl/rule_engine.h"
@@ -350,7 +351,7 @@ using namespace modsecurity::operators;
     a = std::move(c);
 
 
-#line 354 "seclang-parser.hh"
+#line 355 "seclang-parser.hh"
 
 # include <cassert>
 # include <cstdlib> // std::abort
@@ -484,7 +485,7 @@ using namespace modsecurity::operators;
 #endif
 
 namespace yy {
-#line 488 "seclang-parser.hh"
+#line 489 "seclang-parser.hh"
 
 
 
@@ -8625,7 +8626,7 @@ switch (yykind)
   }
 
 } // yy
-#line 8629 "seclang-parser.hh"
+#line 8630 "seclang-parser.hh"
 
 
 

src/parser/seclang-parser.yy

@@ -25,6 +25,7 @@ class Driver;
 #include "src/actions/block.h"
 #include "src/actions/capture.h"
 #include "src/actions/chain.h"
+#include "src/actions/ctl/audit_engine.h"
 #include "src/actions/ctl/audit_log_parts.h"
 #include "src/actions/ctl/request_body_access.h"
 #include "src/actions/ctl/rule_engine.h"
@@ -2625,18 +2626,17 @@ act:
       }
     | ACTION_CTL_AUDIT_ENGINE CONFIG_VALUE_ON
       {
-        //ACTION_NOT_SUPPORTED("CtlAuditEngine", @0);
-        ACTION_CONTAINER($$, new actions::Action($1));
+        ACTION_CONTAINER($$, new actions::ctl::AuditEngine("ctl:auditengine=on"));
+        driver.m_auditLog->setCtlAuditEngineActive();
       }
     | ACTION_CTL_AUDIT_ENGINE CONFIG_VALUE_OFF
       {
-        //ACTION_NOT_SUPPORTED("CtlAuditEngine", @0);
-        ACTION_CONTAINER($$, new actions::Action($1));
+        ACTION_CONTAINER($$, new actions::ctl::AuditEngine("ctl:auditengine=off"));
       }
     | ACTION_CTL_AUDIT_ENGINE CONFIG_VALUE_RELEVANT_ONLY
       {
-        //ACTION_NOT_SUPPORTED("CtlAuditEngine", @0);
-        ACTION_CONTAINER($$, new actions::Action($1));
+        ACTION_CONTAINER($$, new actions::ctl::AuditEngine("ctl:auditengine=relevantonly"));
+        driver.m_auditLog->setCtlAuditEngineActive();
       }
     | ACTION_CTL_AUDIT_LOG_PARTS
       {

src/parser/seclang-scanner.ll

@@ -613,6 +613,7 @@ EQUALS_MINUS                            (?i:=\-)
 {CONFIG_VALUE_DETC}                                                     { return p::make_CONFIG_VALUE_DETC(yytext, *driver.loc.back()); }
 {CONFIG_VALUE_OFF}                                                      { return p::make_CONFIG_VALUE_OFF(yytext, *driver.loc.back()); }
 {CONFIG_VALUE_ON}                                                       { return p::make_CONFIG_VALUE_ON(yytext, *driver.loc.back()); }
+{CONFIG_VALUE_RELEVANT_ONLY}                                            { return p::make_CONFIG_VALUE_RELEVANT_ONLY(yytext, *driver.loc.back()); }
 [ \t]*\\\n[ \t]*                                                        { driver.loc.back()->lines(1); driver.loc.back()->step(); }
 [ \t]*\\\r\n[ \t]*                                                      { driver.loc.back()->lines(1); driver.loc.back()->step(); }
 }

src/transaction.cc

@@ -122,6 +122,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
     m_ruleRemoveTargetById(),
     m_requestBodyAccess(RulesSet::PropertyNotSetConfigBoolean),
     m_auditLogModifier(),
+    m_ctlAuditEngine(AuditLog::AuditLogStatus::NotSetLogStatus),
     m_rulesMessages(),
     m_requestBody(),
     m_responseBody(),
@@ -195,6 +196,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCb
     m_ruleRemoveTargetById(),
     m_requestBodyAccess(RulesSet::PropertyNotSetConfigBoolean),
     m_auditLogModifier(),
+    m_ctlAuditEngine(AuditLog::AuditLogStatus::NotSetLogStatus),
     m_rulesMessages(),
     m_requestBody(),
     m_responseBody(),