Add ctl:auditengine action support

2025-08-13 13:26:01 +03:00 · 2022-01-19 14:06:01 -08:00 · 2022-01-19 14:06:01 -08:00 · 2d51efae49
commit 2d51efae49
parent cb80837e6a
15 changed files with 4968 additions and 4759 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -96,6 +96,7 @@ TESTS+=test/test-cases/regression/action-ctl_request_body_access.json
 TESTS+=test/test-cases/regression/action-ctl_request_body_processor.json
 TESTS+=test/test-cases/regression/action-ctl_request_body_processor_urlencoded.json
 TESTS+=test/test-cases/regression/action-ctl_rule_engine.json
 TESTS+=test/test-cases/regression/action-ctl_audit_engine.json
 TESTS+=test/test-cases/regression/action-ctl_rule_remove_by_id.json
 TESTS+=test/test-cases/regression/action-ctl_rule_remove_by_tag.json
 TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_id.json
--- a/headers/modsecurity/audit_log.h
+++ b/headers/modsecurity/audit_log.h
@ -22,12 +22,11 @@
 #ifndef HEADERS_MODSECURITY_AUDIT_LOG_H_
 #define HEADERS_MODSECURITY_AUDIT_LOG_H_
 #include "modsecurity/transaction.h"
 #ifdef __cplusplus
 namespace modsecurity {
 class Transaction;
 namespace audit_log {
 namespace writer {
 class Writer;
@ -177,6 +176,10 @@ class AuditLog {
    static int addParts(int parts, const std::string& new_parts);
    static int removeParts(int parts, const std::string& new_parts);
    void setCtlAuditEngineActive() {
        m_ctlAuditEngineActive = true;
    }
    bool merge(AuditLog *from, std::string *error);
    std::string m_path1;
@ -203,6 +206,7 @@ class AuditLog {
    std::string m_relevant;
    audit_log::writer::Writer *m_writer;
    bool m_ctlAuditEngineActive; // rules have at least one action On or RelevantOnly
 };
--- a/headers/modsecurity/transaction.h
+++ b/headers/modsecurity/transaction.h
@ -49,6 +49,7 @@ typedef struct Rules_t RulesSet;
 #include "modsecurity/collection/collection.h"
 #include "modsecurity/variable_origin.h"
 #include "modsecurity/anchored_set_variable_translation_proxy.h"
 #include "modsecurity/audit_log.h"
 #ifndef NO_LOGS
@ -529,6 +530,12 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
     */
    std::list< std::pair<int, std::string> > m_auditLogModifier;
    /**
     * This transaction's most recent action ctl:auditEngine
     *
     */
    audit_log::AuditLog::AuditLogStatus m_ctlAuditEngine;
    /**
     * This variable holds all the messages asked to be save by the utilization
     * of the actions: `log_data' and `msg'. These should be included on the
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -118,6 +118,7 @@ ACTIONS = \
 	actions/capture.cc \
 	actions/chain.cc \
 	actions/ctl/audit_log_parts.cc \
 	actions/ctl/audit_engine.cc \
 	actions/ctl/rule_engine.cc \
 	actions/ctl/request_body_processor_json.cc \
 	actions/ctl/request_body_processor_xml.cc \
--- a/src/actions/ctl/audit_engine.cc
+++ b/src/actions/ctl/audit_engine.cc
@ -0,0 +1,63 @@
 /*
 * ModSecurity, http://www.modsecurity.org/
 * Copyright (c) 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * If any of the files related to licensing are missing or if you have any
 * other questions related to licensing please contact Trustwave Holdings, Inc.
 * directly using the email address security@modsecurity.org.
 *
 */
 #include "src/actions/ctl/audit_engine.h"
 #include <string>
 #include "modsecurity/rules_set_properties.h"
 #include "modsecurity/rules_set.h"
 #include "modsecurity/transaction.h"
 namespace modsecurity {
 namespace actions {
 namespace ctl {
 bool AuditEngine::init(std::string *error) {
    std::string what(m_parser_payload, 12, m_parser_payload.size() - 12);
    if (what == "on") {
        m_auditEngine = audit_log::AuditLog::AuditLogStatus::OnAuditLogStatus;
    } else if (what == "off") {
        m_auditEngine = audit_log::AuditLog::AuditLogStatus::OffAuditLogStatus;
    } else if (what == "relevantonly") {
        m_auditEngine = audit_log::AuditLog::AuditLogStatus::RelevantOnlyAuditLogStatus;
    } else {
        error->assign("Internal error. Expected: On, Off or RelevantOnly; " \
            "got: " + m_parser_payload);
        return false;
    }
    return true;
 }
 bool AuditEngine::evaluate(RuleWithActions *rule, Transaction *transaction) {
    std::stringstream a;
    a << "Setting SecAuditEngine to ";
    a << std::to_string(m_auditEngine);
    a << " as requested by a ctl:auditEngine action";
    ms_dbg_a(transaction, 8, a.str());
    transaction->m_ctlAuditEngine = m_auditEngine;
    return true;
 }
 }  // namespace ctl
 }  // namespace actions
 }  // namespace modsecurity
--- a/src/actions/ctl/audit_engine.h
+++ b/src/actions/ctl/audit_engine.h
@ -0,0 +1,51 @@
 /*
 * ModSecurity, http://www.modsecurity.org/
 * Copyright (c) 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
 *
 * You may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * If any of the files related to licensing are missing or if you have any
 * other questions related to licensing please contact Trustwave Holdings, Inc.
 * directly using the email address security@modsecurity.org.
 *
 */
 #include <string>
 #include "modsecurity/rules_set_properties.h"
 #include "modsecurity/actions/action.h"
 #include "modsecurity/audit_log.h"
 #ifndef SRC_ACTIONS_CTL_AUDIT_ENGINE_H_
 #define SRC_ACTIONS_CTL_AUDIT_ENGINE_H_
 namespace modsecurity {
 class Transaction;
 namespace actions {
 namespace ctl {
 class AuditEngine : public Action {
 public:
    explicit AuditEngine(const std::string &action)
        : Action(action, RunTimeOnlyIfMatchKind),
        m_auditEngine(audit_log::AuditLog::AuditLogStatus::NotSetLogStatus) { }
    bool init(std::string *error) override;
    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
    audit_log::AuditLog::AuditLogStatus m_auditEngine;
 };
 }  // namespace ctl
 }  // namespace actions
 }  // namespace modsecurity
 #endif  // SRC_ACTIONS_CTL_AUDIT_ENGINE_H_
--- a/src/audit_log/audit_log.cc
+++ b/src/audit_log/audit_log.cc
@ -21,6 +21,7 @@
 #include <fstream>
 #include "modsecurity/transaction.h"
 #include "modsecurity/rule_message.h"
 #include "src/audit_log/writer/https.h"
 #include "src/audit_log/writer/parallel.h"
@ -61,7 +62,8 @@ AuditLog::AuditLog()
    m_status(NotSetLogStatus),
    m_type(NotSetAuditLogType),
    m_relevant(""),
-    m_writer(NULL) { }
+    m_writer(NULL),
    m_ctlAuditEngineActive(false) { }
 AuditLog::~AuditLog() {
@ -210,7 +212,8 @@ bool AuditLog::setType(AuditLogType audit_type) {
 bool AuditLog::init(std::string *error) {
    audit_log::writer::Writer *tmp_writer;
-    if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
+    if ((m_status == OffAuditLogStatus || m_status == NotSetLogStatus)
        && !m_ctlAuditEngineActive) {
        if (m_writer) {
            delete m_writer;
            m_writer = NULL;
@ -275,7 +278,13 @@ bool AuditLog::saveIfRelevant(Transaction *transaction) {
 bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
    bool saveAnyway = false;
-    if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
+
    AuditLogStatus transactionAuditLogStatus(m_status);
    if (transaction->m_ctlAuditEngine != NotSetLogStatus) {
        transactionAuditLogStatus = transaction->m_ctlAuditEngine;
    }
    if (transactionAuditLogStatus == OffAuditLogStatus || transactionAuditLogStatus == NotSetLogStatus) {
        ms_dbg_a(transaction, 5, "Audit log engine was not set.");
        return true;
    }
@ -287,7 +296,7 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
        }
    }
-    if ((m_status == RelevantOnlyAuditLogStatus
+    if ((transactionAuditLogStatus == RelevantOnlyAuditLogStatus
        && this->isRelevant(transaction->m_httpCodeReturned) == false)
        && saveAnyway == false) {
        ms_dbg_a(transaction, 9, "Return code `" +
@ -353,6 +362,10 @@ bool AuditLog::merge(AuditLog *from, std::string *error) {
        m_format = from->m_format;
    }
    if (from->m_ctlAuditEngineActive) {
        m_ctlAuditEngineActive = from->m_ctlAuditEngineActive;
    }
    return init(error);
 }
--- a/src/parser/seclang-parser.cc
+++ b/src/parser/seclang-parser.cc
--- a/src/parser/seclang-parser.hh
+++ b/src/parser/seclang-parser.hh
@ -64,6 +64,7 @@ class Driver;
 #include "src/actions/block.h"
 #include "src/actions/capture.h"
 #include "src/actions/chain.h"
 #include "src/actions/ctl/audit_engine.h"
 #include "src/actions/ctl/audit_log_parts.h"
 #include "src/actions/ctl/request_body_access.h"
 #include "src/actions/ctl/rule_engine.h"
@ -350,7 +351,7 @@ using namespace modsecurity::operators;
    a = std::move(c);
-#line 354 "seclang-parser.hh"
+#line 355 "seclang-parser.hh"
 # include <cassert>
 # include <cstdlib> // std::abort
@ -484,7 +485,7 @@ using namespace modsecurity::operators;
 #endif
 namespace yy {
-#line 488 "seclang-parser.hh"
+#line 489 "seclang-parser.hh"
@ -8625,7 +8626,7 @@ switch (yykind)
  }
 } // yy
-#line 8629 "seclang-parser.hh"
+#line 8630 "seclang-parser.hh"
--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@ -25,6 +25,7 @@ class Driver;
 #include "src/actions/block.h"
 #include "src/actions/capture.h"
 #include "src/actions/chain.h"
 #include "src/actions/ctl/audit_engine.h"
 #include "src/actions/ctl/audit_log_parts.h"
 #include "src/actions/ctl/request_body_access.h"
 #include "src/actions/ctl/rule_engine.h"
@ -2625,18 +2626,17 @@ act:
      }
    | ACTION_CTL_AUDIT_ENGINE CONFIG_VALUE_ON
      {
-        //ACTION_NOT_SUPPORTED("CtlAuditEngine", @0);
+        ACTION_CONTAINER($$, new actions::ctl::AuditEngine("ctl:auditengine=on"));
-        ACTION_CONTAINER($$, new actions::Action($1));
+        driver.m_auditLog->setCtlAuditEngineActive();
      }
    | ACTION_CTL_AUDIT_ENGINE CONFIG_VALUE_OFF
      {
-        //ACTION_NOT_SUPPORTED("CtlAuditEngine", @0);
+        ACTION_CONTAINER($$, new actions::ctl::AuditEngine("ctl:auditengine=off"));
        ACTION_CONTAINER($$, new actions::Action($1));
      }
    | ACTION_CTL_AUDIT_ENGINE CONFIG_VALUE_RELEVANT_ONLY
      {
-        //ACTION_NOT_SUPPORTED("CtlAuditEngine", @0);
+        ACTION_CONTAINER($$, new actions::ctl::AuditEngine("ctl:auditengine=relevantonly"));
-        ACTION_CONTAINER($$, new actions::Action($1));
+        driver.m_auditLog->setCtlAuditEngineActive();
      }
    | ACTION_CTL_AUDIT_LOG_PARTS
      {
--- a/src/parser/seclang-scanner.cc
+++ b/src/parser/seclang-scanner.cc
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@ -613,6 +613,7 @@ EQUALS_MINUS                            (?i:=\-)
 {CONFIG_VALUE_DETC}                                                     { return p::make_CONFIG_VALUE_DETC(yytext, *driver.loc.back()); }
 {CONFIG_VALUE_OFF}                                                      { return p::make_CONFIG_VALUE_OFF(yytext, *driver.loc.back()); }
 {CONFIG_VALUE_ON}                                                       { return p::make_CONFIG_VALUE_ON(yytext, *driver.loc.back()); }
 {CONFIG_VALUE_RELEVANT_ONLY}                                            { return p::make_CONFIG_VALUE_RELEVANT_ONLY(yytext, *driver.loc.back()); }
 [ \t]*\\\n[ \t]*                                                        { driver.loc.back()->lines(1); driver.loc.back()->step(); }
 [ \t]*\\\r\n[ \t]*                                                      { driver.loc.back()->lines(1); driver.loc.back()->step(); }
 }
--- a/src/transaction.cc
+++ b/src/transaction.cc
@ -122,6 +122,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
    m_ruleRemoveTargetById(),
    m_requestBodyAccess(RulesSet::PropertyNotSetConfigBoolean),
    m_auditLogModifier(),
    m_ctlAuditEngine(AuditLog::AuditLogStatus::NotSetLogStatus),
    m_rulesMessages(),
    m_requestBody(),
    m_responseBody(),
@ -195,6 +196,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCb
    m_ruleRemoveTargetById(),
    m_requestBodyAccess(RulesSet::PropertyNotSetConfigBoolean),
    m_auditLogModifier(),
    m_ctlAuditEngine(AuditLog::AuditLogStatus::NotSetLogStatus),
    m_rulesMessages(),
    m_requestBody(),
    m_responseBody(),
--- a/test/cppcheck_suppressions.txt
+++ b/test/cppcheck_suppressions.txt
@ -35,8 +35,8 @@ invalidScanfArgType_int:src/rules_set_properties.cc:102
 unmatchedSuppression:src/utils/geo_lookup.cc:82
 useInitializationList:src/utils/shared_files.h:87
 unmatchedSuppression:src/utils/msc_tree.cc
-functionStatic:headers/modsecurity/transaction.h:407
+functionStatic:headers/modsecurity/transaction.h:408
-duplicateBranch:src/audit_log/audit_log.cc:223
+duplicateBranch:src/audit_log/audit_log.cc:226
 unreadVariable:src/request_body_processor/multipart.cc:435
 stlcstrParam:src/audit_log/writer/parallel.cc:145
 functionStatic:src/engine/lua.h:70
@ -54,7 +54,7 @@ duplicateBranch:src/request_body_processor/multipart.cc:93
 danglingTempReference:src/modsecurity.cc:206
 knownConditionTrueFalse:src/operators/validate_url_encoding.cc:77
 knownConditionTrueFalse:src/operators/verify_svnr.cc:87
-rethrowNoCurrentException:headers/modsecurity/transaction.h:306
+rethrowNoCurrentException:headers/modsecurity/transaction.h:307
 rethrowNoCurrentException:src/rule_with_actions.cc:123
 noExplicitConstructor:seclang-parser.hh
--- a/test/test-cases/regression/action-ctl_audit_engine.json
+++ b/test/test-cases/regression/action-ctl_audit_engine.json
@ -0,0 +1,51 @@
 [
  {
    "enabled": 1,
    "version_min": 300000,
    "version_max": 0,
    "title": "auditengine : Config=Off, ctl:auditEngine=on",
    "client": {
      "ip": "200.249.12.31",
      "port": 2313
    },
    "server": {
      "ip": "200.249.12.31",
      "port": 80
    },
    "request": {
      "headers": {
        "Host": "www.modsecurity.org",
        "User-Agent": "Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko\/20091102 Firefox\/3.5.5 (.NET CLR 3.5.30729)",
        "Accept": "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8",
        "Accept-Language": "en-us,en;q=0.5",
        "Accept-Encoding": "gzip,deflate",
        "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        "Keep-Alive": "300",
        "Connection": "keep-alive",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache"
      },
      "uri": "\/test.pl?parm1=test1&parm2=test2",
      "method": "GET",
      "http_version": 1.1,
      "body": ""
    },
    "expected": {
      "audit_log": "--A--",
      "error_log": "",
      "http_code": 200
    },
    "rules": [
      "SecRuleEngine On",
      "SecDefaultAction \"phase:2,nolog,pass\"",
      "SecAuditEngine Off",
      "SecAuditLogParts ABCFHZ",
      "SecAuditLog /tmp/modsec_test_ctl_auditengine_auditlog_1.log",
      "SecAuditLogDirMode 0766",
      "SecAuditLogFileMode 0666",
      "SecAuditLogType Serial",
      "SecAuditLogRelevantStatus \"^(?:5|4(?!04))\"",
      "SecRule ARGS \"@contains test2\" \"id:1701,phase:2,pass,nolog,ctl:auditEngine=on\""
    ]
  }
 ]