From 616a2ae6de10da11305976b491cb6cbbfa3b22f0 Mon Sep 17 00:00:00 2001 From: Felipe Zimmerle Date: Fri, 3 Jul 2015 13:28:14 -0300 Subject: [PATCH] Adds AuditLog class The properties related to the Audit Log were saved into the classes Rules and Dirver, now all those properties will be saved into the AuditLog class. --- headers/modsecurity/rules.h | 3 + src/Makefile.am | 1 + src/assay.cc | 1 + src/audit_log.cc | 130 +++++++++++++++++++++++++ src/audit_log.h | 183 +++++++++++++++++++++++++++++++++++ src/parser/driver.cc | 9 +- src/parser/driver.h | 7 +- src/parser/seclang-parser.yy | 4 +- src/rules.cc | 6 +- 9 files changed, 335 insertions(+), 9 deletions(-) create mode 100644 src/audit_log.cc create mode 100644 src/audit_log.h diff --git a/headers/modsecurity/rules.h b/headers/modsecurity/rules.h index e74f3fd1..4fc9ec3d 100644 --- a/headers/modsecurity/rules.h +++ b/headers/modsecurity/rules.h @@ -39,6 +39,7 @@ class Driver; namespace ModSecurity { class Rule; +class AuditLog; /** @ingroup ModSecurity_CPP_API */ class Rules { @@ -85,6 +86,8 @@ class Rules { DebugLog *debug_log; void debug(int level, std::string message); + AuditLog *audit_log; + private: int m_referenceCount; DebugLog *m_custom_debug_log; diff --git a/src/Makefile.am b/src/Makefile.am index 6a77bea7..16c1efed 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -78,6 +78,7 @@ libmodsecurity_la_SOURCES = \ parser/seclang-scanner.ll \ parser/driver.cc \ assay.cc \ + audit_log.cc \ modsecurity.cc \ rules.cc \ utils.cc \ diff --git a/src/assay.cc b/src/assay.cc index 1a74f06c..7d3d0afb 100644 --- a/src/assay.cc +++ b/src/assay.cc @@ -28,6 +28,7 @@ #include "modsecurity/intervention.h" #include "actions/action.h" #include "src/utils.h" +#include "src/audit_log.h" using ModSecurity::actions::Action; diff --git a/src/audit_log.cc b/src/audit_log.cc new file mode 100644 index 00000000..4e2a3a94 --- /dev/null +++ b/src/audit_log.cc @@ -0,0 +1,130 @@ +/** + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + +#include "src/audit_log.h" + +#include +#include +#include +#include +#include + +#include +#include + + +#define PARTS_CONSTAINS(a, c) \ + if (new_parts.find(toupper(a)) != std::string::npos \ + || new_parts.find(tolower(a)) != std::string::npos) { \ + this->m_parts = this->m_parts | c; \ + } + +namespace ModSecurity { + + +bool AuditLog::setStorageDirMode(int permission) { + this->m_storage_permission = permission; + return true; +} + + +bool AuditLog::setFileMode(int permission) { + this->m_file_permissions = permission; + return true; +} + + +bool AuditLog::setStatus(AuditLogStatus new_status) { + this->m_status = new_status; + return true; +} + + +bool AuditLog::setRelevantStatus(const std::basic_string& status) { + this->m_relevant = status; + return true; +} + + +bool AuditLog::setStorageDir(const std::basic_string& path) { + this->m_storage_dir = path; + return true; +} + + +bool AuditLog::setFilePath1(const std::basic_string& path) { + this->m_path1 = path; + return true; +} + + +bool AuditLog::setFilePath2(const std::basic_string& path) { + this->m_path2 = path; + return true; +} + + +bool AuditLog::setParts(const std::basic_string& new_parts) { + PARTS_CONSTAINS('A', AAuditLogPart) + PARTS_CONSTAINS('B', BAuditLogPart) + PARTS_CONSTAINS('C', CAuditLogPart) + PARTS_CONSTAINS('D', DAuditLogPart) + PARTS_CONSTAINS('E', EAuditLogPart) + PARTS_CONSTAINS('F', FAuditLogPart) + PARTS_CONSTAINS('G', GAuditLogPart) + PARTS_CONSTAINS('H', HAuditLogPart) + PARTS_CONSTAINS('I', IAuditLogPart) + PARTS_CONSTAINS('J', JAuditLogPart) + PARTS_CONSTAINS('K', KAuditLogPart) + PARTS_CONSTAINS('Z', ZAuditLogPart) + + return true; +} + + +bool AuditLog::setType(AuditLogType audit_type) { + this->m_type = audit_type; + return true; +} + + +bool AuditLog::init() { + return true; +} + + +bool AuditLog::isRelevant(int status) { + std::string sstatus = std::to_string(status); + return std::regex_search(sstatus, std::regex(this->m_relevant)) != 0; +} + + +bool AuditLog::saveIfRelevant(Assay *assay) { + return true; +} + + +std::string AuditLog::logfy(Assay *assay) { + std::string log("ops"); + return log; +} + + +bool AuditLog::close() { + return true; +} + + +} // namespace ModSecurity diff --git a/src/audit_log.h b/src/audit_log.h new file mode 100644 index 00000000..fd376f79 --- /dev/null +++ b/src/audit_log.h @@ -0,0 +1,183 @@ +/** + * ModSecurity, http://www.modsecurity.org/ + * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * If any of the files related to licensing are missing or if you have any + * other questions related to licensing please contact Trustwave Holdings, Inc. + * directly using the email address security@modsecurity.org. + * + */ + +#ifdef __cplusplus +#include +#include +#include +#endif + +#ifndef SRC_AUDIT_LOG_H_ +#define SRC_AUDIT_LOG_H_ + +#include "modsecurity/assay.h" + +#ifdef __cplusplus + +namespace ModSecurity { + +/** @ingroup ModSecurity_CPP_API */ +class AuditLog { + public: + AuditLog() + : m_status(OffAuditLogStatus), + m_path1(""), + m_path2(""), + m_storage_dir(""), + m_parts(AAuditLogPart | BAuditLogPart | CAuditLogPart | FAuditLogPart + | HAuditLogPart | ZAuditLogPart), + m_type(ParallelAuditLogType), + m_relevant("") + { } + + enum AuditLogType { + SerialAuditLogType, + ParallelAuditLogType, + }; + + enum AuditLogStatus { + OnAuditLogStatus, + OffAuditLogStatus, + RelevantOnlyAuditLogStatus + }; + + enum AuditLogParts { + /** + * Audit log header (mandatory). + * + */ + AAuditLogPart = 2, + + /** + * Request headers. + * + */ + BAuditLogPart = 4, + + /** + * Request body (present only if the request body exists and ModSecurity + * is configured to intercept it). + * + */ + CAuditLogPart = 8, + + /** + * Reserved for intermediary response headers; not implemented yet. + * + */ + DAuditLogPart = 16, + + /** + * Intermediary response body (present only if ModSecurity is configured + * to intercept response bodies, and if the audit log engine is + * configured to record it). Intermediary response body is the same as the + * actual response body unless ModSecurity intercepts the intermediary + * response body, in which case the actual response body will contain the + * error message (either the Apache default error message, or the + * ErrorDocument page). + * + */ + EAuditLogPart = 32, + + /** + * Final response headers (excluding the Date and Server headers, which + * are always added by Apache in the late stage of content delivery). + * + */ + FAuditLogPart = 64, + + /** + * Reserved for the actual response body; not implemented yet. + * + */ + GAuditLogPart = 128, + + /** + * Audit log trailer. + * + */ + HAuditLogPart = 256, + + /** + * This part is a replacement for part C. It will log the same data as C + * in all cases except when multipart/form-data encoding in used. In this + * case, it will log a fake application/x-www-form-urlencoded body that + * contains the information about parameters but not about the files. This + * is handy if you don’t want to have (often large) files stored in your + * audit logs. + * + */ + IAuditLogPart = 512, + + /** + * This part contains information about the files uploaded using + * multipart/form-data encoding. + */ + JAuditLogPart = 1024, + + /** + * This part contains a full list of every rule that matched (one per + * line) in the order they were matched. The rules are fully qualified and + * will thus show inherited actions and default operators. Supported as of + * v2.5.0. + * + */ + KAuditLogPart = 2048, + + /** + * Final boundary, signifies the end of the entry (mandatory). + * + */ + ZAuditLogPart = 4096 + }; + + bool setStorageDirMode(int permission); + bool setFileMode(int permission); + bool setStatus(AuditLogStatus new_status); + bool setRelevantStatus(const std::basic_string& new_relevant_status); + bool setFilePath1(const std::basic_string& path); + bool setFilePath2(const std::basic_string& path); + bool setStorageDir(const std::basic_string& path); + + bool setParts(const std::basic_string& new_parts); + bool setType(AuditLogType audit_type); + + bool init(); + bool close(); + + bool saveIfRelevant(Assay *assay); + std::string logfy(Assay *assay); + bool isRelevant(int status); + + private: + AuditLogStatus m_status; + std::string m_path1; + std::string m_path2; + std::string m_storage_dir; + + int m_file_permissions; + int m_storage_permission; + + int m_parts; + AuditLogType m_type; + std::string m_relevant; + +// AuditLogWriter *m_writer; +}; + +} // namespace ModSecurity +#endif + +#endif // SRC_AUDIT_LOG_H_ diff --git a/src/parser/driver.cc b/src/parser/driver.cc index f2d820e8..c0ebe071 100644 --- a/src/parser/driver.cc +++ b/src/parser/driver.cc @@ -18,7 +18,9 @@ #include "parser/seclang-parser.hh" Driver::Driver() - : trace_scanning(false), trace_parsing(false) { + : trace_scanning(false), + trace_parsing(false), + audit_log(new ModSecurity::AuditLog()) { } @@ -46,6 +48,11 @@ int Driver::parse(const std::string &f) { int res = parser.parse(); + if (this->audit_log->init() == false) + { + return false; + } + scan_end(); return res; } diff --git a/src/parser/driver.h b/src/parser/driver.h index 190b7f55..92e77873 100644 --- a/src/parser/driver.h +++ b/src/parser/driver.h @@ -25,6 +25,7 @@ #include "modsecurity/modsecurity.h" #include "src/rule.h" +#include "src/audit_log.h" #include "parser/seclang-parser.hh" @@ -85,9 +86,11 @@ class Driver { bool sec_audit_engine; bool sec_request_body_access; bool sec_response_body_access; - std::string audit_log_path; - std::string audit_log_parts; + std::string debug_log_path; + + ModSecurity::AuditLog *audit_log; + int debug_level; }; diff --git a/src/parser/seclang-parser.yy b/src/parser/seclang-parser.yy index 71651711..fad6f48f 100644 --- a/src/parser/seclang-parser.yy +++ b/src/parser/seclang-parser.yy @@ -147,11 +147,11 @@ expression: } | CONFIG_DIR_AUDIT_LOG { - driver.audit_log_path = $1; + //driver.audit_log_path = $1; } | CONFIG_DIR_AUDIT_LOG_P { - driver.audit_log_parts = $1; + //driver.audit_log_parts = $1; } | CONFIG_DIR_DEBUG_LVL { diff --git a/src/rules.cc b/src/rules.cc index 78de4bf2..4ac5b969 100644 --- a/src/rules.cc +++ b/src/rules.cc @@ -159,8 +159,6 @@ int Rules::merge(Driver *from) { this->sec_audit_engine = from->sec_audit_engine; this->sec_request_body_access = from->sec_request_body_access; this->sec_response_body_access = from->sec_response_body_access; - this->audit_log_path = from->audit_log_path; - this->audit_log_parts = from->audit_log_parts; this->debug_log_path = from->debug_log_path; this->debug_level = from->debug_level; @@ -170,6 +168,8 @@ int Rules::merge(Driver *from) { this->debug_log = new DebugLog(); } + this->audit_log = from->audit_log; + this->debug_log->setDebugLevel(this->debug_level); this->debug_log->setOutputFile(this->debug_log_path); @@ -194,8 +194,6 @@ int Rules::merge(Rules *from) { this->sec_audit_engine = from->sec_audit_engine; this->sec_request_body_access = from->sec_request_body_access; this->sec_response_body_access = from->sec_response_body_access; - this->audit_log_path = from->audit_log_path; - this->audit_log_parts = from->audit_log_parts; this->debug_log = from->debug_log;