diff --git a/headers/modsecurity/rule_message.h b/headers/modsecurity/rule_message.h index 62e0d81a..28149352 100644 --- a/headers/modsecurity/rule_message.h +++ b/headers/modsecurity/rule_message.h @@ -47,6 +47,7 @@ class RuleMessage { m_maturity(rule->m_maturity), m_rule(rule), m_saveMessage(false), + m_noAuditLog(false), m_match(std::string("")) { } @@ -70,6 +71,7 @@ class RuleMessage { std::list m_tags; std::list m_server_logs; + bool m_noAuditLog; Rule *m_rule; bool m_saveMessage; }; diff --git a/headers/modsecurity/transaction.h b/headers/modsecurity/transaction.h index aa1fa975..63b23683 100644 --- a/headers/modsecurity/transaction.h +++ b/headers/modsecurity/transaction.h @@ -165,25 +165,6 @@ class Transaction { std::string toOldAuditLogFormatIndex(const std::string &filename, double size, const std::string &md5); - - /** - * This variable is basically set by the `autidlog' action. It means - * that this particular transaction was marked to be saved as part of - * the auditlogs, even if it is not originally classified to be saved - * by `SecAuditLogRelevantStatus'. - */ - bool m_toBeSavedInAuditlogs; - - /** - * Set by `noauditlog' action, it means that this particular should - * not be saved. Regardless of `SecAuditLogRelevantStatus'. - * - * @note It is possible to have `auditlog' and `noauditlog' actions - * in a same rule, in that case prevails the last input. - */ - bool m_toNotBeSavedInAuditLogs; - - /** * Filled during the class instantiation, this variable can be later * used to fill the SecRule variable `duration'. The variable `duration' diff --git a/src/actions/audit_log.cc b/src/actions/audit_log.cc index 836ffd11..2c46c832 100644 --- a/src/actions/audit_log.cc +++ b/src/actions/audit_log.cc 
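Review bot: The new `m_noAuditLog` member in the second rule_message.h hunk is declared before `m_rule` and `m_saveMessage` but its initializer is added after theirs in the constructor's initializer list, which trips -Wreorder on gcc/clang; move `m_noAuditLog(false),` up so it sits before `m_rule(rule),` (or declare the member after `m_saveMessage`). The field also lands without documentation while this same commit deletes the transaction.h comment that explained the old flags, including the note that `auditlog` and `noauditlog` in one rule resolve last-wins. Suggest carrying that contract onto the field: `/** Set by the `noauditlog' action: this match is not used as a reason to write the transaction to the audit log. If `auditlog' and `noauditlog' both appear in one rule, the last one wins. */`. Where `m_match` is declared is outside the hunk, so I cannot tell whether it is affected by the same ordering issue.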
@@ -19,13 +19,15 @@ #include #include "modsecurity/transaction.h" +#include "modsecurity/rule_message.h" namespace modsecurity { namespace actions { -bool AuditLog::evaluate(Rule *rule, Transaction *transaction) { - transaction->m_toBeSavedInAuditlogs = true; +bool AuditLog::evaluate(Rule *rule, Transaction *transaction, + RuleMessage *rm) { + rm->m_noAuditLog = false; return true; } diff --git a/src/actions/audit_log.h b/src/actions/audit_log.h index 2ea73bda..6dd0d676 100644 --- a/src/actions/audit_log.h +++ b/src/actions/audit_log.h @@ -34,7 +34,8 @@ class AuditLog : public Action { explicit AuditLog(std::string action) : Action(action, RunTimeOnlyIfMatchKind) { } - bool evaluate(Rule *rule, Transaction *transaction) override; + bool evaluate(Rule *rule, Transaction *transaction, + RuleMessage *rm) override; }; diff --git a/src/actions/no_audit_log.cc b/src/actions/no_audit_log.cc index 329ffb26..2f27c638 100644 --- a/src/actions/no_audit_log.cc +++ b/src/actions/no_audit_log.cc @@ -19,13 +19,16 @@ #include #include "modsecurity/transaction.h" +#include "modsecurity/rule.h" +#include "modsecurity/rule_message.h" namespace modsecurity { namespace actions { -bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction) { - transaction->m_toNotBeSavedInAuditLogs = true; +bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction, + RuleMessage *rm) { + rm->m_noAuditLog = true; return true; } diff --git a/src/actions/no_audit_log.h b/src/actions/no_audit_log.h index ad959ac9..1ec3362d 100644 --- a/src/actions/no_audit_log.h +++ b/src/actions/no_audit_log.h @@ -34,7 +34,8 @@ class NoAuditLog : public Action { explicit NoAuditLog(std::string action) : Action(action, RunTimeOnlyIfMatchKind) { } - bool evaluate(Rule *rule, Transaction *transaction) override; + bool evaluate(Rule *rule, Transaction *transaction, + RuleMessage *rm) override; }; } // namespace actions diff --git a/src/audit_log/audit_log.cc b/src/audit_log/audit_log.cc index 94976e79..93b395a7 100644 
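Review bot: `rm->m_noAuditLog = false;` in AuditLog::evaluate only does anything if a `noauditlog` action ran earlier in the same rule's action list, because RuleMessage already initializes the flag to false; a reader will otherwise take this as the line that forces a transaction into the audit log. Suggest `// Flag defaults to false; this only undoes an earlier `noauditlog' in the same rule (last one wins).` above the assignment. The unconditional dereference also assumes `rm` is never null on the three-argument path; if the base Action still exposes a two-argument overload that forwards a null message, guard with `if (rm != nullptr)`.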
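Review bot: NoAuditLog::evaluate now only marks the message and no longer suppresses the audit log itself, so the effective meaning of `noauditlog` is decided elsewhere (in AuditLog::saveIfRelevant, which lives in a different file). A one-line pointer keeps that visible: `// Only tags this match; AuditLog::saveIfRelevant decides what the tag means.`. Same null-pointer caveat as for AuditLog::evaluate applies to `rm` here.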
--- a/src/audit_log/audit_log.cc +++ b/src/audit_log/audit_log.cc @@ -21,6 +21,7 @@ #include +#include "modsecurity/rule_message.h" #include "src/audit_log/writer/https.h" #include "src/audit_log/writer/parallel.h" #include "src/audit_log/writer/serial.h" @@ -244,6 +245,7 @@ bool AuditLog::isRelevant(int status) { return false; } + if (sstatus.empty()) { return true; } @@ -259,13 +261,21 @@ bool AuditLog::saveIfRelevant(Transaction *transaction) { bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) { + bool saveAnyway = false; if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) { return true; } + for (RuleMessage &i : transaction->m_rulesMessages) { + if (i.m_noAuditLog == false) { + saveAnyway = true; + break; + } + } + if ((m_status == RelevantOnlyAuditLogStatus - && this->isRelevant(transaction->m_httpCodeReturned) == false - && transaction->m_toBeSavedInAuditlogs == false)) { + && this->isRelevant(transaction->m_httpCodeReturned) == false) + && saveAnyway == false) { transaction->debug(5, "Return code `" + std::to_string(transaction->m_httpCodeReturned) + "'" \ " is not interesting to audit logs, relevant code(s): `" + @@ -274,17 +284,6 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) { return false; } - /** - * Even if it is relevant, if it is marked not to be save, - * we won't save it. - * - */ - if (transaction->m_toNotBeSavedInAuditLogs == true) { - transaction->debug(5, "This request was marked to not " \ - "be saved in the audit logs."); - return false; - } - if (parts == -1) { parts = m_parts; } diff --git a/src/rule.cc b/src/rule.cc index f26f34d7..0d863906 100644 --- a/src/rule.cc +++ b/src/rule.cc @@ -623,6 +623,7 @@ end_exec: for (const auto &u : ruleMessage.m_server_logs) { trasn->serverLog(u); } + if (ruleMessage.m_server_logs.size() > 0) { trasn->m_rulesMessages.push_back(ruleMessage); } diff --git a/src/transaction.cc b/src/transaction.cc index 4a5972f3..3a4a5ace 100644 --- a/src/transaction.cc 
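Review bot: In the saveIfRelevant hunk the `noauditlog` result now only participates in the RelevantOnly branch, so two behaviours change silently: with `m_status` neither Off, NotSet nor RelevantOnly a rule's `noauditlog` no longer suppresses anything, and under RelevantOnly a response with a relevant status code is written even when every matching rule said `noauditlog`, since the removed "Even if it is relevant, if it is marked not to be save" block was the only thing enforcing that. This may be the intended reading (a `noauditlog` match is merely not a criterion for logging), but nothing in the hunk records it; add above the loop `// A logged rule match without `noauditlog' forces the transaction into the audit log; `noauditlog' only withdraws that vote and never suppresses a relevant status code.`. Note also that `saveAnyway` is driven by any entry in `m_rulesMessages`, and the rule.cc hunk later in this diff only pushes a message when `m_server_logs` is non-empty, so a rule written `nolog,auditlog` presumably never reaches this loop and its `auditlog` is lost — worth confirming against how `m_server_logs` is filled. The loop binds `RuleMessage &i` but never writes through it; `for (const RuleMessage &i : transaction->m_rulesMessages)` says so.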
+++ b/src/transaction.cc @@ -106,8 +106,6 @@ Transaction::Transaction(ModSecurity *ms, Rules *rules, void *logCbData) m_method(""), m_httpVersion(""), m_rules(rules), - m_toBeSavedInAuditlogs(false), - m_toNotBeSavedInAuditLogs(false), m_timeStamp(std::time(NULL)), m_httpCodeReturned(200), m_highestSeverityAction(255), @@ -1262,12 +1260,6 @@ int Transaction::processLogging() { } } } -#ifndef NO_LOGS - if (m_toBeSavedInAuditlogs) { - debug(8, "This request was marked to be " \ - "saved via auditlog action."); - } -#endif debug(8, "Checking if this request is relevant to be " \ "part of the audit logs."); bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, parts);