mirror of
https://github.com/owasp-modsecurity/ModSecurity.git
synced 2025-09-29 19:24:29 +03:00
Changes the saving selection for the audit logs
This commit is contained in:
Felipe Zimmerle
@@ -19,13 +19,15 @@
|
||||
#include <string>
|
||||
|
||||
#include "modsecurity/transaction.h"
|
||||
#include "modsecurity/rule_message.h"
|
||||
|
||||
namespace modsecurity {
|
||||
namespace actions {
|
||||
|
||||
|
||||
bool AuditLog::evaluate(Rule *rule, Transaction *transaction) {
|
||||
transaction->m_toBeSavedInAuditlogs = true;
|
||||
bool AuditLog::evaluate(Rule *rule, Transaction *transaction,
|
||||
RuleMessage *rm) {
|
||||
rm->m_noAuditLog = false;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
@@ -34,7 +34,8 @@ class AuditLog : public Action {
|
||||
explicit AuditLog(std::string action)
|
||||
: Action(action, RunTimeOnlyIfMatchKind) { }
|
||||
|
||||
bool evaluate(Rule *rule, Transaction *transaction) override;
|
||||
bool evaluate(Rule *rule, Transaction *transaction,
|
||||
RuleMessage *rm) override;
|
||||
};
|
||||
|
||||
|
||||
|
||||
@@ -19,13 +19,16 @@
|
||||
#include <string>
|
||||
|
||||
#include "modsecurity/transaction.h"
|
||||
#include "modsecurity/rule.h"
|
||||
#include "modsecurity/rule_message.h"
|
||||
|
||||
namespace modsecurity {
|
||||
namespace actions {
|
||||
|
||||
|
||||
bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction) {
|
||||
transaction->m_toNotBeSavedInAuditLogs = true;
|
||||
bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction,
|
||||
RuleMessage *rm) {
|
||||
rm->m_noAuditLog = true;
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
@@ -34,7 +34,8 @@ class NoAuditLog : public Action {
|
||||
explicit NoAuditLog(std::string action)
|
||||
: Action(action, RunTimeOnlyIfMatchKind) { }
|
||||
|
||||
bool evaluate(Rule *rule, Transaction *transaction) override;
|
||||
bool evaluate(Rule *rule, Transaction *transaction,
|
||||
RuleMessage *rm) override;
|
||||
};
|
||||
|
||||
} // namespace actions
|
||||
|
||||
@@ -21,6 +21,7 @@
|
||||
|
||||
#include <fstream>
|
||||
|
||||
#include "modsecurity/rule_message.h"
|
||||
#include "src/audit_log/writer/https.h"
|
||||
#include "src/audit_log/writer/parallel.h"
|
||||
#include "src/audit_log/writer/serial.h"
|
||||
@@ -244,6 +245,7 @@ bool AuditLog::isRelevant(int status) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
if (sstatus.empty()) {
|
||||
return true;
|
||||
}
|
||||
@@ -259,13 +261,21 @@ bool AuditLog::saveIfRelevant(Transaction *transaction) {
|
||||
|
||||
|
||||
bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
|
||||
bool saveAnyway = false;
|
||||
if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
|
||||
return true;
|
||||
}
|
||||
|
||||
for (RuleMessage &i : transaction->m_rulesMessages) {
|
||||
if (i.m_noAuditLog == false) {
|
||||
saveAnyway = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if ((m_status == RelevantOnlyAuditLogStatus
|
||||
&& this->isRelevant(transaction->m_httpCodeReturned) == false
|
||||
&& transaction->m_toBeSavedInAuditlogs == false)) {
|
||||
&& this->isRelevant(transaction->m_httpCodeReturned) == false)
|
||||
&& saveAnyway == false) {
|
||||
transaction->debug(5, "Return code `" +
|
||||
std::to_string(transaction->m_httpCodeReturned) + "'" \
|
||||
" is not interesting to audit logs, relevant code(s): `" +
|
||||
@@ -274,17 +284,6 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Even if it is relevant, if it is marked not to be save,
|
||||
* we won't save it.
|
||||
*
|
||||
*/
|
||||
if (transaction->m_toNotBeSavedInAuditLogs == true) {
|
||||
transaction->debug(5, "This request was marked to not " \
|
||||
"be saved in the audit logs.");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (parts == -1) {
|
||||
parts = m_parts;
|
||||
}
|
||||
|
||||
@@ -623,6 +623,7 @@ end_exec:
|
||||
for (const auto &u : ruleMessage.m_server_logs) {
|
||||
trasn->serverLog(u);
|
||||
}
|
||||
|
||||
if (ruleMessage.m_server_logs.size() > 0) {
|
||||
trasn->m_rulesMessages.push_back(ruleMessage);
|
||||
}
|
||||
|
||||
@@ -106,8 +106,6 @@ Transaction::Transaction(ModSecurity *ms, Rules *rules, void *logCbData)
|
||||
m_method(""),
|
||||
m_httpVersion(""),
|
||||
m_rules(rules),
|
||||
m_toBeSavedInAuditlogs(false),
|
||||
m_toNotBeSavedInAuditLogs(false),
|
||||
m_timeStamp(std::time(NULL)),
|
||||
m_httpCodeReturned(200),
|
||||
m_highestSeverityAction(255),
|
||||
@@ -1262,12 +1260,6 @@ int Transaction::processLogging() {
|
||||
}
|
||||
}
|
||||
}
|
||||
#ifndef NO_LOGS
|
||||
if (m_toBeSavedInAuditlogs) {
|
||||
debug(8, "This request was marked to be " \
|
||||
"saved via auditlog action.");
|
||||
}
|
||||
#endif
|
||||
debug(8, "Checking if this request is relevant to be " \
|
||||
"part of the audit logs.");
|
||||
bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, parts);
|
||||
|
||||
Reference in New Issue
Block a user