Changes the saving selection for the audit logs

This commit is contained in:
Felipe Zimmerle 2016-12-20 09:23:57 -03:00
parent 10cdf8fed9
commit bbb61d560c
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
9 changed files with 28 additions and 46 deletions


@ -47,6 +47,7 @@ class RuleMessage {
m_maturity(rule->m_maturity), m_maturity(rule->m_maturity),
m_rule(rule), m_rule(rule),
m_saveMessage(false), m_saveMessage(false),
m_noAuditLog(false),
m_match(std::string("")) m_match(std::string(""))
{ } { }
@ -70,6 +71,7 @@ class RuleMessage {
std::list<std::string> m_tags; std::list<std::string> m_tags;
std::list<std::string> m_server_logs; std::list<std::string> m_server_logs;
bool m_noAuditLog;
Rule *m_rule; Rule *m_rule;
bool m_saveMessage; bool m_saveMessage;
}; };
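Review bot: The new initializer `m_noAuditLog(false)` is placed after `m_rule(rule)` and `m_saveMessage(false)` in the constructor, but the member is declared before both `m_rule` and `m_saveMessage`, so gcc/clang `-Wreorder` will warn and a `-Werror` build breaks (members are still initialized in declaration order, so there is no runtime bug). Move `m_noAuditLog(false),` in front of `m_rule(rule),` in the initializer list, or declare the member after `m_saveMessage`. The member also deserves a comment stating who owns its value, e.g. `/** Set by the `noauditlog` action for this rule match, cleared by `auditlog`; consulted by AuditLog::saveIfRelevant. */`, because its default of `false` is indistinguishable from an explicit `auditlog`. The RuleMessage constructor and the rest of the class lie outside this section.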


@ -165,25 +165,6 @@ class Transaction {
std::string toOldAuditLogFormatIndex(const std::string &filename, std::string toOldAuditLogFormatIndex(const std::string &filename,
double size, const std::string &md5); double size, const std::string &md5);
/**
* This variable is basically set by the `autidlog' action. It means
* that this particular transaction was marked to be saved as part of
* the auditlogs, even if it is not originally classified to be saved
* by `SecAuditLogRelevantStatus'.
*/
bool m_toBeSavedInAuditlogs;
/**
* Set by `noauditlog' action, it means that this particular should
* not be saved. Regardless of `SecAuditLogRelevantStatus'.
*
* @note It is possible to have `auditlog' and `noauditlog' actions
* in a same rule, in that case prevails the last input.
*/
bool m_toNotBeSavedInAuditLogs;
/** /**
* Filled during the class instantiation, this variable can be later * Filled during the class instantiation, this variable can be later
* used to fill the SecRule variable `duration'. The variable `duration' * used to fill the SecRule variable `duration'. The variable `duration'


@ -19,13 +19,15 @@
#include <string> #include <string>
#include "modsecurity/transaction.h" #include "modsecurity/transaction.h"
#include "modsecurity/rule_message.h"
namespace modsecurity { namespace modsecurity {
namespace actions { namespace actions {
bool AuditLog::evaluate(Rule *rule, Transaction *transaction) { bool AuditLog::evaluate(Rule *rule, Transaction *transaction,
transaction->m_toBeSavedInAuditlogs = true; RuleMessage *rm) {
rm->m_noAuditLog = false;
return true; return true;
} }
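Review bot: `rm->m_noAuditLog = false;` dereferences the new `RuleMessage *rm` parameter without a null check; whether every caller of Action::evaluate guarantees a non-null message is not visible here, so either guard it (`if (rm != nullptr) { rm->m_noAuditLog = false; }`) or document the non-null precondition on the signature. Note that `false` is already the member's default, so this action only has an effect when a `noauditlog` action on the same rule ran earlier; the function can no longer force a transaction into the audit log on its own, which is worth a comment above the assignment. `rule` and `transaction` are now unused in this body.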


@ -34,7 +34,8 @@ class AuditLog : public Action {
explicit AuditLog(std::string action) explicit AuditLog(std::string action)
: Action(action, RunTimeOnlyIfMatchKind) { } : Action(action, RunTimeOnlyIfMatchKind) { }
bool evaluate(Rule *rule, Transaction *transaction) override; bool evaluate(Rule *rule, Transaction *transaction,
RuleMessage *rm) override;
}; };


@ -19,13 +19,16 @@
#include <string> #include <string>
#include "modsecurity/transaction.h" #include "modsecurity/transaction.h"
#include "modsecurity/rule.h"
#include "modsecurity/rule_message.h"
namespace modsecurity { namespace modsecurity {
namespace actions { namespace actions {
bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction) { bool NoAuditLog::evaluate(Rule *rule, Transaction *transaction,
transaction->m_toNotBeSavedInAuditLogs = true; RuleMessage *rm) {
rm->m_noAuditLog = true;
return true; return true;
} }
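Review bot: The added `#include "modsecurity/rule.h"` is not needed by this body, which only touches `rm->m_noAuditLog`; `rule_message.h` is the include the new code actually uses, so drop the extra one unless the forward declaration in the header relies on it. As in the `auditlog` action, `rm` is dereferenced without a null check; if callers can pass a null message (not visible from here), guard it with `if (rm != nullptr) { rm->m_noAuditLog = true; }`. A one-line comment such as `// Mark this rule match as excluded from the audit log; see AuditLog::saveIfRelevant.` would make the new flow easy to follow.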


@ -34,7 +34,8 @@ class NoAuditLog : public Action {
explicit NoAuditLog(std::string action) explicit NoAuditLog(std::string action)
: Action(action, RunTimeOnlyIfMatchKind) { } : Action(action, RunTimeOnlyIfMatchKind) { }
bool evaluate(Rule *rule, Transaction *transaction) override; bool evaluate(Rule *rule, Transaction *transaction,
RuleMessage *rm) override;
}; };
} // namespace actions } // namespace actions


@ -21,6 +21,7 @@
#include <fstream> #include <fstream>
#include "modsecurity/rule_message.h"
#include "src/audit_log/writer/https.h" #include "src/audit_log/writer/https.h"
#include "src/audit_log/writer/parallel.h" #include "src/audit_log/writer/parallel.h"
#include "src/audit_log/writer/serial.h" #include "src/audit_log/writer/serial.h"
@ -244,6 +245,7 @@ bool AuditLog::isRelevant(int status) {
return false; return false;
} }
if (sstatus.empty()) { if (sstatus.empty()) {
return true; return true;
} }
@ -259,13 +261,21 @@ bool AuditLog::saveIfRelevant(Transaction *transaction) {
bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) { bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
bool saveAnyway = false;
if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) { if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
return true; return true;
} }
for (RuleMessage &i : transaction->m_rulesMessages) {
if (i.m_noAuditLog == false) {
saveAnyway = true;
break;
}
}
if ((m_status == RelevantOnlyAuditLogStatus if ((m_status == RelevantOnlyAuditLogStatus
&& this->isRelevant(transaction->m_httpCodeReturned) == false && this->isRelevant(transaction->m_httpCodeReturned) == false)
&& transaction->m_toBeSavedInAuditlogs == false)) { && saveAnyway == false) {
transaction->debug(5, "Return code `" + transaction->debug(5, "Return code `" +
std::to_string(transaction->m_httpCodeReturned) + "'" \ std::to_string(transaction->m_httpCodeReturned) + "'" \
" is not interesting to audit logs, relevant code(s): `" + " is not interesting to audit logs, relevant code(s): `" +
@ -274,17 +284,6 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
return false; return false;
} }
/**
* Even if it is relevant, if it is marked not to be save,
* we won't save it.
*
*/
if (transaction->m_toNotBeSavedInAuditLogs == true) {
transaction->debug(5, "This request was marked to not " \
"be saved in the audit logs.");
return false;
}
if (parts == -1) { if (parts == -1) {
parts = m_parts; parts = m_parts;
} }
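Review bot: The new `saveAnyway` loop in saveIfRelevant forces the transaction into the audit log whenever any recorded rule message has `m_noAuditLog == false`, and since that is the member's default, every logged rule match now bypasses `SecAuditLogRelevantStatus` even without an `auditlog` action, while an explicit `auditlog` no longer does anything distinct. At the same time the guard that honoured `noauditlog` for relevant status codes (the deleted `m_toNotBeSavedInAuditLogs` block) is not re-implemented: `saveAnyway == false` is only consulted when the status is not relevant, so a rule with `noauditlog` can no longer suppress an entry for a 403. I would scan all messages, let any `noauditlog` win (as the removed header comment documented), and keep the forced-save path tied to an explicit `auditlog` — which needs the flag to become a tri-state (unset / audit / no-audit) rather than a bool defaulting to `false`. Also iterate with `const RuleMessage &`, since the loop only reads. The function continues past this hunk (the `parts` handling and the write itself).
```cpp
bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
    bool saveAnyway = false;
    bool suppressed = false;
    if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
        return true;
    }
    // Scan every message: a single `noauditlog` must win regardless of the
    // status code, which the removed m_toNotBeSavedInAuditLogs guard ensured.
    for (const RuleMessage &msg : transaction->m_rulesMessages) {
        if (msg.m_noAuditLog) {
            suppressed = true;
        } else {
            saveAnyway = true;  // TODO: only when `auditlog` was explicit
        }
    }
    if (suppressed) {
        transaction->debug(5, "This request was marked to not " \
            "be saved in the audit logs.");
        return false;
    }
    // … unchanged: RelevantOnlyAuditLogStatus / saveAnyway check and debug …
```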


@ -623,6 +623,7 @@ end_exec:
for (const auto &u : ruleMessage.m_server_logs) { for (const auto &u : ruleMessage.m_server_logs) {
trasn->serverLog(u); trasn->serverLog(u);
} }
if (ruleMessage.m_server_logs.size() > 0) { if (ruleMessage.m_server_logs.size() > 0) {
trasn->m_rulesMessages.push_back(ruleMessage); trasn->m_rulesMessages.push_back(ruleMessage);
} }


@ -106,8 +106,6 @@ Transaction::Transaction(ModSecurity *ms, Rules *rules, void *logCbData)
m_method(""), m_method(""),
m_httpVersion(""), m_httpVersion(""),
m_rules(rules), m_rules(rules),
m_toBeSavedInAuditlogs(false),
m_toNotBeSavedInAuditLogs(false),
m_timeStamp(std::time(NULL)), m_timeStamp(std::time(NULL)),
m_httpCodeReturned(200), m_httpCodeReturned(200),
m_highestSeverityAction(255), m_highestSeverityAction(255),
@ -1262,12 +1260,6 @@ int Transaction::processLogging() {
} }
} }
} }
#ifndef NO_LOGS
if (m_toBeSavedInAuditlogs) {
debug(8, "This request was marked to be " \
"saved via auditlog action.");
}
#endif
debug(8, "Checking if this request is relevant to be " \ debug(8, "Checking if this request is relevant to be " \
"part of the audit logs."); "part of the audit logs.");
bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, parts); bool saved = this->m_rules->m_auditLog->saveIfRelevant(this, parts);