Thanks for the suggestions, but I don't think either of these will solve
our problem permanently.

The 'nolog' option is rule or status code dependent and we want to make
sure that *no* request bodies are ever printed to the Nginx log.
The 'SecAuditLogParts' option seems to only affect what gets sent to the
audit logs, we've tried this.  Mod_security docs say that "Messages at
levels 1-3 are *always* copied to the Apache error log."   We are assuming
that this applies equally to Nginx logs, and this is what we need to
address.

We have clients sending credit card numbers in request bodies and they are
triggering mod_security SQL injection rules which then write these bodies
to the Nginx logs exposing the CC number.

We know that we can disable these specific rules, but are afraid that at
some future time, or after an upgrade, these or some other rules will be
triggered again exposing sensitive information.

Does OWASP have a "best practices" procedure for protecting this kind of
data in a PCI environment?
How can we prevent *all* level 1-3 messages from being sent to the Nginx
log?

Thanks again for your help.

--charlie

On Tue, Jun 2, 2015 at 4:08 PM, Joshua Roback <jrob...@gmail.com> wrote:

> Inside your base modsecurity.conf file, I believe the following directive
> will allow you to choose which parts are logged based on the assigned letter
> values.
> Example below will remove REQUEST and RESPONSE body:
> SecAuditLogParts ABIFEHZ
>
>
>
> On Tue, Jun 2, 2015 at 11:39 AM Chaim Sanders <csand...@trustwave.com>
> wrote:
>
>> Hey Charles,
>>
>> You can use the nolog action to prevent ModSecurity from adding entries.
>> For instance:
>>
>> SecRule ARGS:test "Test" "block,status:403,nolog,id:1"
>>
>> *Chaim Sanders*
>>
>> Security Researcher, SpiderLabs
>>
>>
>>
>> *Trustwave* | SMART SECURITY ON DEMAND
>>
>> www.trustwave.com
>>
>>
>>
>> *From:* owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:
>> owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] *On Behalf Of*
>> Charles Farinella
>> *Sent:* Tuesday, June 2, 2015 10:38 AM
>> *To:* owasp-modsecurity-core-rule-set@lists.owasp.org
>> *Subject:* [Owasp-modsecurity-core-rule-set] How to prevent request body
>> logging?
>>
>>
>>
>> We are seeing request bodies logged to our nginx logs.  mod_security
>> documentation says that "Messages at levels 1-3 are always copied to the
>> Apache error log."  Does anyone know how we can prevent this behavior?
>>
>> --
>>
>> Charles Farinella
>>
>> Systems Administrator
>>
>> Appropriate Solutions, Inc.
>>
>> 603-924-6079
>>
>


-- 
Charles Farinella
Systems Administrator
Appropriate Solutions, Inc.
603-924-6079
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
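The thread's underlying worry is that a ModSecurity alert can copy a request body containing a card number into the Nginx error log, and that a future rule change could reintroduce the leak even after specific rules are silenced. Whatever logging configuration is chosen, a defender still wants an independent check that the logs actually contain no card numbers. The following is an added example, not code from this thread or from the ModSecurity project: it applies the Luhn checksum (the same check ModSecurity's `@verifyCC` operator performs) to digit runs in log lines, reports which lines contain a plausible primary account number, and shows how such a line would be masked. The log lines, rule id and client addresses are constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, not adjacent to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(match_text: str) -> bool:
    digits = re.sub(r"[ -]", "", match_text)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list:
    """Return the substrings of text that look like Luhn-valid card numbers."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if _is_pan(m.group(0))]


def redact(text: str) -> str:
    """Mask every Luhn-valid candidate, keeping only the last four digits."""
    def _mask(m):
        if not _is_pan(m.group(0)):
            return m.group(0)   # e.g. an order id that happens to be 16 digits
        digits = re.sub(r"[ -]", "", m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


def scan_log(lines) -> list:
    """Return (line_number, pan_count) for each line that leaks a card number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            findings.append((lineno, len(hits)))
    return findings


# Constructed sample of what an Nginx error log with ModSecurity alerts might
# look like; the card numbers are the usual public test numbers.
SAMPLE_LOG = [
    '2015/06/02 10:38:12 [error] 1234#0: *1 ModSecurity: Warning. Matched phrase "select" '
    'at ARGS:q. [id "1"] [msg "SQL Injection Attack"] '
    '[data "Matched Data: card=4111111111111111&exp=0617"] client: 203.0.113.5',
    '2015/06/02 10:38:13 [error] 1234#0: *2 ModSecurity: Warning. Matched phrase "select" '
    'at ARGS:q. [id "1"] [data "Matched Data: order=1234567890123456"] client: 203.0.113.5',
    '2015/06/02 10:38:14 [error] 1234#0: *3 ModSecurity: Warning. Matched phrase "union" '
    'at ARGS:q. [id "1"] [data "Matched Data: pan=5555 5555 5555 4444"] client: 203.0.113.6',
    '2015/06/02 10:38:15 [error] 1234#0: *4 open() "/var/www/robots.txt" failed '
    '(2: No such file or directory)',
]

if __name__ == "__main__":
    for lineno, count in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {count} card number(s) found")
        print("  redacted:", redact(SAMPLE_LOG[lineno - 1]))
```

Line 2 of the sample is deliberately a 16-digit value that fails Luhn, so it is reported as clean; the Luhn step is what keeps order ids, timestamps and similar digit runs from flooding the report. Run over real error logs, a non-empty result from `scan_log` is the signal that the logging configuration still exposes card data and needs attention, regardless of which rule produced the alert.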
