Re: [Owasp-modsecurity-core-rule-set] How to prevent request body logging?

Wed, 03 Jun 2015 08:30:46 -0700 

Le 03/06/2015 16:22, Charles Farinella a écrit :
> Thanks for the suggestions, but I don't think either of these will
> solve our problem permanently.
>
> The 'nolog' option is rule or status code dependent and we want to
> make sure that *no* request bodies are ever printed to the Nginx log.
> The 'SecAuditLogParts' option seems to only affect what gets sent to
> the audit logs, we've tried this.  Mod_security docs say that
> "Messages at levels 1-3 are *always* copied to the Apache error
> log."   We are assuming that this applies equally to Nginx logs, and
> this is what we need to address.
>
> We have clients sending credit card numbers in request bodies and they
> are triggering mod_security SQL injection rules which then write these
> bodies to the Nginx logs exposing the CC number.
>
> We know that we can disable these specific rules, but are afraid that
> at some future time, or after an upgrade, these or some other rules
> will be triggered again exposing sensitive information.
>
> Does OWASP have a "best practices" procedure for protecting this kind
> of data in a PCI environment?
> How can we prevent *all* level 1-3 messages from being sent to the
> Nginx log?
>
> Thanks again for your help.
>
> --charlie
>

Hello Charlie,

We had the exact same issue at my workplace, and I found a semi solution
only : disable logging of rules, and add a new rule to log only final
result of anomaly score with last matched rule ID (see attached
15-custom-config.conf).

Now remains the audit rules adding specifically audit flags we don't
want, so I made a script and run it against my rules directory to
generate an additionnal rule file included AT THE END (99-xxx). It
generates something like that (script is attached):

    SecRuleUpdateActionById 950120 ctl:auditLogParts=-E,chain
    [...]
    SecRuleUpdateActionById 973337 nolog
    [...]
    SecRuleUpdateActionById 981205 "logdata:'Matched rules:
    %{tx.counter}; Rule list: %{matched_rule-1} %{matched_rule-2}
    %{matched_rule-3} %{matched_rule-4} %{matched_rule-5}
    %{matched_rule-6} %{matched_rule-7} %{matched_rule-8}
    %{matched_rule-9} %{matched_rule-10} %{matched_rule-11}
    %{matched_rule-12} %{matched_rule-13} %{matched_rule-14}
    %{matched_rule-15} %{matched_rule-16} %{matched_rule-17}
    %{matched_rule-18} %{matched_rule-19} %{matched_rule-20}',log,auditlog"

On some rules, the keyword "chain" is specified. In fact current
modsecurity needs us to specify again this keyword when we update a
chained action.
The last parts here are an attempt to fetch the rule IDs that matched
since they don't get logged. Although it doesn't work, but keep it so it
replaces the logdata of these rules, which can contain sensitive
information. It was coupled with a rule included before all
(20-track-ids.conf) containing only this (currently disabled) :
#SecRule TX:/^\d/ "."
"phase:2,id:'45',t:none,nolog,noauditlog,pass,setvar:tx.counter=+1,setvar:tx.matched_rule-%{tx.counter}=%{matched_var_name}"
I'm interested by feedback if you manage to log a list of matched rule ids !

Since we don't get that much information of matched rules, except when
the request get blocked, I added some rules which kinda copies the
blocking rule (without the block part of course) from
base_rules/modsecurity_crs_49_inbound_blocking.conf when the anomaly
score is not exceeded. See attached 99-log-low-anomalies.conf.
As you can see in the 99- file, I also had to alter the last matched
data variable when SecRule was matching a parameter containing sensitive
data. We use JSON parsing so we can use that, but XML parsing does not
provide parameter name, so I hope you're in REST API and not SOAP.

The result is : we always get a summary of what happened when score is
not 0, with the ID of last matched rule, but not all the IDs.

Maybe modsecurity / OWASP team could make a PCI compliant version of the
rules / software, because it is indeed hard to work with as it is when
you need to avoid sensitive data being logged.

I hope I didn't forget anything, and it helps you on your modsecurity
journey ^^

--
Loïc Gomez

Attachment: 15-custom-config.conf.gz
Description: application/gzip

Attachment: 99-log-low-anomalies.conf.gz
Description: application/gzip

Attachment: modsecurity-no-bodies.sh.gz
Description: application/gzip

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to