enforces prefix, comments in recommended confs

corazawaf · Apr 1, 2024 · d7b5759 · d7b5759
1 parent fddb69d
commit d7b5759
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 10 deletions.
diff --git a/example/envoy/envoy-config.yaml b/example/envoy/envoy-config.yaml
@@ -60,8 +60,7 @@ static_resources:
                                     "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                     "SecDefaultAction \"phase:5,log,auditlog,pass\"",
-                                    "SecAuditLog /dev/stdout",
-                                    "SecAuditLogFormat JSON",
+                                    "SecAuditEngine On",
                                     "SecDebugLogLevel 3",
                                     "Include @owasp_crs/*.conf",
                                     "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\" \nSecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\" \nSecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\" \nSecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\""

diff --git a/internal/auditlog/serial_writer.go b/internal/auditlog/serial_writer.go
@@ -11,12 +11,10 @@ import (
 	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
 )
 
-// Coraza does not come with a built-in audit log writer for Wasm
-// See https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go
-// This function overrides the default "Serial" audit log writer in order to print audit logs
-// to the proxy-wasm log as info messages.
+// This function overrides the default "Serial" audit log writer (see https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go)
+// in order to print audit logs to the proxy-wasm log as info messages with a prefix to differentiate them from other logs.
 func RegisterWasmSerialWriter() {
-	plugins.RegisterAuditLogWriter("serialNotUsed", func() plugintypes.AuditLogWriter {
+	plugins.RegisterAuditLogWriter("serial", func() plugintypes.AuditLogWriter {
 		return &wasmSerial{}
 	})
 }
@@ -44,8 +42,8 @@ func (s *wasmSerial) Write(al plugintypes.AuditLog) error {
 	if len(bts) == 0 {
 		return nil
 	}
-
-	proxywasm.LogInfo(string(bts))
+	// Print the audit log to the proxy-wasm log as an info message adding an "AuditLog:" prefix.
+	proxywasm.LogInfo("AuditLog:" + string(bts))
 	return nil
 }
 

diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf
@@ -230,11 +230,12 @@ SecAuditLogParts ABIJDEFHZ
 # Use a single file for logging. This is much easier to look at, but
 # assumes that you will use the audit log only occasionally.
 #
+# Because of proxy-wasm limitations, audit logs can only be written to stdout
+# which end up in the proxy logs.
 SecAuditLogType Serial
 SecAuditLog /dev/stdout
 SecAuditLogFormat JSON
 
-
 # -- Miscellaneous -----------------------------------------------------------
 
 # Use the most commonly used application/x-www-form-urlencoded parameter

diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf
@@ -229,6 +229,8 @@ SecAuditLogParts ABIJDEFHZ
 # Use a single file for logging. This is much easier to look at, but
 # assumes that you will use the audit log only occasionally.
 #
+# Because of proxy-wasm limitations, audit logs can only be written to stdout
+# which end up in the proxy logs. 
 SecAuditLogType Serial
 SecAuditLog /dev/stdout
 SecAuditLogFormat JSON