Add ctl:auditengine action support to libmodsecurity #2606
Comments
|
Hi @alekravch , You are correct that ctl:auditengine has not been implemented in v3 thus far. Note that a change in the 3.1 development branch was made to produce an error message if that action is used rather than simply failing silently ( 0466a5a ). That may or may not eventually proceed to v3/master. It is certainly possible for ctl:auditengine to become a supported action in v3. However, there has been a deliberate approach in v3 to not always implement functionality from v2 just because it exists in that version. In at least some cases, the use case for some functionality is dubious at best (although it may have been useful years ago) -- see for example SecArgumentSeparator. So, out of curiosity, do you have particular use case(s) where you have wanted to use ctl:auditEngine, and where other tools like 'log/nolog', and 'ctl:auditLogParts' have proven inadequate? |
|
Hi, The problem with ctl:auditLogParts is that it can't disable auditlog altogether - A and Z parts are mandatory and can't be turned off. Downsides (in my opinion) are:
It seems to be more straightforward and reliable to disable auditengine globaly and turn it on conditionally if one wants to perform selective audit logging for specific situations only. Agree that this feature is not absolute necessity, but it seems to be useful and easy enough to implement. |
|
Agreed that the implementation is not particularly complex. I guess I'm still wondering about the usefulness. In other words, what are the underlying use cases for which this is considered desirable by current users of ModSecurity. A couple of examples: In the case of (A), I would normally suggest that it is safer to disable only the particular rules that are causing false positives. For either case, one could also check for the IP address and the disable the engine (ctl:ruleEngine=Off) for those requests -- unless of course there is a good reason to want to still execute the rules but to not have any audit logging from those executed rules. Just wanting to better understand the need ... |
I don't have any useful instance, therefore I can't check it, but as I remember, once we ran into this problem:
The proxy logged these requests, we couldn't turn off the auditlog engine, and those log entries filled the disk (without any ModSecurity warning). In that case, that would have been nice this feature. Then I made a very minimalist patch (partially implemented the |
|
Hi, For example I don't need audit log feature for normal requests and I have to keep audit log turned off due to the reason of performance or disk storage. Then I have some client experiencing problem and to debug this problem I want to capture all activities (via audit log) for this specific client only. So it would be nice to have a feature to turn audit log on locally for the specific condition only. Or I have some suspicious activity and I want to make a detailed investigation, capturing appropriate traffic. So again it would be nice to turn audit log on for the specific condition only. |
|
All right; I'm sufficiently convinced that this would be useful enough. |
martinhsv
changed the title
Hello.
Suggest to make work “ctl:auditengine” option.
Attached patch implements this.
ctl_auditengine2_patch.txt
Feature ctl:auditengine is not yet implemented, but IMHO it’s quite important and useful feature for logging and debugging, mentioned even in ModSecutiry Handbook (Chapter 4. Logging. Selective Audit Logging)
This example from the book will not work.
4 Logging
Selective Audit Logging
Implementation Proposal
This feature should operate on a transaction scope, not interfering with the global rule set.
So we store AuditLogStatus in the transaction and then use function AuditLog::getActualStatus to get AuditLogStatus either from the transaction scope (if set), or from the global rule set (unless it’s not set on the transaction scope). This function is used in AuditLog::init and AuditLog::saveIfRelevant.
Aleksey Kravchuk
The text was updated successfully, but these errors were encountered: