Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow configuring mod_security's SecAuditLogParts #1392

Merged
merged 6 commits into from Mar 10, 2016

Conversation

Projects
None yet
3 participants
@stig
Copy link
Contributor

commented Mar 8, 2016

The default configuration for this includes "I" which is not always
always suitable, e.g. if you cannot tolerate POST parameters appearing
in your modsec_audit.log

You may want to omit I if mod_security is protecting a hypothetical
web service that accepts credit card data in a POST request, for
example.

stig added some commits Mar 8, 2016

Allow configuring mod_security's SecAuditLogParts
The default configuration for this includes "I" which is not always
always suitable, e.g. if you cannot tolerate POST parameters appearing
in your modsec_audit.log

You may want to omit `I` if mod_security is protecting a hypothetical
web service that accepts credit card data in a POST request, for
example.
Move default value outside the redhat-specific section
So it is valid for Debian-based systems also.
@stig

This comment has been minimized.

Copy link
Contributor Author

commented Mar 9, 2016

So many apologies about the many commits here. This is my first encounter with rspec, and I was initially not able to run the tests locally, so was coding blind. I believe it should now pass. I'm happy to squash the commits if desired. (Assuming this change is is accepted at all :-) )

@stig

This comment has been minimized.

Copy link
Contributor Author

commented Mar 9, 2016

It appears that the failure is unrelated to my change:

Finished in 24 minutes 12 seconds (files took 1 minute 29.64 seconds to load)
472 examples, 1 failure, 1 pending

Failed examples:

rspec ./spec/acceptance/vhost_spec.rb:1397 # apache::vhost define fastcgi applies cleanly
@igalic

This comment has been minimized.

Copy link
Member

commented Mar 9, 2016

@stig as far as i know, @hunner is trying to figure this out, as we speak

@stig

This comment has been minimized.

Copy link
Contributor Author

commented Mar 10, 2016

Should I be adding an entry to the README as well, to document this new option?

@igalic igalic added the needs-docs label Mar 10, 2016

@igalic

This comment has been minimized.

Copy link
Member

commented Mar 10, 2016

@stig yes please!

@@ -47,6 +47,8 @@

$vhost_include_pattern = '*'

$modsec_audit_log_parts = 'ABIJDEFHZ'

This comment has been minimized.

Copy link
@hunner

hunner Mar 10, 2016

Member

According to the docs the default is ABCFHZ. Why did you choose this instead? It actually says that D isn't even implemented yet.

@@ -50,7 +50,7 @@
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ

This comment has been minimized.

Copy link
@hunner

hunner Mar 10, 2016

Member

Oh, because this was already the default...

hunner added a commit that referenced this pull request Mar 10, 2016

Merge pull request #1392 from stig/configurable-SecAuditLogParts
Allow configuring mod_security's SecAuditLogParts

@hunner hunner merged commit 26aecf9 into puppetlabs:master Mar 10, 2016

2 of 3 checks passed

continuous-integration/pcci-trusty PCCI Voting System
Details
continuous-integration/pcci-centos7 PCCI Voting System
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@stig stig deleted the stig:configurable-SecAuditLogParts branch May 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.