7 May 20:12
Re: Header sanitization
From: Brian Rectanus <Brian.Rectanus <at> breach.com>
Subject: Re: Header sanitization
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-07 18:12:16 GMT
Brian Rectanus wrote:
> If you just want to log the username in the audit log, then you should
> be able to use setuid action for this.
>
> EX:
> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
>
> OR, if you want it for all, not just authenticated:
>
> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
> "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"
Forgot the "capture,pass,nolog" action in the above.
-B
>
> And in the audit log you should have the following in part 'H'
>
> WebApp-Info: "WebAppName" "SessionId" "UserName"
>
> -B
>
> Nick Gearls wrote:
>> I found a possible solution.
>> If we write a filter to strip the password, then we could
>> 1. map the "base64(user:pwd)"
>> 2. decode64 it, strip pwd, and map it again
>> 3. print TX.1 in log
>>
>>
>> Questions:
>>
>> 1. Any generic function to strip things after the colon ?
>> If not, we could write a generic sub plug-in.
>>
>> 2. This works on rules checking the Authorization header.
>> Any way to add this for all log entries ?
>>
>> Thanks,
>>
>> Nick
>>
>>
>> Nick Gearls wrote:
>>> Hello,
>>>
>>> For obvious privacy reasons, it is advisable to sanitize the header
>>> "Authorization" in the log.
>>> However, it may be handy to have the userid part of it in case of an
>>> error trap.
>>> Any possibility ?
>>>
>>> Thanks,
>>>
>>> Nick
>>>
>>>
--
Brian Rectanus
Breach Security
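
The steps Nick lists (decode the Base64 value, strip the password, log what remains), as an added example that is not part of the original thread and is not ModSecurity code: a stand-alone Python function for sanitizing an Authorization header before it is written to a log. The names `sanitize_authorization` and `REDACTED` are assumptions made for this example, and the sample header values are constructed.

```python
import base64
import binascii

REDACTED = "[REDACTED]"  # assumed placeholder written to the log instead of secrets


def sanitize_authorization(header_value):
    """Return (userid, loggable_header) for an Authorization header value.

    userid is None when no user name can be recovered (non-Basic scheme or
    malformed credentials). The password never appears in either result.
    """
    parts = header_value.split(None, 1)
    if not parts:
        return None, REDACTED
    scheme = parts[0]
    credentials = parts[1].strip() if len(parts) > 1 else ""
    if scheme.lower() != "basic":
        # Bearer, Digest and other schemes: keep the scheme name, drop the secret.
        return None, f"{scheme} {REDACTED}"
    try:
        decoded = base64.b64decode(credentials, validate=True)
    except (binascii.Error, ValueError):
        return None, f"{scheme} {REDACTED}"
    # Split on the FIRST colon only: the user-id cannot contain ':',
    # but the password may.
    userid_bytes, sep, _password = decoded.partition(b":")
    if not sep or not userid_bytes:
        return None, f"{scheme} {REDACTED}"
    userid = userid_bytes.decode("utf-8", errors="replace")
    # Replace control characters so a crafted user name cannot forge log lines.
    userid = "".join(c if c.isprintable() else "?" for c in userid)
    return userid, f"{scheme} {userid}:{REDACTED}"


# Constructed sample headers (not taken from the thread).
SAMPLES = [
    "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",  # Aladdin:open sesame
    "Basic YTpiOmM=",                      # a:b:c (password contains a colon)
    "Bearer abc.def.ghi",                  # non-Basic scheme
    "Basic !!!notbase64",                  # malformed Base64
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sanitize_authorization(sample))
```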