Nick Gearls | 8 May 09:58

Re: Header sanitization

That's great, although the syntax is a bit more complex:

# Add Basic Authentication userid to logs
SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \
    "phase:1,chain,t:none,capture,nolog,pass"
    SecRule TX:1 "^(.*)$" \
        "chain,t:none,t:base64Decode,capture"
    SecRule TX:1 "^([^:]+)" \
        "t:none,capture,setuid:%{TX.1}"

Thanks,

Nick

Brian Rectanus wrote:
> Brian Rectanus wrote:
>> If you just want to log the username in the audit log, then you should
>> be able to use setuid action for this.
>>
>> EX:
>> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
>>
>> OR, if you want it for all, not just authenticated:
>>
>> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
>>         "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"
> 
> Forgot the "capture,pass,nolog" action in the above.
> 
> -B
> 
>> And in the audit log you should have the following in part 'H'
>>
>> WebApp-Info: "WebAppName" "SessionId" "UserName"
>>
>> -B
>>
>> Nick Gearls wrote:
>>> I found a possible solution.
>>> If we write a filter to strip the password, then we could
>>>   1. map the "base64(user:pwd)"
>>>   2. decode64 it, strip pwd, and map it again
>>>   3. print TX.1 in log
>>>
>>>
>>> Questions:
>>>
>>> 1. Any generic function to strip things after the colon?
>>> If not, we could write a generic sub plug-in.
>>>
>>> 2. This works on rules checking the Authorization header.
>>> Any way to add this for all log entries?
>>>
>>> Thanks,
>>>
>>> Nick
>>>
>>>
>>> Nick Gearls wrote:
>>>> Hello,
>>>>
>>>> For obvious privacy reasons, it is advisable to sanitize the header
>>>> "Authorization" in the log.
>>>> However, it may be handy to have the userid part of it in case of an
>>>> error trap.
>>>> Any possibility?
>>>>
>>>> Thanks,
>>>>
>>>> Nick
>>>>
>>>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
>>> Don't miss this year's exciting event. There's still time to save $100.
>>> Use priority code J8TL2D2.
>>> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod-security-users <at> lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>
>>
> 
> 
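What the three chained rules in the reply compute, written out as a stand-alone reference you can run against sample headers. This is an added example, not code from the thread and not part of ModSecurity; it assumes a few things the posted rule does not: the scheme is matched case-insensitively (as RFC 7617 allows, while the posted "^Basic\s" regex is case-sensitive), a decoded credential with no colon is treated as malformed instead of being logged as a user-id, and the redacted header format and the sample headers are constructed here.

```python
import base64
import binascii
import re
from typing import Optional

# Mirrors the chained rules from the post:
#   1. "^Basic\s(.*)$"  capture the base64 blob after the scheme
#   2. t:base64Decode   turn it into "user-id:password"
#   3. "^([^:]+)"       keep everything before the first colon
# Assumption: scheme matched case-insensitively and surrounding
# whitespace tolerated (RFC 7617); the posted regex is stricter.
BASIC_RE = re.compile(r"^Basic\s+(\S+)\s*$", re.IGNORECASE)


def basic_userid(authorization: Optional[str]) -> Optional[str]:
    """Return the user-id of a Basic credential, or None when the header is
    missing, uses another scheme, is not valid base64, or has no colon."""
    if not authorization:
        return None
    m = BASIC_RE.match(authorization)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # junk after "Basic": do not log it, do not trust it
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # RFC 7617: the user-id cannot contain a colon, the password can,
    # so split on the first colon only (same as "^([^:]+)").
    user, sep, _password = text.partition(":")
    if not sep or not user:
        return None  # assumption: no colon means malformed, not a user-id
    return user


def _log_safe(value: str, limit: int = 64) -> str:
    """Strip control characters and cap the length so a hostile user-id
    cannot inject fake lines into the audit log."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in value)
    return cleaned[:limit]


def sanitize_authorization(authorization: Optional[str]) -> Optional[str]:
    """Rewrite the header for the log: keep the scheme and the user-id,
    never the password or the raw credential. Format is constructed here."""
    if authorization is None:
        return None
    scheme, _, _rest = authorization.partition(" ")
    user = basic_userid(authorization)
    if user is None:
        return f"{scheme} [REDACTED]"
    return f"{scheme} [user={_log_safe(user)} password=REDACTED]"


# Constructed sample headers (not taken from the thread).
SAMPLE_HEADERS = [
    "Basic YWxpY2U6czNjcmV0",   # alice:s3cret
    "basic dXNlcjpwYXNz",       # user:pass, lower-case scheme
    "Basic Ym9iOnBhOnNz",       # bob:pa:ss, colon inside the password
    "Basic !!!notbase64!!!",    # undecodable credential
    "Bearer eyJhbGciOi.e30.sig",  # different scheme, never decoded
    None,                       # header absent
]


def audit_fields(headers=SAMPLE_HEADERS):
    """Return (user-id, sanitized header) per input, as the audit log would see it."""
    return [(basic_userid(h), sanitize_authorization(h)) for h in headers]


if __name__ == "__main__":
    for user, line in audit_fields():
        print(f"{user!r:12} {line}")
```

Run it and compare the second column with what ends up in the audit log: the password never appears, the user-id does, and anything that is not a well-formed Basic credential is redacted wholesale rather than decoded on a best-effort basis.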
