8 May 10:21
Re: Header sanitization
From: Ivan Ristic <ivan.ristic <at> gmail.com>
Subject: Re: Header sanitization
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-08 08:21:36 GMT
Actually, I think the username is relevant information that needs to
be recorded in the audit log automatically. I'll open a ticket for it.
On Thu, May 8, 2008 at 8:58 AM, Nick Gearls <nickgearls <at> gmail.com> wrote:
> That's great, although the syntax is a bit more complex:
>
> # Add Basic Authentication userid to logs
> SecRule REQUEST_HEADERS:Authorization "^Basic\s(.*)$" \
> "phase:1,chain,t:none,capture,nolog,pass"
> SecRule TX:1 "^(.*)$" \
> "chain,t:none,t:base64Decode,capture"
> SecRule TX:1 "^([^:]+)" \
> "t:none,capture,setuid:%{TX.1}"
>
> Thanks,
>
> Nick
>
>
>
>
> Brian Rectanus wrote:
> > Brian Rectanus wrote:
> >> If you just want to log the username in the audit log, then you should
> >> be able to use setuid action for this.
> >>
> >> EX:
> >> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
> >>
> >> OR, if you want it for all, not just authenticated:
> >>
> >> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
> >> "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"
> >
> > Forgot the "capture,pass,nolog" action in the above.
> >
> > -B
> >
> >> And in the audit log you should have the following in part 'H'
> >>
> >> WebApp-Info: "WebAppName" "SessionId" "UserName"
> >>
> >> -B
> >>
> >> Nick Gearls wrote:
> >>> I found a possible solution.
> >>> If we write a filter to strip the password, then we could
> >>> 1. map the "base64(user:pwd)"
> >>> 2. decode64 it, strip pwd, and map it again
> >>> 3. print TX.1 in log
> >>>
> >>>
> >>> Questions:
> >>>
> >>> 1. Any generic function to strip things after the colon ?
> >>> If not, we could write a generic sub plug-in.
> >>>
> >>> 2. This works on rules checking the Authorization header.
> >>> Any way to add this for all log entries ?
> >>>
> >>> Thanks,
> >>>
> >>> Nick
> >>>
> >>>
> >>> Nick Gearls wrote:
> >>>> Hello,
> >>>>
> >>>> For obvious privacy reasons, it is advisable to sanitize the header
> >>>> "Authorization" in the log.
> >>>> However, it may be handy to have the userid part of it in case of an
> >>>> error trap.
> >>>> Any possibility ?
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Nick
> >>>>
> >>>>
> >>> -------------------------------------------------------------------------
> >>> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> >>> Don't miss this year's exciting event. There's still time to save $100.
> >>> Use priority code J8TL2D2.
> >>> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> >>> _______________________________________________
> >>> mod-security-users mailing list
> >>> mod-security-users <at> lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >>>
> >>
> >
> >
>
>
--
Ivan Ristic
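The three-rule chain Nick posted (match "Basic <blob>", base64-decode it, capture up to the first colon) expressed as plain Python, as an added illustration that is not part of the thread or of ModSecurity itself; the function names, the "[sanitized]" marker and the sample header values are my own choices.

```python
import base64
import binascii
import re

# Same patterns as the SecRule chain in the thread: first isolate the
# base64 payload of a Basic scheme, then take everything before ':'.
BASIC_RE = re.compile(r"^Basic\s(.*)$")
USER_RE = re.compile(r"^([^:]+)")


def basic_auth_userid(header_value: str):
    """Return the userid carried by a Basic Authorization header, or None.

    None covers the cases the chained rules would silently skip: a
    non-Basic scheme, a payload that is not valid base64, or decoded
    credentials with no "user:" prefix.
    """
    m = BASIC_RE.match(header_value)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    decoded = raw.decode("utf-8", "replace")
    m = USER_RE.match(decoded)
    return m.group(1) if m else None


def sanitize_authorization(header_value: str) -> str:
    """Log-safe rendering of the header: keep the userid, drop the password.

    Anything that does not parse as Basic credentials is masked entirely,
    so a bearer token or a malformed value never reaches the log.
    """
    user = basic_auth_userid(header_value)
    if user is None:
        return "[sanitized]"
    return f"Basic {user}:[sanitized]"


if __name__ == "__main__":
    # Constructed sample: base64("alice:s3cret")
    sample = "Basic YWxpY2U6czNjcmV0"
    print(basic_auth_userid(sample))        # alice
    print(sanitize_authorization(sample))   # Basic alice:[sanitized]
```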