
I am currently running Apache 2.4.25 on Debian 9.8. I'm trying to set up mod_security to log POST request payloads for a specific URI. I have several APIs on a Debian server and I have to log all of them except 2. I tried to log only one URI for testing but it seems that the rules I tried don't work.

I started by following this question but it seems it doesn't work. Every call is logged. Even if I comment out the two SecRule lines, it still logs every call.

My config:

# Enable the module.
SecRuleEngine On
SecAuditEngine On
# Give it a log file.
SecAuditLog /var/log/httpd/website-audit.log
# Allow it to access the request body.
SecRequestBodyAccess On
SecAuditLogParts ABCDEFGHIJZ

# Configure a default action.
SecDefaultAction "nolog,noauditlog,allow,phase:2"

# Define a rule that lets us log the content of POST requests.
SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2,id:13"
SecRule REQUEST_URI "@streq /api/ICM/SendMessage" "auditlog"

What am I doing incorrectly?

Thanks a lot.

Christopher H
  • Most mod_security settings can be activated and /or disabled for any specific scope in Apache, by including them in a particular ` ..` or `` or `` block but some are restricted and cannot be changed / set in such a way. See https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#configuration-directives That means that maybe some settings are configured or need to be in for instance a .htaccess , specific VirtualHost or other file than what you are editing – Bob Aug 10 '20 at 14:23
  • Thanks but the config file is activated. If I set `SecRuleEngine Off`, logs are deactivated. With `SecRule REQUEST_METHOD "^POST$" "chain,deny,phase:2,id:13"`, all calls are denied. So, I don't think the problem is the activation of this config file. – Sylvain Lefevre Aug 11 '20 at 07:56
  • SecAuditEngine must be Off, otherwise all actions will be logged. However, since this is Off, there is no log. Why? Does "auditlog" need any configuration? – Sylvain Lefevre Aug 12 '20 at 15:12

1 Answer


I think this is what you're looking for:

SecRule REQUEST_METHOD "!@streq POST" "allow,phase:1,id:13,ctl:auditEngine=Off"

Please note for the reference:

If the SecAuditEngine is set to On, all of the transactions will be logged. If it is set to RelevantOnly, then you can control the logging with the noauditlog action.

So, this would be another solution.

The noauditlog action affects only the current rule. If you prevent audit logging in one rule only, a match in another rule will still cause audit logging to take place. If you want to prevent audit logging from taking place, regardless of whether any rule matches, use ctl:auditEngine=Off.

But IMHO the ctl action above is more clear.

airween
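Putting the question's goal (log every API call except two) together with the answer's ctl:auditEngine=Off approach, the following is an added example configuration; it is not the asker's config nor the answerer's rule. The two exempt paths /api/exempt-one and /api/exempt-two, the rule ids 1001-1003 and the log path are placeholders. Apache does not accept trailing comments on a directive line, so every comment sits on its own line.

```apacheconf
# Added example (not from the question or the answer): audit-log POST bodies
# for every API endpoint except two exempt ones. Paths and rule ids are placeholders.

SecRuleEngine On
# Needed so the request body (audit-log part C) can be read and written.
SecRequestBodyAccess On

# "On" logs every transaction no matter what the rules say;
# "RelevantOnly" lets the auditlog/noauditlog actions and ctl:auditEngine decide.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/website-audit.log
# A/Z delimiters, B request headers, C request body, F response headers, H audit trailer.
SecAuditLogParts ABCFHZ

# Under RelevantOnly, responses matching SecAuditLogRelevantStatus (default: 5xx and
# 4xx except 404) are also logged; the exempt rules below switch the engine off for
# those transactions as well, so the two endpoints never reach the audit log.
SecDefaultAction "phase:2,pass,nolog,noauditlog"

# Exempt endpoints: turn the audit engine off for this transaction only.
SecRule REQUEST_URI "@beginsWith /api/exempt-one" "id:1001,phase:1,pass,nolog,ctl:auditEngine=Off"
SecRule REQUEST_URI "@beginsWith /api/exempt-two" "id:1002,phase:1,pass,nolog,ctl:auditEngine=Off"

# Every other POST: mark the transaction relevant so its body is written to the audit log.
SecRule REQUEST_METHOD "@streq POST" "id:1003,phase:2,pass,nolog,auditlog"
```

The exempt rules run in phase 1 (request headers), before the body is read, so the audit engine is already off when phase 2 processes the POST rule. With SecAuditEngine left at On, as in the question, none of the auditlog/noauditlog actions would change anything, which is why every call was logged there.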