
Are there any best practices or approaches I can take to prevent certain data (e.g. passwords) from being logged into mod-security's log files?

We have a call coming into our Apache server (and onto the Karaf backend) that seems to occasionally trigger a mod-security rule. This call includes a password as one of the URL parameters.

How can I get mod-security to report the rule but suppress certain information from the log? Obviously I want to know the rule has been triggered but I worry about leaving sensitive data in the log.

Here's an example (the dodgy bit is on the second line):-

--0a6bf76f-C--
userName=fred.bloggs%40whatever.com&password=SHOULDNTBEHERE&%3Asubmit=1
--0a6bf76f-F--
HTTP/1.1 200 OK
Ajax-Location: ./home
Content-Type: text/xml;charset=ISO-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Sat, 18-Apr-2015 08:06:08 GMT
Strict-Transport-Security: max-age=15768000
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked

--0a6bf76f-E--
<ajax-response><redirect><![CDATA[./home]]></redirect></ajax-response>
--0a6bf76f-H--
Message: Warning. Pattern match "(.*?)=(?i)(?!.*secure.*)(.*$)" at RESPONSE_HEADERS:Set-Cookie. [file "/etc/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "99"] [id "981185"] [msg "AppDefect: Missing Secure Cookie Flag for rememberMe."] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-secure-flag"]
Message: Warning. Pattern match "(.*?)=(?i)(?!.*httponly.*)(.*$)" at RESPONSE_HEADERS:Set-Cookie. [file "/etc/modsecurity/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "83"] [id "981184"] [msg "AppDefect: Missing HttpOnly Cookie Flag for rememberMe."] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#cookie-not-setting-httponly-flag"]
Apache-Handler: proxy-server
Stopwatch: 1429430768382701 63597 (- - -)
Stopwatch2: 1429430768382701 63597; combined=13093, p1=317, p2=11903, p3=242, p4=130, p5=395, sr=110, sw=106, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
WebApp-Info: "default" "-" ""

--0a6bf76f-Z--

This is Apache 2.2 running on Ubuntu 12.04.

Thanks.

Jeremy Gooch

2 Answers


You should set up a Sanitise rule:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseArg

@5kKate the password is in section C which is the request body. Which is where passwords should be for POST requests. I agree you shouldn't use them in URLs via GET requests (in which case they would show in section B of the audit log).

Barry Pollard
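The sanitise rule the answer above points to, written out as an added example (this is not code from the answer or from the ModSecurity project; the rule IDs and the file path in the comments are placeholders chosen for the example). It scrubs the password argument before the audit log entry for the triggering rule is written, so the entry for rule 981184/981185 still appears but the value in part C shows as asterisks.

```apache
# Added example: scrub credentials from the ModSecurity 2.x audit log.
# Assumptions: rule IDs 900001-900003 are free (pick IDs that do not collide
# with the CRS ranges you load); the file is loaded after the CRS rules,
# e.g. /etc/modsecurity/zz-sanitise.conf (path assumed, not from the page).

# Phase 5 (logging) runs after the request and response have been processed,
# so the sanitisation applies to the audit entry no matter which rule in an
# earlier phase fired. "nolog,pass" means this rule never generates its own
# message and never blocks anything.
SecAction "phase:5,id:900001,nolog,pass,sanitiseArg:password"

# Same idea for any argument whose *name* contains "pass" (passwd,
# newPassword, ...): sanitiseMatched scrubs the variable that matched.
SecRule ARGS_NAMES "(?i)pass" "phase:5,id:900002,nolog,pass,sanitiseMatched"

# Credentials can also arrive in headers (HTTP Basic, bearer tokens); scrub
# those as well so part B never carries them.
SecAction "phase:5,id:900003,nolog,pass,sanitiseRequestHeader:Authorization"

# Keep part B (request line and headers) in the audit log: once the values
# are sanitised there is no need to drop the whole part, and B is the part
# you need to see which URL and client triggered an alert.
SecAuditLogParts ABIJDEFHZ
```

Two caveats worth checking after deploying this: sanitise actions only affect the audit log, not the debug log (SecDebugLog), so keep the debug log level low on a production host; and if a rule logs matched data via logdata, look at the resulting part H "Message:" line to confirm the secret is not echoed there, since that text is produced by the matching rule rather than by the audit log writer.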

You can configure mod_security to disable logging the request URL. This is the letter B which I removed from the below configuration.

SecAuditLogParts ACIFHZ

You can read more here: http://resources.infosecinstitute.com/analyzing-mod-security-logs/

The bigger issue though is that you are sending cleartext passwords in the URL. I'm not as familiar with Karaf but I'd be surprised if they don't have a more secure way of authenticating.

5kKate
  • Removing the useful log info just to hide one part is overkill as ModSecurity provides a facility to scrub certain arguments. Also, despite what the OP said the password appears to be in 'C' section (REQUEST_BODY) rather than B section (REQUEST_HEADER). I'd expect it to be in the body rather than in the URL and that appears to be the case. – Barry Pollard Apr 28 '15 at 08:56