7

I currently have a CentOS system that is successfully logging relevant mod_security actions to the audit log file. The following is my configuration:

<IfModule mod_security2.c>
  SecRuleEngine On
  SecAuditEngine RelevantOnly
  SecAuditLog /var/log/httpd/modsec_audit.log
  SecDebugLog /var/log/httpd/modsec_debug.log
  SecDebugLogLevel 0
  SecRequestBodyAccess On
  SecDataDir /tmp
  SecTmpDir /tmp
  SecPcreMatchLimit 250000
  SecPcreMatchLimitRecursion 250000
</IfModule>

This logs all actions where mod_security intercepts/blocks the request because of the SecAuditEngine RelevantOnly setting.

However, I would like it to additionally log all POST data that is submitted to the server (regardless of the status). I could achieve this by setting SecAuditEngine On but this logs all GET and POST data which is overkill. I would basically like to omit all GET data unless the request was intercepted.

Can anyone suggest how to do this?

PersianGulf
Chris

Note: this will expose things like passwords in plain-text. If your system is at all sensitive (god forbid it process credit cards) this may be an unacceptable risk. – ceejayoz May 27 '15 at 19:07

We are looking to determine where/how malware is being uploaded, so we want to see how file X was uploaded to the server. Do you have a suggestion how to do this without exposing sensitive information? – Chris May 27 '15 at 19:38

1 Answer

6

Have a rule which turns on the AuditEngine for POST requests.

Something like this (untested):

SecRule REQUEST_METHOD "POST" "id:1000,phase:2,ctl:auditEngine=On,nolog,pass"

Ctl actions only affect the current request so afterwards it will reset back to RelevantOnly for the next request.

You can also create Sanitise rules to ensure sensitive data like passwords and credit card data is masked before logging. See here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseArg

Barry Pollard
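The two pieces of the answer above (a per-request ctl:auditEngine=On for POST, plus sanitise actions so credentials never reach the audit log) combined into one configuration, as an added example that is neither the answerer's nor the ModSecurity project's own. The rule ids 1000-1003, the argument names "password" and "passwd", and the upload directory path are assumptions for this site; the other directives and action names are documented in the ModSecurity 2.x reference manual.

```apache
# Added example, not part of the original answer: audit every POST in full,
# leave GET requests at RelevantOnly, and mask credentials before anything is
# written to modsec_audit.log. Rule ids and argument names are assumed.
<IfModule mod_security2.c>
  SecRuleEngine On
  SecAuditEngine RelevantOnly
  SecAuditLog /var/log/httpd/modsec_audit.log
  SecRequestBodyAccess On

  # Part I logs the request body (form fields only for multipart uploads,
  # so the raw file bytes do not bloat the log); A and Z are mandatory.
  SecAuditLogParts ABIFHZ

  # 1000: ctl: applies to the current transaction only, so the engine is
  # back to RelevantOnly for the next (GET) request without any extra rule.
  SecRule REQUEST_METHOD "@streq POST" \
      "id:1000,phase:2,pass,nolog,ctl:auditEngine=On"

  # 1001/1002: mask credential-bearing fields and headers. Both run in
  # phase 2, before the audit log is written in phase 5 (logging).
  SecAction "id:1001,phase:2,pass,nolog,sanitiseArg:password,sanitiseArg:passwd"
  SecAction "id:1002,phase:2,pass,nolog,sanitiseRequestHeader:Authorization,sanitiseRequestHeader:Cookie"

  # 1003 (optional, for the upload investigation in the comments): keep a
  # copy of uploaded files only when the request was already relevant.
  # The directory is an assumed path; it must be writable by httpd only.
  SecUploadDir /var/log/httpd/modsec_upload
  SecUploadKeepFiles RelevantOnly
</IfModule>
```

Check the result by submitting one POST with a "password" field and one plain GET: the POST should produce a full audit entry whose part I shows the field value replaced with asterisks, while the GET produces no entry unless a rule intercepted it. Because sanitisation is per-argument-name, any additional secret field your application uses needs its own sanitiseArg entry.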