
In my modsecurity audit log there are base64-encoded Images which were logged from owncloud uploads.

How can I add a custom rule in my virtualhost definition so that uploads are not logged as base64-encoded text?


I found something that should work to exclude the request from getting logged through nolog option if it's an image:

#SecRule REQUEST_HEADERS:Content-Type "(?:image/gif|image/jpg|image/png|image/bmp)"
SecRule REQUEST_HEADERS:Content-Type "image/" \
        "id:333837,t:none,t:lowercase,pass,nolog,skip:1"
SecAction "phase:2,id:334385,t:none,pass,nolog,skipAfter:END_IMAGE_CHECKS"

But I just want to stop the logging of images as base64 text (because it is bloating the logfiles), not the logging of which files were uploaded.

1 Answer


I can think of a few options, but you have to choose according to your needs.

  1. You could evaluate using the SecAuditLogParts option:

SecAuditLogParts default is: ABCFHZ

Available audit log parts:

A – audit log header (mandatory)

B – request headers

C – request body (present only if the request body exists and ModSecurity is configured to intercept it)

D – RESERVED for intermediary response headers, not implemented yet.

E – intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it). Intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page).

F – final response headers (excluding the Date and Server headers, which are always added by Apache in the late stage of content delivery).

G – RESERVED for the actual response body, not implemented yet.

H – audit log trailer

I – This part is a replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding is used. In this case it will log a fake application/x-www-form-urlencoded body that contains the information about parameters but not about the files. This is handy if you don't want to have (often large) files stored in your audit logs.

J – RESERVED. This part, when implemented, will contain information about the files uploaded using multipart/form-data encoding.

Z – final boundary, signifies the end of the entry (mandatory)

If I'm not mistaken, you could filter the C option, leaving ABFHZ instead, when the type is image/ so as to avoid getting the body into the log.

  2. Another option would be to set SecAuditEngine to the RelevantOnly option, instead of On/Off:

SecAuditEngine

Configures the audit logging engine. Possible values are:

On - log all transactions by default.

Off - do not log transactions by default.

RelevantOnly - by default only log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant (see SecAuditLogRelevantStatus).

  3. And a third option might be to change the response body handling and avoid static files, by setting in modsecurity.conf:

SecResponseBodyMimeType text/plain text/html text/xml

Sources:

Leo
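A configuration that combines the first two options above, as an added example rather than the answer's own config. It assumes ModSecurity 2.x under Apache, that the ctl:auditLogParts action accepts the same +/- prefixes as SecAuditLogParts, and a constructed rule id (1000100).

```apache
# Global audit-log settings (ModSecurity 2.x, Apache). Part I is the documented
# replacement for part C: identical for ordinary bodies, but for
# multipart/form-data it logs the parameters without the uploaded file contents.
SecAuditEngine RelevantOnly
SecAuditLogParts ABIFHZ

# A raw PUT of an image (the ownCloud/WebDAV case) is not multipart, so part I
# would still contain the whole body. Drop the body part for that transaction
# only, in phase 1, i.e. after the request headers are read but before the
# body is buffered. Removing a part letter that is not in the list is harmless,
# so both C and I are removed to cover either global setting.
# Rule id 1000100 is a constructed value; pick one from your own local range.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith image/" \
    "id:1000100,\
    phase:1,\
    t:none,t:lowercase,\
    pass,\
    nolog,\
    ctl:auditLogParts=-C,\
    ctl:auditLogParts=-I"
```

With this in place, the audit entry for an image upload still records the request line and headers (parts A, B, F, H), so which file was uploaded remains visible while the encoded body is not written.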