Add template variables and parameters for ModSecurity Audit Logs
jlindquist-godaddy committed Dec 31, 2019
1 parent ebfb108 commit 79407f7
Showing 4 changed files with 24 additions and 1 deletion.
10 changes: 10 additions & 0 deletions manifests/mod/security.pp
Expand Up @@ -27,6 +27,12 @@
# Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a
# letter appears in the list then the equivalent part will be recorded.
#
# @param audit_log_type
# Defines the type of audit logging mechanism to be used.
#
# @param audit_log_storage_dir
# Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used.
#
# @param secpcrematchlimit
# Sets the match limit in the PCRE library.
#
Expand Down Expand Up @@ -96,6 +102,8 @@
$modsec_secruleengine = $::apache::params::modsec_secruleengine,
$audit_log_relevant_status = '^(?:5|4(?!04))',
$audit_log_parts = $::apache::params::modsec_audit_log_parts,
$audit_log_type = $::apache::params::modsec_audit_log_type,
$audit_log_storage_dir = undef,
$secpcrematchlimit = $::apache::params::secpcrematchlimit,
$secpcrematchlimitrecursion = $::apache::params::secpcrematchlimitrecursion,
$allowed_methods = 'GET HEAD POST OPTIONS',
Expand Down Expand Up @@ -169,6 +177,8 @@
# - logroot
# - $modsec_dir
# - $audit_log_parts
# - $audit_log_type
# - $audit_log_storage_dir
# - secpcrematchlimit
# - secpcrematchlimitrecursion
# - secrequestbodylimit
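Review bot: The new `$audit_log_type` and `$audit_log_storage_dir` parameters are accepted untyped and unvalidated in the parameter hunk, although the template writes both straight into security.conf and the added `@param` doc itself says the storage dir is only meaningful for concurrent logging. A `Concurrent` type with no storage dir therefore renders a configuration ModSecurity cannot use, and any string given as the type is passed through verbatim; consider `Enum['Serial', 'Concurrent'] $audit_log_type` (or, if the class stays untyped by convention, a guard in the body such as `if $audit_log_type == 'Concurrent' and $audit_log_storage_dir == undef { fail('audit_log_storage_dir is required when audit_log_type is Concurrent') }`). The storage directory is not managed by any resource visible here, so unless it is created elsewhere with permissions restricted to the httpd user, concurrent audit entries, which can include request and response bodies depending on `audit_log_parts`, either fail to be written or land in a directory with default permissions; a `file` resource or at least a sentence in the `audit_log_storage_dir` doc stating that the caller must create it would close that gap. The class header and body lie outside these hunks.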
1 change: 1 addition & 0 deletions manifests/params.pp
Expand Up @@ -35,6 +35,7 @@
$vhost_include_pattern = '*'

$modsec_audit_log_parts = 'ABIJDEFHZ'
$modsec_audit_log_type = 'Serial'

# no client certs should be trusted for auth by default.
$ssl_certs_dir = undef
9 changes: 9 additions & 0 deletions spec/classes/mod/security_spec.rb
Expand Up @@ -42,6 +42,7 @@
is_expected.to contain_file('security.conf')
.with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$})
.with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$})
.with_content(%r{^\s+SecAuditLogType Serial$})
.with_content(%r{^\s+SecDebugLog /var/log/httpd/modsec_debug.log$})
.with_content(%r{^\s+SecAuditLog /var/log/httpd/modsec_audit.log$})
}
Expand Down Expand Up @@ -78,12 +79,16 @@
],
audit_log_relevant_status: '^(?:5|4(?!01|04))',
audit_log_parts: 'ABCDZ',
audit_log_type: 'Concurrent',
audit_log_storage_dir: '/var/log/httpd/audit',
secdefaultaction: 'deny,status:406,nolog,auditlog',
}
end

it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} }
it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} }
it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} }
it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
it { is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
it {
is_expected.to contain_file('bar.conf').with(
Expand Down Expand Up @@ -126,6 +131,7 @@
is_expected.to contain_file('security.conf')
.with_content(%r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!04\)\)"$})
.with_content(%r{^\s+SecAuditLogParts ABIJDEFHZ$})
.with_content(%r{^\s+SecAuditLogType Serial$})
.with_content(%r{^\s+SecDebugLog /var/log/apache2/modsec_debug.log$})
.with_content(%r{^\s+SecAuditLog /var/log/apache2/modsec_audit.log$})
}
Expand Down Expand Up @@ -165,6 +171,8 @@
],
audit_log_relevant_status: '^(?:5|4(?!01|04))',
audit_log_parts: 'ABCDZ',
audit_log_type: 'Concurrent',
audit_log_storage_dir: '/var/log/httpd/audit',
secdefaultaction: 'deny,status:406,nolog,auditlog',
}
end
Expand All @@ -173,6 +181,7 @@
(facts[:os]['release']['major'].to_i < 9 && facts[:os]['name'] == 'Debian')
it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} }
it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} }
it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
it { is_expected.to contain_file('/etc/modsecurity/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }
it {
is_expected.to contain_file('bar.conf').with(
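Review bot: The second `Concurrent` example (the one guarded by the Debian release check at the bottom of the section) asserts the `SecAuditLogStorageDir` line but never asserts `SecAuditLogType Concurrent`, whereas the RedHat-family counterpart earlier in the file checks both; add `it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} }` next to the storage-dir assertion so a regression in the type rendering is caught on both OS families. The default-parameter examples only cover the positive case; an assertion that `security.conf` does not contain `SecAuditLogStorageDir` when the parameter is left unset (e.g. `.without_content(%r{SecAuditLogStorageDir})` chained onto the existing `with_content` calls) would pin the template's conditional. The enclosing `describe`/`context` blocks start and end outside the hunks.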
5 changes: 4 additions & 1 deletion templates/mod/security.conf.erb
Expand Up @@ -45,7 +45,10 @@
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "<%= @audit_log_relevant_status %>"
SecAuditLogParts <%= @audit_log_parts %>
SecAuditLogType Serial
SecAuditLogType <%= @audit_log_type %>
<%- if @audit_log_storage_dir -%>
SecAuditLogStorageDir <%= @audit_log_storage_dir %>
<%- end -%>
SecArgumentSeparator &
SecCookieFormat 0
<%- if scope.lookupvar('::osfamily') == 'Debian' -%>
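Review bot: The guard `<%- if @audit_log_storage_dir -%>` tests Ruby truthiness, so an empty string supplied as `audit_log_storage_dir` is truthy and renders `SecAuditLogStorageDir ` with no argument, which httpd would be expected to reject at config test or startup; `<%- if @audit_log_storage_dir && !@audit_log_storage_dir.empty? -%>` (or rejecting the empty value in the manifest) avoids that. `@audit_log_type` is interpolated unquoted with no constraint on its value, so whatever string the caller passes reaches security.conf verbatim; constraining it at the class parameter is preferable to defending here in the template. The template continues on both sides of the hunk.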
