Parametrize the SecDebugLogLevel

puppetlabs · Feb 8, 2024 · fc46598 · fc46598
1 parent 9f159df
commit fc46598
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 36 deletions.
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
@@ -1,116 +1,119 @@
 # @summary
 #   Installs and configures `mod_security`.
-# 
+#
 # @param version
 #   Manage mod_security or mod_security2
 #
 # @param logroot
 #   Configures the location of audit and debug logs.
-# 
+#
 # @param crs_package
 #   Name of package that installs CRS rules.
-# 
+#
 # @param activated_rules
 #   An array of rules from the modsec_crs_path or absolute to activate via symlinks.
 #
 # @param custom_rules
-# 
+#
 # @param custom_rules_set
 #
 # @param modsec_dir
 #   Defines the path where Puppet installs the modsec configuration and activated rules links.
-# 
+#
 # @param modsec_secruleengine
 #   Configures the rules engine.
-# 
+#
 # @param audit_log_relevant_status
 #   Configures which response status code is to be considered relevant for the purpose of audit logging.
-# 
+#
 # @param audit_log_parts
 #   Defines which parts of each transaction are going to be recorded in the audit log. Each part is assigned a single letter; when a
 #   letter appears in the list then the equivalent part will be recorded.
-# 
+#
 # @param audit_log_type
 #   Defines the type of audit logging mechanism to be used.
-# 
+#
 # @param audit_log_storage_dir
 #   Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used.
-# 
+#
+# @param debug_log_level
+#   Defines the level of debug logging mechanism to be used. Values can be set from 0 to 9, with 9 being the maximum version of information logged.
+#
 # @param secpcrematchlimit
 #   Sets the match limit in the PCRE library.
-# 
+#
 # @param secpcrematchlimitrecursion
 #   Sets the match limit recursion in the PCRE library.
-# 
+#
 # @param allowed_methods
 #   A space-separated list of allowed HTTP methods.
-# 
+#
 # @param content_types
 #   A list of one or more allowed MIME types.
-# 
+#
 # @param restricted_extensions
 #   A space-sparated list of prohibited file extensions.
-# 
+#
 # @param restricted_headers
 #   A list of restricted headers separated by slashes and spaces.
-# 
+#
 # @param secdefaultaction
 #   Defines the default list of actions, which will be inherited by the rules in the same configuration context.
-# 
+#
 # @param inbound_anomaly_threshold
 #   Sets the scoring threshold level of the inbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
-# 
+#
 # @param outbound_anomaly_threshold
 #   Sets the scoring threshold level of the outbound blocking rules for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule Set.
-# 
+#
 # @param critical_anomaly_score
 #   Sets the Anomaly Score for rules assigned with a critical severity.
-# 
+#
 # @param error_anomaly_score
 #   Sets the Anomaly Score for rules assigned with a error severity.
-# 
+#
 # @param warning_anomaly_score
 #   Sets the Anomaly Score for rules assigned with a warning severity.
-# 
+#
 # @param notice_anomaly_score
 #   Sets the Anomaly Score for rules assigned with a notice severity.
-# 
+#
 # @param paranoia_level
 #   Sets the paranoia level in the OWASP ModSecurity Core Rule Set.
-# 
+#
 # @param executing_paranoia_level
 #   Sets the executing paranoia level in the OWASP ModSecurity Core Rule Set.
 #   The default is equal to, and cannot be lower than, $paranoia_level.
-# 
+#
 # @param secrequestmaxnumargs
 #   Sets the maximum number of arguments in the request.
-# 
+#
 # @param secrequestbodylimit
 #   Sets the maximum request body size ModSecurity will accept for buffering.
-# 
+#
 # @param secrequestbodynofileslimit
-#   Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported 
+#   Configures the maximum request body size ModSecurity will accept for buffering, excluding the size of any files being transported
 #   in the request.
-# 
+#
 # @param secrequestbodyinmemorylimit
 #   Configures the maximum request body size that ModSecurity will store in memory.
-# 
+#
 # @param secrequestbodyaccess
 #   Toggle SecRequestBodyAccess On or Off
-# 
+#
 # @param secrequestbodylimitaction
 #   Controls what happens once a request body limit, configured with
 #   SecRequestBodyLimit, is encountered
-# 
+#
 # @param secresponsebodyaccess
 #   Toggle SecResponseBodyAccess On or Off
 #
 # @param secresponsebodylimitaction
 #   Controls what happens once a response body limit, configured with
-#   SecResponseBodyLimitAction, is encountered. 
-# 
+#   SecResponseBodyLimitAction, is encountered.
+#
 # @param manage_security_crs
-#   Toggles whether to manage ModSecurity Core Rule Set 
+#   Toggles whether to manage ModSecurity Core Rule Set
 #
 # @param enable_dos_protection
 #   Toggles the optional OWASP ModSecurity Core Rule Set DOS protection rule
@@ -144,6 +147,7 @@
   String $audit_log_parts                                      = $apache::params::modsec_audit_log_parts,
   String $audit_log_type                                       = $apache::params::modsec_audit_log_type,
   Optional[Stdlib::Absolutepath] $audit_log_storage_dir        = undef,
+  Integer[0,9] $debug_log_level                                = 0,
   Integer $secpcrematchlimit                                   = $apache::params::secpcrematchlimit,
   Integer $secpcrematchlimitrecursion                          = $apache::params::secpcrematchlimitrecursion,
   String $allowed_methods                                      = 'GET HEAD POST OPTIONS',
@@ -231,6 +235,7 @@
   # - $audit_log_parts
   # - $audit_log_type
   # - $audit_log_storage_dir
+  # - $debug_log_level
   # - secpcrematchlimit
   # - secpcrematchlimitrecursion
   # - secrequestbodylimit
@@ -257,6 +262,7 @@
     'audit_log_parts'             => $audit_log_parts,
     'audit_log_type'              => $audit_log_type,
     'audit_log_storage_dir'       => $audit_log_storage_dir,
+    'debug_log_level'             => $debug_log_level,
     'logroot'                     => $logroot,
   }
 

diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
@@ -103,6 +103,7 @@
                 audit_log_parts: 'ABCDZ',
                 audit_log_type: 'Concurrent',
                 audit_log_storage_dir: '/var/log/httpd/audit',
+                debug_log_level: 3,
                 secdefaultaction: 'deny,status:406,nolog,auditlog',
                 secrequestbodyaccess: 'Off',
                 secresponsebodyaccess: 'On',
@@ -117,6 +118,7 @@
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }
+            it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecDebugLogLevel 3$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyLimitAction ProcessPartial$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyLimitAction Reject$} }
             it { is_expected.to contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with_content %r{^\s*SecDefaultAction "phase:2,deny,status:406,nolog,auditlog"$} }

diff --git a/templates/mod/security.conf.epp b/templates/mod/security.conf.epp
@@ -44,7 +44,7 @@
     SecResponseBodyMimeType text/plain text/html text/xml
     SecResponseBodyLimit 524288
     SecResponseBodyLimitAction <%= $secresponsebodylimitaction %>
-    SecDebugLogLevel 0
+    SecDebugLogLevel <%= $debug_log_level %>
     SecAuditEngine RelevantOnly
     SecAuditLogRelevantStatus "<%= $audit_log_relevant_status %>"
     SecAuditLogParts <%= $audit_log_parts %>