
I’m using a ModSecurity WAF for my application that is defined within a k8s ingress.

The configuration looks like this:

nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
  SecAuditEngine RelevantOnly
  SecRuleEngine On
  SecAuditLogParts AZ
  SecAuditLog /dev/stdout
  SecAuditLogFormat JSON
  SecRequestBodyAccess On

  SecRequestBodyLimit 104857600
  SecRequestBodyNoFilesLimit 5242880
  SecRequestBodyLimitAction Reject
  SecAction "id:900200,phase:1,nolog,pass,t:none,
    setvar:tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE"

  SecRuleRemoveById 949110
  SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json"  "id:9990001,phase:1,t:none,t:lowercase,pass,log,ctl:requestBodyProcessor=JSON"

I have SecAuditLogParts set to AZ, which are the mandatory parts. I am trying to avoid logging the entire request, or at least the headers within it, as the headers contain a bearer token that I don’t want to make visible in the logs, and even though I removed the B from the SecAuditLogParts value, it is still showing. The following is how it shows in my logs:

{
  "transaction": {
    "client_ip": ,
    "time_stamp": ,
    "server_id": "",
    "client_port": ,
    "host_ip": ,
    "host_port": ,
    "unique_id": ,
    "request":
      {
        headers: { ... },
        ...
       },
    "response": { ... }, 
    "producer": { ... },
    "messages": { ... },
}

How do I log my WAF outputs without Headers, or at least without the token?

I found SanitiseRequestHeader, which I tried, and it returned an error at deployment; by looking the message up online, I found that it was a bug, reported back in October 2023.
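Since the question is about keeping the bearer token out of the audit log, and the sanitise action is reported as broken in the asker's deployment, a defender's fallback is to redact the token where the log leaves the pod, before it reaches the log pipeline. The script below is an added example for this thread, not code from the original post or from the ModSecurity or CRS projects. It assumes the audit log is written one JSON object per line (SecAuditLogFormat JSON, as in the question) with request headers under transaction.request.headers, as the asker's excerpt shows; the header set, the regex, the file name in the usage comment and the sample record are all constructed for the demonstration.

```python
"""Redact bearer tokens from ModSecurity v3 JSON audit-log lines.

Added example, not from the original post or the ModSecurity/CRS projects.
Assumes one JSON object per line and request headers under
transaction.request.headers, as the poster's log excerpt shows.
"""
import json
import re
import sys
from typing import Any

# Header names whose values must never reach the log pipeline
# (assumption: a deployment-specific list; extend as needed).
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}

# Bearer tokens that leak via other fields (e.g. a matched-data message).
BEARER_RE = re.compile(r"(?i)\bbearer\s+[a-z0-9\-._~+/]+=*")

REDACTED = "[REDACTED]"


def redact_headers(headers: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of a headers object with sensitive values masked."""
    return {
        name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def redact_strings(value: Any) -> Any:
    """Walk any JSON value and mask bearer tokens embedded in strings."""
    if isinstance(value, dict):
        return {k: redact_strings(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_strings(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub(f"Bearer {REDACTED}", value)
    return value


def redact_audit_record(record: dict[str, Any]) -> dict[str, Any]:
    """Redact one parsed audit-log record (the top-level JSON object)."""
    req = record.get("transaction", {}).get("request", {})
    if isinstance(req.get("headers"), dict):
        req["headers"] = redact_headers(req["headers"])
    # Second pass over the whole record in case the token was echoed
    # elsewhere, e.g. in the "messages" part.
    return redact_strings(record)


def redact_line(line: str) -> str:
    """Redact a single log line. Lines that are not JSON are passed
    through with only token masking, so nothing is silently dropped."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return BEARER_RE.sub(f"Bearer {REDACTED}", line)
    if not isinstance(record, dict):
        return line
    return json.dumps(redact_audit_record(record), separators=(",", ":"))


def contains_token(text: str) -> bool:
    """Cheap check usable as a pipeline alert: did a token get through?"""
    return BEARER_RE.search(text) is not None


# Constructed sample record shaped like the poster's log excerpt.
SAMPLE_LINE = json.dumps({
    "transaction": {
        "client_ip": "203.0.113.10",
        "unique_id": "constructed-id-0001",
        "request": {
            "method": "GET",
            "uri": "/api/items",
            "headers": {
                "Host": "app.example.com",
                "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig",
                "Cookie": "session=abc123",
                "Accept": "application/json",
            },
        },
        "response": {"http_code": 403},
        "messages": [{"message": "Matched Data: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig found"}],
    }
})

if __name__ == "__main__":
    # Hypothetical usage: kubectl logs <ingress-pod> | python redact_audit.py
    for raw in sys.stdin:
        print(redact_line(raw.rstrip("\n")))
```

Run as a filter between the ingress controller's stdout and whatever ships the logs; the header pass masks whole values, and the string pass catches a token that ModSecurity echoed in a rule message, which the header pass alone would miss.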

2 Answers


  1. Are you sure ModSecurity is running? I don’t see a SecRuleEngine On. Also, you need to remove SecRuleRemoveById 949110, as this is an important rule ID and is necessary for ModSecurity to work properly.

    P.S.: I wanted to comment but do not have enough rep.
  2. CRS dev-on-duty here. I don’t know why your configuration SecAuditLogParts AZ doesn’t work.
    But if you don’t need any transaction logs, can you try to disable audit logging with SecAuditEngine Off or, more granularly, with the control statement ctl:auditEngine=Off? (Also see https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-SecAuditEngine and https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v3.x)#user-content-ctl.)

    And as CRS-Dev already mentioned: you have to remove SecRuleRemoveById 949110 if you want your WAF to work properly (949110 is the blocking rule!).