Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow configuring mod_security's SecAuditLogParts #1392

Merged
merged 6 commits into from
Mar 10, 2016
Merged

Allow configuring mod_security's SecAuditLogParts #1392

merged 6 commits into from
Mar 10, 2016

Conversation

stig
Copy link

@stig stig commented Mar 8, 2016

The default configuration for this includes "I" which is not always
always suitable, e.g. if you cannot tolerate POST parameters appearing
in your modsec_audit.log

You may want to omit I if mod_security is protecting a hypothetical
web service that accepts credit card data in a POST request, for
example.

Stig Brautaset added 5 commits March 8, 2016 17:12
Allow configuring mod_security's SecAuditLogParts
7212175 
The default configuration for this includes "I" which is not always
always suitable, e.g. if you cannot tolerate POST parameters appearing
in your modsec_audit.log

You may want to omit `I` if mod_security is protecting a hypothetical
web service that accepts credit card data in a POST request, for
example.
Add SecAuditLogParts tests for Debian-based systems
d2699d1
Fix parameter name
78ee594
Use regular expression rather than exact string match
388ab4b
Move default value outside the redhat-specific section
3d5aa16 
So it is valid for Debian-based systems also.
@stig
Copy link
Author

stig commented Mar 9, 2016

So many apologies about the many commits here. This is my first encounter with rspec, and I was initially not able to run the tests locally, so was coding blind. I believe it should now pass. I'm happy to squash the commits if desired. (Assuming this change is is accepted at all :-) )

@stig
Copy link
Author

stig commented Mar 9, 2016

It appears that the failure is unrelated to my change:

Finished in 24 minutes 12 seconds (files took 1 minute 29.64 seconds to load)
472 examples, 1 failure, 1 pending

Failed examples:

rspec ./spec/acceptance/vhost_spec.rb:1397 # apache::vhost define fastcgi applies cleanly

@igalic
Copy link
Contributor

igalic commented Mar 9, 2016

@stig as far as i know, @hunner is trying to figure this out, as we speak

@stig
Copy link
Author

stig commented Mar 10, 2016

Should I be adding an entry to the README as well, to document this new option?

@igalic
Copy link
Contributor

igalic commented Mar 10, 2016

@stig yes please!

hunner
hunner reviewed Mar 10, 2016
View reviewed changes
manifests/params.pp
@@ -47,6 +47,8 @@

$vhost_include_pattern = '*'

$modsec_audit_log_parts = 'ABIJDEFHZ'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the docs the default is ABCFHZ. Why did you choose this instead? It actually says that D isn't even implemented yet.

hunner added a commit that referenced this pull request Mar 10, 2016
@hunner
Merge pull request #1392 from stig/configurable-SecAuditLogParts
26aecf9 
Allow configuring mod_security's SecAuditLogParts
@hunner hunner merged commit 26aecf9 into puppetlabs:master Mar 10, 2016
@stig stig deleted the configurable-SecAuditLogParts branch May 5, 2016 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@stig @igalic @hunner @jordanbreen28