In my modsecurity audit log there are base64-encoded images logged from owncloud uploads.
How can I add a custom rule to the virtual host definition so that uploaded content is not logged as base64-encoded text?
I found something that should exclude logging the request via the nolog option if the request is an image:
#SecRule REQUEST_HEADERS:Content-Type "(?:image/gif|image/jpg|image/png|image/bmp)"
SecRule REQUEST_HEADERS:Content-Type "image/" \
"id:333837,t:none,t:lowercase,pass,nolog,skip:1"
SecAction "phase:2,id:334385,t:none,pass,nolog,skipAfter:END_IMAGE_CHECKS"
But I only want to stop logging the images as base-64 text (since it bloats the log file), not stop logging the upload itself.
Answer 1
I can think of a few options, but you will have to choose based on your own needs.
- You can use the SecAuditLogParts option:
SecAuditLogParts defaults to: ABCFHZ
Available audit log parts:
A – audit log header (mandatory)
B – request headers
C – request body (present only if the request body exists and ModSecurity is configured to intercept it)
D – RESERVED for intermediary response headers, not implemented yet.
E – intermediary response body (present only if ModSecurity is configured to intercept response bodies, and if the audit log engine is configured to record it). Intermediary response body is the same as the actual response body unless ModSecurity intercepts the intermediary response body, in which case the actual response body will contain the error message (either the Apache default error message, or the ErrorDocument page).
F – final response headers (excluding the Date and Server headers, which are always added by Apache in the late stage of content delivery).
G – RESERVED for the actual response body, not implemented yet.
H – audit log trailer
I – This part is a replacement for part C. It will log the same data as C in all cases except when multipart/form-data encoding is used. In this case it will log a fake application/x-www-form-urlencoded body that contains the information about parameters but not about the files. This is handy if you don't want to have (often large) files stored in your audit logs.
J – RESERVED. This part, when implemented, will contain information about the files uploaded using multipart/form-data encoding.
Z – final boundary, signifies the end of the entry (mandatory)
If I remember correctly, you can filter out part C, leaving ABFHZ instead when the type is image/, to avoid putting the body into the log.
- Another option is to set SecAuditEngine to RelevantOnly instead of On/Off:
SecAuditEngine
Configures the audit log engine. Possible values are:
On - log all transactions by default.
Off - do not log transactions by default.
RelevantOnly - by default only log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant (see SecAuditLogRelevantStatus).
- The third option is to change response body handling and avoid static files, by setting in modsecurity.conf:
SecResponseBodyMimeType text/plain text/html text/xml
Source:
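The first option from the answer, written out as a per-request rule rather than a global setting, as an added example that is not part of the original question or answer. It assumes ModSecurity 2.x Apache syntax and uses the ctl:auditLogParts action to drop part C only for transactions whose Content-Type starts with image/, so every other request keeps its body in the audit log. The rule ids are arbitrary and chosen for this example.

```apache
# Added example (not from the original post). Assumes ModSecurity 2.x.
# Keep the usual global defaults: the request body (part C) is still
# recorded for every transaction that is not matched below.
SecAuditEngine RelevantOnly
SecAuditLogParts ABCFHZ

# When the request itself is an image (as with a direct PUT of a file),
# remove part C from this transaction's audit entry only. The request is
# still audited (headers, response, trailer); just the binary/base64 body
# is left out. The id 1000100 is arbitrary for this example.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith image/" \
    "id:1000100,phase:1,pass,nolog,t:none,t:lowercase,ctl:auditLogParts=-C"

# Browser form uploads arrive as multipart/form-data, not image/*. For those,
# swap part C for part I so the form fields are kept and the file contents
# are omitted. The id 1000101 is arbitrary for this example.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith multipart/form-data" \
    "id:1000101,phase:1,pass,nolog,t:none,t:lowercase,ctl:auditLogParts=-C,ctl:auditLogParts=+I"
```

Place the rules inside the virtual host (or an Include it loads) after the main modsecurity.conf, run apachectl configtest, then upload one image and confirm the resulting audit entry has no --C-- section while a normal form post still does.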