I'm using a ModSecurity WAF for my application that is defined within a k8s ingress.
The configuration looks like this:
nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
  SecAuditEngine RelevantOnly
  SecRuleEngine On
  SecAuditLogParts AZ
  SecAuditLog /dev/stdout
  SecAuditLogFormat JSON
  SecRequestBodyAccess On
  SecRequestBodyLimit 104857600
  SecRequestBodyNoFilesLimit 5242880
  SecRequestBodyLimitAction Reject
  SecAction "id:900200,phase:1,nolog,pass,t:none,\
    setvar:tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE"
  SecRuleRemoveById 949110
  SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" "id:9990001,phase:1,t:none,t:lowercase,pass,log,ctl:requestBodyProcessor=JSON"
I have SecAuditLogParts set to AZ, which are the mandatory parts. I am trying to avoid logging the entire request, or at least the headers within it, as the headers contain a bearer token that I don't want to be visible in the logs, and even though I removed the B from the SecAuditLogParts value, it is still showing. The following is how it shows in my logs:
{
  "transaction": {
    "client_ip": ,
    "time_stamp": ,
    "server_id": "",
    "client_port": ,
    "host_ip": ,
    "host_port": ,
    "unique_id": ,
    "request": {
      "headers": { ... },
      ...
    },
    "response": { ... },
    "producer": { ... },
    "messages": { ... },
  }
}
How do I log my WAF outputs without Headers, or at least without the token?
I found SanitiseRequestHeader, which I tried, and it returned an error at deployment; by looking the message up online, I found that it was a bug, reported since October 2023.
After lots of searching, I contacted the main DevOps team in my organization and found out that there is a global ingress for the entire AKS cluster (I am not aware of exactly how that is implemented) and that we can add to its settings within our own deployments. We collectively got to know through this issue that we can't override the already existing settings in the global ingress configuration, but may only add or disable rules!
They fixed the global logging in their configuration and it reflected in our namespace.
Disclaimer: SecRuleRemoveById 949110 was only there to continue a workflow while testing with detectonly set to false. I should have removed it before posting my question.
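When the audit-log parts cannot be changed from the application's own ingress (as was the case here until the global configuration was fixed), the token can still be kept out of whatever the log collector ships. The following is an added example, not code from the question or from ModSecurity: a Python filter that reads the JSON audit log as a stream of one JSON object per line (an assumption about how the question's SecAuditLog /dev/stdout with SecAuditLogFormat JSON would reach a collector) and either drops the request/response header maps entirely, which is what omitting parts B and F would have done, or keeps the headers and replaces only the values of a chosen set of sensitive ones. It also masks Bearer/Basic credentials that a rule message quotes as matched data, which SecAuditLogParts alone would not remove. The sample record, the list of sensitive header names, the [REDACTED] marker and all function names are choices made for this example.

```python
import json
import re
import sys
from typing import Any, Dict, Iterable, Iterator

# Header names (compared case-insensitively) whose values never reach the log.
# This list is a choice made for the example, not something ModSecurity defines.
SENSITIVE_HEADERS = frozenset({
    "authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key",
})
REDACTED = "[REDACTED]"

# "Bearer <token>" / "Basic <b64>" inside free text, e.g. the matched data a
# rule message quotes when a rule fired on REQUEST_HEADERS:Authorization.
_CRED_RE = re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9\-._~+/]+=*")


def redact_header_value(value: str) -> str:
    """Drop the credential but keep the scheme, so the log still records it."""
    m = re.match(r"(?i)^(bearer|basic)\s", value)
    return f"{m.group(1)} {REDACTED}" if m else REDACTED


def scrub_text(text: str) -> str:
    """Mask credentials embedded anywhere in a string."""
    return _CRED_RE.sub(lambda m: f"{m.group(1)} {REDACTED}", text)


def scrub_tree(node: Any) -> Any:
    """Recursively mask credentials in every string of a nested JSON value."""
    if isinstance(node, dict):
        return {k: scrub_tree(v) for k, v in node.items()}
    if isinstance(node, list):
        return [scrub_tree(v) for v in node]
    return scrub_text(node) if isinstance(node, str) else node


def redact_event(event: Dict[str, Any], drop_headers: bool = False) -> Dict[str, Any]:
    """Return a redacted copy of one audit-log record.

    drop_headers=True removes the request and response header maps entirely
    (the effect of omitting audit log parts B and F); False keeps the headers
    and only replaces the values of SENSITIVE_HEADERS.
    """
    event = json.loads(json.dumps(event))  # deep copy; never mutate the input
    tx = event.get("transaction")
    if not isinstance(tx, dict):
        return event
    for part in ("request", "response"):
        section = tx.get(part)
        headers = section.get("headers") if isinstance(section, dict) else None
        if not isinstance(headers, dict):
            continue
        if drop_headers:
            del section["headers"]
        else:
            section["headers"] = {
                k: redact_header_value(v)
                if k.lower() in SENSITIVE_HEADERS and isinstance(v, str) else v
                for k, v in headers.items()
            }
    # Rule messages can quote the offending header value, so scrub them too.
    if "messages" in tx:
        tx["messages"] = scrub_tree(tx["messages"])
    return event


def redact_line(line: str, drop_headers: bool = False) -> str:
    """Redact one line of the stream. A line that is not a JSON object is
    regex-scrubbed rather than passed through untouched."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        event = None
    if not isinstance(event, dict):
        return scrub_text(line.rstrip("\n"))
    return json.dumps(redact_event(event, drop_headers), separators=(",", ":"))


def redact_stream(lines: Iterable[str], drop_headers: bool = False) -> Iterator[str]:
    for line in lines:
        yield redact_line(line, drop_headers)


# Constructed sample record (not a real capture), shaped like the question's log.
SAMPLE_LINE = json.dumps({"transaction": {
    "client_ip": "10.0.0.7", "unique_id": "1700000000.000001",
    "request": {"method": "POST", "uri": "/api/v1/items", "headers": {
        "Host": "app.example.internal", "Content-Type": "application/json",
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl"}},
    "response": {"http_code": 403, "headers": {"Content-Length": "153"}},
    "messages": [{"message": "Matched Data: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl "
                             "found within REQUEST_HEADERS:Authorization"}],
}})


def redact_sample(drop_headers: bool = False) -> Dict[str, Any]:
    """Convenience wrapper: the sample record after redaction, as a dict."""
    return redact_event(json.loads(SAMPLE_LINE), drop_headers)


if __name__ == "__main__":
    # Use as a filter (kubectl logs ... | python redact_audit.py) or run it
    # on the sample record when no input is piped in.
    source = [SAMPLE_LINE] if sys.stdin.isatty() else sys.stdin
    for out in redact_stream(source):
        print(out)
```

A non-JSON line is deliberately not passed through unchanged: if the WAF ever emits a partial or malformed record, the regex pass still strips any credential it carries. Run the filter as close to the WAF as possible (a sidecar or the collector's first stage) so the raw stream never lands on disk.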