nginxowaspmod-securityweb-application-firewall

ModSecurity WAF log configuration

I'm using a ModSecurity WAF for my application that is defined within a k8s ingress.

The configuration looks like this:

nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
  SecAuditEngine RelevantOnly
  SecRuleEngine On
  SecAuditLogParts AZ
  SecAuditLog /dev/stdout
  SecAuditLogFormat JSON
  SecRequestBodyAccess On

  SecRequestBodyLimit 104857600
  SecRequestBodyNoFilesLimit 5242880
  SecRequestBodyLimitAction Reject
  SecAction "id:900200,phase:1,nolog,pass,t:none,\
    setvar:tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE"

  SecRuleRemoveById 949110
  SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json"  "id:9990001,phase:1,t:none,t:lowercase,pass,log,ctl:requestBodyProcessor=JSON"

I have SecAuditLogParts set to AZ which are the mandatory parts. I am trying to avoid logging the entire request or at least the headers within as the headers contain a bearer token that I don't want to make it visible in the logs, and even though I removed the B from the SecAuditLogParts value, it is still showing. The following is how it shows in my logs:

{
  "transaction": {
    "client_ip": ,
    "time_stamp": ,
    "server_id": "",
    "client_port": ,
    "host_ip": ,
    "host_port": ,
    "unique_id": ,
    "request":
      {
        headers: { ... },
        ...
       },
    "response": { ... }, 
    "producer": { ... },
    "messages": { ... },
}

How do I log my WAF outputs without Headers, or at least without the token?

I found the SanitiseRequestHeader which I tried and it returned an error at deployment, and by looking the message up online, I found that it was a bug, reported since October 2023

Solution

  • After lots of searching, I contacted the main DevOps team in my organization and found out that there is a global ingress for the entire AKS cluster (I am not aware of how exactly is that implemented) and that we can add to the settings, within our own deployments. We got to know collectively through this issue that we can't override the already existing settings in the global ingress configuration, but we may only add or disable rules!

    They fixed the global logging in their configuration and it reflected in our namespace.

    Disclaimer: SecRuleRemoveById 949110 was only there to continue a workflow while testing with detectonly set to false. I should have removed it before posting my question.