Nick Gearls | 7 May 16:34

Header sanitization

Hello,

For obvious privacy reasons, it is advisable to sanitize the header 
"Authorization" in the log.
However, it may be handy to have the userid part of it in case of an 
error trap.
Any possibility?

Thanks,

Nick

Nick Gearls | 7 May 17:05

Re: Header sanitization

I found a possible solution.
If we write a filter to strip the password, then we could
  1. map the "base64(user:pwd)"
  2. decode64 it, strip pwd, and map it again
  3. print TX.1 in log

Questions:

1. Any generic function to strip things after the colon?
If not, we could write a generic sub plug-in.

2. This works on rules checking the Authorization header.
Any way to add this for all log entries ?

Thanks,

Nick


Ivan Ristic | 7 May 18:13

Re: Header sanitization

On Wed, May 7, 2008 at 4:05 PM, Nick Gearls <nickgearls <at> gmail.com> wrote:
> I found a possible solution.
>  If we write a filter to strip the password, then we could
>   1. map the "base64(user:pwd)"
>   2. decode64 it, strip pwd, and map it again
>   3. print TX.1 in log
>
>
>  Questions:
>
>  1. Any generic function to strip things after the colon ?
>  If not, we could write a generic sub plug-in.

You mean sanitise just part of the header? We don't have such a
feature at the moment but we have scheduled RESPONSE_BODY sanitation
for 2.6 and there we will have to support partial field sanitation.
Perhaps we'd be able to extend it to cover other fields.

>  2. This works on rules checking the Authorization header.
>  Any way to add this for all log entries ?

I am not following, can you please elaborate?


Brian Rectanus | 7 May 20:07

Re: Header sanitization

If you just want to log the username in the audit log, then you should
be able to use setuid action for this.

EX:
SecAction "pass,nolog,setuid:%{REMOTE_USER}"

OR, if you want it for all, not just authenticated:

SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
        "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"

And in the audit log you should have the following in part 'H'

WebApp-Info: "WebAppName" "SessionId" "UserName"

-B


Brian Rectanus | 7 May 20:12

Re: Header sanitization

Brian Rectanus wrote:
> If you just want to log the username in the audit log, then you should
> be able to use setuid action for this.
> 
> EX:
> SecAction "pass,nolog,setuid:%{REMOTE_USER}"
> 
> OR, if you want it for all, not just authenticated:
> 
> SecRule REQUEST_HEADERS:Authorization "^([^:]+)" \
>         "phase:1,t:none,t:base64Decode,setuid:%{tx.1}"

Forgot the "capture,pass,nolog" action in the above.

-B


Nick Gearls | 8 May 09:58

Re: Header sanitization

That's great, although the syntax is a bit more complex:

# Add Basic Authentication userid to logs
SecRule REQUEST_HEADERS:Authorization  "^Basic\s(.*)$" \
   "phase:1,chain,t:none,capture,nolog,pass"
  SecRule TX:1  "^(.*)$" \
   "chain,t:none,t:base64Decode,capture"
  SecRule TX:1  "^([^:]+)" \
   "t:none,capture,setuid:%{TX.1}"

Thanks,

Nick

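Nick's chain above gets the user name into the audit log, but the Authorization header itself, carrying the base64-encoded password, is still written out with the request headers in part B. The rules below are an added example, not code from the thread or from the ModSecurity project, that combine his approach with the sanitiseRequestHeader action so the user name is recorded and the header is masked in the audit log. The second rule assumes Apache performs the Basic authentication itself (mod_auth_basic or similar), in which case the decoded user name is already available as REMOTE_USER.

```apache
# Added example (not from the thread). Record the Basic-auth user name with
# setuid while keeping the Authorization header, and so the password, out of
# the audit log with sanitiseRequestHeader.
#
# Link 1: match only the Basic scheme, capture the base64 token into TX:1 and
# mark the header for sanitisation. Sanitisation is applied when the audit log
# entry is written, and the action fires as soon as this link matches, so the
# header is masked even if the token turns out not to decode.
SecRule REQUEST_HEADERS:Authorization "^Basic\s+([A-Za-z0-9+/=]+)$" \
    "phase:1,t:none,capture,nolog,pass,sanitiseRequestHeader:Authorization,chain"
    # Link 2: base64-decode the token and keep everything before the first
    # colon. The colon is mandatory in "user:password", so a token without one
    # is rejected rather than logged as a user name; a password that itself
    # contains colons is still cut at the first one.
    SecRule TX:1 "^([^:]+):" \
        "t:none,t:base64Decode,capture,setuid:%{TX.1}"

# When Apache performs the authentication, REMOTE_USER already holds the
# decoded user name. It is only populated after Apache's auth hooks have run,
# i.e. from phase 2 onwards, so a phase:1 rule would see it empty.
SecRule REMOTE_USER "." "phase:2,t:none,nolog,pass,setuid:%{REMOTE_USER}"
```

With both rules active the user name appears in the WebApp-Info line of part H while part B shows the Authorization header with its value replaced by asterisks; if only the setuid is wanted, the sanitiseRequestHeader action can simply be dropped from the first link.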

Ivan Ristic | 8 May 10:21

Re: Header sanitization

Actually, I think the username is relevant information that needs to
be recorded in the audit log automatically. I'll open a ticket for it.


Nick Gearls | 8 May 12:03

Re: Header sanitization

Would be great to be able to add a username from an HTML form also (with 
a specific directive obviously), as many applications do not use basic auth.
I did this - with a similar trick - but it is lost on the next request, 
although I registered the session id.

Any idea how to remember the userid from the session?


Ivan Ristic | 8 May 12:12

Re: Header sanitization

Yes, you store it in the session storage, then, on every request, you
take the username from the session storage and run it against setuid.

Although this too is something I would expect ModSecurity to do
automatically. Adding another ticket. (Keep those requests coming!)


Nick Gearls | 9 May 08:33

Re: Header sanitization

I tried the following, but it doesn't work
    SecRule USERID "."  pass,nolog,setuid:%{USERID}

I also tried
    # Set userid again into session
    SecRule SESSION:user "."  pass,setuid:%{SESSION.user},log
    ...
    # Save userid into session
    SecRule USERID "."  pass,log,setvar:SESSION.user=%{USERID}

And even
    # Set userid again into session
    SecRule SESSION:user "."  pass,setuid:%{SESSION.user},log
    # Add Basic Authentication userid to logs
    SecRule REQUEST_HEADERS:Authorization  "^Basic\s(.*)$" \
      "phase:1,chain,t:none,capture,nolog,pass"
     SecRule TX:1  "^(.*)$" \
      "chain,t:none,t:base64Decode,capture"
     SecRule TX:1  "^([^:]+)" \
      "t:none,capture,setuid:%{TX.1},setvar:SESSION.user=%{TX.1}"

No way to get the userid remembered.
I assume I missed something!?

Thanks,

Nick


Brian Rectanus | 9 May 17:55

Re: Header sanitization

The setuid action is what sets USERID, so it is empty to begin with.  You
want REMOTE_USER:

SecRule REMOTE_USER "."  pass,nolog,setuid:%{REMOTE_USER}

Or you need to parse out the user and put it in TX.1 or similar via capture.

-B

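Putting Ivan's description and Brian's correction together: the user name has to come from a source that is populated before setuid runs, be stored in the SESSION collection, and be read back from that collection on every later request. The rule set below is an added example, not code from the thread or from the ModSecurity project, for the form-login case Nick asks about. Everything application-specific is assumed: that the application's session cookie is called JSESSIONID, that the login form posts a field named "username" to /login, and that SecDataDir points at a directory the server can write to.

```apache
# Added example (not from the thread). Remember the user name of a form-based
# login in the SESSION collection and re-apply it with setuid on every later
# request. Cookie name, login URL, field name and directory are assumptions.
SecDataDir /var/cache/modsecurity

# 1. Bind the SESSION collection to the application's session cookie. This has
#    to happen on every request, before any rule reads or writes SESSION;
#    without it SESSION.user is silently empty on the next request.
SecRule REQUEST_COOKIES:JSESSIONID "^[A-Za-z0-9]{8,128}$" \
    "phase:1,t:none,nolog,pass,setsid:%{REQUEST_COOKIES.JSESSIONID}"

# 2. On the login request, store the submitted user name. The allow-list regex
#    keeps arbitrary client input out of the persistent store; setvar sits on
#    the last link so it only fires when both links match.
SecRule REQUEST_URI "^/login$" "phase:2,t:none,nolog,pass,chain"
    SecRule ARGS:username "^[A-Za-z0-9@._-]{1,64}$" \
        "t:none,setvar:SESSION.user=%{ARGS.username},expirevar:SESSION.user=3600"

# 3. On every request that carries a known session, copy the remembered user
#    name into the transaction so it shows up in part H (WebApp-Info) of the
#    audit log. USERID is what setuid writes, not where it reads from, so it
#    cannot serve as the source here; SESSION.user can.
SecRule SESSION:user "." "phase:2,t:none,nolog,pass,setuid:%{SESSION.user}"
```

Rule order matters: step 1 must precede steps 2 and 3 in the configuration, and because both of the latter run in phase 2, on the login request itself the user name is stored and then immediately re-applied within the same transaction; on every following request it is read back from the collection that setsid loaded.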