From 214e99aed4ea905dc7e62c243b493f9da11c12ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Carlos=20Ch=C3=A1vez?= Date: Tue, 17 Oct 2023 15:32:33 +0200 Subject: [PATCH] chore: fixes audit log. --- internal/auditlog/concurrent_writer.go | 14 +++++++++----- internal/auditlog/formats.go | 25 +++++++++++++++++-------- internal/auditlog/serial_writer.go | 5 +++++ internal/corazawaf/waf.go | 10 ++++++++-- waf.go | 4 +++- 5 files changed, 42 insertions(+), 16 deletions(-) diff --git a/internal/auditlog/concurrent_writer.go b/internal/auditlog/concurrent_writer.go index fab2382cc..ab6d4bcc0 100644 --- a/internal/auditlog/concurrent_writer.go +++ b/internal/auditlog/concurrent_writer.go @@ -55,6 +55,15 @@ func (cl concurrentWriter) Write(al plugintypes.AuditLog) error { return nil } + formattedAL, err := cl.formatter.Format(al) + if err != nil { + return err + } + + if len(formattedAL) == 0 { + return nil + } + // 192.168.3.130 192.168.3.1 - - [22/Aug/2009:13:24:20 +0100] "GET / HTTP/1.1" 200 56 "-" "-" SojdH8AAQEAAAugAQAAAAAA "-" /20090822/20090822-1324/20090822-132420-SojdH8AAQEAAAugAQAAAAAA 0 1248 t := time.Unix(0, al.Transaction().UnixTimestamp()) @@ -67,11 +76,6 @@ func (cl concurrentWriter) Write(al plugintypes.AuditLog) error { return err } - formattedAL, err := cl.formatter.Format(al) - if err != nil { - return err - } - filepath := path.Join(logdir, filename) if err = os.WriteFile(filepath, formattedAL, cl.logFileMode); err != nil { return err diff --git a/internal/auditlog/formats.go b/internal/auditlog/formats.go index 82ad71d05..dab2c91c4 100644 --- a/internal/auditlog/formats.go +++ b/internal/auditlog/formats.go @@ -31,6 +31,10 @@ import ( type nativeFormatter struct{} func (nativeFormatter) Format(al plugintypes.AuditLog) ([]byte, error) { + if len(al.Parts()) == 0 { + return nil, nil + } + boundaryPrefix := fmt.Sprintf("--%s-", utils.RandomString(10)) var res strings.Builder 
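Review bot: The new `if len(formattedAL) == 0 { return nil }` guard drops the write without saying why, and the same bare guard is added in the serial_writer.go hunk; a one-line comment in both places would make the contract explicit, e.g. `// The formatter yields no bytes when the audit log has no parts configured; skip the write rather than creating an empty log file.` Moving the `Format` call ahead of the timestamp-derived directory and filename is sound, since the path is only needed once there is something to write. Write's body continues past the hunk.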
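Review bot: `Format` now returns `nil, nil` when `al.Parts()` is empty, which the writers treat as "nothing to log", but nothing on the method documents that an empty, error-free result is a valid outcome. Add a doc comment above it such as `// Format renders al in the native audit log format. It returns nil, nil when no audit log parts are configured; callers must treat an empty result as nothing to write.` If other formatters in this package do not apply the same early return, the writers' length check will not fire for them and an entry without parts may still be emitted; worth confirming. Format's body continues past the hunk.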
@@ -56,31 +60,36 @@ func (nativeFormatter) Format(al plugintypes.AuditLog) ([]byte, error) { // Content-Length: 6 _, _ = fmt.Fprintf( &res, - "%s %s %s\n", + "\n%s %s %s", al.Transaction().Request().Method(), al.Transaction().Request().URI(), al.Transaction().Request().Protocol(), ) for k, vv := range al.Transaction().Request().Headers() { for _, v := range vv { + res.WriteByte('\n') res.WriteString(k) res.WriteString(": ") res.WriteString(v) - res.WriteByte('\n') } } case types.AuditLogPartRequestBody: - // b=test - res.WriteString(al.Transaction().Request().Body()) + if body := al.Transaction().Request().Body(); body != "" { + res.WriteByte('\n') + res.WriteString(body) + } case types.AuditLogPartIntermediaryResponseBody: - res.WriteString(al.Transaction().Response().Body()) + if body := al.Transaction().Response().Body(); body != "" { + res.WriteByte('\n') + res.WriteString(al.Transaction().Response().Body()) + } case types.AuditLogPartResponseHeaders: for k, vv := range al.Transaction().Response().Headers() { for _, v := range vv { + res.WriteByte('\n') res.WriteString(k) res.WriteString(": ") res.WriteString(v) - res.WriteByte('\n') } } case types.AuditLogPartAuditLogTrailer: @@ -91,11 +100,11 @@ func (nativeFormatter) Format(al plugintypes.AuditLog) ([]byte, error) { // Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/). // Server: Apache // Engine-Mode: "ENABLED" - _, _ = fmt.Fprintf(&res, "Stopwatch: %s\nResponse-Body-Transformed: %s\nProducer: %s\nServer: %s", "", "", "", "") + _, _ = fmt.Fprintf(&res, "\nStopwatch: %s\nResponse-Body-Transformed: %s\nProducer: %s\nServer: %s", "", "", "", "") case types.AuditLogPartRulesMatched: for _, r := range al.Messages() { - res.WriteString(r.Data().Raw()) res.WriteByte('\n') + res.WriteString(r.Data().Raw()) } } res.WriteByte('\n') diff --git a/internal/auditlog/serial_writer.go b/internal/auditlog/serial_writer.go index d752d541a..9626db0ae 100644 --- a/internal/auditlog/serial_writer.go 
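Review bot: In the `AuditLogPartIntermediaryResponseBody` case the new code binds `body := al.Transaction().Response().Body()` but then writes `al.Transaction().Response().Body()` a second time instead of `body`, unlike the request-body case directly above it; change the write to `res.WriteString(body)` so the value that passed the non-empty check is the one logged and the accessor is not called twice. Format's body starts and ends outside this hunk.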
+++ b/internal/auditlog/serial_writer.go @@ -54,6 +54,11 @@ func (sl *serialWriter) Write(al plugintypes.AuditLog) error { if err != nil { return err } + + if len(bts) == 0 { + return nil + } + sl.logger.Println(string(bts)) return nil } diff --git a/internal/corazawaf/waf.go b/internal/corazawaf/waf.go index 7af329a10..bb0331b41 100644 --- a/internal/corazawaf/waf.go +++ b/internal/corazawaf/waf.go @@ -281,8 +281,14 @@ func NewWAF() *WAF { auditLogWriter: logWriter, auditLogWriterInitialized: false, AuditLogWriterConfig: auditlog.NewConfig(), - Logger: logger, - ArgumentLimit: 1000, + AuditLogParts: types.AuditLogParts{ + types.AuditLogPartRequestHeaders, + types.AuditLogPartRequestBody, + types.AuditLogPartResponseHeaders, + types.AuditLogPartAuditLogTrailer, + }, + Logger: logger, + ArgumentLimit: 1000, } if environment.HasAccessToFS { diff --git a/waf.go b/waf.go index 348cafad3..90295feec 100644 --- a/waf.go +++ b/waf.go @@ -64,7 +64,9 @@ func NewWAF(config WAFConfig) (WAF, error) { waf.AuditEngine = types.AuditEngineOn } - waf.AuditLogParts = a.parts + if len(a.parts) > 0 { + waf.AuditLogParts = a.parts + } if a.writer != nil { waf.SetAuditLogWriter(a.writer)
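Review bot: The new `AuditLogParts` default in NewWAF is a bare literal with no comment saying why these four parts (request headers, request body, response headers, trailer) were chosen or why the intermediary response body and matched-rules parts are left out; add `// Default audit log parts, used when the WAF config does not set any.` and, if omitting the matched-rules part is deliberate, state that too so a later reader does not treat it as an oversight. The struct literal this hunk edits begins and ends outside the hunk.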
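Review bot: `if len(a.parts) > 0` changes what an empty parts list means: before this commit an empty configured list replaced the WAF's parts (the removed `waf.AuditLogParts = a.parts`), whereas now it keeps the defaults added in internal/corazawaf/waf.go, so this config path no longer offers a way to request no parts, and `nativeFormatter.Format`'s zero-parts early return appears reachable only by setting the field directly. If the fallback is intended, say so with `// Keep the default parts when the config does not set any.`; if an explicitly empty list should still mean "log nothing", the config needs a separate "parts were set" flag rather than a length check. NewWAF's body continues outside the hunk.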