Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: ocsf audit logging #1089

Merged
merged 36 commits into from
Sep 17, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
4aa92ee
Updated golangCI-lint version to 1.59.1
Jun 25, 2024
2e6fa3e
Created lint exclusion for rule.go for use of deprecated reflect.Stri…
Jun 25, 2024
ffc10bf
Added OCSF audit log format
Jun 25, 2024
2f2603e
Merge branch 'feature/OCSF_Audit_Logging' of https://github.com/durg7…
Jun 25, 2024
9b7598b
Changed default for SecAuditLogFormat to'Native'
Jun 25, 2024
7456aa7
AuditLogFormat is no longer strongly typed
Jul 9, 2024
5192bcf
Merge pull request #1 from corazawaf/main
durg78 Sep 4, 2024
8d29add
Merge branch 'feature/OCSF_Audit_Logging' into main
durg78 Sep 4, 2024
69ce43f
Merge pull request #2 from durg78/main
durg78 Sep 4, 2024
37d5b7d
AuditLogFormat should not be a strict type
Sep 4, 2024
bec6659
moved gathering of request argument fields out of transaction
Sep 4, 2024
41b83eb
Added comments
Sep 4, 2024
ded83ed
Added several test cases
Sep 4, 2024
9a79c22
Merge branch 'feature/OCSF_Audit_Logging' of https://github.com/durg7…
Sep 4, 2024
fdb2fcb
fix: TransactionProducer may be nil
Sep 5, 2024
28b12f8
Merge branch 'feature/OCSF_Audit_Logging' into main
durg78 Sep 6, 2024
63ff42a
Merge pull request #3 from durg78/main
durg78 Sep 6, 2024
8e38d4e
chore(deps): fix mising requirement for ocsf lib
Sep 6, 2024
b515933
fix: missing comment indicating audit log format option for jasonlegacy
Sep 9, 2024
d360d7a
Added observables for logging request files and ServerID
Sep 10, 2024
bc093a8
removed inadvertent unnecessary whitespace
Sep 10, 2024
c8ede9e
improved test coverage
Sep 10, 2024
c054cb3
Merge branch 'feature/OCSF_Audit_Logging' into main
durg78 Sep 10, 2024
2a0740d
Merge pull request #4 from durg78/main
durg78 Sep 10, 2024
244b69f
improved auditlog test coverage
Sep 10, 2024
b9d8ffb
Merge branch 'feature/OCSF_Audit_Logging' of https://github.com/durg7…
Sep 10, 2024
e51c93e
fix: ocsf observable entry crated for ServerID when no ServerID was s…
Sep 11, 2024
fb97a6f
fix: spelling of 'Validate"
Sep 11, 2024
3b41b86
fix: Update file description comment
Sep 11, 2024
de45c90
fix: simplify iteration over Request Arguments
Sep 11, 2024
6a12d80
Update internal/seclang/directives.go
durg78 Sep 11, 2024
a0dd877
Merge branch 'feature/OCSF_Audit_Logging' of https://github.com/durg7…
Sep 11, 2024
2fd16a1
Added logging of whether the transaction was allowed or denied
Sep 13, 2024
65a0a5a
Moved logging of transaction id from metadata to http request
Sep 13, 2024
70c68e9
fix: corrected logging of http request length
Sep 13, 2024
1025693
security: fix Incorrect conversion of an integer
Sep 13, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,4 +19,4 @@ issues:
exclude-rules:
- path: magefile\.go
linters:
- deadcode
- deadcode
5 changes: 4 additions & 1 deletion coraza.conf-recommended
Original file line number Diff line number Diff line change
Expand Up @@ -161,8 +161,11 @@ SecAuditLogParts ABIJDEFHZ
#
SecAuditLogType Serial

# The following settings are not supported by Coraza
# The format used to write the audit log.
# Can be one of JSON|JsonLegacy|Native|OCSF
SecAuditLogFormat Native

# The following settings are not supported by Coraza
# SecCookieFormat 0
# SecArgumentSeparator &
# SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
Expand Down
5 changes: 5 additions & 0 deletions experimental/plugins/plugintypes/auditlog.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ package plugintypes
import (
"io/fs"

"github.com/corazawaf/coraza/v3/internal/collections"
"github.com/corazawaf/coraza/v3/types"
)

Expand All @@ -31,6 +32,8 @@ type AuditLogTransaction interface {
Response() AuditLogTransactionResponse
HasResponse() bool
Producer() AuditLogTransactionProducer
HighestSeverity() string // The highest severity of the matched rules for the transaction
IsInterrupted() bool // True if the transaction was interrupted
}

// AuditLogTransactionResponse contains response specific information
Expand Down Expand Up @@ -61,6 +64,8 @@ type AuditLogTransactionRequest interface {
Headers() map[string][]string
Body() string
Files() []AuditLogTransactionRequestFiles
Args() *collections.ConcatKeyed // A string representation of all request agruments in the format 'k=v,'
Length() int32 // The total size of the request in bytes
}

// AuditLogTransactionRequestFiles contains information for the
Expand Down
3 changes: 3 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ go 1.22
// - aho-corasick
// - gjson
// - binaryregexp
// - ocsf-schema-golang

require (
github.com/anuraaga/go-modsecurity v0.0.0-20220824035035-b9a4099778df
Expand All @@ -23,6 +24,7 @@ require (
github.com/mccutchen/go-httpbin/v2 v2.14.0
github.com/petar-dambovaliev/aho-corasick v0.0.0-20240411101913-e07a1f0e8eb4
github.com/tidwall/gjson v1.17.3
github.com/valllabh/ocsf-schema-golang v1.0.3
golang.org/x/net v0.28.0
golang.org/x/sync v0.8.0
rsc.io/binaryregexp v0.2.0
Expand All @@ -35,4 +37,5 @@ require (
golang.org/x/mod v0.17.0 // indirect
golang.org/x/sys v0.23.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
google.golang.org/protobuf v1.34.1 // indirect
)
6 changes: 6 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yf
github.com/corazawaf/libinjection-go v0.2.1/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/mccutchen/go-httpbin/v2 v2.14.0 h1:9N7GUf8+JunYMFd+yHPIVYApC6KYgqtF0pHIcTGYcVQ=
Expand All @@ -21,6 +23,8 @@ github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JT
github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
github.com/valllabh/ocsf-schema-golang v1.0.3 h1:eR8k/3jP/OOqB8LRCtdJ4U+vlgd/gk5y3KMXoodrsrw=
github.com/valllabh/ocsf-schema-golang v1.0.3/go.mod h1:sZ3as9xqm1SSK5feFWIR2CuGeGRhsM7TR1MbpBctzPk=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
Expand Down Expand Up @@ -86,5 +90,7 @@ golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
66 changes: 59 additions & 7 deletions internal/auditlog/auditlog.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"encoding/json"

"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
"github.com/corazawaf/coraza/v3/internal/collections"
"github.com/corazawaf/coraza/v3/types"
)

Expand Down Expand Up @@ -77,13 +78,15 @@ type Transaction struct {
// Client IP Address string representation
ClientIP_ string `json:"client_ip"`

ClientPort_ int `json:"client_port"`
HostIP_ string `json:"host_ip"`
HostPort_ int `json:"host_port"`
ServerID_ string `json:"server_id"`
Request_ *TransactionRequest `json:"request,omitempty"`
Response_ *TransactionResponse `json:"response,omitempty"`
Producer_ *TransactionProducer `json:"producer,omitempty"`
ClientPort_ int `json:"client_port"`
HostIP_ string `json:"host_ip"`
HostPort_ int `json:"host_port"`
ServerID_ string `json:"server_id"`
Request_ *TransactionRequest `json:"request,omitempty"`
Response_ *TransactionResponse `json:"response,omitempty"`
Producer_ *TransactionProducer `json:"producer,omitempty"`
HighestSeverity_ string `json:"highest_severity"`
IsInterrupted_ bool `json:"is_interrupted"`
}

var _ plugintypes.AuditLogTransaction = Transaction{}
Expand Down Expand Up @@ -140,6 +143,14 @@ func (t Transaction) Producer() plugintypes.AuditLogTransactionProducer {
return t.Producer_
}

func (t Transaction) HighestSeverity() string {
return t.HighestSeverity_
}

func (t Transaction) IsInterrupted() bool {
return t.IsInterrupted_
}

// TransactionResponse contains response specific
// information
type TransactionResponse struct {
Expand Down Expand Up @@ -197,26 +208,50 @@ type TransactionProducer struct {
var _ plugintypes.AuditLogTransactionProducer = (*TransactionProducer)(nil)

func (tp *TransactionProducer) Connector() string {
if tp == nil {
return ""
}

return tp.Connector_
}

func (tp *TransactionProducer) Version() string {
if tp == nil {
return ""
}

return tp.Version_
}

func (tp *TransactionProducer) Server() string {
if tp == nil {
return ""
}

return tp.Server_
}

func (tp *TransactionProducer) RuleEngine() string {
if tp == nil {
return ""
}

return tp.RuleEngine_
}

func (tp *TransactionProducer) Stopwatch() string {
if tp == nil {
return ""
}

return tp.Stopwatch_
}

func (tp *TransactionProducer) Rulesets() []string {
if tp == nil {
return nil
}

return tp.Rulesets_
}

Expand All @@ -230,6 +265,8 @@ type TransactionRequest struct {
Headers_ map[string][]string `json:"headers"`
Body_ string `json:"body"`
Files_ []plugintypes.AuditLogTransactionRequestFiles `json:"files"`
Args_ *collections.ConcatKeyed `json:"args"`
Length_ int32 `json:"length"`
}

var _ plugintypes.AuditLogTransactionRequest = (*TransactionRequest)(nil)
Expand Down Expand Up @@ -286,6 +323,21 @@ func (tr *TransactionRequest) Files() []plugintypes.AuditLogTransactionRequestFi
return tr.Files_
}

func (tr *TransactionRequest) Args() *collections.ConcatKeyed {
if tr == nil {
return &collections.ConcatKeyed{}
}

return tr.Args_
}

func (tr *TransactionRequest) Length() int32 {
if tr == nil {
return 0
}
return tr.Length_
}

// TransactionRequestFiles contains information
// for the uploaded files using multipart forms
type TransactionRequestFiles struct {
Expand Down
Loading
Loading