|
Packit |
284210 |
### SecAudit* directive tests
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# SecAuditEngine
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditEngine On",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine On
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
audit => [ qr/./, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditEngine Off",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine Off
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
-audit => [ qr/./, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditEngine RelevantOnly (pos)",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecRuleEngine On
|
|
Packit |
284210 |
SecAuditEngine RelevantOnly
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecDebugLog $ENV{DEBUG_LOG}
|
|
Packit |
284210 |
SecDebugLogLevel 9
|
|
Packit |
284210 |
SecResponseBodyAccess On
|
|
Packit |
284210 |
SecDefaultAction "phase:2,log,auditlog,pass"
|
|
Packit |
284210 |
SecRule REQUEST_URI "." "phase:4,deny,id:500251"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
audit => [ qr/./, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^403$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditEngine RelevantOnly (neg)",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine RelevantOnly
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecResponseBodyAccess On
|
|
Packit |
284210 |
SecDefaultAction "phase:2,log,auditlog,pass"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
-audit => [ qr/./, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# SecAuditLogType & SecAuditLogStorageDir
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditLogType Serial",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine On
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecAuditLogType Serial
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
audit => [ qr/./, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^404$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/bogus",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditLogType Concurrent",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine On
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecAuditLogType Concurrent
|
|
Packit |
284210 |
SecAuditLogStorageDir "$ENV{LOGS_DIR}/audit"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
test => sub {
|
|
Packit |
284210 |
### Perl code to parse the audit log entry and verify
|
|
Packit |
284210 |
### that the concurrent audit log exists and contains
|
|
Packit |
284210 |
### the correct data.
|
|
Packit |
284210 |
###
|
|
Packit |
284210 |
### TODO: Need some API for this :)
|
|
Packit |
284210 |
###
|
|
Packit |
284210 |
### FIXME: Just workable with apache, the timing to load auditlog from nginx
|
|
Packit |
284210 |
### is not correct, so the test is failing even when it should pass.
|
|
Packit |
284210 |
### Disabling it for now until we figure out a way to handle that.
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Parse log
|
|
Packit |
284210 |
#my $alogre = qr/^(?:\S+)\ (?:\S+)\ (?:\S+)\ (?:\S+)\ \[(?:[^:]+):(?:\d+:\d+:\d+)\ (?:[^\]]+)\]\ \"(?:.*)\"\ (?:\d+)\ (?:\S+)\ \"(?:.*)\"\ \"(?:.*)\"\ (\S+)\ \"(?:.*)\"\ (\S+)\ (?:\d+)\ (?:\d+)\ (?:\S+)(?:.*)$/m;
|
|
Packit |
284210 |
#my $alog = match_log("audit", $alogre, 1);
|
|
Packit |
284210 |
#chomp $alog;
|
|
Packit |
284210 |
#dbg("Alog: $alog\n");
|
|
Packit |
284210 |
#my @log = ($alog =~ m/$alogre/);
|
|
Packit |
284210 |
#my($id, $fn) = ($log[0], $log[1]);
|
|
Packit |
284210 |
#if (!$id or !$fn) {
|
|
Packit |
284210 |
#dbg("LOG ENTRY: $alog");
|
|
Packit |
284210 |
#die "Failed to parse audit log: $ENV{AUDIT_LOG}\n";
|
|
Packit |
284210 |
#}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Verify concurrent log exists
|
|
Packit |
284210 |
#my $alogdatafn = "$ENV{LOGS_DIR}/audit$fn";
|
|
Packit |
284210 |
#if (! -e "$alogdatafn") {
|
|
Packit |
284210 |
#die "Audit log does not exist: $alogdatafn\n";
|
|
Packit |
284210 |
#}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Verify concurrent log contents
|
|
Packit |
284210 |
#if (defined match_file($alogdatafn, qr/^--[^-]+-A--.*$id.*-Z--$/s)) {
|
|
Packit |
284210 |
#return 0;
|
|
Packit |
284210 |
#}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# Error
|
|
Packit |
284210 |
#dbg("LOGDATA: \"$FILE{$alogdatafn}{buf}\"");
|
|
Packit |
284210 |
#die "Audit log data did not match.\n";
|
|
Packit |
284210 |
return 0;
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# SecAuditLogRelevantStatus
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditLogRelevantStatus (pos)",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine RelevantOnly
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecAuditLogRelevantStatus "^4"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
audit => [ qr/./, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^404$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/bogus",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditLogRelevantStatus (neg)",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine RelevantOnly
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecAuditLogRelevantStatus "^4"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
-audit => [ qr/./, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
|
|
Packit |
284210 |
# SecAuditLogParts
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditLogParts (minimal)",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine On
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecRequestBodyAccess On
|
|
Packit |
284210 |
SecResponseBodyAccess On
|
|
Packit |
284210 |
SecAuditLogParts "AZ"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
audit => [ qr/-A--.*-Z--/s, 1 ],
|
|
Packit |
284210 |
-audit => [ qr/-[B-Y]--/, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
[
|
|
Packit |
284210 |
"Content-Type" => "application/x-www-form-urlencoded",
|
|
Packit |
284210 |
],
|
|
Packit |
284210 |
"a=1r&=2",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditLogParts (default)",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecAuditEngine On
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecRequestBodyAccess On
|
|
Packit |
284210 |
SecResponseBodyAccess On
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
audit => [ qr/-A--.*-B--.*-F--.*-H--.*-Z--/s, 1 ],
|
|
Packit |
284210 |
-audit => [ qr/-[DEGIJK]--/, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
[
|
|
Packit |
284210 |
"Content-Type" => "application/x-www-form-urlencoded",
|
|
Packit |
284210 |
],
|
|
Packit |
284210 |
"a=1r&=2",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
type => "config",
|
|
Packit |
284210 |
comment => "SecAuditLogParts (all)",
|
|
Packit |
284210 |
conf => qq(
|
|
Packit |
284210 |
SecRuleEngine On
|
|
Packit |
284210 |
SecAuditEngine On
|
|
Packit |
284210 |
SecAuditLog $ENV{AUDIT_LOG}
|
|
Packit |
284210 |
SecRequestBodyAccess On
|
|
Packit |
284210 |
SecResponseBodyAccess On
|
|
Packit |
284210 |
SecAuditLogParts "ABCDEFGHIJKZ"
|
|
Packit |
284210 |
SecAction "phase:4,log,auditlog,allow,id:500086"
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
match_log => {
|
|
Packit |
284210 |
audit => [ qr/-A--.*-B--.*-C--.*-F--.*-E--.*-H--.*-K--.*-Z--/s, 1 ],
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
match_response => {
|
|
Packit |
284210 |
status => qr/^200$/,
|
|
Packit |
284210 |
},
|
|
Packit |
284210 |
request => new HTTP::Request(
|
|
Packit |
284210 |
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
|
|
Packit |
284210 |
[
|
|
Packit |
284210 |
"Content-Type" => "application/x-www-form-urlencoded",
|
|
Packit |
284210 |
],
|
|
Packit |
284210 |
"a=1r&=2",
|
|
Packit |
284210 |
),
|
|
Packit |
284210 |
},
|