I currently have a CentOS system that is successfully logging relevant mod_security actions to the audit log file. The following is my configuration:
<IfModule mod_security2.c>
SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modsec_audit.log
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecRequestBodyAccess On
SecDataDir /tmp
SecTmpDir /tmp
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
</IfModule>
This logs all actions where mod_security intercepts/blocks the request because of the SecAuditEngine RelevantOnly setting.
However, I would like it to additionally log all POST data that is submitted to the server (regardless of the status). I could achieve this by setting SecAuditEngine On, but this logs all GET and POST data, which is overkill. I would basically like to omit all GET data unless the request was intercepted.
Can anyone suggest how to do this?
Best Answer
Have a rule which turns on the AuditEngine for POST requests. Something like this (untested):
Ctl actions only affect the current request so afterwards it will reset back to RelevantOnly for the next request.
You can also create Sanitise rules to ensure sensitive data like passwords and credit card data is masked before logging. See here: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#sanitiseArg
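The following is an added example of how the approach in the answer can be written in a ModSecurity 2.x configuration; it is not the answerer's own (omitted) rule. It keeps the asker's SecAuditEngine RelevantOnly setting and uses the documented ctl:auditEngine and sanitiseArg actions. The rule ids 1000001 and 1000002 and the argument names password and cc_number are assumptions chosen for illustration.

```apacheconf
<IfModule mod_security2.c>
    # Global default stays as in the question: only intercepted/relevant
    # transactions are written to the audit log.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Force the audit log on for POST requests only. ctl only changes the
    # current transaction, so GET requests keep the RelevantOnly behaviour.
    # pass + nolog: this rule itself must not block or raise an alert.
    # Rule id 1000001 is an assumed free id in the local range.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:1000001,phase:1,pass,nolog,ctl:auditEngine=On"

    # Mask sensitive form fields before the entry is written. Phase 2 is
    # used because POST arguments are only available after the body is read.
    # The argument names password and cc_number are assumed examples.
    SecAction "id:1000002,phase:2,pass,nolog,sanitiseArg:password,sanitiseArg:cc_number"
</IfModule>
```

For the POST body to actually appear in the entry, SecAuditLogParts must include part C (the request body); ModSecurity's default of ABCFHZ already does, so it only needs attention if it was overridden elsewhere. Check the result with a test POST and an unrelated GET to the same host: the POST produces an audit entry with the masked fields, the GET produces none unless a rule intercepts it.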