Merge pull request #2680 from SpiderLabs/v3/dev/issue_2606_a

Add ctl:auditengine action support

Author: martinhsv

Makefile.am

@@ -96,6 +96,7 @@ TESTS+=test/test-cases/regression/action-ctl_request_body_access.json
 TESTS+=test/test-cases/regression/action-ctl_request_body_processor.json
 TESTS+=test/test-cases/regression/action-ctl_request_body_processor_urlencoded.json
 TESTS+=test/test-cases/regression/action-ctl_rule_engine.json
+TESTS+=test/test-cases/regression/action-ctl_audit_engine.json
 TESTS+=test/test-cases/regression/action-ctl_rule_remove_by_id.json
 TESTS+=test/test-cases/regression/action-ctl_rule_remove_by_tag.json
 TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_id.json

headers/modsecurity/audit_log.h

@@ -22,12 +22,11 @@
 #ifndef HEADERS_MODSECURITY_AUDIT_LOG_H_
 #define HEADERS_MODSECURITY_AUDIT_LOG_H_
 
-#include "modsecurity/transaction.h"
-
 
 #ifdef __cplusplus
 
 namespace modsecurity {
+class Transaction;
 namespace audit_log {
 namespace writer {
 class Writer;
@@ -177,6 +176,10 @@ class AuditLog {
     static int addParts(int parts, const std::string& new_parts);
     static int removeParts(int parts, const std::string& new_parts);
 
+    void setCtlAuditEngineActive() {
+        m_ctlAuditEngineActive = true;
+    }
+
     bool merge(AuditLog *from, std::string *error);
 
     std::string m_path1;
@@ -203,6 +206,7 @@ class AuditLog {
     std::string m_relevant;
 
     audit_log::writer::Writer *m_writer;
+    bool m_ctlAuditEngineActive; // rules have at least one action On or RelevantOnly
 };
 
 

headers/modsecurity/transaction.h

@@ -49,6 +49,7 @@ typedef struct Rules_t RulesSet;
 #include "modsecurity/collection/collection.h"
 #include "modsecurity/variable_origin.h"
 #include "modsecurity/anchored_set_variable_translation_proxy.h"
+#include "modsecurity/audit_log.h"
 
 
 #ifndef NO_LOGS
@@ -529,6 +530,12 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
      */
     std::list< std::pair<int, std::string> > m_auditLogModifier;
 
+    /**
+     * This transaction's most recent action ctl:auditEngine
+     *
+     */
+    audit_log::AuditLog::AuditLogStatus m_ctlAuditEngine;
+
     /**
      * This variable holds all the messages asked to be save by the utilization
      * of the actions: `log_data' and `msg'. These should be included on the

src/Makefile.am

@@ -118,6 +118,7 @@ ACTIONS = \
 	actions/capture.cc \
 	actions/chain.cc \
 	actions/ctl/audit_log_parts.cc \
+	actions/ctl/audit_engine.cc \
 	actions/ctl/rule_engine.cc \
 	actions/ctl/request_body_processor_json.cc \
 	actions/ctl/request_body_processor_xml.cc \

src/actions/ctl/audit_engine.cc

@@ -0,0 +1,63 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/actions/ctl/audit_engine.h"
+
+#include <string>
+
+#include "modsecurity/rules_set_properties.h"
+#include "modsecurity/rules_set.h"
+#include "modsecurity/transaction.h"
+
+namespace modsecurity {
+namespace actions {
+namespace ctl {
+
+
+bool AuditEngine::init(std::string *error) {
+
+    std::string what(m_parser_payload, 12, m_parser_payload.size() - 12);
+
+    if (what == "on") {
+        m_auditEngine = audit_log::AuditLog::AuditLogStatus::OnAuditLogStatus;
+    } else if (what == "off") {
+        m_auditEngine = audit_log::AuditLog::AuditLogStatus::OffAuditLogStatus;
+    } else if (what == "relevantonly") {
+        m_auditEngine = audit_log::AuditLog::AuditLogStatus::RelevantOnlyAuditLogStatus;
+    } else {
+        error->assign("Internal error. Expected: On, Off or RelevantOnly; " \
+            "got: " + m_parser_payload);
+        return false;
+    }
+
+    return true;
+}
+
+bool AuditEngine::evaluate(RuleWithActions *rule, Transaction *transaction) {
+    std::stringstream a;
+    a << "Setting SecAuditEngine to ";
+    a << std::to_string(m_auditEngine);
+    a << " as requested by a ctl:auditEngine action";
+
+    ms_dbg_a(transaction, 8, a.str());
+
+    transaction->m_ctlAuditEngine = m_auditEngine;
+    return true;
+}
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity

src/actions/ctl/audit_engine.h

@@ -0,0 +1,51 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2022 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <string>
+
+#include "modsecurity/rules_set_properties.h"
+#include "modsecurity/actions/action.h"
+
+#include "modsecurity/audit_log.h"
+
+
+#ifndef SRC_ACTIONS_CTL_AUDIT_ENGINE_H_
+#define SRC_ACTIONS_CTL_AUDIT_ENGINE_H_
+
+namespace modsecurity {
+class Transaction;
+
+namespace actions {
+namespace ctl {
+
+
+class AuditEngine : public Action {
+ public:
+    explicit AuditEngine(const std::string &action)
+        : Action(action, RunTimeOnlyIfMatchKind),
+        m_auditEngine(audit_log::AuditLog::AuditLogStatus::NotSetLogStatus) { }
+
+    bool init(std::string *error) override;
+    bool evaluate(RuleWithActions *rule, Transaction *transaction) override;
+
+    audit_log::AuditLog::AuditLogStatus m_auditEngine;
+};
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity
+
+#endif  // SRC_ACTIONS_CTL_AUDIT_ENGINE_H_

src/audit_log/audit_log.cc

@@ -21,6 +21,7 @@
 
 #include <fstream>
 
+#include "modsecurity/transaction.h"
 #include "modsecurity/rule_message.h"
 #include "src/audit_log/writer/https.h"
 #include "src/audit_log/writer/parallel.h"
@@ -61,7 +62,8 @@ AuditLog::AuditLog()
     m_status(NotSetLogStatus),
     m_type(NotSetAuditLogType),
     m_relevant(""),
-    m_writer(NULL) { }
+    m_writer(NULL),
+    m_ctlAuditEngineActive(false) { }
 
 
 AuditLog::~AuditLog() {
@@ -210,7 +212,8 @@ bool AuditLog::setType(AuditLogType audit_type) {
 bool AuditLog::init(std::string *error) {
     audit_log::writer::Writer *tmp_writer;
 
-    if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
+    if ((m_status == OffAuditLogStatus || m_status == NotSetLogStatus)
+        && !m_ctlAuditEngineActive) {
         if (m_writer) {
             delete m_writer;
             m_writer = NULL;
@@ -275,7 +278,13 @@ bool AuditLog::saveIfRelevant(Transaction *transaction) {
 
 bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
     bool saveAnyway = false;
-    if (m_status == OffAuditLogStatus || m_status == NotSetLogStatus) {
+
+    AuditLogStatus transactionAuditLogStatus(m_status);
+    if (transaction->m_ctlAuditEngine != NotSetLogStatus) {
+        transactionAuditLogStatus = transaction->m_ctlAuditEngine;
+    }
+
+    if (transactionAuditLogStatus == OffAuditLogStatus || transactionAuditLogStatus == NotSetLogStatus) {
         ms_dbg_a(transaction, 5, "Audit log engine was not set.");
         return true;
     }
@@ -287,7 +296,7 @@ bool AuditLog::saveIfRelevant(Transaction *transaction, int parts) {
         }
     }
 
-    if ((m_status == RelevantOnlyAuditLogStatus
+    if ((transactionAuditLogStatus == RelevantOnlyAuditLogStatus
         && this->isRelevant(transaction->m_httpCodeReturned) == false)
         && saveAnyway == false) {
         ms_dbg_a(transaction, 9, "Return code `" +
@@ -353,6 +362,10 @@ bool AuditLog::merge(AuditLog *from, std::string *error) {
         m_format = from->m_format;
     }
 
+    if (from->m_ctlAuditEngineActive) {
+        m_ctlAuditEngineActive = from->m_ctlAuditEngineActive;
+    }
+
     return init(error);
 }