Adding ModSecurity parameter for audit log format.

Author: Tamerz

manifests/mod/security.pp

@@ -32,6 +32,10 @@
 # 
 # @param audit_log_type
 #   Defines the type of audit logging mechanism to be used.
+#
+# @param audit_log_format
+#   Defines what format the logs should be written in. Accepts `Native` and `JSON`.
+#   Default value: Native
 # 
 # @param audit_log_storage_dir
 #   Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used.
@@ -143,6 +147,7 @@
   String $audit_log_relevant_status                            = '^(?:5|4(?!04))',
   String $audit_log_parts                                      = $apache::params::modsec_audit_log_parts,
   String $audit_log_type                                       = $apache::params::modsec_audit_log_type,
+  Enum['Native', 'JSON'] $audit_log_format                     = $apache::params::modsec_audit_log_format,
   Optional[Stdlib::Absolutepath] $audit_log_storage_dir        = undef,
   Integer $secpcrematchlimit                                   = $apache::params::secpcrematchlimit,
   Integer $secpcrematchlimitrecursion                          = $apache::params::secpcrematchlimitrecursion,
@@ -256,6 +261,7 @@
     'audit_log_relevant_status'   => $audit_log_relevant_status,
     'audit_log_parts'             => $audit_log_parts,
     'audit_log_type'              => $audit_log_type,
+    'audit_log_format'            => $audit_log_format,
     'audit_log_storage_dir'       => $audit_log_storage_dir,
     'logroot'                     => $logroot,
   }

manifests/params.pp

@@ -36,6 +36,7 @@
 
   $modsec_audit_log_parts = 'ABIJDEFHZ'
   $modsec_audit_log_type = 'Serial'
+  $modsec_audit_log_format = 'Native'
   $modsec_custom_rules = false
   $modsec_custom_rules_set = undef
 

spec/classes/mod/security_spec.rb

@@ -102,6 +102,7 @@
                 audit_log_relevant_status: '^(?:5|4(?!01|04))',
                 audit_log_parts: 'ABCDZ',
                 audit_log_type: 'Concurrent',
+                audit_log_format: 'JSON',
                 audit_log_storage_dir: '/var/log/httpd/audit',
                 secdefaultaction: 'deny,status:406,nolog,auditlog',
                 secrequestbodyaccess: 'Off',
@@ -114,6 +115,7 @@
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} }
+            it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogFormat JSON$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
             it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }

templates/mod/security.conf.epp

@@ -49,6 +49,9 @@
     SecAuditLogRelevantStatus "<%= $audit_log_relevant_status %>"
     SecAuditLogParts <%= $audit_log_parts %>
     SecAuditLogType <%= $audit_log_type %>
+    <%- if $audit_log_format == 'JSON' { -%>
+    SecAuditLogFormat JSON
+    <%- } -%>
     <%- if $audit_log_storage_dir { -%>
     SecAuditLogStorageDir <%= $audit_log_storage_dir %>
     <%- } -%>