Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Audit logs in proxy-wasm logs #263

Merged
merged 10 commits into from
Jul 18, 2024
Merged

feat: Audit logs in proxy-wasm logs #263

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
0667cef
implements auditlogs as info logs
M4tteoP Mar 25, 2024
a385e97
TINYGO_VERSION and recommended/demo
M4tteoP Mar 25, 2024
a620f32
adds serial_writer_go
M4tteoP Mar 25, 2024
42923fd
fix test registering serial writer
M4tteoP Mar 26, 2024
9cb6fd0
JSON added to recommended, SecAuditLog for default Serial writer
M4tteoP Mar 28, 2024
ec56bc5
enforces prefix, comments in recommended confs
M4tteoP Apr 1, 2024
cf8f47b
nit: naming
M4tteoP Apr 2, 2024
ebd88d7
fix: adds workaround for SecAuditLogRelevantStatus and default deny a…
M4tteoP Jul 16, 2024
07d99b1
revert workaround, points to Coraza master with fix
M4tteoP Jul 18, 2024
776444b
nit: removes leftover
M4tteoP Jul 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ go 1.20

require (
github.com/corazawaf/coraza-wasilibs v0.2.0
github.com/corazawaf/coraza/v3 v3.2.1
github.com/corazawaf/coraza/v3 v3.2.2-0.20240718151026-8ebb4a82ce41
github.com/stretchr/testify v1.9.0
github.com/tetratelabs/proxy-wasm-go-sdk v0.23.0
github.com/tidwall/gjson v1.17.1
Expand Down
4 changes: 2 additions & 2 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
github.com/corazawaf/coraza-wasilibs v0.2.0 h1:BT8x2pks6Xk7Oi1cUS9BPO+hi3QWQyQAtBkC3IR3Mt8=
github.com/corazawaf/coraza-wasilibs v0.2.0/go.mod h1:jmUPQdndtPfMzKPn0a8BqdikXjuT3wY+6zDx5NvKshI=
github.com/corazawaf/coraza/v3 v3.2.1 h1:zBIji4ut9FtFe8lXdqFwXMAkUoDJZ7HsOlEUYWERLI8=
github.com/corazawaf/coraza/v3 v3.2.1/go.mod h1:fVndCGdUHJWl9c26VZPcORQRzUYwMPnRkC6TyTkhbUg=
github.com/corazawaf/coraza/v3 v3.2.2-0.20240718151026-8ebb4a82ce41 h1:BVk6PUP8RsYtSAGlpGH3w0Bnjyjd2nADCy7ZkjXC0MQ=
github.com/corazawaf/coraza/v3 v3.2.2-0.20240718151026-8ebb4a82ce41/go.mod h1:fVndCGdUHJWl9c26VZPcORQRzUYwMPnRkC6TyTkhbUg=
github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y=
github.com/corazawaf/libinjection-go v0.2.1/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
Expand Down
50 changes: 50 additions & 0 deletions internal/auditlog/serial_writer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
// Copyright The OWASP Coraza contributors
// SPDX-License-Identifier: Apache-2.0

package auditlog

import (
"io"

"github.com/corazawaf/coraza/v3/experimental/plugins"
"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
)

// RegisterProxyWasmSerialWriter overrides the default "Serial" audit log writer (see https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go)
// in order to print audit logs to the proxy-wasm log as info messages with a prefix to differentiate them from other logs.
func RegisterProxyWasmSerialWriter() {
plugins.RegisterAuditLogWriter("serial", func() plugintypes.AuditLogWriter {
return &wasmSerial{}
})
}

type wasmSerial struct {
io.Closer
formatter plugintypes.AuditLogFormatter
}

func (s *wasmSerial) Init(cfg plugintypes.AuditLogConfig) error {
s.formatter = cfg.Formatter
return nil
}

func (s *wasmSerial) Write(al plugintypes.AuditLog) error {
if s.formatter == nil {
return nil
}

bts, err := s.formatter.Format(al)
if err != nil {
return err
}

if len(bts) == 0 {
return nil
}
// Print the audit log to the proxy-wasm log as an info message adding an "AuditLog:" prefix.
proxywasm.LogInfo("AuditLog:" + string(bts))
return nil
}

func (s *wasmSerial) Close() error { return nil }
2 changes: 2 additions & 0 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,13 @@ package main
import (
"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"

"github.com/corazawaf/coraza-proxy-wasm/internal/auditlog"
"github.com/corazawaf/coraza-proxy-wasm/internal/operators"
"github.com/corazawaf/coraza-proxy-wasm/wasmplugin"
)

func main() {
operators.Register()
auditlog.RegisterProxyWasmSerialWriter()
proxywasm.SetVMContext(wasmplugin.NewVMContext())
}
2 changes: 2 additions & 0 deletions main_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/proxytest"
"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"

"github.com/corazawaf/coraza-proxy-wasm/internal/auditlog"
"github.com/corazawaf/coraza-proxy-wasm/wasmplugin"
)

Expand Down Expand Up @@ -1412,6 +1413,7 @@ func vmTest(t *testing.T, f func(*testing.T, types.VMContext)) {
t.Helper()

t.Run("go", func(t *testing.T) {
auditlog.RegisterProxyWasmSerialWriter()
f(t, wasmplugin.NewVMContext())
})

Expand Down
7 changes: 5 additions & 2 deletions wasmplugin/rules/coraza-demo.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -221,7 +221,7 @@ SecDebugLogLevel 3
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"

# Log everything we know about a transaction.
Expand All @@ -230,8 +230,11 @@ SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
# Because of proxy-wasm limitations, audit logs can only be written to stdout
# which end up in the proxy logs.
SecAuditLogType Serial

SecAuditLog /dev/stdout
SecAuditLogFormat JSON

# -- Miscellaneous -----------------------------------------------------------

Expand Down
7 changes: 5 additions & 2 deletions wasmplugin/rules/coraza.conf-recommended.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@ SecResponseBodyLimitAction ProcessPartial
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditEngine Off
SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"

# Log everything we know about a transaction.
Expand All @@ -229,8 +229,11 @@ SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
#
# Because of proxy-wasm limitations, audit logs can only be written to stdout
# which end up in the proxy logs.
SecAuditLogType Serial

SecAuditLog /dev/stdout
SecAuditLogFormat JSON

# -- Miscellaneous -----------------------------------------------------------

Expand Down
Loading