### SecAudit* directive tests
comment => "SecAuditEngine On",
SecAuditLog $ENV{AUDIT_LOG}
audit => [ qr/./, 1 ],
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
comment => "SecAuditEngine Off",
SecAuditLog $ENV{AUDIT_LOG}
-audit => [ qr/./, 1 ],
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
comment => "SecAuditEngine RelevantOnly (pos)",
SecAuditEngine RelevantOnly
SecAuditLog $ENV{AUDIT_LOG}
SecDebugLog $ENV{DEBUG_LOG}
SecResponseBodyAccess On
SecDefaultAction "phase:2,log,auditlog,pass"
SecRule REQUEST_URI "." "phase:4,deny"
audit => [ qr/./, 1 ],
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
comment => "SecAuditEngine RelevantOnly (neg)",
SecAuditEngine RelevantOnly
SecAuditLog $ENV{AUDIT_LOG}
SecResponseBodyAccess On
SecDefaultAction "phase:2,log,auditlog,pass"
-audit => [ qr/./, 1 ],
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
# SecAuditLogType & SecAuditLogStorageDir
comment => "SecAuditLogType Serial",
SecAuditLog $ENV{AUDIT_LOG}
SecAuditLogType Serial
audit => [ qr/./, 1 ],
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/bogus",
comment => "SecAuditLogType Concurrent",
SecAuditLog $ENV{AUDIT_LOG}
SecAuditLogType Concurrent
SecAuditLogStorageDir "$ENV{LOGS_DIR}/audit"
### Perl code to parse the audit log entry and verify
### that the concurrent audit log exists and contains
### the correct data.
### TODO: Need some API for this :)
# Pattern for one audit log entry line.  Every field is matched with a
# non-capturing group except two (\S+) tokens; the code that follows reads
# the first capture as $id and the second as $fn.  The /m flag lets ^ and $
# anchor at line boundaries when the pattern is applied to a multi-line buffer.
my $alogre = qr/^(?:\S+)\ (?:\S+)\ (?:\S+)\ (?:\S+)\ \[(?:[^:]+):(?:\d+:\d+:\d+)\ (?:[^\]]+)\]\ \"(?:.*)\"\ (?:\d+)\ (?:\S+)\ \"(?:.*)\"\ \"(?:.*)\"\ (\S+)\ \"(?:.*)\"\ (\S+)\ (?:\d+)\ (?:\d+)\ (?:\S+)(?:.*)$/m;
my $alog = match_log("audit", $alogre, 1);
my @log = ($alog =~ m/$alogre/);
# The two captures of $alogre: $id (first) and $fn (second), both taken
# verbatim from the audit log line.  $fn is used below as the path suffix of
# the concurrent log file; $id is used to check that file's contents.
# NOTE(review): $id is later interpolated into a regex unescaped; \Q$id\E
# would keep any metacharacter in it from altering the match.
my($id, $fn) = ($log[0], $log[1]);
dbg("LOG ENTRY: $alog");
die "Failed to parse audit log: $ENV{AUDIT_LOG}\n";
# Verify concurrent log exists
# Build the path of the concurrent log file: the same "$ENV{LOGS_DIR}/audit"
# directory given to SecAuditLogStorageDir, followed directly by $fn (so $fn
# is presumably expected to begin with "/" -- TODO confirm).
# NOTE(review): $fn comes straight from the parsed log line and is not
# checked for ".." components before being used as a filesystem path.
my $alogdatafn = "$ENV{LOGS_DIR}/audit$fn";
if (! -e "$alogdatafn") {
die "Audit log does not exist: $alogdatafn\n";
# Verify concurrent log contents
if (defined match_file($alogdatafn, qr/^--[^-]+-A--.*$id.*-Z--$/s)) {
dbg("LOGDATA: \"$FILE{$alogdatafn}{buf}\"");
die "Audit log data did not match.\n";
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
# SecAuditLogRelevantStatus
comment => "SecAuditLogRelevantStatus (pos)",
SecAuditEngine RelevantOnly
SecAuditLog $ENV{AUDIT_LOG}
SecAuditLogRelevantStatus "^4"
audit => [ qr/./, 1 ],
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/bogus",
comment => "SecAuditLogRelevantStatus (neg)",
SecAuditEngine RelevantOnly
SecAuditLog $ENV{AUDIT_LOG}
SecAuditLogRelevantStatus "^4"
-audit => [ qr/./, 1 ],
request => new HTTP::Request(
GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
comment => "SecAuditLogParts (minimal)",
SecAuditLog $ENV{AUDIT_LOG}
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditLogParts "AZ"
audit => [ qr/-A--.*-Z--/s, 1 ],
-audit => [ qr/-[B-Y]--/, 1 ],
request => new HTTP::Request(
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
"Content-Type" => "application/x-www-form-urlencoded",
comment => "SecAuditLogParts (default)",
SecAuditLog $ENV{AUDIT_LOG}
SecRequestBodyAccess On
SecResponseBodyAccess On
audit => [ qr/-A--.*-B--.*-F--.*-H--.*-Z--/s, 1 ],
-audit => [ qr/-[DEGIJK]--/, 1 ],
request => new HTTP::Request(
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
"Content-Type" => "application/x-www-form-urlencoded",
comment => "SecAuditLogParts (all)",
SecAuditLog $ENV{AUDIT_LOG}
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditLogParts "ABCDEFGHIJKZ"
SecAction "phase:4,log,auditlog,allow"
audit => [ qr/-A--.*-B--.*-C--.*-F--.*-E--.*-H--.*-K--.*-Z--/s, 1 ],
request => new HTTP::Request(
POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
"Content-Type" => "application/x-www-form-urlencoded",