We can keep sensitive data out of the ModSecurity audit log by using the "sanitiseArg" action.
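Assuming that you have an application that transmits passwords in the parameters password, oldPassword, and newPassword, we can write the following rule:
# Mask the three known password parameters in the audit log.
# ModSecurity 2.7 and later require an id on every rule; the value is arbitrary but must be unique.
SecAction "id:1001,phase:5,nolog,pass,\
sanitiseArg:password,\
sanitiseArg:oldPassword,\
sanitiseArg:newPassword"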
If you don't know the parameter names in advance, you can do something like this:
# Mask every parameter whose name matches "password" (id value is arbitrary).
SecRule ARGS_NAMES password "id:1002,phase:5,nolog,pass,\
sanitiseMatched"
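In the following example, we look for anything that resembles a credit card number and then sanitize it:
# @verifyCC takes a regular expression that selects candidate numbers; \d{13,16} is an example pattern.
SecRule ARGS "@verifyCC \d{13,16}" "id:1003,phase:5,nolog,pass,\
sanitiseMatched"
Here, "@verifyCC" is an operator provided by ModSecurity for detecting credit card number patterns.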
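As an added check that is not part of the original post: the Python script below reads the request body (part C) of one serial-format audit log entry and reports password-like parameters and Luhn-valid card numbers that were not masked. It assumes that sanitised values are logged as runs of asterisks, that part C is being recorded, and that the body is URL-encoded; the sample entry and all function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample entry (serial audit log format); not taken from a real log.
SAMPLE = """--a1b2c3d4-A--
[10/Jan/2024:10:00:00 +0000] Zx0000000000000000000000AA 192.0.2.10 51000 192.0.2.20 80
--a1b2c3d4-B--
POST /account/password HTTP/1.1

--a1b2c3d4-C--
oldPassword=********&newPassword=hunter2&card=4111111111111111
--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
SENSITIVE_NAME = re.compile(r"password", re.I)  # names the password rule should cover
CARD_RUN = re.compile(r"\d{13,16}")             # candidate card numbers

def luhn_ok(digits):  # Luhn checksum over a string of digits
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def request_body(entry):
    """Return part C (request body) of one audit log entry."""
    part, lines = None, []
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(1)
        elif part == "C":
            lines.append(line)
    return "\n".join(lines).strip()

def find_leaks(entry):
    """List (parameter, kind) pairs whose values reached the log unmasked."""
    leaks = []
    for name, value in parse_qsl(request_body(entry), keep_blank_values=True):
        if not value or set(value) == {"*"}:
            continue  # empty, or masked (assumption: sanitised bytes are logged as '*')
        if SENSITIVE_NAME.search(name):
            leaks.append((name, "password"))
        elif any(luhn_ok(run) for run in CARD_RUN.findall(value)):
            leaks.append((name, "card number"))
    return leaks

if __name__ == "__main__":
    print(find_leaks(SAMPLE))
```

In the sample, oldPassword is masked while newPassword and card are reported, which is the result you would see if the rules covered only some parameters.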