Apache Security - Ivan Ristic [192]
Actions
You can do many things when an invalid request is discovered. The SecFilterDefaultAction determines the default action list:
# Reject invalid requests with status 403
SecFilterDefaultAction deny,log,status:403
You can override the default action list by supplying a list of actions to individual rules as the last (optional) parameter:
# Only log a warning message when the KEYWORD is found
SecFilter KEYWORD log,pass
* * *
Warning
If you use the optional third parameter to specify per-rule actions, you must ensure all the actions you want to take place are listed. This is because the list you supply replaces the default action list, therefore none of the default actions take place.
* * *
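To make the override semantics concrete, here is an added example (not from the book, and not part of mod_security itself): a small Python linter that reads SecFilterDefaultAction and SecFilter/SecFilterSelective lines, computes the action list that actually applies to each rule under the replace-not-extend rule above, and flags rules whose per-rule list dropped both the denying and the logging actions. The directive names and action names come from this chapter; the argument counts, the SAMPLE configuration and the function names are assumptions made for the example.

```python
import shlex

ARG_COUNT = {"SecFilter": 1, "SecFilterSelective": 2}  # non-action args per directive (assumed)
DISRUPTIVE = {"deny", "allow", "pass", "redirect"}      # actions that decide the request

def parse_actions(spec):
    """'deny,log,status:403' -> {'deny': None, 'log': None, 'status': '403'}."""
    actions = {}
    for item in spec.split(","):
        name, _, param = item.strip().partition(":")
        if name:
            actions[name] = param or None
    return actions

def resolve_rules(config_text):
    """[(rule_line, effective_actions)]; a per-rule list replaces the default list."""
    default, rules = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line, posix=False)  # keep quotes/backslashes in patterns
        directive, args = tokens[0], tokens[1:]
        if directive == "SecFilterDefaultAction":
            default = parse_actions(args[0])
        elif directive in ARG_COUNT:
            overridden = len(args) > ARG_COUNT[directive]
            rules.append((line, parse_actions(args[-1]) if overridden else dict(default)))
    return rules

def lint(config_text):
    """Flag rules whose effective actions neither decide the request nor log it."""
    findings = []
    for line, actions in resolve_rules(config_text):
        problems = []
        if not DISRUPTIVE & actions.keys():
            problems.append("no deny/allow/pass/redirect action")
        if "log" not in actions and "nolog" not in actions:
            problems.append("match is not logged")
        if problems:
            findings.append((line, ", ".join(problems)))
    return findings

# Constructed sample (not from the book): the last rule's override drops deny and log.
SAMPLE = """SecFilterDefaultAction deny,log,status:403
SecFilter KEYWORD log,pass
SecFilterSelective ARG_name "etc/passwd"
SecFilter "bin/sh" msg:shell,status:500
"""
```

Running `lint(SAMPLE)` reports only the last rule: its `msg:shell,status:500` list replaced the defaults, so the rule neither denies nor logs.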
The full list of supported actions is given in Table 12-3.
Table 12-3. mod_security action list

| Action | Description |
| --- | --- |
| allow | Skip over the remaining rules and allow the request to be processed. |
| auditlog | Log the request to the audit log. |
| chain | Chain the current rule with the one that follows. Process the next rule if the current rule matches. This feature allows many rules to be used as one, performing a logical AND. |
| deny | Deny request processing. |
| exec:filename | Execute the external script specified by filename on rule match. |
| id:n | Assign a unique ID n to the rule. The ID will appear in the log. Useful when there are many rules designed to handle the same problem. |
| log | Log the rule match. A message will go into the Apache error log and into the audit log (if such logging is enabled). |
| msg:text | Assign a message text to the rule, which will appear in the log. |
| noauditlog | Do not log the request to the audit log. All requests that trigger a rule will be written to the audit log by default (unless audit logging is completely disabled by configuration). This action should be used when you don't want a request to appear in the audit log (e.g., it may be too long and you do not need it). |
| nolog | Do not log the rule match. |
| pass | Proceed to the next rule in spite of the current rule match. This is useful when you want to perform some action but otherwise don't want to reject the request. |
| pause:n | Pause for n milliseconds on rule match. Be careful with this one; it makes it easy to DoS yourself by having many Apache processes sleep for too long a time. |
| redirect:url | Perform a redirection to the address specified by url when a request is denied. |
| setenv:name=value | Set the environment variable name to value. The value is optional; 1 is used if it is omitted. |
| skipnext:n | On rule match, skip the next n rules (or just one if the parameter is omitted). |
| status:n | Configure the status n to be used to deny the request. |
Logging
There are three places where, depending on the configuration, you may find mod_security logging information:
mod_security debug log
The mod_security debug log, if enabled via the SecFilterDebugLevel and SecFilterDebugLog directives, contains a large number of entries for every request processed. Each log entry is associated with a log level, which is a number from 0 (no messages at all) to 4 (maximum logging). The higher the log level you specify, the more information you get in the error logs. You should normally keep the debug log level at 0 and increase it only while you are debugging your rule set, because excessive logging slows down server operation.
Apache error log
Some of the messages from the debug log will make it into the Apache error log (even if you set the mod_security debug log level to 0). These are the messages that require an administrator's attention, such as information about requests being rejected.
mod_security audit log
When audit logging is enabled (using the SecAuditEngine and SecAuditLog directives),