This post walks through the steps for enabling full HTTP request and response audit logging in ModSecurity. Hopefully it is a useful reference for developers who need it; follow along with the editor and work through it together.
1) cd /etc/httpd/modsecurity-crs/rules
2) In that directory, create a new file named REQUEST-SELF-100-HTTP-audit.conf
vi REQUEST-SELF-100-HTTP-audit.conf
and write the following into it:
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess On
SecAuditEngine On
SecAuditLogParts ABCIFEHZ
SecAuditLog /usr/local/apache/logs/audit.log
SecAuditLogType Concurrent
SecAuditLogStorageDir /usr/local/apache/audit/logs/audit
Notes:
a) SecAuditLogType Concurrent selects concurrent mode: each transaction is written to its own file under SecAuditLogStorageDir, and the file named by SecAuditLog only holds an index line per transaction.
b) Make sure /usr/local/apache/logs/audit.log and /usr/local/apache/audit/logs/audit exist; if they do not, create them yourself.
3) Verify the configuration
a) Open the site and perform some actions; logging in or editing content will do.
b) cat /usr/local/apache/logs/audit.log
You should see output like the following:
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:16 +0800] "GET /centreon/include/common/javascript/autologoutXMLresponse.php?sid=g03dvbmv1tpq9plgpqtm7reds3 HTTP/1.1" 200 125 "-" "-" WMn8eKwbzgcAAD9mEUEAAAAG "-" /20170316/20170316-1046/20170316-104616-WMn8eKwbzgcAAD9mEUEAAAAG 0 2622 md5:1a9c3806299bb34f0e11a06252126348
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/main.php?p=60301&o=c&contact_id=56 HTTP/1.1" 200 115953 "-" "-" WMn8e6wbzgcAAD9iEFwAAAAC "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9iEFwAAAAC 0 127236 md5:44effca7ec920eae8a6b1d24aac66c30
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/Themes/Centreon-2/Modalbox/Color/blue_css.php HTTP/1.1" 200 405 "-" "-" WMn8e6wbzgcAAD9gD-QAAAAA "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9gD-QAAAAA 0 1950 md5:e530e4a72eb117f16e91a3d29119cf19
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/Themes/Centreon-2/Color/blue_css.php HTTP/1.1" 200 4959 "-" "-" WMn8e6wbzgcAAD9lEQgAAAAF "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9lEQgAAAAF 0 1944 md5:1ca3ace6eb8d3aa44303f379ba12d2ba
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/include/common/javascript/topCounterStatus/ajaxStatusCounter.js.php HTTP/1.1" 200 9962 "-" "-" WMn8e6wbzgcAAD9hECQAAAAB "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9hECQAAAAB 0 13512 md5:7c612b1feb6ed6bca0db250622682207
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/img/icones/16x16/clipboard.gif HTTP/1.1" 304 0 "-" "-" WMn8e6wbzgcAAD9nEXgAAAAH "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9nEXgAAAAH 0 2093 md5:42bc6cecd69d6dce26645f71f19304e3
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/include/common/javascript/keygen.js HTTP/1.1" 304 0 "-" "-" WMn8e6wbzgcAAD9jEJcAAAAD "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9jEJcAAAAD 0 2078 md5:dfbcf40646a093c8282655e34520f900
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/img/icones/16x16/mailer.gif HTTP/1.1" 304 0 "-" "-" WMn8e6wbzgcAAD9mEUIAAAAG "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9mEUIAAAAG 0 2088 md5:29861a17608eb8e7c4b0f78c2e15c97e
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/include/common/javascript/codebase/dhtmlxtree.php?sid=g03dvbmv1tpq9plgpqtm7reds3 HTTP/1.1" 200 66666 "-" "-" WMn8e6wbzgcAAD9kEM4AAAAE "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9kEM4AAAAE 0 70098 md5:7ded548ffcfabdc08ac682eb8669f85a
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/img/icones/16x16/centreon.gif HTTP/1.1" 200 1031 "-" "-" WMn8e6wbzgcAAD9iEF0AAAAC "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9iEF0AAAAC 0 1994 md5:b9bc5ebeb55a7fcee9684d5a2208e073
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "GET /centreon/include/common/javascript/autologoutXMLresponse.php?sid=g03dvbmv1tpq9plgpqtm7reds3 HTTP/1.1" 200 125 "-" "-" WMn8e6wbzgcAAD9gD-UAAAAA "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9gD-UAAAAA 0 2659 md5:3e08d8a66d1d1640208c67d9b5ec794f
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:19 +0800] "POST /centreon/include/monitoring/status/TopCounter/xml/ndo/statusCounter.php HTTP/1.1" 200 1301 "-" "-" WMn8e6wbzgcAAD9hECUAAAAB "-" /20170316/20170316-1046/20170316-104619-WMn8e6wbzgcAAD9hECUAAAAB 0 3572 md5:fb1b33bd7e3542398bc5ecdbaf3900ad
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:25 +0800] "POST /centreon/main.php?p=60301 HTTP/1.1" 200 114973 "-" "-" WMn8gKwbzgcAAD9nEXkAAAAH "-" /20170316/20170316-1046/20170316-104625-WMn8gKwbzgcAAD9nEXkAAAAH 0 125191 md5:d7c896371ed23c41d3a6de60bd8ee665
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:25 +0800] "GET /centreon/Themes/Centreon-2/Modalbox/Color/blue_css.php HTTP/1.1" 200 405 "-" "-" WMn8gawbzgcAAD9jEJgAAAAD "-" /20170316/20170316-1046/20170316-104625-WMn8gawbzgcAAD9jEJgAAAAD 0 1933 md5:a619803952ea0c0d989845cae63b5ee9
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:25 +0800] "GET /centreon/Themes/Centreon-2/Color/blue_css.php HTTP/1.1" 200 4959 "-" "-" WMn8gawbzgcAAD9lEQkAAAAF "-" /20170316/20170316-1046/20170316-104625-WMn8gawbzgcAAD9lEQkAAAAF 0 1928 md5:9741e7abd81da6d974c300e2d7cc7a8e
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:25 +0800] "GET /centreon/include/common/javascript/topCounterStatus/ajaxStatusCounter.js.php HTTP/1.1" 200 9962 "-" "-" WMn8gawbzgcAAD9mEUMAAAAG "-" /20170316/20170316-1046/20170316-104625-WMn8gawbzgcAAD9mEUMAAAAG 0 13495 md5:8bde9c0d7a769cdb013965349b81bc35
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:25 +0800] "GET /centreon/include/common/javascript/codebase/dhtmlxtree.php?sid=g03dvbmv1tpq9plgpqtm7reds3 HTTP/1.1" 200 66666 "-" "-" WMn8gawbzgcAAD9kEM8AAAAE "-" /20170316/20170316-1046/20170316-104625-WMn8gawbzgcAAD9kEM8AAAAE 0 70082 md5:1644ad8fe8b5359e6b68e8cdd3f191e5
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:25 +0800] "GET /centreon/include/common/javascript/autologoutXMLresponse.php?sid=g03dvbmv1tpq9plgpqtm7reds3 HTTP/1.1" 200 125 "-" "-" WMn8gawbzgcAAD9iEF4AAAAC "-" /20170316/20170316-1046/20170316-104625-WMn8gawbzgcAAD9iEF4AAAAC 0 2625 md5:b5b290b88891e8d91e0778eda26531a5
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:46:25 +0800] "POST /centreon/include/monitoring/status/TopCounter/xml/ndo/statusCounter.php HTTP/1.1" 200 1301 "-" "-" WMn8gawbzgcAAD9gD-YAAAAA "-" /20170316/20170316-1046/20170316-104625-WMn8gawbzgcAAD9gD-YAAAAA 0 3554 md5:a3103e533b037d0e66d393596c37958b
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:48:55 +0800] "POST /centreon/include/monitoring/status/TopCounter/xml/ndo/statusCounter.php HTTP/1.1" 200 1301 "-" "-" WMn9F6wbzgcAAD9hECYAAAAB "-" /20170316/20170316-1048/20170316-104855-WMn9F6wbzgcAAD9hECYAAAAB 0 3554 md5:5f1f86aff6d6b388e6970db4e6308248
172.27.206.7 172.26.18.108 - - [16/Mar/2017:10:48:55 +0800] "GET /centreon/include/common/javascript/autologoutXMLresponse.php?sid=g03dvbmv1tpq9plgpqtm7reds3 HTTP/1.1" 200 125 "-" "-" WMn9F6wbzgcAAD9nEXoAAAAH "-" /20170316/20170316-1048/20170316-104855-WMn9F6wbzgcAAD9nEXoAAAAH 0 2623 md5:f7ce6c112f2dc0522f2c37b83f21dfec
c)cat /usr/local/apache/audit/logs/audit/20170316/20170316-1034/20170316-103453-WMn5zawbzgcAAD9iEFAAAAAC
This file shows the complete transaction:
--1e2c2150-A--
[16/Mar/2017:10:34:53 +0800] WMn5zawbzgcAAD9iEFAAAAAC 172.26.18.108 49824 172.27.206.7 80
--1e2c2150-B--
GET /centreon/include/common/javascript/jquery/plugins/colorbox/images/border.png HTTP/1.1
Host: 172.27.206.7
Connection: keep-alive
Accept: image/webp,image/*,*/*;q=0.8
If-None-Match: "1c14bd-a3-54aac03e225b9"
If-Modified-Since: Tue, 14 Mar 2017 07:45:43 GMT
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36
Referer: http://172.27.206.7/centreon/main.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=g03dvbmv1tpq9plgpqtm7reds3
--1e2c2150-F--
HTTP/1.1 304 Not Modified
Last-Modified: Tue, 14 Mar 2017 07:45:43 GMT
ETag: "1c14bd-a3-54aac03e225b9"
Accept-Ranges: bytes
Content-Length: 0
Connection: close
Content-Type: image/png
--1e2c2150-E--
--1e2c2150-H--
Message: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: collection_retrieve_ex: Unable to retrieve collection (name "ip", key "172.26.18.108_cd85a82133a70fed9906fed8b8960aec0bf92efa"). Use SecDataDir to define data directory first.
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "172.27.206.7"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Stopwatch: 1489631693988843 1280 (- - -)
Stopwatch2: 1489631693988843 1280; combined=914, p1=175, p2=637, p3=22, p4=53, p5=27, sr=32, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache/2.2.15 (CentOS)
Engine-Mode: "DETECTION_ONLY"
--1e2c2150-Z--
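The per-transaction file above is plain text delimited by `--<id>-<part>--` markers, so it can be parsed without extra tooling. The following is an added example, not code from the original post, that splits such an entry into its parts and pulls out what an analyst triages first: client IP, request line, response status, CRS rule hits (id, msg, severity, data) and engine notices such as the SecDataDir message in part H; the sample entry is a trimmed copy of the one shown above.

```python
import re

# Constructed sample: one ModSecurity 2.x concurrent audit entry in the format
# shown above (parts A, B, F, H, Z), with most headers trimmed from the page.
SAMPLE = r"""--1e2c2150-A--
[16/Mar/2017:10:34:53 +0800] WMn5zawbzgcAAD9iEFAAAAAC 172.26.18.108 49824 172.27.206.7 80
--1e2c2150-B--
GET /centreon/include/common/javascript/jquery/plugins/colorbox/images/border.png HTTP/1.1
--1e2c2150-F--
HTTP/1.1 304 Not Modified
--1e2c2150-H--
Message: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
Message: Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "793"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.27.206.7"] [severity "WARNING"]
Engine-Mode: "DETECTION_ONLY"
--1e2c2150-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)   # part separators
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # [id "920350"] style pairs

def split_parts(entry):
    """Map each part letter (A, B, F, H, ...) to the text between its boundaries."""
    bounds = list(BOUNDARY.finditer(entry))
    parts = {}
    for i, m in enumerate(bounds):
        end = bounds[i + 1].start() if i + 1 < len(bounds) else len(entry)
        parts[m.group(2)] = entry[m.end():end].strip("\n")
    return parts

def parse_entry(entry):
    """Extract the facts an analyst triages: who, what, status, rule hits, engine notices."""
    parts = split_parts(entry)
    a = parts.get("A", "").split()  # [date tz] unique_id src_ip src_port dst_ip dst_port
    alerts, notes = [], []
    for line in parts.get("H", "").splitlines():
        if line.startswith("Message: "):
            fields = dict(FIELD.findall(line))
            if "id" in fields:      # a rule hit; messages without an id are engine notices
                alerts.append({k: fields.get(k) for k in ("id", "msg", "severity", "data")})
            else:
                notes.append(line[len("Message: "):])
    mode = re.search(r'^Engine-Mode: "(\w+)"', parts.get("H", ""), re.M)
    return {
        "unique_id": a[2] if len(a) > 2 else None,
        "client_ip": a[3] if len(a) > 3 else None,
        "request_line": parts.get("B", "").split("\n", 1)[0],
        "status": int(parts["F"].split()[1]) if parts.get("F") else None,
        "alerts": alerts, "engine_notes": notes, "engine_mode": mode.group(1) if mode else None,
    }
```

Run over a directory of these files, the `engine_notes` list surfaces configuration problems (here the missing SecDataDir) that would otherwise stay buried among rule hits.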
That concludes this article on setting up full HTTP audit logging with ModSecurity; we hope the articles we recommend are helpful to programmers!