1 ### SecAudit* directive tests
# Case "SecAuditEngine On": an ordinary GET of /test.txt must leave at least
# one character (qr/./) in the audit log.
6 comment => "SecAuditEngine On",
9 SecAuditLog $ENV{AUDIT_LOG}
# NOTE(review): the trailing 1 is presumably how long the harness waits for
# the match -- confirm against the test runner.
12 audit => [ qr/./, 1 ],
# NOTE(review): indirect-object call; HTTP::Request->new(...) parses
# unambiguously and is the form perlobj recommends.
17 request => new HTTP::Request(
18 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
# Case "SecAuditEngine Off": same request as the "On" case, but the "-audit"
# key expects the pattern NOT to appear, i.e. nothing reaches the audit log.
# NOTE(review): the leading "-" looks like the harness's negation marker --
# confirm against the test runner.
23 comment => "SecAuditEngine Off",
26 SecAuditLog $ENV{AUDIT_LOG}
29 -audit => [ qr/./, 1 ],
34 request => new HTTP::Request(
35 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
# Case "RelevantOnly (pos)": audit logging is limited to relevant
# transactions. The SecRule below matches any non-empty REQUEST_URI and
# denies in phase 4, so this request is expected to produce an audit entry.
40 comment => "SecAuditEngine RelevantOnly (pos)",
43 SecAuditEngine RelevantOnly
44 SecAuditLog $ENV{AUDIT_LOG}
45 SecDebugLog $ENV{DEBUG_LOG}
47 SecResponseBodyAccess On
48 SecDefaultAction "phase:2,log,auditlog,pass"
49 SecRule REQUEST_URI "." "phase:4,deny"
# Positive expectation: any character in the audit log satisfies the check.
52 audit => [ qr/./, 1 ],
57 request => new HTTP::Request(
58 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
# Case "RelevantOnly (neg)": same engine mode, but no SecRule appears among
# the visible directives; the "-audit" expectation asserts that an
# unremarkable request leaves the audit log empty.
63 comment => "SecAuditEngine RelevantOnly (neg)",
65 SecAuditEngine RelevantOnly
66 SecAuditLog $ENV{AUDIT_LOG}
67 SecResponseBodyAccess On
68 SecDefaultAction "phase:2,log,auditlog,pass"
71 -audit => [ qr/./, 1 ],
76 request => new HTTP::Request(
77 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
81 # SecAuditLogType & SecAuditLogStorageDir
# Case "SecAuditLogType Serial": entries are appended to the single
# SecAuditLog file; the request targets /bogus and some audit output is
# expected.
84 comment => "SecAuditLogType Serial",
87 SecAuditLog $ENV{AUDIT_LOG}
88 SecAuditLogType Serial
91 audit => [ qr/./, 1 ],
96 request => new HTTP::Request(
97 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/bogus",
# Case "SecAuditLogType Concurrent": SecAuditLog acts as an index and each
# transaction is written to its own file under SecAuditLogStorageDir. The
# Perl code below follows an index entry to that per-transaction file.
102 comment => "SecAuditLogType Concurrent",
105 SecAuditLog $ENV{AUDIT_LOG}
106 SecAuditLogType Concurrent
107 SecAuditLogStorageDir "$ENV{LOGS_DIR}/audit"
110 ### Perl code to parse the audit log entry and verify
111 ### that the concurrent audit log exists and contains
112 ### the correct data.
114 ### TODO: Need some API for this :)
# Index-line pattern: every field is non-capturing except two \S+ tokens,
# which the assignment below names $id and $fn.
118 my $alogre = qr/^(?:\S+)\ (?:\S+)\ (?:\S+)\ (?:\S+)\ \[(?:[^:]+):(?:\d+:\d+:\d+)\ (?:[^\]]+)\]\ \"(?:.*)\"\ (?:\d+)\ (?:\S+)\ \"(?:.*)\"\ \"(?:.*)\"\ (\S+)\ \"(?:.*)\"\ (\S+)\ (?:\d+)\ (?:\d+)\ (?:\S+)(?:.*)$/m;
119 my $alog = match_log("audit", $alogre, 1);
121 my @log = ($alog =~ m/$alogre/);
122 my($id, $fn) = ($log[0], $log[1]);
# NOTE(review): the condition guarding this dbg/die pair is not among the
# visible lines; presumably it fires when $id or $fn is missing.
124 dbg("LOG ENTRY: $alog");
125 die "Failed to parse audit log: $ENV{AUDIT_LOG}\n";
128 # Verify concurrent log exists
# The "audit" path component mirrors the SecAuditLogStorageDir value above.
# NOTE(review): $fn is taken from log content and appended without checking
# that the result stays under $ENV{LOGS_DIR}/audit. Acceptable while the
# harness is the only writer of that log -- confirm.
129 my $alogdatafn = "$ENV{LOGS_DIR}/audit$fn";
130 if (! -e "$alogdatafn") {
131 die "Audit log does not exist: $alogdatafn\n";
134 # Verify concurrent log contents
# With /s and no /m the pattern spans the whole buffer: it must open with an
# A boundary, contain $id somewhere, and close with the Z boundary.
# NOTE(review): $id is interpolated unescaped; \Q$id\E would keep any regex
# metacharacter in the logged ID literal.
135 if (defined match_file($alogdatafn, qr/^--[^-]+-A--.*$id.*-Z--$/s)) {
# Failure path: dump the buffered file contents (presumably filled in by
# match_file -- confirm) and abort the test.
140 dbg("LOGDATA: \"$FILE{$alogdatafn}{buf}\"");
141 die "Audit log data did not match.\n";
146 request => new HTTP::Request(
147 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
151 # SecAuditLogRelevantStatus
# Case "SecAuditLogRelevantStatus (pos)": with RelevantOnly and the status
# pattern "^4", a request for /bogus (presumably answered with a 4xx) must
# be audit-logged.
154 comment => "SecAuditLogRelevantStatus (pos)",
156 SecAuditEngine RelevantOnly
157 SecAuditLog $ENV{AUDIT_LOG}
158 SecAuditLogRelevantStatus "^4"
161 audit => [ qr/./, 1 ],
166 request => new HTTP::Request(
167 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/bogus",
# Case "SecAuditLogRelevantStatus (neg)": same configuration, but the request
# is for /test.txt (presumably answered with a non-4xx status), so the
# "-audit" expectation asserts that no audit entry is written.
172 comment => "SecAuditLogRelevantStatus (neg)",
174 SecAuditEngine RelevantOnly
175 SecAuditLog $ENV{AUDIT_LOG}
176 SecAuditLogRelevantStatus "^4"
179 -audit => [ qr/./, 1 ],
184 request => new HTTP::Request(
185 GET => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
# Case "SecAuditLogParts (minimal)": with parts "AZ" the entry must contain
# the A and Z boundaries and no boundary for any part lettered B through Y,
# even though request and response body access are both switched on.
192 comment => "SecAuditLogParts (minimal)",
195 SecAuditLog $ENV{AUDIT_LOG}
196 SecRequestBodyAccess On
197 SecResponseBodyAccess On
198 SecAuditLogParts "AZ"
# /s lets .* span the lines between the two boundaries.
201 audit => [ qr/-A--.*-Z--/s, 1 ],
202 -audit => [ qr/-[B-Y]--/, 1 ],
207 request => new HTTP::Request(
208 POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
210 "Content-Type" => "application/x-www-form-urlencoded",
# Case "SecAuditLogParts (default)": no SecAuditLogParts line appears among
# the visible directives, so the module's built-in part list presumably
# applies. The entry must contain A, B, F, H, Z in that order and none of
# D, E, G, I, J, K; part C is not checked either way.
217 comment => "SecAuditLogParts (default)",
220 SecAuditLog $ENV{AUDIT_LOG}
221 SecRequestBodyAccess On
222 SecResponseBodyAccess On
225 audit => [ qr/-A--.*-B--.*-F--.*-H--.*-Z--/s, 1 ],
226 -audit => [ qr/-[DEGIJK]--/, 1 ],
231 request => new HTTP::Request(
232 POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
234 "Content-Type" => "application/x-www-form-urlencoded",
# Case "SecAuditLogParts (all)": every part letter is requested, and a
# phase-4 SecAction with log,auditlog is added (presumably so the
# matched-rules part K has content). The entry must show A, B, C, F, E, H,
# K, Z in that order; F precedes E in the pattern.
241 comment => "SecAuditLogParts (all)",
245 SecAuditLog $ENV{AUDIT_LOG}
246 SecRequestBodyAccess On
247 SecResponseBodyAccess On
248 SecAuditLogParts "ABCDEFGHIJKZ"
249 SecAction "phase:4,log,auditlog,allow"
# NOTE(review): the part patterns are not anchored to the full
# "--<boundary>-X--" line, so logged body text containing e.g. "-E--" could
# satisfy them; confirm that is acceptable for this fixture.
252 audit => [ qr/-A--.*-B--.*-C--.*-F--.*-E--.*-H--.*-K--.*-Z--/s, 1 ],
257 request => new HTTP::Request(
258 POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/test.txt",
260 "Content-Type" => "application/x-www-form-urlencoded",