From 429dd0528b1d1387fde80c01f7d4dfa7d548b0b6 Mon Sep 17 00:00:00 2001
From: Julien Godin
Date: Wed, 31 Jan 2024 17:39:59 +0100
Subject: [PATCH] feature: Allow to set the verbosity of the debug
Signed-off-by: Julien Godin
---
 manifests/mod/security.pp | 5 +++++
 spec/classes/mod/security_spec.rb | 2 ++
 templates/mod/security.conf.epp | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
index a64be57f8a..b64e8a3859 100644
--- a/manifests/mod/security.pp
+++ b/manifests/mod/security.pp
@@ -23,6 +23,9 @@
 # @param modsec_secruleengine
 # Configures the rules engine.
 #
+# @param debug_log_level
+# Configures the debug log level.
+#
 # @param audit_log_relevant_status
 # Configures which response status code is to be considered relevant for the purpose of audit logging.
 #
@@ -140,6 +143,7 @@
 Optional[Array[String]] $custom_rules_set = $apache::params::modsec_custom_rules_set,
 Stdlib::Absolutepath $modsec_dir = $apache::params::modsec_dir,
 String $modsec_secruleengine = $apache::params::modsec_secruleengine,
+ Integer[0, 9] $debug_log_level = 0,
 String $audit_log_relevant_status = '^(?:5|4(?!04))',
 String $audit_log_parts = $apache::params::modsec_audit_log_parts,
 String $audit_log_type = $apache::params::modsec_audit_log_type,
@@ -257,6 +261,7 @@
 'audit_log_parts' => $audit_log_parts,
 'audit_log_type' => $audit_log_type,
 'audit_log_storage_dir' => $audit_log_storage_dir,
+ 'debug_log_level' => $debug_log_level,
 'logroot' => $logroot,
 }
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
index ec41852199..0b58567ab4 100644
--- a/spec/classes/mod/security_spec.rb
+++ b/spec/classes/mod/security_spec.rb
@@ -103,6 +103,7 @@
 audit_log_parts: 'ABCDZ',
 audit_log_type: 'Concurrent',
 audit_log_storage_dir: '/var/log/httpd/audit',
+ debug_log_level: 3,
 secdefaultaction: 'deny,status:406,nolog,auditlog',
 secrequestbodyaccess: 'Off',
 secresponsebodyaccess: 'On',
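Review bot: The new `@param debug_log_level` description in manifests/mod/security.pp does not state the accepted range, the default, or why an operator should leave it low. The parameter hunk that follows constrains it to `Integer[0, 9]` with a default of `0`, and ModSecurity's higher debug levels are verbose, slow down request handling and can write request details into the debug log. I would word the doc as `#   Configures the ModSecurity debug log level (0-9, default 0). Levels above 3 are verbose and can record request data; keep 0 in production and raise it only while troubleshooting.`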
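Review bot: The spec covers only the explicit `debug_log_level: 3` case, in this params hunk and in the matching `SecDebugLogLevel 3` expectation in the next hunk, so neither the default nor the `Integer[0, 9]` bound is pinned by a test. Because 0 is the value that keeps debug logging off, I would add `it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecDebugLogLevel 0$} }` to the default-parameters context, plus a context with `debug_log_level: 10` asserting `it { is_expected.to compile.and_raise_error(%r{debug_log_level}) }`. The surrounding `context` blocks start and end outside the hunks, so the exact placement needs checking against the full spec file.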
@@ -116,6 +117,7 @@
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} }
+ it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecDebugLogLevel 3$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyLimitAction ProcessPartial$} }
 it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyLimitAction Reject$} }
diff --git a/templates/mod/security.conf.epp b/templates/mod/security.conf.epp
index dbca254b30..e2dc2241f9 100644
--- a/templates/mod/security.conf.epp
+++ b/templates/mod/security.conf.epp
@@ -44,7 +44,7 @@
 SecResponseBodyMimeType text/plain text/html text/xml
 SecResponseBodyLimit 524288
 SecResponseBodyLimitAction <%= $secresponsebodylimitaction %>
- SecDebugLogLevel 0
+ SecDebugLogLevel <%= $debug_log_level %>
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "<%= $audit_log_relevant_status %>"
 SecAuditLogParts <%= $audit_log_parts %>