From 3c58ec686bcf011bb452e9ba300b535e658c20da Mon Sep 17 00:00:00 2001 From: Tames McTigue Date: Thu, 28 Nov 2024 13:24:55 +0300 Subject: [PATCH 1/5] Adding ModSecurity parameter for audit log format. --- manifests/mod/security.pp | 6 ++++++ manifests/params.pp | 1 + spec/classes/mod/security_spec.rb | 2 ++ templates/mod/security.conf.epp | 3 +++ 4 files changed, 12 insertions(+) diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index a64be57f8a..4247ddf8c4 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -32,6 +32,10 @@ # # @param audit_log_type # Defines the type of audit logging mechanism to be used. +# +# @param audit_log_format +# Defines what format the logs should be written in. Accepts `Native` and `JSON`. +# Default value: Native # # @param audit_log_storage_dir # Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used. @@ -143,6 +147,7 @@ String $audit_log_relevant_status = '^(?:5|4(?!04))', String $audit_log_parts = $apache::params::modsec_audit_log_parts, String $audit_log_type = $apache::params::modsec_audit_log_type, + Enum['Native', 'JSON'] $audit_log_format = $apache::params::modsec_audit_log_format, Optional[Stdlib::Absolutepath] $audit_log_storage_dir = undef, Integer $secpcrematchlimit = $apache::params::secpcrematchlimit, Integer $secpcrematchlimitrecursion = $apache::params::secpcrematchlimitrecursion, @@ -256,6 +261,7 @@ 'audit_log_relevant_status' => $audit_log_relevant_status, 'audit_log_parts' => $audit_log_parts, 'audit_log_type' => $audit_log_type, + 'audit_log_format' => $audit_log_format, 'audit_log_storage_dir' => $audit_log_storage_dir, 'logroot' => $logroot, } diff --git a/manifests/params.pp b/manifests/params.pp index be3fd6b24d..113b5939ce 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
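Review bot: The `@param audit_log_format` description added in the first manifests/mod/security.pp hunk does not tell operators that `JSON` depends on how ModSecurity was built. As far as I know, the ModSecurity reference manual says JSON audit logging is only available when the module is compiled with YAJL, so on a build without it the rendered `SecAuditLogFormat JSON` line would likely be rejected when Apache loads the configuration. I would extend the description with `#   JSON requires a ModSecurity build with YAJL support; with Native no SecAuditLogFormat directive is written.` It is also worth noting there that log shippers and SIEM parsers reading the audit log must be switched together with this setting, or audit events may stop being parsed. The class body starts and ends outside these hunks.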
@@ -36,6 +36,7 @@ $modsec_audit_log_parts = 'ABIJDEFHZ' $modsec_audit_log_type = 'Serial' + $modsec_audit_log_format = 'Native' $modsec_custom_rules = false $modsec_custom_rules_set = undef diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb index ec41852199..a1c457457b 100644 --- a/spec/classes/mod/security_spec.rb +++ b/spec/classes/mod/security_spec.rb @@ -102,6 +102,7 @@ audit_log_relevant_status: '^(?:5|4(?!01|04))', audit_log_parts: 'ABCDZ', audit_log_type: 'Concurrent', + audit_log_format: 'JSON', audit_log_storage_dir: '/var/log/httpd/audit', secdefaultaction: 'deny,status:406,nolog,auditlog', secrequestbodyaccess: 'Off', @@ -114,6 +115,7 @@ it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogRelevantStatus "\^\(\?:5\|4\(\?!01\|04\)\)"$} } it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogParts ABCDZ$} } it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogType Concurrent$} } + it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogFormat JSON$} } it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecAuditLogStorageDir /var/log/httpd/audit$} } it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecRequestBodyAccess Off$} } it { is_expected.to contain_file('security.conf').with_content %r{^\s+SecResponseBodyAccess On$} } diff --git a/templates/mod/security.conf.epp b/templates/mod/security.conf.epp index dbca254b30..4e6a6e789e 100644 --- a/templates/mod/security.conf.epp +++ b/templates/mod/security.conf.epp @@ -49,6 +49,9 @@ SecAuditLogRelevantStatus "<%= $audit_log_relevant_status %>" SecAuditLogParts <%= $audit_log_parts %> SecAuditLogType <%= $audit_log_type %> + <%- if $audit_log_format == 'JSON' { -%> + SecAuditLogFormat JSON + <%- } -%> <%- if $audit_log_storage_dir { -%> SecAuditLogStorageDir <%= $audit_log_storage_dir %> <%- } -%> 
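Review bot: Only the `JSON` path is asserted in spec/classes/mod/security_spec.rb; nothing checks that the default `Native` leaves `SecAuditLogFormat` out of security.conf, which is the behaviour the template's conditional exists to provide. In the context that uses default parameters I would add `it { is_expected.to contain_file('security.conf').without_content %r{SecAuditLogFormat} }`. The surrounding `context` block starts and ends outside these hunks, so the right place for that assertion needs to be confirmed against the full spec file.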
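Review bot: With `audit_log_format => 'Native'` the conditional in templates/mod/security.conf.epp writes nothing, so the effective format is whatever the module default or another included configuration file sets. The parameter therefore cannot force Native back on a host that already sets JSON elsewhere. If omitting the directive is deliberate (presumably to keep the file loadable on ModSecurity builds that do not know `SecAuditLogFormat`), say so in the template, e.g. `<%# Native is the module default; the directive is omitted so older ModSecurity builds still load this file -%>`. Otherwise render it unconditionally as `SecAuditLogFormat <%= $audit_log_format %>`. The enclosing configuration block starts and ends outside the hunk.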
From db12e0eb3a29d182d632edde6e414c98d1063925 Mon Sep 17 00:00:00 2001 From: Tames McTigue Date: Thu, 28 Nov 2024 13:47:00 +0300 Subject: [PATCH 2/5] Update REFERENCE.md with new parameter --- REFERENCE.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/REFERENCE.md b/REFERENCE.md index 69c53e1b16..dc4f80aff3 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -6075,6 +6075,7 @@ The following parameters are available in the `apache::mod::security` class: * [`audit_log_relevant_status`](#-apache--mod--security--audit_log_relevant_status) * [`audit_log_parts`](#-apache--mod--security--audit_log_parts) * [`audit_log_type`](#-apache--mod--security--audit_log_type) +* [`audit_log_format`](#-apache--mod--security--audit_log_format) * [`audit_log_storage_dir`](#-apache--mod--security--audit_log_storage_dir) * [`secpcrematchlimit`](#-apache--mod--security--secpcrematchlimit) * [`secpcrematchlimitrecursion`](#-apache--mod--security--secpcrematchlimitrecursion) @@ -6194,6 +6195,15 @@ Defines the type of audit logging mechanism to be used. Default value: `$apache::params::modsec_audit_log_type` +##### `audit_log_format` + +Data type: `Enum['Native', 'JSON']` + +Defines what format the logs should be written in. Accepts `Native` and `JSON`. +Default value: Native + +Default value: `$apache::params::modsec_audit_log_format` + ##### `audit_log_storage_dir` Data type: `Optional[Stdlib::Absolutepath]` From b085de66e5edf1e32fa0c4cebffb0c26ef4bffcb Mon Sep 17 00:00:00 2001 From: Tames McTigue Date: Thu, 28 Nov 2024 13:48:37 +0300 Subject: [PATCH 3/5] Fixed docstring to fit existing format --- REFERENCE.md | 1 - manifests/mod/security.pp | 1 - 2 files changed, 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index dc4f80aff3..14f2138a57 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -6200,7 +6200,6 @@ Default value: `$apache::params::modsec_audit_log_type` Data type: `Enum['Native', 'JSON']` Defines what format the logs should be written in. Accepts `Native` and `JSON`. -Default value: Native Default value: `$apache::params::modsec_audit_log_format` diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 4247ddf8c4..839b90e36d 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -35,7 +35,6 @@ # # @param audit_log_format # Defines what format the logs should be written in. Accepts `Native` and `JSON`. -# Default value: Native # # @param audit_log_storage_dir # Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used. From 72ceff36afb48d194b882a25b78c13721e4c758d Mon Sep 17 00:00:00 2001 From: Tames McTigue Date: Sun, 5 Jan 2025 13:15:01 +0300 Subject: [PATCH 4/5] Following smortex's suggestions --- manifests/mod/security.pp | 4 ++-- manifests/params.pp | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index 839b90e36d..95726f0905 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -34,7 +34,7 @@ # Defines the type of audit logging mechanism to be used. # # @param audit_log_format -# Defines what format the logs should be written in. Accepts `Native` and `JSON`. +# Defines what format the logs should be written in. # # @param audit_log_storage_dir # Defines the directory where concurrent audit log entries are to be stored. This directive is only needed when concurrent audit logging is used. 
@@ -146,7 +146,7 @@ String $audit_log_relevant_status = '^(?:5|4(?!04))', String $audit_log_parts = $apache::params::modsec_audit_log_parts, String $audit_log_type = $apache::params::modsec_audit_log_type, - Enum['Native', 'JSON'] $audit_log_format = $apache::params::modsec_audit_log_format, + Enum['Native', 'JSON'] $audit_log_format = 'Native', Optional[Stdlib::Absolutepath] $audit_log_storage_dir = undef, Integer $secpcrematchlimit = $apache::params::secpcrematchlimit, Integer $secpcrematchlimitrecursion = $apache::params::secpcrematchlimitrecursion, diff --git a/manifests/params.pp b/manifests/params.pp index 113b5939ce..be3fd6b24d 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -36,7 +36,6 @@ $modsec_audit_log_parts = 'ABIJDEFHZ' $modsec_audit_log_type = 'Serial' - $modsec_audit_log_format = 'Native' $modsec_custom_rules = false $modsec_custom_rules_set = undef From 8a10df5694b84cb5b58aeb2d3c1d8228089f89d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Mon, 6 Jan 2025 14:30:11 -1000 Subject: [PATCH 5/5] Regenerate REFERENCE.md --- REFERENCE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 14f2138a57..8c84b6ca0a 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -6199,9 +6199,9 @@ Default value: `$apache::params::modsec_audit_log_type` Data type: `Enum['Native', 'JSON']` -Defines what format the logs should be written in. Accepts `Native` and `JSON`. +Defines what format the logs should be written in. -Default value: `$apache::params::modsec_audit_log_format` +Default value: `'Native'` ##### `audit_log_storage_dir`