Enable modsecurity in nginx-ingress deployments
What does this MR do?
Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/65192
This MR enables nginx-ingress's modsecurity addon to run in "Detection-only mode", logging all requests that violate the ModSecurity Core Rule Set. By default this logs to /var/log/modsec_audit.log, so the current way of retrieving this log data is by tailing that file:
Example usage
Request
❯ curl -kI "https://test-nodejs.34.83.241.84.nip.io?username=1'%20or%20'1'%20=%20'"
HTTP/2 200
server: openresty/1.15.8.1
date: Wed, 28 Aug 2019 19:15:21 GMT
content-type: text/html; charset=utf-8
content-length: 170
x-powered-by: Express
etag: W/"aa-z+ebXSEdArbZ+EXlN/WQjf6HV8c"
strict-transport-security: max-age=15724800; includeSubDomains
Logs
❯ kubectl -n gitlab-managed-apps exec -it ingress-nginx-ingress-controller-68977dd7f6-bz5n4 -- tail -f /var/log/modsec_audit.log
---FrqqUKH2---A--
[28/Aug/2019:19:15:21 +0000] 156701972122.664396 10.56.1.1 64758 10.56.1.1 443
---FrqqUKH2---B--
HEAD /?username=1'%20or%20'1'%20=%20' HTTP/2.0
host: test-nodejs.34.83.241.84.nip.io
user-agent: curl/7.54.0
accept: */*
---FrqqUKH2---D--
---FrqqUKH2---F--
HTTP/2.0 200
Server: openresty/1.15.8.1
Date: Wed, 28 Aug 2019 19:15:21 GMT
Content-Length: 170
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: Express
ETag: W/"aa-z+ebXSEdArbZ+EXlN/WQjf6HV8c"
Strict-Transport-Security: max-age=15724800; includeSubDomains
---FrqqUKH2---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: 1' or '1' = '"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref "v16,13"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection; individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]
---FrqqUKH2---I--
---FrqqUKH2---J--
---FrqqUKH2---Z--
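As an added example (not part of this MR, nginx-ingress or the ModSecurity project), the script below parses the native-format audit log shown above instead of reading a tail by eye, and reports which transactions the CRS would have denied had the engine been set to On rather than DetectionOnly. The test it applies is whether the CRS blocking-evaluation rule 949110 fired, which in detection-only mode is logged as a Warning rather than enforced. The embedded sample's first transaction is the FrqqUKH2 entry from the log above; the second (id Ab12Cd34) is a constructed clean request added for contrast.

```python
"""Parse ModSecurity v3 native audit logs (the /var/log/modsec_audit.log format
above) and report requests the CRS would have blocked. A transaction is a run
of sections delimited by '---<id>---<letter>--': A holds timestamp/addresses,
B the request, F the response, H one 'ModSecurity:' line per matched rule."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^---([A-Za-z0-9]+)---([A-Z])--$")
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "942100"] [msg "..."] pairs in section H
BLOCKING_RULE_ID = "949110"  # CRS inbound blocking evaluation; only logs in DetectionOnly


@dataclass
class Alert:
    rule_id: str
    msg: str
    severity: str
    tags: list


@dataclass
class Transaction:
    tx_id: str
    timestamp: str = ""
    client_ip: str = ""
    request_line: str = ""
    status: str = ""
    alerts: list = field(default_factory=list)

    def would_block(self) -> bool:
        """True when rule 949110 fired: SecRuleEngine On would have denied this request."""
        return any(a.rule_id == BLOCKING_RULE_ID for a in self.alerts)


def parse_alert(line: str) -> Alert:
    """Extract the bracketed key/value pairs from one 'ModSecurity:' audit line."""
    pairs = KV_RE.findall(line)
    fields = {k: v for k, v in pairs if k != "tag"}
    tags = [v for k, v in pairs if k == "tag"]
    return Alert(fields.get("id", ""), fields.get("msg", ""), fields.get("severity", ""), tags)


def parse_audit_log(text: str) -> list:
    """Split the log into transactions; returned in file order."""
    transactions, current, section = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tx_id, section = m.groups()
            if section == "A":
                current = Transaction(tx_id)
            elif section == "Z" and current is not None:
                transactions.append(current)
                current = None
            continue
        if current is None or not line.strip():
            continue
        if section == "A":   # "[timestamp tz] unique_id client_ip client_port server_ip server_port"
            parts = line.split()
            current.timestamp = parts[0][1:] + " " + parts[1][:-1]
            current.client_ip = parts[3]
        elif section == "B" and not current.request_line:
            current.request_line = line
        elif section == "F" and not current.status:
            current.status = line.split()[1]   # status line, e.g. "HTTP/2.0 200"
        elif section == "H" and line.startswith("ModSecurity:"):
            current.alerts.append(parse_alert(line))
    return transactions


def would_be_blocked(text: str) -> list:
    """Transactions that were only let through because the engine is in DetectionOnly mode."""
    return [tx for tx in parse_audit_log(text) if tx.would_block()]


# Sample log: FrqqUKH2 is the transaction shown in this MR; Ab12Cd34 is a
# constructed clean request (hypothetical id) used for contrast.
SAMPLE_AUDIT_LOG = """---FrqqUKH2---A--
[28/Aug/2019:19:15:21 +0000] 156701972122.664396 10.56.1.1 64758 10.56.1.1 443
---FrqqUKH2---B--
HEAD /?username=1'%20or%20'1'%20=%20' HTTP/2.0
host: test-nodejs.34.83.241.84.nip.io
---FrqqUKH2---F--
HTTP/2.0 200
---FrqqUKH2---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: 1' or '1' = '"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref "v16,13"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection; individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]
---FrqqUKH2---Z--
---Ab12Cd34---A--
[28/Aug/2019:19:16:02 +0000] 156701976201.112233 10.56.1.1 64760 10.56.1.1 443
---Ab12Cd34---B--
GET / HTTP/2.0
---Ab12Cd34---F--
HTTP/2.0 200
---Ab12Cd34---H--
---Ab12Cd34---Z--
"""

if __name__ == "__main__":
    for tx in would_be_blocked(SAMPLE_AUDIT_LOG):
        print(f"{tx.timestamp} {tx.client_ip} {tx.request_line!r} -> HTTP {tx.status}, "
              f"would be blocked; rules: {[a.rule_id for a in tx.alerts]}")
```

To use it against a live controller, feed it the output of the kubectl tail above (for example `kubectl ... exec ... -- cat /var/log/modsec_audit.log | python3 parse_modsec.py`, reading stdin instead of the embedded sample). Because the file is written inside the ingress controller's container and is lost when the pod restarts, shipping or parsing it regularly, rather than tailing it interactively, is what turns detection-only mode into a usable baseline for the later switch to blocking.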
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Performance and Testing
Adding WIP until performance testing has been performed. Impact should be minimal, but we need to establish a baseline for what this additional analysis adds to requests.
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Lucas Charles