
Enable modsecurity in nginx-ingress deployments

Lucas Charles requested to merge 65192-enable-modsecurity-in-ingress-ce into master

What does this MR do?

Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/65192

This MR enables nginx-ingress's modsecurity addon to run "Detection-only mode" by logging all requests that violate the Modsecurity Core Rule Set. By default this logs to /var/log/modsec_audit.log, so the current way of retrieving this log data is by tailing that file:

Example usage

Request
 ❯ curl -kI "https://test-nodejs.34.83.241.84.nip.io?username=1'%20or%20'1'%20=%20'"

HTTP/2 200
server: openresty/1.15.8.1
date: Wed, 28 Aug 2019 19:15:21 GMT
content-type: text/html; charset=utf-8
content-length: 170
x-powered-by: Express
etag: W/"aa-z+ebXSEdArbZ+EXlN/WQjf6HV8c"
strict-transport-security: max-age=15724800; includeSubDomains
Logs
 ❯ kubectl -n gitlab-managed-apps exec -it ingress-nginx-ingress-controller-68977dd7f6-bz5n4 -- tail -f /var/log/modsec_audit.log

---FrqqUKH2---A--
[28/Aug/2019:19:15:21 +0000] 156701972122.664396 10.56.1.1 64758 10.56.1.1 443
---FrqqUKH2---B--
HEAD /?username=1'%20or%20'1'%20=%20' HTTP/2.0
host: test-nodejs.34.83.241.84.nip.io
user-agent: curl/7.54.0
accept: */*

---FrqqUKH2---D--

---FrqqUKH2---F--
HTTP/2.0 200
Server: openresty/1.15.8.1
Date: Wed, 28 Aug 2019 19:15:21 GMT
Content-Length: 170
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: Express
ETag: W/"aa-z+ebXSEdArbZ+EXlN/WQjf6HV8c"
Strict-Transport-Security: max-age=15724800; includeSubDomains

---FrqqUKH2---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: 1' or '1' = '"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref "v16,13"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection; individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]

---FrqqUKH2---I--

---FrqqUKH2---J--

---FrqqUKH2---Z--

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Performance and Testing

Adding WIP until performance testing has been performed. Impact should be minimal but we need to establish a baseline that this additional analysis adds to requests.

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Lucas Charles
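The MR leaves retrieval of the audit data at `tail -f /var/log/modsec_audit.log`. The block below is an added example and is not code from the MR, from GitLab or from nginx-ingress: it turns the libmodsecurity v3 serial audit format shown above into structured events by splitting on the `---id---X--` section markers, reading the client address, request line and response status from sections A, B and F, parsing the `[key "value"]` fields of each rule message in section H, and flagging transactions where CRS rule 949110 reported the anomaly threshold exceeded while the upstream still answered 2xx, which is exactly what "Detection-only mode" produces. The sample log is constructed: the first transaction is trimmed from the entry above, the second (the same probe answered with a 403 under blocking mode) and its id are invented, and `Transaction`, `parse_audit_log` and `verdict` are names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample. The first transaction is trimmed from the audit entry shown in the MR
# (the SQLi probe that DetectionOnly mode let through with a 200); the second is invented to
# show the same probe once SecRuleEngine is On and CRS rule 949110 denies it with a 403.
SAMPLE_AUDIT_LOG = """\
---FrqqUKH2---A--
[28/Aug/2019:19:15:21 +0000] 156701972122.664396 10.56.1.1 64758 10.56.1.1 443
---FrqqUKH2---B--
HEAD /?username=1'%20or%20'1'%20=%20' HTTP/2.0
host: test-nodejs.34.83.241.84.nip.io
---FrqqUKH2---F--
HTTP/2.0 200
---FrqqUKH2---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: 1' or '1' = '"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [uri "/"] [unique_id "156701972122.664396"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [tag "attack-generic"] [uri "/"] [unique_id "156701972122.664396"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection; individual paranoia level scores: 5, 0, 0, 0"] [severity "0"] [tag "event-correlation"] [uri "/"] [unique_id "156701972122.664396"]
---FrqqUKH2---Z--
---Zz9Block1---A--
[28/Aug/2019:19:17:40 +0000] 156701986033.000002 10.56.1.1 64762 10.56.1.1 443
---Zz9Block1---B--
GET /?username=1'%20or%20'1'%20=%20' HTTP/2.0
---Zz9Block1---F--
HTTP/2.0 403
---Zz9Block1---H--
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"] [unique_id "156701986033.000002"]
---Zz9Block1---Z--
"""

SECTION_RE = re.compile(r"^---(?P<txid>[^-]+)---(?P<part>[A-Z])--$")
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')      # [key "value"] pairs on a section-H line
TOTAL_SCORE_RE = re.compile(r"Total (?:Inbound )?Score: (\d+)")

@dataclass
class Transaction:
    txid: str
    unique_id: str = ""
    client_ip: str = ""
    method: str = ""
    uri: str = ""
    status: Optional[int] = None
    hits: List[Dict[str, str]] = field(default_factory=list)  # parsed fields of each matched rule

    def anomaly_score(self) -> int:
        """Inbound anomaly score as reported by the CRS blocking-evaluation rule 949110."""
        found = [TOTAL_SCORE_RE.search(h.get("msg", "")) for h in self.hits if h["id"] == "949110"]
        return int(found[0].group(1)) if found and found[0] else 0

def parse_audit_log(text: str) -> List[Transaction]:
    """Split the serial audit log on its ---id---X-- markers and build one Transaction per id."""
    raw: List[tuple] = []                             # (txid, {section letter: [lines]})
    txid = part = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m and m.group("part") == "A":              # section A opens a new transaction
            txid, part = m.group("txid"), "A"
            raw.append((txid, {}))
        elif m and m.group("txid") == txid:
            part = m.group("part")
        elif m:                                       # orphan section: skip until the next A
            txid = ""
        elif txid:
            raw[-1][1].setdefault(part, []).append(line)
    return [_build(tid, secs) for tid, secs in raw]

def _build(txid: str, sec: Dict[str, List[str]]) -> Transaction:
    tx = Transaction(txid=txid)
    m = re.match(r"^\[.+?\] (\S+) (\S+) \d+ \S+ \d+$", sec.get("A", [""])[0])  # [ts] id src sport dst dport
    if m:
        tx.unique_id, tx.client_ip = m.groups()
    req = sec.get("B", [""])[0].split()               # request line "METHOD URI HTTP/x" precedes the headers
    if len(req) == 3 and req[2].startswith("HTTP/"):
        tx.method, tx.uri = req[0], req[1]
    m = re.match(r"^HTTP/\S+ (\d{3})", sec.get("F", [""])[0])  # response status line "HTTP/2.0 200"
    if m:
        tx.status = int(m.group(1))
    for line in sec.get("H", []):                     # one "ModSecurity: ..." line per matched rule
        fields = dict(FIELD_RE.findall(line))         # repeated keys such as [tag ...] keep the last value
        if line.startswith("ModSecurity: ") and "id" in fields:
            tx.hits.append(fields)
    return tx

def verdict(tx: Transaction, threshold: int = 5) -> str:
    """'detected-only' is the DetectionOnly signature: the blocking rule fired but the upstream still answered < 400."""
    if not tx.hits:
        return "clean"
    if tx.anomaly_score() < threshold:
        return "below-threshold"
    if tx.status is not None and tx.status >= 400:
        return "blocked"
    return "detected-only"

if __name__ == "__main__":
    for tx in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{tx.client_ip} {tx.method} {tx.uri} -> {tx.status} score={tx.anomaly_score()} "
              f"rules={[h['id'] for h in tx.hits]} verdict={verdict(tx)}")
```

Feed it the output of the `kubectl exec ... tail` command from the description (or the file itself) and every `detected-only` line is a request the CRS would have denied had the engine been switched from DetectionOnly to On; counting those per rule id before flipping the mode is the baseline for deciding which rules need tuning. The threshold of 5 matches the `Ge 5` comparison visible in the 949110 message, which is the CRS 3.x default.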
