
Enable modsecurity in nginx-ingress deployments

Lucas Charles requested to merge 65192-enable-modsecurity-in-ingress into master

What does this MR do?

Issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/65192

This MR enables nginx-ingress's modsecurity addon in detection-only mode, logging every request that violates the ModSecurity Core Rule Set. By default this logs to /var/log/modsec_audit.log, so the current way of retrieving this log data is by tailing that file:

Example usage

Request

 ❯ curl -kI "https://test-nodejs.34.83.241.84.nip.io?username=1'%20or%20'1'%20=%20'"

HTTP/2 200
server: openresty/1.15.8.1
date: Wed, 28 Aug 2019 19:15:21 GMT
content-type: text/html; charset=utf-8
content-length: 170
x-powered-by: Express
etag: W/"aa-z+ebXSEdArbZ+EXlN/WQjf6HV8c"
strict-transport-security: max-age=15724800; includeSubDomains

Logs

 ❯ kubectl -n gitlab-managed-apps exec -it ingress-nginx-ingress-controller-68977dd7f6-bz5n4 -- tail -f /var/log/modsec_audit.log

---FrqqUKH2---A--
[28/Aug/2019:19:15:21 +0000] 156701972122.664396 10.56.1.1 64758 10.56.1.1 443
---FrqqUKH2---B--
HEAD /?username=1'%20or%20'1'%20=%20' HTTP/2.0
host: test-nodejs.34.83.241.84.nip.io
user-agent: curl/7.54.0
accept: */*

---FrqqUKH2---D--

---FrqqUKH2---F--
HTTP/2.0 200
Server: openresty/1.15.8.1
Date: Wed, 28 Aug 2019 19:15:21 GMT
Content-Length: 170
Content-Type: text/html; charset=utf-8
Connection: close
X-Powered-By: Express
ETag: W/"aa-z+ebXSEdArbZ+EXlN/WQjf6HV8c"
Strict-Transport-Security: max-age=15724800; includeSubDomains

---FrqqUKH2---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:username: 1' or '1' = '"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref "v16,13"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection; individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "10.56.1.1"] [uri "/"] [unique_id "156701972122.664396"] [ref ""]

---FrqqUKH2---I--

---FrqqUKH2---J--

---FrqqUKH2---Z--
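
To turn the tailed audit log into something a responder can act on, here is an added parser (example code, not part of this MR) for the native audit format shown above. It groups lines by transaction id and section letter, pulls the `[key "value"]` fields out of the section H rule messages, and reports which CRS rules fired and whether the inbound anomaly score reached the default blocking threshold of 5, i.e. what the CRS would deny once detection-only mode is switched off. The sample entry is a trimmed copy of the log above; the threshold default is an assumption taken from the 949110 rule message.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the native-format audit entry that
# nginx-ingress writes to /var/log/modsec_audit.log (taken from the MR above).
SAMPLE_LOG = """---FrqqUKH2---A--
[28/Aug/2019:19:15:21 +0000] 156701972122.664396 10.56.1.1 64758 10.56.1.1 443
---FrqqUKH2---B--
HEAD /?username=1'%20or%20'1'%20=%20' HTTP/2.0
host: test-nodejs.34.83.241.84.nip.io
---FrqqUKH2---H--
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/"]
---FrqqUKH2---Z--
"""

SECTION_RE = re.compile(r"^---(?P<tx>[A-Za-z0-9]+)---(?P<part>[A-Z])--$")
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [key "value"] pairs
SCORE_RE = re.compile(r"Total (?:Inbound )?Score: (\d+)")

def parse_audit_log(text):
    """Group audit-log lines by transaction id and section letter (A, B, H, ...)."""
    txs = defaultdict(lambda: defaultdict(list))
    tx = part = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tx, part = m.group("tx"), m.group("part")
        elif tx and line.strip():
            txs[tx][part].append(line)
    return txs

def rule_hits(h_lines):
    """Extract the bracketed fields from each 'ModSecurity:' line in section H."""
    return [dict(FIELD_RE.findall(l)) for l in h_lines if l.startswith("ModSecurity:")]

def summarize(text, block_threshold=5):
    """Per transaction: request line, CRS rule ids hit, reported anomaly score,
    and whether the CRS would have blocked it outside detection-only mode."""
    summary = {}
    for tx, parts in parse_audit_log(text).items():
        hits = rule_hits(parts.get("H", []))
        scores = [int(s) for h in hits for s in SCORE_RE.findall(h.get("msg", ""))]
        score = max(scores, default=0)
        summary[tx] = {"request": parts.get("B", [""])[0],
                       "rule_ids": [h.get("id") for h in hits],
                       "anomaly_score": score, "would_block": score >= block_threshold}
    return summary
```

Feeding the output of the `kubectl ... tail` command above through `summarize` gives one record per audited transaction, which is enough to count would-block events while establishing the performance baseline.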

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Performance and Testing

Adding WIP until performance testing has been performed. Impact should be minimal, but we need to establish a baseline for the overhead this additional analysis adds to requests.

Edited by Mayra Cabrera
