Preventing an Apache 2 Server from Logging Sensitive Data


Solution 1

Apache 2 by default logs the entire request URI including query string of every request.

What is a straight forward way to prevent an Apache 2 web server from logging sensitive data, for example passwords, credit card numbers, etc., but still log the rest of the request?

Am I reading right, that you are sending sensitive information in the URI as a QueryString? I would suggest changing the application so it does not do so in the first place.

Then there would be no requirement to change Apache, since it does not do any such thing by default.

Solution 2

You can mask the passwords before they end up in access.log by combining a CustomLog directive with a bit of sed magic (as instructed in https://stackoverflow.com/a/9473943/102170):

This would replace every occurrence of password=secret with password=[FILTERED] in /your/path/access.log:

CustomLog "|/bin/sed -u -E s/'password=[^& \t\n]*'/'password=\[FILTERED\]'/g >> /your/path/access.log" combined

That being said, it would be best to avoid putting sensitive data in the query strings if possible.
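The following shell script is an added example and not part of the answer above: it feeds constructed access.log lines through the same kind of sed substitution as the CustomLog pipe, so the filter can be checked offline before it is wired into the server. The extra parameter names (passwd, card_number), the sample lines and the log path are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original answer: run the sed masking used in the
# CustomLog pipe over constructed access.log lines so it can be checked offline.
# Parameter names other than "password" are assumptions for the demonstration.

# Mask the values of the listed query parameters wherever they occur in a log line.
# Unlike the answer's one-liner this anchors on the "?" or "&" before the name, so a
# search term such as q=password is left alone, and it stops at a closing quote so
# the rest of a quoted field (request line or Referer) is preserved.
mask_log() {
    sed -E 's/([?&])(password|passwd|card_number)=[^& "]*/\1\2=[FILTERED]/g'
}

# Mask a single line given as an argument (handy for checks and quick experiments).
mask_line() {
    printf '%s\n' "$1" | mask_log
}

# Constructed sample lines in the "combined" format; not real traffic.
SAMPLE_LOG='203.0.113.7 - - [17/Sep/2022:10:00:01 +0000] "GET /login?user=alice&password=hunter2&next=%2Fhome HTTP/1.1" 302 512 "https://example.test/start?password=old1" "curl/7.88"
203.0.113.8 - - [17/Sep/2022:10:00:02 +0000] "GET /pay?card_number=4111111111111111&amount=10 HTTP/1.1" 200 221 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Sep/2022:10:00:03 +0000] "GET /search?q=password HTTP/1.1" 200 884 "-" "Mozilla/5.0"'

# Stand-alone demonstration. In the real pipe add -u so sed flushes every line
# instead of buffering it, e.g. (path assumed):
#   CustomLog "|/bin/sed -u -E 's/([?&])(password|passwd)=[^& \"]*/\1\2=[FILTERED]/g' >> /your/path/access.log" combined
printf '%s\n' "$SAMPLE_LOG" | mask_log
```

Two things worth knowing before relying on this: the pattern is case-sensitive, so a client sending Password= slips through (GNU sed's I flag would cover it but is not portable), and because sed sees the whole log line it also masks a password= carried in the Referer field, which a filter that only rewrites the request's own query string does not reach.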

Solution 3

You read up on the difference between GET and POST and rewrite your applications to stop putting passwords and info in GET parameters.

Solution 4

You may modify some request parameters during the log phase with LuaHookLog (mod_lua). Although the request line (%r in the 'combined' log format) is read-only, you may mask the query string directly, and then fine-tune all your log formats to use it. To mask password=XXX in the query string do the following:

  1. Create /etc/apache2/log_mask.lua:

    -- Log-phase hook: r.args is the writable query string, so rewriting it here
    -- changes what %q logs; the raw request line (%r) is left untouched.
    function log_mask_password(r)
      if r.args then
        -- case-insensitive match on the name; the value runs up to the next "&"
        -- (an "=" inside the value, e.g. base64 padding, must not end the match)
        r.args = r.args:gsub("([pP][aA][sS][sS][wW][oO][rR][dD])=[^&]*", "%1=XXX")
      end
      return apache2.OK
    end
    
  2. enable mod_lua in apache with a2enmod lua

  3. set up the Lua log hook somewhere in your apache config:

    <IfModule lua_module>
        LuaHookLog /etc/apache2/log_mask.lua log_mask_password
    </IfModule>
    
  4. fix your LogFormat to use "%m %U%q %H" instead of "%r". e.g.:

    LogFormat "%a %l %u %t \"%m %U%q %H\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
    

Don't forget to fix all your other log formats too to prevent password leaks in all of them!

Also, you can just return apache2.DONE from the Lua code to drop the log message completely (this would be separate code with an if and some sensitive-data pattern matching).

Warning: It is not recommended that you use the Lua module on a server that is shared with users you do not trust (and who have permissions to modify apache config files), as it can be abused to change the internal workings of httpd.
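As an added check that is not part of the answer above: the hook only changes r.args, which is what %q logs, so any LogFormat or CustomLog that still carries %r writes the raw request line and bypasses the mask. The script below audits a configuration directory for such directives, including CustomLog lines that use a nickname whose LogFormat contains %r. The directory layout and the sample config it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer: audit an Apache config tree for log
# formats that still use %r. The LuaHookLog rewrites r.args, which is what %q logs;
# any LogFormat or CustomLog that keeps %r writes the raw request line and leaks the
# query string unmasked. The config directory and its contents are constructed.

# POSIX ERE fragments shared by grep -E and sed -E:
QOPEN='"([^"\\]|\\.)*'            # opening quote plus body, honouring \" escapes
QSTR="$QOPEN"'"'                  # a complete double-quoted directive argument
RAWR='%[!0-9,<>]*r'               # %r, also with modifiers such as %!200r or %<r
ARG1='("[^"]*"|[^[:space:]]+)'    # CustomLog's first argument: a path or a quoted pipe

# Print "file:line:directive" for every uncommented LogFormat or CustomLog under $1
# (a file, or a directory searched recursively) whose format still contains %r,
# including CustomLog lines that refer to a nickname defined with %r.
find_unmasked_formats() {
    target=$1
    # LogFormat definitions containing %r
    grep -rnE '^[[:space:]]*LogFormat[[:space:]]+'"$QOPEN$RAWR" "$target" || true
    # CustomLog with an inline format containing %r
    grep -rnE '^[[:space:]]*CustomLog[[:space:]]+'"$ARG1"'[[:space:]]+'"$QOPEN$RAWR" "$target" || true
    # CustomLog using a nickname whose LogFormat contains %r
    nicks=$(grep -rhE '^[[:space:]]*LogFormat[[:space:]]+'"$QOPEN$RAWR" "$target" |
            sed -nE 's/^[[:space:]]*LogFormat[[:space:]]+'"$QSTR"'[[:space:]]+([^[:space:]]+).*/\2/p')
    for nick in $nicks; do
        grep -rnE '^[[:space:]]*CustomLog[[:space:]]+'"$ARG1"'[[:space:]]+'"$nick"'([[:space:]]|$)' "$target" || true
    done
}

# Succeeds only when nothing under $1 still logs %r.
audit_log_formats() {
    count=$(find_unmasked_formats "$1" | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}

# Constructed sample configuration (not from any real server), written into directory $1.
write_sample_config() {
    cat > "$1/logs.conf" <<'EOF'
LogFormat "%a %l %u %t \"%m %U%q %H\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"" legacy
#LogFormat "%r" commented_out
CustomLog /var/log/apache2/access.log combined
CustomLog /var/log/apache2/old.log common
CustomLog "|/usr/bin/logger -t httpd" "%h %t \"%r\""
EOF
}

# Stand-alone demonstration: expect four findings (two LogFormat lines, the old.log
# CustomLog via the "common" nickname, and the inline format on the logger pipe).
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
find_unmasked_formats "$demo_dir"
rm -rf "$demo_dir"
```

Run it as `audit_log_formats /etc/apache2` (or wherever the configuration lives) after the LogFormat change and again whenever a vhost is added. One limitation the audit cannot cover: the hook rewrites only this request's query string, while headers such as %{Referer}i are logged as received, so a referring URL that carries password= still reaches the log.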

Author: Benito103e

Updated on September 17, 2022

Comments

  • Benito103e
    Benito103e almost 2 years

    Apache 2 by default logs the entire request URI including query string of every request.

    What is a straight forward way to prevent an Apache 2 web server from logging sensitive data, for example passwords, credit card numbers, etc., but still log the rest of the request?

    I would like to log all log-in attempts including the attempted username as Apache does by default, and prevent Apache from logging the password directly.

    I have looked through the Apache 2 documentation and there doesn't appear to be an easy way to do this other than completely preventing logging of these requests (using SetEnvIf).

    How can I accomplish this?

  • Damien - Layershift
    Damien - Layershift almost 8 years
    I don't believe this really answers the question. Whilst the advice is sound, "you're doing it wrong" is not a complete answer and it's wrong to assume that the question is posed through ignorance rather than through necessity (e.g. maybe jstr does not have any control over the applications / design and is simply trying to implement a better logging practice for them as a responsible sysadmin).
  • Oliver Posewitz
    Oliver Posewitz about 4 years
    This seems to be a standard Apache tool that addresses the issue being asked about by the OP. Thank you for posting this!