Allow to set SecAuditLog

README.md

@@ -2448,6 +2448,18 @@ apache::vhost { 'sample.example.net':
 }
 ```
 
+##### `modsec_audit_log` & `modsec_audit_log_file` & `modsec_audit_log_pipe`
+
+Determines how to send mod_security audit log ([SecAuditLog](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecAuditLog)).
+
+If `modsec_audit_log_file` is set, it is relative to [`logroot`][]. Default: undef.
+
+If `modsec_audit_log_pipe` is set, it should start with a pipe. Example '|/path/to/mlogc /path/to/mlogc.conf'. Default: undef.
+
+If `modsec_audit_log` is true, given a virtual host---for instance, example.com---it defaults to 'example.com\_security\_ssl.log' for [SSL-encrypted][SSL encryption] virtual hosts and 'example.com\_security.log' for unencrypted virtual hosts. Default: false.
+
+When none of those parameters is set, the global audit log is used (i.e. ''/var/log/apache2/modsec\_audit.log'' on Debian and derivatives, ''/var/log/httpd/modsec\_audit.log'' on others).
+
 ##### `no_proxy_uris`
 
 Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with [`proxy_dest`](#proxy_dest).

manifests/vhost.pp

@@ -61,6 +61,9 @@
   $error_log_file              = undef,
   $error_log_pipe              = undef,
   $error_log_syslog            = undef,
+  $modsec_audit_log            = false,
+  $modsec_audit_log_file       = undef,
+  $modsec_audit_log_pipe       = undef,
   $error_documents             = [],
   $fallbackresource            = undef,
   $scriptalias                 = undef,
@@ -177,6 +180,7 @@
   validate_bool($ip_based)
   validate_bool($access_log)
   validate_bool($error_log)
+  validate_bool($modsec_audit_log)
   validate_bool($ssl)
   validate_bool($default_vhost)
   validate_bool($ssl_proxyengine)
@@ -243,6 +247,10 @@
     fail("Apache::Vhost[${name}]: 'error_log_file' and 'error_log_pipe' cannot be defined at the same time")
   }
 
+  if $modsec_audit_log_file and $modsec_audit_log_pipe {
+    fail("Apache::Vhost[${name}]: 'modsec_audit_log_file' and 'modsec_audit_log_pipe' cannot be defined at the same time")
+  }
+
   if $fallbackresource {
     validate_re($fallbackresource, '^/|disabled', 'Please make sure fallbackresource starts with a / (or is "disabled")')
   }
@@ -397,6 +405,21 @@
     }
   }
 
+  if $modsec_audit_log_file {
+    $modsec_audit_log_destination = "${logroot}/${modsec_audit_log_file}"
+  } elsif $modsec_audit_log_pipe {
+    $modsec_audit_log_destination = $modsec_audit_log_pipe
+  } elsif $modsec_audit_log {
+    if $ssl {
+      $modsec_audit_log_destination = "${logroot}/${name}_security_ssl.log"
+    } else {
+      $modsec_audit_log_destination = "${logroot}/${name}_security.log"
+    }
+  } else {
+    $modsec_audit_log_destination = undef
+  }
+
+
   if $ip {
     $_ip = enclose_ipv6($ip)
     if $port {
@@ -1044,7 +1067,8 @@
   # - $modsec_disable_msgs
   # - $modsec_disable_tags
   # - $modsec_body_limit
-  if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_msgs or $modsec_disable_tags {
+  # - $modsec_audit_log_destination
+  if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination {
     concat::fragment { "${name}-security":
       target  => "${priority_real}${filename}.conf",
       order   => 320,

spec/classes/mod/security_spec.rb

@@ -1,3 +1,4 @@
+
 require 'spec_helper'
 
 describe 'apache::mod::security', :type => :class do

spec/defines/vhost_spec.rb

@@ -584,6 +584,7 @@
       it { is_expected.to contain_concat__fragment('rspec.example.com-allow_encoded_slashes') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-passenger') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-charsets') }
+      it { is_expected.to_not contain_concat__fragment('rspec.example.com-security') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-file_footer') }
       it { is_expected.to contain_concat__fragment('rspec.example.com-jk_mounts').with(
         :content => /^\s+JkMount\s+\/\*\s+tcnode1$/)}
@@ -713,6 +714,28 @@
       it { is_expected.to_not contain_concat__fragment('NameVirtualHost *:80') }
     end
 
+    context 'modsec_audit_log' do
+      let :params do
+        {
+          'docroot'          => '/rspec/docroot',
+          'modsec_audit_log' => true,
+        }
+      end
+      it { is_expected.to compile }
+      it { is_expected.to contain_concat__fragment('rspec.example.com-security').with(
+        :content => /^\s*SecAuditLog "\/var\/log\/apache2\/rspec\.example\.com_security\.log"$/ ) }
+    end
+    context 'modsec_audit_log_file' do
+      let :params do
+        {
+          'docroot'               => '/rspec/docroot',
+          'modsec_audit_log_file' => 'foo.log',
+        }
+      end
+      it { is_expected.to compile }
+      it { is_expected.to contain_concat__fragment('rspec.example.com-security').with(
+        :content => /\s*SecAuditLog "\/var\/log\/apache2\/foo.log"$/ ) }
+    end
     context 'set only aliases' do
       let :params do
         {

templates/vhost/_security.erb

@@ -1,6 +1,9 @@
 <% if @modsec_disable_vhost -%>
   SecRuleEngine Off
 <% end -%>
+<% if @modsec_audit_log_destination -%>
+  SecAuditLog "<%= @modsec_audit_log_destination %>"
+<% end -%>
 <% if @_modsec_disable_ids.is_a?(Hash) -%>
 <%   @_modsec_disable_ids.each do |location,rules| -%>
   <LocationMatch <%= location %>>