AuditConsole

A web-console for managing ModSecurity events

The AuditConsole is a J2EE web application based on a set of stable enterprise components. Its primary objective is the reception of ModSecurity audit-event data, either from mlogc or via manual file upload.

Besides receiving/importing events, the current version of the AuditConsole provides a basic set of components/features:

  • Event Storage
  • User Views
  • Event Tagging
  • Event Rules

Event Storage

The AuditConsole implements a core-component, called the AuditStorage. This component is responsible for managing events, providing user-views and all other actions in some way related to events. The AuditStorage also implements an abstraction layer to the database layer, which is used for indexing events.

User Views

There exists a view-filter for each user. A user can only browse within his view, which effectively partitions the event database. This is useful when different people are responsible for different sites, since each user then sees only the events for his own site.
Views are a fundamental concept within the AuditConsole. Each user action, e.g. the deletion of events, the generation of reports* or the evaluation of rules, operates on the user's view. Thus the views provide a clear separation between the actions of different users.

Event Tagging

The AuditConsole allows users to freely tag events. These tags can later be used for filtering or any other purpose. Even within a user view, tags effectively allow a user to restrict the display to events tagged with some string.
The primary objective for providing a tagging mechanism was to allow tags like false-positive, attack or needs-analysis to be associated with events, in order to ease the event-management process. The use of tags is, however, not limited to that.

Event Rules

The console provides an extensible rule processor which allows users to create rules that are evaluated on incoming events:
  • Once an event is received AND is contained within a user's view, it is checked against that user's rules.
  • A user's rules can fire several actions (currently Delete and Notify).
Users may specify rules in a syntax very close to the ModSecurity rule language. Basically, the event-rule engine provides a subset of ModSecurity's operators and currently acts on the same variables.
As an example, a rule may be created to notify a user about events with a specific Host header by adding a rule condition such as:
REQUEST_HEADERS:Host @eq www.jwall.org
To allow for more flexibility, operators such as @rx or @endsWith are also supported; e.g. the following is a valid rule condition within the event-rule engine:
REQUEST_HEADERS:Host @endsWith jwall.org
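The following is an added illustration of how the view and rule concepts described above fit together; it is not code from the AuditConsole project. It models a user's view filter as a single rule condition (an assumption; the console's actual view definition is not described on this page), supports only the three operators named above (@eq, @rx, @endsWith), and runs against constructed sample events whose keys mirror the ModSecurity variable names the rule engine acts on. An event is matched against a user's rules only if it first falls inside that user's view, and a matching rule fires either Notify or Delete.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events (not real audit data). Each dict holds the
# ModSecurity variables a rule condition may reference.
EVENTS = [
    {"id": "E1", "REMOTE_ADDR": "203.0.113.10", "REQUEST_URI": "/login",
     "REQUEST_HEADERS": {"Host": "www.jwall.org", "User-Agent": "curl/7.0"},
     "RESPONSE_STATUS": "403"},
    {"id": "E2", "REMOTE_ADDR": "198.51.100.7", "REQUEST_URI": "/index.html",
     "REQUEST_HEADERS": {"Host": "shop.example.com"}, "RESPONSE_STATUS": "200"},
    {"id": "E3", "REMOTE_ADDR": "203.0.113.22", "REQUEST_URI": "/admin",
     "REQUEST_HEADERS": {"Host": "static.jwall.org"}, "RESPONSE_STATUS": "403"},
]

# The subset of ModSecurity operators mentioned on the page.
OPERATORS = {
    "@eq": lambda value, arg: value == arg,
    "@rx": lambda value, arg: re.search(arg, value) is not None,
    "@endsWith": lambda value, arg: value.endswith(arg),
}

# "<VARIABLE> <@operator> <argument>", e.g. "REQUEST_HEADERS:Host @eq www.jwall.org"
CONDITION_RE = re.compile(r"^(\S+)\s+(@\w+)\s+(.*)$")


def parse_condition(text):
    """Split a rule condition into (variable, operator, argument)."""
    m = CONDITION_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule condition: {text!r}")
    variable, op, arg = m.groups()
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op}")
    return variable, op, arg


def lookup(event, variable):
    """Resolve a variable such as REQUEST_HEADERS:Host or RESPONSE_STATUS."""
    collection, _, key = variable.partition(":")
    value = event.get(collection)
    if key:
        if not isinstance(value, dict):
            return None
        # HTTP header names are case-insensitive, so compare them lowered.
        for name, v in value.items():
            if name.lower() == key.lower():
                return v
        return None
    return value if isinstance(value, str) else None


def matches(event, condition):
    """True if the event satisfies the rule condition."""
    variable, op, arg = parse_condition(condition)
    value = lookup(event, variable)
    return value is not None and OPERATORS[op](value, arg)


@dataclass
class Rule:
    condition: str
    action: str  # "Notify" or "Delete", the two actions the page lists


@dataclass
class User:
    name: str
    view: str  # assumption: the view filter is itself one rule condition
    rules: list = field(default_factory=list)


def process_event(event, users):
    """Return (notifications, deleted) for one incoming event.

    A user's rules are consulted only when the event lies inside that
    user's view; notifications are (user, event id) pairs.
    """
    notifications, deleted = [], False
    for user in users:
        if not matches(event, user.view):
            continue  # outside this user's view: rules are not evaluated
        for rule in user.rules:
            if matches(event, rule.condition):
                if rule.action == "Notify":
                    notifications.append((user.name, event["id"]))
                elif rule.action == "Delete":
                    deleted = True
    return notifications, deleted


def demo():
    """Run the sample events through two users with different views."""
    alice = User("alice", "REQUEST_HEADERS:Host @endsWith jwall.org",
                 [Rule("RESPONSE_STATUS @eq 403", "Notify")])
    bob = User("bob", "REQUEST_HEADERS:Host @eq shop.example.com",
               [Rule("REQUEST_URI @rx \\.html$", "Delete")])
    return {e["id"]: process_event(e, [alice, bob]) for e in EVENTS}


if __name__ == "__main__":
    for event_id, outcome in demo().items():
        print(event_id, outcome)
```

Note that E3 (a 403 on static.jwall.org) reaches alice's Notify rule only because her view is an @endsWith filter rather than an @eq on one host name, which is exactly the flexibility the operator set above provides; bob never sees the jwall.org events at all, so his Delete rule cannot remove them.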
* The AuditConsole is a project in progress. Many features planned for future releases have not yet been fully implemented in the official release.