fix(rules): remove response body from logs #3034
Conversation
|
Did we come up with a policy for this? Several meetings ago (I guess a couple of months ago?), we agreed to define a policy of "when does CRS apply Unless, of course, that decision has been made and the policy will be "CRS will never apply If that is the policy then we will need to add it to the contribution guidelines and explain why, for future development/reference. |
|
I really would love a policy for this. I remember that we talked about logging request and response body, but I can't remember if we come out with a decision. Maybe we can talk about this at the next meeting |
|
Negative. We talked about this a bit in issue chat July 2021 (https://github.com/coreruleset/project-chat-archive/blob/master/chat-archive-2021-07-19.md), scheduled for August 2021, but then only pointed to #2139 which I think is more limited. |
|
Personally, I think a general no response body in audit log makes sense, if we can provide a config item that will activate response body in audit logs. Also people might have a setting of their own, so this takes a bit of thinking. |
|
@dune73 @RedXanadu What's the decision here then? |
|
@fzipi We still don't have a policy on how to approach this. I'll add it as a "project discussion" item for January's meeting. I personally think it makes sense to remove |
|
Thought about this again. I'm team @RedXanadu. Let's get rid of it and people can enable it themselves if they want to. Reasoning: If you know there is an audit log, you know how to navigate it and you know to read it, then you are also able to write a rule to write it. |
|
Then this makes sense to me also. So provided four people (@theMiddleBlue, @RedXanadu, @dune73 and @fzipi) already said 👍 , let's merge this one. |
Since the response body could contain personal/sensitive data, it should not be logged and stored anywhere.
A false positive intercepted by a rule could contain unwanted data on logs.
This PR removes all
ctl:auditLogParts=+Efrom all rules