Can`t disable ModSecurity logging into the nginx-ingress-controller pods

NGINX Ingress controller version: 0.31.1

Kubernetes version (use kubectl version): v1.16.2

What happened:

Nginx use default config from /etc/nginx/modsecurity/modsecurity.conf:

SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /var/log/audit/

And I cant rewrite it via nginx.ingress.kubernetes.io/modsecurity-snippet. I am trying different configurations but cant disable logging into container:

kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
      SecRuleEngine On
      SecAuditEngine Off

or

kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
      SecRuleEngine On
      SecAuditEngine Off
      SecAuditLog /dev/null
      SecAuditLogStorageDir /dev/null

or

kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
      SecRuleEngine On
      SecAuditLog /dev/stdout
      SecAuditLogStorageDir /dev/stdout

and so on ...

The only way is to delete the file /var/log/modsec_audit.log and /var/log/audit/ dir:

rm -rf /var/log/audit/
rm /var/log/modsec_audit.log

What you expected to happen:

No logging into /var/log/modsec_audit.log and /var/log/audit/ dir

Only stdout

How to reproduce it:

Try to disable ModSecurity logging into the nginx-ingress-controller pods

/kind bug

[aledbf]

@xyzxyxzxzxyz change the include like to be the last line. Some settings cannot be override in the same block

@aledbf Yes I tried it too

For example SecRule 777 and SecRuleEngine On / DetectionOnly work fine

    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditEngine Off
      SecRule REQUEST_HEADERS:User-Agent "777" "log,deny,id:777,status:403,msg:\'777 Identified\'"
      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf

[aledbf]

I have an issue in modsecurity asking about this kind of configuration owasp-modsecurity/ModSecurity-nginx#183 Still waiting for feedback.

[muradmomani]

also, I face the same problem, and tried to change the Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf to the last line but also not working.

but is it really make sense to change the Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf to the bottom of the snippet? i noticed that some of my SecAction did not take value till moved the Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conft to the bottom ! so why this behaviour ?

@aledbf It seems that I solved my problem by setting the parameter through the ConfigMap

data:
  enable-modsecurity: "true"
  modsecurity-snippet: |
    SecAuditEngine Off
kind: ConfigMap

And it seems quite logical to configure globally for nginx-ingress-controller because ultimately I don't want to write logs to files inside the nginx-ingress-controller pods at all.

[muradmomani]

yes, it works if set on the controller configmap,, I'm using helm :
--set-string controller.config.modsecurity-snippet="SecAuditEngine Off" \
which is equivalent to the previous comment .

[strongjz]

/help

[k8s-ci-robot]

@strongjz:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[strongjz]

/priority backlog
/remove-kind bug
/kind feature