On 6/7/2012 1:56 PM, Jeff Trawick wrote:
> On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:
>> On 6/6/2012 2:46 PM, Jeff Trawick wrote:
>>> On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
>>>>
>>>> Perhaps it would be a useful feature to allow excluding those headers
>>>> from being logged, too.
>>>
>>> IMO they shouldn't be logged by default (if at all).
>>> Proxy-Authorization also needs to be handled. (Anything else? My
>>> search query foo is particularly bad today.)
>>
>> ANY parsing which occurs within mod_log_forensic is going to open that module
>> itself to suspicion and potential un-captured exploitative header values.
>>
>> My own theory; provide pipe log redirection and write a filter to do whatever
>> you like to corrupt the pure data received from the client.
>>
>> Otherwise, you have other issues like proxy connect
>> scheme://user:pass@backend/
>> or session tokens in URLs or cookies to contend with.
>>
>> There is no way to make forensic logging 'safe for general consumption' and
>> that is the message we have to broadcast loudly.
>
> The list of concerns can't be fixed with code and we need to put
> more hints in the documentation.
>
> Logging obvious passwords by default is just plain stupid though.
And when that user and pass is fed into mod_authnz_ldap and causes the crash?
There's nothing stupid about it, IMHO.

>> A forensic logging pipe could easily kill off all matched requests before
>> they were ever logged to disk, resulting in only unmatched pairs. The parent
>> process which spawned the logger shouldn't be crashing, so the logging should
>> 'just work'.
>
> Writing only the unmatched requests is equivalent to what you get with
> mod_whatkilledus, though using a much different implementation.

The point to mod_log_forensic is for deep forensic studies of server corruption,
at least that's the only point I've ever taken away from that module. It
certainly -can- do other things, but mod_log_config is better suited for most
of those applications.
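As an added example (not code from this thread or from httpd itself), a piped-logger filter in the spirit of the suggestion above: it redacts Authorization, Proxy-Authorization and Cookie values and any user:pass userinfo in the request URI from mod_log_forensic "+" lines, and can alternatively keep only the requests whose closing "-" line never arrived. It assumes the module's "+id|request line|Header:value|..." layout with "|" and ":" percent-escaped inside values; the header list, the [REDACTED] marker and the sample lines are constructed here.

```python
import re
import sys

# Request headers whose values carry credentials; redacted before the line reaches disk.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
# userinfo in an absolute request-URI, e.g. scheme://user:pass@backend/
USERINFO_RE = re.compile(r"(\w+://)[^/@\s]+@")


def redact_line(line):
    """Redact credentials in one mod_log_forensic '+' line; other lines pass through.

    Assumed layout: '+<id>|<request line>|<Header>:<value>|...' where the module
    percent-escapes '|' and ':' inside values, so splitting on them is safe.
    """
    line = line.rstrip("\n")
    if not line.startswith("+"):
        return line
    fields = line.split("|")
    if len(fields) > 1:
        fields[1] = USERINFO_RE.sub(r"\1[REDACTED]@", fields[1])
    for i in range(2, len(fields)):
        name, sep, _value = fields[i].partition(":")
        if sep and name.lower() in SENSITIVE_HEADERS:
            fields[i] = name + ":[REDACTED]"
    return "|".join(fields)


def unmatched_only(lines):
    """Return redacted '+' entries whose closing '-<id>' line never arrived,
    i.e. the requests the server did not finish (the crash candidates)."""
    pending = {}  # id -> redacted '+' line, in arrival order
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("+"):
            entry_id = line[1:].split("|", 1)[0]
            pending[entry_id] = redact_line(line)
        elif line.startswith("-"):
            pending.pop(line[1:], None)
    return list(pending.values())


# Constructed sample: two requests, the second one never completes.
SAMPLE = [
    "+id1|GET http://alice:s3cret@backend/ HTTP/1.1|Host:backend|Authorization:Basic YWxpY2U6czNjcmV0|Accept:*/*",
    "-id1",
    "+id2|GET /ldap/ HTTP/1.1|Host:localhost%3a8080|Cookie:session=abc|Proxy-Authorization:Basic Zm9v",
]

if __name__ == "__main__":
    # Streaming use as the piped logger: redact every line as it arrives.
    for raw in sys.stdin:
        sys.stdout.write(redact_line(raw) + "\n")
        sys.stdout.flush()
```

Pointing the forensic log at this script with a pipe keeps the escaped request data intact while the credential-bearing fields never reach disk.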