Forum Discussion
NimbostratusHow to mask HTTP Authorization header in ASM logs, similar to sensitive parameters?
The subject pretty much says it all. We use the "Sensitive Parameters" setting described in Chapter 9 of the "Configuration Guide for BIG-IP Application Security Manager" to ensure that passwords and PAN data is masked when ASM log entries are viewed. This works for XML entities in the HTTP body, and I believe it also works for URL-encoded parameters in a GET URI or a POST body. However, it does not mask HTTP header parameters.
Specifically, we have an application using HTTP Basic authentication and so the username and password are base64-encoded and stuffed into an HTTP header - which is trivial to decode, so we don't want it sitting readable in the logs.
How can we mask specific HTTP header contents in the ASM logs?
TIA
17 Replies
TortiCirrus
Hi,
there is no option to do this. A Header is no part of the body and it isn't a "classic http parameter". If you need such an option, you should open a feature request. If it is a problem, because you send the log files to another destination? Perhaps, you could do it there.
gowenfawrThese logs are not shipped off, they're only available via the F5 ASM log interface. However, obviously there's value in obfuscating sensitive data there - otherwise the option to do it with URI parameters and XML body wouldn't be there. I have two services protected by the ASM today - one passes credentials as XML elements, the other is RESTful and uses HTTP basic authentication. The first is protected, the latter isn't - and while I trust my network admins, they have no need to know our customer's passwords. I will open a feature request - thank you for that suggestion.- gowenfawrThat being said, any pointers to the appropriate method for filing a feature request? Is that a support account issue, or generally handled through DevCentral?
- Tortino you have to open a support case. There you can describe the problem and you can write "feature request" or something. There is no dedicated option for feature requests.
Torti_93733Hi,
there is no option to do this. A Header is no part of the body and it isn't a "classic http parameter". If you need such an option, you should open a feature request. If it is a problem, because you send the log files to another destination? Perhaps, you could do it there.
- gowenfawrThese logs are not shipped off, they're only available via the F5 ASM log interface. However, obviously there's value in obfuscating sensitive data there - otherwise the option to do it with URI parameters and XML body wouldn't be there. I have two services protected by the ASM today - one passes credentials as XML elements, the other is RESTful and uses HTTP basic authentication. The first is protected, the latter isn't - and while I trust my network admins, they have no need to know our customer's passwords. I will open a feature request - thank you for that suggestion.
- gowenfawrThat being said, any pointers to the appropriate method for filing a feature request? Is that a support account issue, or generally handled through DevCentral?
- Torti_93733no you have to open a support case. There you can describe the problem and you can write "feature request" or something. There is no dedicated option for feature requests.
- Torti
... and you should trust your admins ;-) they always have the possibility to see sensitive data. It is only a nice feature, if you save the log files on an external server, you send a report to another employee or people have access to the system, who shouldn't see the sensitive data.
- gowenfawrI understand and agree - an admin who could see this, could also run tcpdump/ssldump from the F5 and grab the same data. The difference is that I do have to show auditors things like the log interface, and I don't have to explain ssldump to them.
- Tortithen, the only way is to forbit them the access and provide log entries, if it is necessary. There you can remove the sensitive data.
- Torti_93733
... and you should trust your admins ;-) they always have the possibility to see sensitive data. It is only a nice feature, if you save the log files on an external server, you send a report to another employee or people have access to the system, who shouldn't see the sensitive data.
- gowenfawrI understand and agree - an admin who could see this, could also run tcpdump/ssldump from the F5 and grab the same data. The difference is that I do have to show auditors things like the log interface, and I don't have to explain ssldump to them.
- Torti_93733then, the only way is to forbit them the access and provide log entries, if it is necessary. There you can remove the sensitive data.
rob_carrCirrocumulus
This doesn't actually resolve the issue, per se, but why don't you change your logging profile to something like 'illegal requests only', then if you are recording sensitive information, it's only for sessions already deemed to be in violation?
