Forum Discussion

chiznitz_15400
Jul 01, 2013

Mask Request Body ASM Reporting

Hi,

Recently support told me that there is no way to turn off Request Body logging in the ASM. The requests that come in to our ASM have sensitive information that needs to be masked. We were informed that the only way to not have this information logged is to turn off local logging; the problem with this is that we would then not be able to see anything in the reporting area of the ASM, making it useless for us to meet our compliance requirements.

Is there a way to mask the request body using the ASM but continue to send the unaltered request body through to the web application?

Thank you,

Ryan

3 Replies

  • hoolio
    Hi Ryan,

    Can you mark the parameters which contain sensitive data as sensitive so that ASM won't log the values?

    Configuring sensitive parameters
    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-4-0/asm_parameters.html1035705

    In 11.4, ASM automatically masks CC numbers in reports:
    https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-4-0.html

    Mask Sensitive Information in Request Log

    In addition to masking sensitive information in parameters, with this release the security policy can also mask credit card numbers that appear in any part of the request. The credit card numbers are not masked in the actual requests, but rather in various ASM logs within the ASM Configuration utility:

    Credit card numbers appearing in entity names are only masked in the ASM Requests log.

    Credit card numbers appearing in entity values are masked wherever request information can be viewed.

    To set the security policy to mask credit card numbers in the Requests log, navigate to the Security > Application Security > Security Policies screen, click a security policy to view its properties, and enable the Mask Credit Card Numbers in Request Log check box. This setting is enabled by default.

    When you are upgrading to version 11.4, or importing from older versions, the configuration of this feature is set to enabled. Logs generated by previous versions do not undergo offline credit card number masking.

    You could open a Support case to request a new feature that would allow an admin to specify one or more generic regexes to mask in a similar fashion.

    Aaron
  • Thanks for the reply.

    I looked for the setting you mentioned and it does not exist. I did notice the documentation you linked is for 11.4 and we are currently on 11.2.1. I'll research some more and see if this setting was just added in one of the recent releases, and will try and get one of our ASMs upgraded to try this.

    The information in the request is a RAW string that does not have any XML or special parameters that the WAF would recognize, thus the need to drop it. A couple of our sites have certain XML tags that we mask using the entities as you mention.
  • Brought an 11.4 appliance up in the lab and the masking of the credit card number itself works, but the rest of the data is still not masked. This data could be CVV etc. that is not allowed to be logged by PCI compliance.

    Here is an example request that we would want to mask (the DUMMY values replace what would normally be card data or sensitive info).

    POST /Micros/process_transaction.cgi HTTP/1.1:
    Host: 192.168.1.1
    Content-Type: x-VISA-II/x-auth
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: VSCA
    Content-Length: 158
    Cookie: TS6c52a9=78f9df9fcdfa6b306b81503d3cd9b20ab7c9eb723cec0c1e51cb6853
    X-Forwarded-For: 192.168.1.2

    K0.90005008843003212500010001QF840840272150000007055812Y125754@HB^DUMMY /NAME H^ MY PLACE OF BUSINESS NC %

    There are no tags to list as parameters, it's just a raw string. Any idea how this could be masked in local logging?
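To make the gap described in the thread concrete, here is an added example (not F5 code, and not from any poster) that approximates card-number-only masking with a Luhn check, shows that the CVV-like digits next to the PAN survive it, and contrasts it with whole-body redaction applied only to the log copy. The body layout, the public test PAN 4111111111111111 and all function names are constructed assumptions.

```python
import re

# Constructed sample shaped like the raw body in the thread above: the PAN is the
# public test number 4111111111111111 and "123" after the Y stands in for a CVV.
SAMPLE_BODY = "K0.9000500884QF4111111111111111Y123@HB^DUMMY /NAME H^ MY PLACE NC %"
SAMPLE_REQUEST = (
    "POST /Micros/process_transaction.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: x-VISA-II/x-auth\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n\r\n" + SAMPLE_BODY
)

# A standalone run of 13-19 digits; non-digits on either side act as delimiters.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the usual way a card-number detector validates a candidate."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card_numbers(text: str) -> str:
    """Card-number-only masking (hypothetical approximation of the 11.4 feature):
    Luhn-valid runs keep their last four digits; everything else is left as is."""
    def repl(m):
        pan = m.group(0)
        return "*" * (len(pan) - 4) + pan[-4:] if luhn_ok(pan) else pan
    return PAN_RE.sub(repl, text)


def redact_body_for_log(request: str) -> str:
    """Whole-body redaction for the log copy only: headers stay available for
    reporting, the body becomes a length marker. The request itself is unchanged."""
    head, sep, body = request.partition("\r\n\r\n")
    if not sep:             # no header/body boundary, nothing to redact
        return request
    return f"{head}{sep}[BODY MASKED: {len(body.encode())} bytes]"


if __name__ == "__main__":
    print(mask_card_numbers(SAMPLE_REQUEST))   # PAN masked, "Y123" still visible
    print(redact_body_for_log(SAMPLE_REQUEST))  # body gone, headers intact
```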