Forum Discussion

JustJozef's avatar
JustJozef
Icon for Cirrus rankCirrus
Jun 01, 2023

Mask Value in Logs based on the OpenAPI specification

Hello,

is there any option to define value under "Mask Value in Logs" for JSON profile based on the OpenAPI specification?

Policy is build from the swagger file. JSON profile is created based on the schema defined in swagger (OpenAPI) file. What I cannot modify is part "Value Masking" under JSON profile in security policy. I tried to use "format": "password" in swagger file for password. But "Value Masking" was not modified. Or better value password was not added there.

Below is screen when it was added manually via GUI.

OpenAPI specification:

 

     "Request": {
        "required": [
          "password",
          "username"
        ],
        "type": "object",
        "properties": {
          "username": {
            "type": "string"
          },
          "password": {
            "type": "string",
            "format": "password"
          }
        },
        "additionalProperties": false
      },

 

 Is there any way how I can add it via swagger?

Another option would be add it manually in security template (in JSON format) like for some other non default options what have defined but when it's added manually there are no changes in the policy configuration. JSON of the exported policy is same for policy where "Value Masking" is defined with policy where "Value Masking" is empty.

  • Hi  JustJozef  , 

    you can modify the Sensitive Data Configuration of the JSON profile and remove the sensitive data elements. To do so, perform the following procedure:

    Impact of workaround: The BIG-IP ASM security policy will no longer mask sensitive data elements.

    1. Log in to the Configuration utility.
    2. Navigate to Security > Application Security > Content Profiles > JSON Profiles.
    3. Set Current edited security policy to the name of the affected security policy.
    4. Click the profile name of the affected JSON profile.
    5. To remove sensitive JSON data masking, click the Sensitive Data Configuration tab.
    6. In the Namespace section, select the box to the left of each element.
    7. Click Delete.
    8. Click Update.
    9. Click Apply Policy.

      Could you check all the elements available for this JSON profile and share the screenshot.

      Please check if the password keyword is correct or do you need to use pwd as i am trying to share one example

       

      {"app":"MyMoABC","srv":"MyMoAuthen","op":"login","header":{"pwd":"111111","user":"2222222222222"}}} 

       

      Please refer this document:

      K52154401: Masking data in the BIG-IP ASM request log

      https://my.f5.com/manage/s/article/K52154401

      Topic

      You should consider using these procedures under the following conditions:

      • You want to mask sensitive data in the BIG-IP ASM request log so that the data cannot be viewed by the administrator.
      • You want to mask HTTP header or cookie data (BIG-IP ASM 14.0.0 or later only).

        Description

        By default, the BIG-IP ASM system logs information about incoming requests to the request log in plain text. In some cases you may want to mask request information in the logs as some requests include sensitive information, such as authorization credentials or credit card information. When you enable Mask Value in Logs for a policy element, the system replaces the sensitive data with asterisks (***). The masked data cannot be viewed by the administrator.

        You can mask data in the logs for the following policy elements.

        Data to mask Description Example Parameters Masks the parameter value, including the value for positional parameters. The setting does not mask the parameter name. GET /profiles/**** HTTP headers Masks the header value. The setting does not mask the header name. GET / HTTP/1.1
        Host: Example.com
        Connection: Keep-alive
        Authorization: ******
        Cookie: TS-Cookie
        Cookies Masks the values for allowed and enforced cookies types. The setting does not mask the cookie name and does not apply to BIG-IP ASM cookies. GET / HTTP/1.1
        Host: Example.com
        Connection: Keep-alive
        Cookie: ******
        JSON Profiles Masks elements within the JSON data whose values are should considered sensitive. secID: ****** XML Profiles Masks sensitive data in an XML document. You can specify the element or attribute whose value contains sensitive data and should be masked by the policy. <secID>******</secID>

        Note: When a BIG-IP ASM policy is set to use Case Sensitive, the created parameters must match the case of the parameter presented by the client. This may require creating multiple parameters to cover variants of the Parameter (for example: password/Password/PASSWORD).

        Prerequisites

        You must meet the following prerequisites to use these procedures:

        • You have access to the Configuration utility.
        • You have identified the sensitive content to be masked.

          Procedures

          • Masking request log data for a parameter
          • Masking request log data for HTTP headers
          • Masking request log data for cookies
          • Masking request log data for JSON profiles
          • Masking request log data for XML profiles

            Masking request log data for a parameter

            Impact of procedure: Performing the following procedure should not have a negative impact on your system.

            1. Log in to the Configuration utility.
            2. Go to Security > Application Security > Parameters > Parameters List.
            3. Select the name of an existing parameter or select Create to create a new parameter.
            4. For Mask Value in Logs, select the Enabled check box.

              Note: In versions prior to BIG-IP ASM 14.0.0, for Sensitive Parameter, select the Enabled check box.

            5. Select Update.
            6. Select Apply Policy.

              Masking request log data for HTTP headers

              Impact of procedure: Performing the following procedure should not have a negative impact on your system.

              17.0.0 and later

              1. Log in to the Configuration utility.
              2. Go to Security > Application Security > Security Policies > Policies List > policy_name > HTTP Message Protection > Headers.
              3. Select the name of the HTTP header or select Add Header.
              4. For Mask Value in Logs, select Enabled.
              5. Select Update.
              6. Select Save.
              7. Select Apply Policy.

                14.x - 16.x

                1. Log in to the Configuration utility.
                2. Go to Security > Application Security > Headers > HTTP Headers.
                3. Select the name of the HTTP header or click Create to create a new HTTP header.
                4. For Mask Value in Logs, select the Enabled check box.
                5. Select Update.
                6. Select Apply Policy.

                  Masking request log data for cookies

                  Impact of procedure: Performing the following procedure should not have a negative impact on your system.

                  17.0.0 and later

                  1. Log in to the Configuration utility.
                  2. Go to Security > Application Security > Security Policies > Policies List > policy_name > HTTP Message Protection > Cookies.
                  3. Select the name of the Cookie or select Create.
                  4. For Mask Value in Logs, select Enabled.
                  5. Select Update.
                  6. Select Save.
                  7. Select Apply Policy.

                    14.x - 16.x

                    1. Log in to the Configuration utility.
                    2. Go to Security > Application Security > Headers > Cookie List.
                    3. Under Cookies, select the Enforced Cookies tab or Allowed Cookies tab.
                    4. Select the name of the cookie or click Create to create a new cookie.
                    5. For the Mask Value in Logs, select the Enabled check box.
                    6. Select Update.
                    7. Select Apply Policy.

                      Masking request log data for JSON profiles

                      You can use Mask Value in Logs for the JSON profile only when Parse Parameters is disabled for the profile.

                      Impact of procedure: Performing the following procedure should not have a negative impact on your system.

                      1. Log in to the Configuration utility.
                      2. Go to Security > Application Security > Content Profiles > JSON Profiles.
                      3. Select the name of the JSON profile.
                      4. Select the Value Masking tab.

                        Note: In versions prior to BIG-IP ASM 14.0.0, select the Sensitive Data Configuration tab.

                        Note: The Value Masking tab is available when the Parse Parameters option is not selected in the profile.

                      5. For Element Name, enter the name of the element within the JSON data for which the values are considered sensitive.
                      6. Select Add to add the JSON data to the list.
                      7. Select Update.
                      8. Select Apply Policy.

                        Masking request log data for XML profiles

                        Impact of procedure: Performing the following procedure should not have a negative impact on your system.

                        1. Log in to the Configuration utility.
                        2. Go to Security > Application Security > Content Profiles > XML Profiles.
                        3. Select the name of the XML profile.
                        4. Select the Value Masking tab.

                          Note: In versions prior to BIG-IP ASM 14.0.0, select the Sensitive Data Configuration tab.

                        5. For Namespace, select the appropriate option.
                        6. For Name, select the appropriate option.
                        7. Enter the name of the attribute or element within the XML data for which the values are considered sensitive.
                        8. Select Add.
                        9. Select Update.
                        10. Select Apply Policy.

                          Best Regards

                          F5 Desing Engineer

                           

                        11.  

                      9.  

            7.  

    Best Regards

    F5 Design Engineer

    • JustJozef's avatar
      JustJozef
      Icon for Cirrus rankCirrus

      Hello,

      thank you for answer. I am aware about option related to mask/unmask sensitive parameters. In my case it is not possible to do modification directly via GUI as security policies for APIs are automated. When there is a new swagger file available secuirty policy is adapted by the scripts.

      So my options are:

      1. Define it via swagger file  - ASM policy will took it from swagger file and add sensitive parameter under tab "Value Masking"
      2. Define it in JSON file of the security policy.

      In first option I canot define property in swagger file to say ASM policy to mask parameter in tab "Value Masking". Second option does not work for me as modification of the tab "Value Masking" does not show any configuration change of the exported policy.

  • I'd like to pin this one to the top of the forum for a bit - get some more eyes on it.
    JustJozef - have you made any updates/progress/decision on this in the past couple weeks?