[bitnami/nginx-ingress-controller] ModSecurity audit logs are not configured like the official image
The official documentation states the following:
Due to the value of the setting SecAuditLogType=Concurrent the ModSecurity log is stored in multiple files inside the directory /var/log/audit. The default Serial value in SecAuditLogType can impact performance.
https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/
It does not seem to be the case in the Bitnami image:
$ docker run --rm -ti --entrypoint= \
quay.io/bitnami/nginx-ingress-controller:1.0.4-debian-10-r8 \
grep -E '^(SecAuditLogType|SecAuditLogStorageDir)' /etc/nginx/modsecurity/modsecurity.conf
SecAuditLogType Serial
In the official image:
$ docker run --rm -ti --entrypoint= \
k8s.gcr.io/ingress-nginx/controller:v1.0.4 \
grep -E '^(SecAuditLogType|SecAuditLogStorageDir)' /etc/nginx/modsecurity/modsecurity.conf
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/audit/
The change appears to be made by this script upstream: https://github.com/kubernetes/ingress-nginx/blob/af7d9581f47113f4e2cfd7fac92ba02ae9cd49f0/images/nginx/rootfs/build.sh#L550-L554
It would be nice to have this discrepancy corrected in both the 0.x and 1.x Bitnami images.
Unfortunately, using modsecurity-snippet as a workaround does not work:
modsecurity-snippet: |
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/audit/
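A defender-side check, added here and not part of the issue or of Bitnami's or ingress-nginx's tooling, that reports the effective audit-log settings from a modsecurity.conf instead of relying on the first grep hit. It assumes ModSecurity's last-occurrence-wins handling of repeated directives; the deployment name in the kubectl comment is a placeholder.

```shell
# Added example: report the effective ModSecurity audit-log mode of a config file.
# Repeated directives are assumed to follow last-occurrence-wins, so the final
# uncommented value is taken; commented-out lines ("#SecAuditLogType ...") are skipped.
modsec_audit_directive() {
    # $1 = path to modsecurity.conf, $2 = directive name; prints the last value or nothing
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Exit codes: 0 = Concurrent with a storage dir, 1 = Serial (single file), 2 = misconfigured
modsec_audit_check() {
    conf="$1"
    mode=$(modsec_audit_directive "$conf" SecAuditLogType)
    dir=$(modsec_audit_directive "$conf" SecAuditLogStorageDir)
    case "$mode" in
        Concurrent)
            if [ -z "$dir" ]; then
                echo "Concurrent audit logging but no SecAuditLogStorageDir set"
                return 2
            fi
            echo "ok: Concurrent audit logging, storage dir $dir"
            return 0 ;;
        Serial|"")
            echo "Serial audit logging (single file, default when unset)"
            return 1 ;;
        *)
            echo "unexpected SecAuditLogType value: $mode"
            return 2 ;;
    esac
}

# Usage against a running controller (deployment name is a placeholder):
#   kubectl exec deploy/<ingress-deployment> -- \
#       cat /etc/nginx/modsecurity/modsecurity.conf > /tmp/modsec.conf
#   modsec_audit_check /tmp/modsec.conf
```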
Hi @maxbrunet,
Thank you for reporting this. I will open an internal task for investigation. As soon as we have more news, we will update this ticket.
We are going to transfer this issue to bitnami/containers
In order to unify the approaches followed in Bitnami containers and Bitnami charts, we are moving some issues in bitnami/bitnami-docker-<container> repositories to bitnami/containers.
Please follow bitnami/containers to stay updated about the latest Bitnami images.
More information here: https://blog.bitnami.com/2022/07/new-source-of-truth-bitnami-containers.html
@maxbrunet this issue has now been addressed in the latest container release 1.3.1-debian-11-r1 and is also available in the latest chart release 9.3.7.