Logs
Storage path
OpenRASP writes logs to files by default, at the following locations:
- Java version:
<app_home>/rasp/logs/alarm/*.log*
- PHP version:
<openrasp_rootdir>/logs/alarm/*.log
Note that in the Java version the current alarm log carries no date suffix; the date is appended only after the log rolls over, e.g.
/tomcat/rasp/logs/alarm/alarm.log
/tomcat/rasp/logs/alarm/alarm.log.2018-12-04
...
In the PHP version the alarm log always carries a date suffix, e.g.
/opt/rasp/logs/alarm/alarm.log.2018-12-16
However, because of limitations in PHP itself, some messages are still written to the PHP error log, for example INI configuration errors.
Log types
OpenRASP writes four kinds of logs:
File name | Content |
---|---|
plugin/plugin-DATE.log | Detection plugin log, e.g. plugin exceptions and plugin debug output |
rasp/rasp-DATE.log | RASP agent debug log |
alarm/alarm-DATE.log | Attack alarm log, JSON, one event per line |
policy_alarm/policy_alarm-DATE.log | Security baseline check alarm log, JSON, one event per line |
Log format
1. Attack log format
When an attack event occurs, OpenRASP records the following information:
Field | Description |
---|---|
rasp_id | RASP agent ID |
app_id | Application ID |
app_name | Application name |
event_type | Log type, always attack |
event_time | Time the event occurred |
event_level | Vulnerability severity: critical/high/medium/low |
request_id | ID of the current request |
request_method | HTTP request method |
intercept_state | Interception state; the sample below shows log, i.e. the request was recorded but not blocked |
attack_source | Source IP of the attack (the direct peer address; for the real client IP behind a proxy see client_ip) |
target | Host name of the attacked target |
server_hostname | Host name of the attacked server |
server_ip | IP of the attacked server |
server_type | Application server type |
server_version | Application server version |
path | Current URL without the query string |
url | Current URL including the full GET query string |
attack_type | Attack type |
attack_params | Attack parameters, including hook-point arguments, the call stack, etc. |
client_ip | Real client IP address; see "Other configuration options" for how it is derived (empty, as in the sample below, when not configured) |
plugin_name | Name of the plugin that reported the attack |
plugin_confidence | Confidence of the detection result, returned by the plugin |
plugin_message | Detection result message |
plugin_algorithm | Plugin detection algorithm |
header | Request headers; this includes the raw Cookie header (a session ID in the sample below), so alarm logs must be handled as sensitive data |
stack_md5 | MD5 of the current call stack |
body | Body of the current request, if any |
Newer agents emit additional fields that are not listed above; the sample below also contains @timestamp, attack_count, attack_location, id, parameter, rasp_version, server_nic, source_code and upsert_id. Consumers of the log should tolerate unknown keys.
A complete JSON log entry looks like this:
{
"@timestamp": 1618894722217,
"app_id": "88cce00aa5a5207f2d13250f892bdcb96c46f080",
"app_name": "Demo App",
"attack_count": 2,
"attack_location": {
"latitude": 0,
"location_en": "-",
"location_zh_cn": "-",
"longitude": 0
},
"attack_params": {
"command": "cmd /c calc",
"env": [],
"stack": [
"java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java)",
"java.base/java.lang.ProcessImpl.start(ProcessImpl.java:244)",
"java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1109)",
"java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1073)",
"java.base/java.lang.Runtime.exec(Runtime.java:590)",
"java.base/java.lang.Runtime.exec(Runtime.java:414)",
"java.base/java.lang.Runtime.exec(Runtime.java:311)",
"org.apache.jsp._004_002dcommand_002d1_jsp._jspService(_004_002dcommand_002d1_jsp.java:136)",
"org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)",
"javax.servlet.http.HttpServlet.service(HttpServlet.java:741)",
"org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)",
"org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)",
"org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)",
"javax.servlet.http.HttpServlet.service(HttpServlet.java:741)",
"org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)",
"org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)",
"org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)",
"org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)",
"org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)",
"org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)",
"org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)",
"org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)",
"org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)",
"org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)",
"org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)",
"org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)",
"org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)",
"org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)",
"org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)",
"org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)",
"org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1417)",
"org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)",
"java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)",
"java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)",
"org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)",
"java.base/java.lang.Thread.run(Thread.java:831)"
]
},
"attack_source": "127.0.0.1",
"attack_type": "command",
"body": "",
"client_ip": "",
"event_level": "critical",
"event_time": "2021-04-20T12:58:42+0800",
"event_type": "attack",
"header": {
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en,zh-CN;q=0.9,zh;q=0.8,la;q=0.7",
"connection": "keep-alive",
"cookie": "JSESSIONID=FA7196A1FDE61D1795DCEB3280890E14",
"dnt": "1",
"host": "127.0.0.1:8080",
"referer": "http://127.0.0.1:8080/vulns/004-command-1.jsp",
"upgrade-insecure-requests": "1",
"user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
},
"id": "5f425ea2234ca4d4bcd991108affff8c",
"intercept_state": "log",
"parameter": {
"form": "{\"cmd\":[\"cmd /c calc\"]}",
"json": "{}",
"multipart": "[]"
},
"path": "/vulns/004-command-1.jsp",
"plugin_algorithm": "command_other",
"plugin_confidence": 90,
"plugin_message": "Command execution - Logging all command execution by default, command is cmd /c calc",
"plugin_name": "official",
"rasp_id": "520d19c523509c53025d66e67e394ab2",
"rasp_version": "1.3.6",
"request_id": "c7229f3f91e34e95902c7ada3b17865d",
"request_method": "get",
"server_hostname": "YOUR_COMPUTER",
"server_ip": "127.0.0.1",
"server_nic": [
{
"ip": "192.168.154.1",
"name": "vmnet8"
},
{
"ip": "172.16.177.1",
"name": "vmnet1"
},
{
"ip": "172.24.172.41",
"name": "en0"
}
],
"server_type": "tomcat",
"server_version": "9.0.14.0",
"source_code": "",
"stack_md5": "c0eccc0d41f14fcef3f0a6d7521d0875",
"target": "127.0.0.1",
"upsert_id": "5f425ea2234ca4d4bcd991108affff8c",
"url": "http://127.0.0.1:8080/vulns/004-command-1.jsp?cmd=cmd+/c+calc"
}
2. Security baseline check log
When a configuration that violates the security baseline is detected, OpenRASP records the following information:
Field | Description |
---|---|
event_type | Log type, always security_policy |
event_time | Time the event occurred |
server_hostname | Server host name |
server_nic | Server network interfaces and their IP addresses |
server_type | Application server type |
server_version | Application server version |
policy_id | ID of the matched policy |
policy_params | Additional parameters of the baseline alarm, e.g. the PID |
message | Description of the non-compliant configuration |
stack_trace | Current call stack; may be empty in some cases |
A complete JSON log entry looks like this:
{
"event_type": "security_policy",
"event_time": "2017-04-01T08:00:00Z",
"policy_id": "3002",
"server_hostname": "my-bloodly-hostname",
"server_nic": [
{
"name": "eth0",
"ip": "10.10.1.131"
},
{
"name": "eth0",
"ip": "192.168.1.150"
}
],
"server_type": "Tomcat",
"stack_trace": "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n",
"server_version": "7.0.15",
"message": "Tomcat should not be started as root",
"policy_params": {
"pid": 1023
}
}
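Both the attack log (section 1) and the baseline log (section 2) are NDJSON, so one reader can triage them together. The following is an added example written for this page, not OpenRASP's own tooling: it parses lines from either file, skips truncated lines left by a rotation or a partial write, dispatches on event_type, groups attacks by stack_md5 (the same vulnerable code path hit repeatedly collapses to one entry), falls back from client_ip to attack_source when the proxy-header option is not configured, lists high/critical attacks that were only logged and not blocked, and redacts the Cookie header before the event is forwarded anywhere. The sample lines are constructed from the documented field names; their values, the LEVEL_RANK ordering and the "sql" attack type are assumptions.

```python
"""Triage OpenRASP alarm/*.log and policy_alarm/*.log entries (NDJSON).

Added example, not OpenRASP's own code; it relies only on the field names
documented above and assumes one JSON object per line.
"""
import json
from collections import Counter

SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed ordering

# Constructed sample lines: field names from the tables above, values made up.
SAMPLE_LINES = [
    json.dumps({
        "event_type": "attack", "event_level": "critical", "intercept_state": "log",
        "attack_type": "command", "attack_source": "127.0.0.1", "client_ip": "",
        "stack_md5": "c0eccc0d41f14fcef3f0a6d7521d0875",
        "attack_params": {"command": "cmd /c calc"},
        "header": {"cookie": "JSESSIONID=FA7196A1FDE61D1795DCEB3280890E14",
                   "host": "127.0.0.1:8080"},
    }),
    json.dumps({  # same code path (stack_md5), this time blocked, client behind a proxy
        "event_type": "attack", "event_level": "critical", "intercept_state": "block",
        "attack_type": "command", "attack_source": "10.0.0.5", "client_ip": "203.0.113.7",
        "stack_md5": "c0eccc0d41f14fcef3f0a6d7521d0875",
        "attack_params": {"command": "id"},
        "header": {"host": "127.0.0.1:8080"},
    }),
    json.dumps({
        "event_type": "attack", "event_level": "medium", "intercept_state": "log",
        "attack_type": "sql", "attack_source": "127.0.0.1", "client_ip": "",
        "stack_md5": "d41d8cd98f00b204e9800998ecf8427e",
        "attack_params": {"query": "select 1"},
        "header": {},
    }),
    json.dumps({
        "event_type": "security_policy", "policy_id": "3002",
        "message": "Tomcat should not be started as root",
        "policy_params": {"pid": 1023},
    }),
    '{"event_type": "attack", "event_level": "cri',  # truncated partial write
]


def parse_ndjson(lines):
    """Yield one dict per well-formed JSON line; a bad line must not abort the run."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def source_ip(event):
    """client_ip is only filled when configured; fall back to the peer address."""
    return event.get("client_ip") or event.get("attack_source") or "unknown"


def redact(event):
    """Copy of the event with sensitive header values (e.g. the session cookie) masked."""
    clean = dict(event)
    headers = event.get("header")
    if isinstance(headers, dict):
        clean["header"] = {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
                           for k, v in headers.items()}
    return clean


def triage(lines, min_level="high"):
    """Summarize a mix of attack and security_policy events from one or more files."""
    summary = {
        "by_attack_type": Counter(),  # (attack_type, event_level) -> count
        "by_stack": Counter(),        # stack_md5 -> count; one vulnerable code path per key
        "unblocked": [],              # events at/above min_level that were not blocked
        "by_policy": Counter(),       # policy_id -> count
        "sources": Counter(),         # effective source IP -> count
        "unknown_type": 0,
    }
    threshold = LEVEL_RANK[min_level]
    for event in parse_ndjson(lines):
        kind = event.get("event_type")
        if kind == "attack":
            level = event.get("event_level", "low")
            summary["by_attack_type"][(event.get("attack_type"), level)] += 1
            summary["by_stack"][event.get("stack_md5", "")] += 1
            summary["sources"][source_ip(event)] += 1
            if LEVEL_RANK.get(level, 0) >= threshold and event.get("intercept_state") != "block":
                summary["unblocked"].append(redact(event))
        elif kind == "security_policy":
            summary["by_policy"][str(event.get("policy_id"))] += 1
        else:
            summary["unknown_type"] += 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for key in ("by_attack_type", "by_stack", "by_policy", "sources"):
        print(key, dict(result[key]))
    for event in result["unblocked"]:
        print("NOT BLOCKED:", event["attack_type"], event["attack_params"], event["header"])
```

To run it against real files, replace SAMPLE_LINES with the concatenated lines of alarm/*.log and policy_alarm/*.log; because the reader dispatches on event_type, the two directories can be fed to the same call.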
3. Application behavior log
When you enable "Print behavior log (debug only, do not enable in production)" under Management console -> Protection settings, the application's behavior is written to plugin.log, for example:
2021-01-04 10:11:39,627 INFO [http-bio-8080-exec-2][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Read file: /usr/local/apache-tomcat-7.0.78/webapps/vulns/004-command-1.jsp
2021-01-04 10:11:40,882 INFO [http-bio-8080-exec-1][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Execute command: cp /etc/passwd /tmp/ [ 'java.lang.UNIXProcess.<init>',
'java.lang.ProcessImpl.start',
'java.lang.ProcessBuilder.start',
'java.lang.Runtime.exec',
'java.lang.Runtime.exec',
'java.lang.Runtime.exec',
'org.apache.jsp._004_002dcommand_002d1_jsp._jspService',
'org.apache.jasper.runtime.HttpJspBase.service',
'javax.servlet.http.HttpServlet.service',
'org.apache.jasper.servlet.JspServletWrapper.service',
'org.apache.jasper.servlet.JspServlet.serviceJspFile',
'org.apache.jasper.servlet.JspServlet.service',
'javax.servlet.http.HttpServlet.service',
'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
'org.apache.catalina.core.ApplicationFilterChain.doFilter',
'org.apache.tomcat.websocket.server.WsFilter.doFilter',
'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
'org.apache.catalina.core.ApplicationFilterChain.doFilter',
'org.apache.catalina.core.StandardWrapperValve.invoke',
'org.apache.catalina.core.StandardContextValve.invoke',
'org.apache.catalina.authenticator.AuthenticatorBase.invoke',
'org.apache.catalina.core.StandardHostValve.invoke',
'org.apache.catalina.valves.ErrorReportValve.invoke',
'org.apache.catalina.valves.AccessLogValve.invoke',
'org.apache.catalina.core.StandardEngineValve.invoke',
'org.apache.catalina.connector.CoyoteAdapter.service',
'org.apache.coyote.http11.AbstractHttp11Processor.process',
'org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process',
'org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run',
'java.util.concurrent.ThreadPoolExecutor.runWorker',
'java.util.concurrent.ThreadPoolExecutor$Worker.run',
'org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run',
'java.lang.Thread.run' ]
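The behavior lines above are not JSON: one line of free text, with the call stack, when present, spilled over the following lines until a closing "]". The parser below is an added example written for this page, not part of OpenRASP; the layout it expects (timestamp, level, [thread][logger], URL, [plugin], "Action: argument", optional " [ 'frame', ... ]") is taken from the sample above, and it assumes a stack always begins with " [ '" on the first line and ends on a line ending in "]". Lines that do not match that layout (plugin exceptions and other plugin.log output) are skipped. The sample input is constructed from the two lines above with a shortened stack and one made-up non-matching line.

```python
"""Parse OpenRASP behavior log lines from plugin.log.

Added example, not OpenRASP's own code. The line layout is taken from the
sample above; the continuation handling is an assumption.
"""
import re

HEAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]*)\]\[(?P<logger>[^\]]*)\] "
    r"(?P<url>\S+) "
    r"\[(?P<plugin>[^\]]*)\] "
    r"(?P<action>[^:]+): (?P<rest>.*)$"
)
STACK_START = " [ '"            # assumed marker: the stack starts on the first line
FRAME = re.compile(r"'([^']*)'")  # one quoted frame per element

# Constructed sample: the two lines from the page (stack shortened) plus a
# non-matching plugin.log line that the parser must ignore.
SAMPLE = """\
2021-01-04 10:11:39,627 INFO [http-bio-8080-exec-2][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Read file: /usr/local/apache-tomcat-7.0.78/webapps/vulns/004-command-1.jsp
2021-01-04 10:11:40,882 INFO [http-bio-8080-exec-1][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Execute command: cp /etc/passwd /tmp/ [ 'java.lang.UNIXProcess.<init>',
  'java.lang.ProcessImpl.start',
  'java.lang.Runtime.exec',
  'org.apache.jsp._004_002dcommand_002d1_jsp._jspService',
  'java.lang.Thread.run' ]
2021-01-04 10:11:41,000 WARN [main][com.baidu.openrasp.plugin.js.log] plugin official threw an exception
""".splitlines()


def parse_behavior_log(lines):
    """Return one record per behavior line: ts, level, thread, logger, url,
    plugin, action, target and stack (list of frames, possibly empty)."""
    records = []
    pending = None   # record whose multi-line stack is still being read
    stack_text = ""
    for raw in lines:
        line = raw.rstrip("\n")
        if pending is not None:
            stack_text += " " + line.strip()
            if line.rstrip().endswith("]"):
                pending["stack"] = FRAME.findall(stack_text)
                records.append(pending)
                pending = None
            continue
        m = HEAD.match(line)
        if not m:
            continue  # exception traces, debug output: not a behavior line
        rec = {k: m.group(k) for k in ("ts", "level", "thread", "logger", "url", "plugin", "action")}
        rest = m.group("rest")
        idx = rest.find(STACK_START)
        if idx < 0:
            rec["target"], rec["stack"] = rest.strip(), []
            records.append(rec)
            continue
        rec["target"] = rest[:idx].strip()
        stack_text = rest[idx:]
        if stack_text.rstrip().endswith("]"):   # whole stack on one line
            rec["stack"] = FRAME.findall(stack_text)
            records.append(rec)
        else:
            pending = rec
    return records


def executed_commands(records):
    """(url, command) pairs for every command execution the application performed."""
    return [(r["url"], r["target"]) for r in records if r["action"] == "Execute command"]


def entry_frame(record):
    """First non-JDK frame: the application code that triggered the hooked call."""
    for frame in record["stack"]:
        if not frame.startswith(("java.", "sun.", "jdk.")):
            return frame
    return None


if __name__ == "__main__":
    recs = parse_behavior_log(SAMPLE)
    for rec in recs:
        print(rec["ts"], rec["action"], "->", rec["target"], "| entry:", entry_frame(rec))
    print("commands:", executed_commands(recs))
```

Reading the file this way turns a debug-only text log into a list of every file the application opened and every command it ran per request URL, which is the quickest way to see what a suspicious JSP actually did; remember to switch the option off again afterwards, as the page says.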