日志说明

存储路径

OpenRASP 默认会开启文件日志,存储路径如下:

  • Java 版本: <app_home>/rasp/logs/alarm/*.log*
  • PHP 版本: <openrasp_rootdir>/logs/alarm/*.log

值得注意的是,Java 版本当前的报警没有日期,只有日志滚动之后才会有日期,e.g

  1. /tomcat/rasp/logs/alarm/alarm.log
  2. /tomcat/rasp/logs/alarm/alarm.log.2018-12-04
  3. ...

对于 PHP 版本,报警日志总是会带有日期,e.g

  1. /opt/rasp/logs/alarm/alarm.log.2018-12-16

不过,由于 PHP 本身的限制,有些日志还是会打印到 PHP 错误日志里,比如 INI 配置错误。

日志类型

OpenRASP 包含四类日志,

文件名文件内容
plugin/plugin-DATE.log检测插件的日志,e.g 插件异常、插件调试输出
rasp/rasp-DATE.lograsp agent 调试日志
alarm/alarm-DATE.log攻击报警日志,JSON 格式,一行一个
policy_alarm/policy_alarm-DATE.log安全基线检查报警日志,JSON 格式,一行一个

日志格式

1. 攻击日志格式

当发生攻击事件时,OpenRASP 将会记录以下信息,

字段说明
rasp_idRASP agent id
app_id应用ID
event_type日志类型,固定为 attack 字样
event_time事件发生时间
request_id当前请求ID
request_method请求方法
intercept_state拦截状态
attack_source攻击来源 IP
target被攻击目标域名
server_hostname被攻击的服务器主机名
server_ip被攻击目标 IP
server_type应用服务器类型
server_version应用服务器版本
path当前URL,不包含参数
url当前URL,包含完整GET参数
attack_type攻击类型
attack_params攻击参数
attack_source请求来源
client_ip客户端真实IP地址,请参考 其他配置选项 进行配置
plugin_name报告攻击插件名称
plugin_confidence检测结果可靠性,插件返回
plugin_message检测结果信息
plugin_algorithm插件检测算法
header请求header信息
stack_trace当前调用堆栈
body当前请求的body,如果有

一个完整的 JSON 日志样例如下:

  1. {
  2. "attack_type": "xss_userinput",
  3. "request_method": "get",
  4. "server_version": "7.0.78.0",
  5. "path": "/vulns/017-xss.jsp",
  6. "event_type": "attack",
  7. "attack_params": {
  8. "name": "input",
  9. "value": "<script>alert(1)</script>"
  10. },
  11. "server_ip": "127.0.0.1",
  12. "client_ip": "",
  13. "attack_source": "127.0.0.1",
  14. "app_id": "1e46d1ae2cec7966343c1c1455cdb9ea3c356662",
  15. "server_nic": [
  16. {
  17. "name": "eth0",
  18. "ip": "172.24.172.168"
  19. }
  20. ],
  21. "intercept_state": "log",
  22. "plugin_confidence": 100,
  23. "plugin_algorithm": "xss_userinput",
  24. "plugin_name": "java_builtin_plugin",
  25. "server_hostname": "devnull",
  26. "url": "http://127.0.0.1:8080/vulns/017-xss.jsp?input=%3cscript%3ealert(1)%3c%2fscript%3e",
  27. "target": "127.0.0.1",
  28. "header": {
  29. "referer": "http://127.0.0.1:8080/vulns/017-xss.jsp",
  30. "accept-language": "en-US,en;q=0.9,fr;q=0.8,zh-CN;q=0.7,zh;q=0.6,zh-TW;q=0.5,hr;q=0.4,ja;q=0.3,pt;q=0.2,la;q=0.1",
  31. "cookie": "JSESSIONID=E51A4982D9E62B1C49F1B522404C6AA7; 89facc616a91c8542b4120d0985ae97c=r7f62uq42ihucmdt4j53kufepj",
  32. "host": "127.0.0.1:8080",
  33. "upgrade-insecure-requests": "1",
  34. "connection": "keep-alive",
  35. "cache-control": "no-cache",
  36. "pragma": "no-cache",
  37. "accept-encoding": "gzip, deflate, br",
  38. "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.1453.93 Safari/537.36",
  39. "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"
  40. },
  41. "stack_trace": "org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java)\norg.apache.catalina.connector.Response.finishResponse(Response.java:537)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:483)\norg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)\norg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)\norg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:748)",
  42. "rasp_id": "18619d5f553f0fc31a4e4f0eb96b2564",
  43. "request_id": "3ff7d8cae4d3441e927433a1161be89c",
  44. "source_code": [
  45. "",
  46. "this.outputBuffer.close();",
  47. "",
  48. "this.adapter.service(this.request, this.response);",
  49. "",
  50. "state = this.this$0.handler.process(this.socket, this.status);",
  51. "runnable.run();",
  52. "this.this$0.runWorker(this);",
  53. "this.wrappedRunnable.run();",
  54. "this.target.run();"
  55. ],
  56. "event_time": "2019-05-27T14:36:42+0800",
  57. "plugin_message": "Reflected XSS attack detected, parameter name: input",
  58. "server_type": "tomcat"
  59. }
2. 安全基线检查日志

当检测到不符合安全规范的配置时,OpenRASP 将会记录以下信息:

字段说明
event_type日志类型,固定为 security_policy 字样
event_time事件发生时间
server_hostname服务器主机名
server_nic服务器IP
server_type应用服务器类型
server_version应用服务器版本
policy_id匹配的策略编号
policy_params基线报警额外参数,比如 PID
message不符合规范的配置说明
stack_trace当前调用堆栈,某些情况可能为空

一个完整的 JSON 日志样例如下:

  1. {
  2. "event_type": "security_policy",
  3. "event_time" : "2017-04-01T08:00:00Z",
  4. "policy_id": "3002",
  5. "server_hostname": "my-bloodly-hostname",
  6. "server_nic": {
  7. {
  8. "name": "eth0",
  9. "ip": "10.10.1.131"
  10. },
  11. {
  12. "name": "eth0",
  13. "ip": "192.168.1.150"
  14. }
  15. },
  16. "server_type": "Tomcat",
  17. "stack_trace": "org.apache.catalina.startup.Catalina.start(Catalina.java)\nsun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\nsun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:606)\norg.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)\norg.apache.catalina.startup.Bootstrap.main(Bootstrap.java:428)\n"
  18. "server_version": "7.0.15",
  19. "message": "Tomcat 不应该以root权限启动",
  20. "policy_params": {
  21. "pid": 1023
  22. }
  23. }
3. 应用行为日志

当你在管理后台 -> 防护设置里,开启 打印「行为日志」,仅用于调试,请勿在线上开启 后,我们会在 plugin.log 里打印应用的行为日志,样例如下:

  1. 2021-01-04 10:11:39,627 INFO [http-bio-8080-exec-2][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Read file: /usr/local/apache-tomcat-7.0.78/webapps/vulns/004-command-1.jsp
  2. 2021-01-04 10:11:40,882 INFO [http-bio-8080-exec-1][com.baidu.openrasp.plugin.js.log] http://127.0.0.1:8080/vulns/004-command-1.jsp [official] Execute command: cp /etc/passwd /tmp/ [ 'java.lang.UNIXProcess.<init>',
  3. 'java.lang.ProcessImpl.start',
  4. 'java.lang.ProcessBuilder.start',
  5. 'java.lang.Runtime.exec',
  6. 'java.lang.Runtime.exec',
  7. 'java.lang.Runtime.exec',
  8. 'org.apache.jsp._004_002dcommand_002d1_jsp._jspService',
  9. 'org.apache.jasper.runtime.HttpJspBase.service',
  10. 'javax.servlet.http.HttpServlet.service',
  11. 'org.apache.jasper.servlet.JspServletWrapper.service',
  12. 'org.apache.jasper.servlet.JspServlet.serviceJspFile',
  13. 'org.apache.jasper.servlet.JspServlet.service',
  14. 'javax.servlet.http.HttpServlet.service',
  15. 'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
  16. 'org.apache.catalina.core.ApplicationFilterChain.doFilter',
  17. 'org.apache.tomcat.websocket.server.WsFilter.doFilter',
  18. 'org.apache.catalina.core.ApplicationFilterChain.internalDoFilter',
  19. 'org.apache.catalina.core.ApplicationFilterChain.doFilter',
  20. 'org.apache.catalina.core.StandardWrapperValve.invoke',
  21. 'org.apache.catalina.core.StandardContextValve.invoke',
  22. 'org.apache.catalina.authenticator.AuthenticatorBase.invoke',
  23. 'org.apache.catalina.core.StandardHostValve.invoke',
  24. 'org.apache.catalina.valves.ErrorReportValve.invoke',
  25. 'org.apache.catalina.valves.AccessLogValve.invoke',
  26. 'org.apache.catalina.core.StandardEngineValve.invoke',
  27. 'org.apache.catalina.connector.CoyoteAdapter.service',
  28. 'org.apache.coyote.http11.AbstractHttp11Processor.process',
  29. 'org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process',
  30. 'org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run',
  31. 'java.util.concurrent.ThreadPoolExecutor.runWorker',
  32. 'java.util.concurrent.ThreadPoolExecutor$Worker.run',
  33. 'org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run',
  34. 'java.lang.Thread.run' ]