Hi,

Hopefully this is the right repo (but could be https://github.com/owasp-modsecurity/ModSecurity/tree/v3/master)

I'm searching for a blog/documentation on the process to bring modsecurity to an already running system without causing any disruption.
Ingress-Nginx helm allows to almost transparently enable mod-security: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#modsecurity-snippet

But as the following recommended setting is showing: https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended#L7 start with DetectionOnly then turn it on.

Now I want to discuss the process between the 2 stages.

My initial thought process was:

1. Enable detection only
2. Review what would be blocked
3. Introduce skip rules when they are false positive
4. Continue reviewing what would be blocked, ignoring the ones skipped already
5. Enable Enforce On

First issue, while in detection only we found that SecAuditLogParts ABIJDEFHZ was printing too much details including body token/password. So we restricted to SecAuditLogParts AHKZ but now the log doesn't show the actual domain but only the path. Is that expected? Is there an alternative?

In detection only, nothing should be blocked thus if a rule was to be blocked when turned on it would still be a 200 right? Thus if setting SecAuditLogRelevantStatus "^(?:5|4(?!04))" wouldn't that make only print the blocked queries from other means?

Step 4, "reviewing what would still be blocked but ignoring the ones skipped" seems tricky. In Detection Only everything returns 200 and skipped rules don't seem to apply. Am I wrong here? Is there a flag in detection only that could show the rule would be skipped in non detection only?

Happy to get your input or be sent to a full breakdown on how one brought this live