Logging is an important security mechanism: it records events so that they can be audited later. Security-relevant events such as administrative actions, login successes and failures, and password changes or resets should always be logged. When logging, never write sensitive data such as passwords, and be careful both with tainted (user-controlled) data and with excessive volume, since either can hinder later analysis. Log files are also vulnerable to spoofing (log forging) if CRLF sequences in user input are not neutralized before the input is written to the log.
2. Logging Core Concepts
• What happened?
• Who was doing what, when & where?
• Important to have an application log in addition to the server log
• Not just bugs & error events…
Determine what security events should be auditable.
For example:
• Use of administrative functions
• Login success & failures
• Password reset attempts
• Password changes
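As an added example (not code from the original slides), a small structured audit logger in Python that records who, what, when and where for each of the events listed above, on its own logger so audit records stay separate from the general application log. The event names, field names, and the sample actors and addresses are assumptions chosen for illustration.

```python
import json
import logging
from datetime import datetime, timezone

# Events this application treats as auditable: the list from the slide above.
# Names are an assumption for this example.
AUDITABLE_EVENTS = {
    "admin.action", "login.success", "login.failure",
    "password.reset", "password.change",
}


def audit_record(event, actor, source_ip, outcome, target=None, **details):
    """Build one audit record answering who / what / when / where.

    `event` must be one of AUDITABLE_EVENTS so new code cannot silently emit an
    unclassified security event; `details` may add fields but never overwrite
    the required ones.
    """
    if event not in AUDITABLE_EVENTS:
        raise ValueError("not an auditable event: %r" % (event,))
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),  # when
        "event": event,                                      # what
        "actor": actor,                                      # who
        "target": target if target is not None else actor,  # on whom / on what
        "src_ip": source_ip,                                 # from where
        "outcome": outcome,                                  # success / failure / denied
    }
    for key in details:
        if key in record:
            raise ValueError("detail %r would overwrite a required field" % (key,))
    record.update(details)
    return record


class JsonLineFormatter(logging.Formatter):
    """Emit the audit dict attached to the record as one JSON line."""
    def format(self, record):
        return json.dumps(record.audit, sort_keys=True, separators=(",", ":"))


def make_audit_logger(sink):
    """Dedicated 'audit' logger writing JSON lines to `sink` (a list here; a
    file or syslog handler in production). propagate=False keeps audit events
    out of the general application/server log so the two cannot be confused."""
    logger = logging.getLogger("audit")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)

    class ListHandler(logging.Handler):
        def emit(self, record):
            sink.append(self.format(record))

    handler = ListHandler()
    handler.setFormatter(JsonLineFormatter())
    logger.addHandler(handler)
    return logger


def audit(logger, event, actor, source_ip, outcome, target=None, **details):
    """Validate and write one audit event; returns the record that was logged."""
    rec = audit_record(event, actor, source_ip, outcome, target, **details)
    logger.info("audit", extra={"audit": rec})
    return rec


def parse_audit_line(line):
    """Read one JSON audit line back (what a log pipeline or analyst would do)."""
    return json.loads(line)


if __name__ == "__main__":
    # Constructed sample events, not real traffic.
    lines = []
    log = make_audit_logger(lines)
    audit(log, "login.failure", "alice", "203.0.113.7", "failure", reason="bad_password")
    audit(log, "password.reset", "helpdesk-bob", "10.0.0.12", "success", target="alice")
    audit(log, "admin.action", "root", "10.0.0.2", "success", action="disable_user", target="mallory")
    print("\n".join(lines))
```

Every line carries the same required keys, so an analyst can answer "who did what, when, from where, with what result" for any record without guessing at free-text messages, and the allowlist makes it a code-review question whenever someone wants to add a new event type.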
3. Logging Words to Live By
Avoid logging sensitive data (e.g., passwords)
Beware of logging tainted data to the logs
Beware of logging excessive data
Beware of potential log spoofing
4. Logging Words to Live By: #1
The problem
– Information written to log files can be of a sensitive nature and give
valuable guidance to an attacker or expose sensitive user
information.
Avoid logging sensitive data (e.g., passwords)
6. Secure Coding …
Consider seriously the sensitivity of the information written
into log files. Do not write secrets into the log files.
– Passwords
– Credit card information
– Trade secrets
– Social security number
– Medical data
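An added example, not part of the original deck: a Python `logging` filter that scrubs the kinds of secrets listed above from records before a handler writes them. The key names it recognises, the redaction markers and the sample messages are assumptions for this example; candidate card numbers are confirmed with the Luhn check so ordinary numeric IDs are not masked.

```python
import logging
import re

# Secrets in key=value or JSON form: password=..., "token": "...", api_key: ...
# The list of key names is an assumption; extend it for your own field names.
_KV_SECRET = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)'
    r'(["\']?\s*[=:]\s*)(["\']?)([^\s,;"\']+)')
_SSN = re.compile(r'\b\d{3}-\d{2}-\d{4}\b')
# 13-19 digits with optional space/dash separators, starting and ending on a digit.
_CARD = re.compile(r'\b\d(?:[ -]?\d){12,18}\b')


def _luhn_ok(digits):
    """Luhn checksum; True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _redact_card(m):
    digits = re.sub(r'[ -]', '', m.group(0))
    if _luhn_ok(digits):
        return '[CARD-' + digits[-4:] + ']'   # keep last four for correlation
    return m.group(0)                          # not a card number: leave it


def redact(text):
    """Mask secrets in a string that is about to be written to a log."""
    text = _KV_SECRET.sub(
        lambda m: m.group(1) + m.group(2) + m.group(3) + '[REDACTED]', text)
    text = _SSN.sub('[SSN]', text)
    return _CARD.sub(_redact_card, text)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record it writes is scrubbed, whichever
    logger produced it. The message is rendered first so %-args are covered."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def make_logger(sink):
    """Application logger whose handler redacts before writing to `sink`
    (a list here; a file handler in production)."""
    logger = logging.getLogger("app")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)

    class ListHandler(logging.Handler):
        def emit(self, record):
            sink.append(self.format(record))

    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter('%(levelname)s %(message)s'))
    logger.addHandler(handler)
    return logger


if __name__ == '__main__':
    # Constructed sample messages, not real data.
    lines = []
    log = make_logger(lines)
    log.info("password change for %s: new password=%s", "alice", "hunter2")
    log.info('request body: {"user": "bob", "password": "s3cret!"}')
    log.info("card 4111 1111 1111 1111 charged; order 1234567890123 shipped")
    log.info("ssn 123-45-6789 on file")
    print("\n".join(lines))
```

The filter sits on the handler, not on a logger, so records from third-party libraries that propagate to the same handler are scrubbed too. It is defence in depth, not a substitute for keeping secrets out of logging calls in the first place: it does not see exception tracebacks or `extra` fields, and any secret in a format it does not recognise goes through untouched.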
7. Logging Words to Live By: #2
The problem
– The software does not neutralize or incorrectly neutralizes output
that is written to logs.
Beware of logging tainted (user-controlled) data
8. Logging Words to Live By: #3
The problem
– The software logs too much information, making log files hard to
process and possibly hindering recovery efforts or forensic analysis
after an attack.
Beware of logging excessive data
9. Logging Words to Live By: #4
The problem
– The software uses CRLF (carriage return / line feed) as a special
element, e.g., to separate lines or records, but it does not neutralize or
incorrectly neutralizes CRLF sequences from inputs.
Beware of potential log spoofing
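As an added example (not from the original slides) for points #2, #3 and #4 together: the vulnerable pattern that writes an attacker-controlled username straight into a log line, beside a hardened version that neutralizes control characters (CR and LF included) and truncates over-long values. The log line format, the field name and the forged username are assumptions constructed for this example.

```python
import re

# C0 control characters (CR, LF, TAB, ESC, ...) and DEL: none belong in a log field.
_CONTROL = re.compile(r'[\x00-\x1f\x7f]')
_NAMED = {'\r': '\\r', '\n': '\\n', '\t': '\\t'}


def sanitize_for_log(value, max_len=256):
    """Neutralize untrusted text before it is written to a log record.

    Control characters are escaped rather than dropped, so the record still
    shows that an injection was attempted; over-long values are truncated so
    one request cannot flood the log (the "excessive data" problem).
    """
    text = _CONTROL.sub(
        lambda m: _NAMED.get(m.group(0)) or '\\x%02x' % ord(m.group(0)), value)
    if len(text) > max_len:
        text = text[:max_len] + '...[truncated %d chars]' % (len(text) - max_len)
    return text


def naive_login_entry(username, ok):
    # Vulnerable: the attacker-controlled username is written verbatim.
    return 'INFO login %s user=%s' % ('succeeded' if ok else 'failed', username)


def safe_login_entry(username, ok):
    # Hardened: the field is neutralized and quoted so its boundaries are unambiguous.
    return 'INFO login %s user="%s"' % (
        'succeeded' if ok else 'failed', sanitize_for_log(username))


def entries(log_text):
    """Split raw log text into records the way a log viewer or SIEM would."""
    return log_text.splitlines()


# Constructed attacker input: a username that carries a fake second record.
FORGED_USERNAME = 'mallory\r\nINFO login succeeded user=admin'

if __name__ == '__main__':
    # With the naive code, one failed login for "mallory" becomes two records,
    # the second a convincing successful login for "admin".
    for line in entries(naive_login_entry(FORGED_USERNAME, False)):
        print('naive:', line)
    # The hardened code keeps everything on one line with the CRLF visible.
    for line in entries(safe_login_entry(FORGED_USERNAME, False)):
        print('safe: ', line)
    print('safe: ', sanitize_for_log('\x1b[31mred'))      # ESC neutralized too
    print('safe: ', sanitize_for_log('a' * 300)[-30:])     # truncated
```

Escaping is preferable to silently stripping: a record containing a literal `\r\n` is itself evidence worth alerting on. Quoting the field in addition to escaping stops a value containing spaces from being read as extra key=value pairs. Where the log format is structured (JSON lines), the serializer does the escaping, which is a further argument for the structured audit log.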