R075. Record exceptional events in logs

Requirement

The system must register all exceptional and security events in logs.

Description

The organization must properly record the exceptional and security events in duly protected logs (confidentiality), considering that an event of this type should not show confidential or detailed information of the problem in error messages to prevent the use of that information by an attacker or malicious user.

Recorded events allow error pages to display simple generic messages, alerting end users that an error has occurred, with some option to contact support.

The details of how to address these problems should be kept securely stored in a previously defined log storage. When an event of this type is not properly recorded, a malicious behavior can be proven difficult to detect or a forensic analysis can be obstructed in case an attack is successful.

Implementation

  1. Use a centralized logging mechanism that supports several levels of detail. Make sure all events related to successes and failures are recorded.

  2. Make sure that the logging level is properly configured for production environments. Enough information must be recorded to allow a system administrator to detect attacks, diagnose errors and recover from attacks. On the other hand, recording too much information can lead to the same problems (CWE-779).

Attacks

Given the scenario that critical security information is not recorded, an attacker can perform an attack that will not leave a trace during a forensic analysis. Therefore, discovering the cause of the problem, or the origin of one or several attacks, can prove to be very difficult or impossible.

Attributes

  • Layer: Application layer

  • Asset: Logs

  • Scope: Responsibility

  • Phase: Operation

  • Type of control: Procedure

References

  1. CIS Controls. 4.8 Log and Alert on Changes to Administrative Group Membership. Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

  2. CIS Controls. 4.9 Log and Alert on Unsuccessful Administrative Account Login. Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

  3. CIS Controls. 6.2 Activate Audit Logging. Ensure that local logging has been enabled on all systems and networking devices.

  4. CWE-390: Detection of Error Condition Without Action. The software detects a specific error, but takes no actions to handle the error.

  5. CWE-544: Missing Standardized Error Handling Mechanism. The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.

  6. CWE-778: Insufficient Logging. When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.

  7. GDPR. Art. 33: Notification of a personal data breach to the supervisory authority.(5) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

  8. HIPAA Security Rules 164.312(b): Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

  9. ISO 27001:2013. Annex A - 12.4.1 Store, maintain and regularly review records of user activities, exceptions, failures and information security events.

  10. ISO 27001:2013. Annex A - 12.4.3 Record operator and administrator actions in logs, and protect and regularly review the records.

  11. NERC CIP-007-6. B. Requirements and measures. R4.1 Log events for identification of, and after-the-fact investigations of, Cyber Security Incidents.

  12. OWASP Top 10 A10:2017-Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

  13. OWASP-ASVS v4.0.1 V1.7 Errors, Logging and Auditing Architectural Requirements.(1.7.1) Verify that a common logging format and approach is used across the system.

  14. OWASP-ASVS v4.0.1 V7.1 Log Content Requirements.(7.1.3) Verify that the application logs security relevant events including successful and failed authentication events, access control failures, deserialization failures and input validation failures.

  15. OWASP-ASVS v4.0.1 V7.1 Log Content Requirements.(7.1.4) Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens.

  16. OWASP-ASVS v4.0.1 V7.2 Log Processing Requirements.(7.2.1) Verify that all authentication decisions are logged, without storing sensitive session identifiers or passwords. This should include requests with relevant metadata needed for security investigations.

  17. OWASP-ASVS v4.0.1 V7.2 Log Processing Requirements.(7.2.2) Verify that all access control decisions can be logged and all failed decisions are logged. This should include requests with relevant metadata needed for security investigations.

  18. OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.5) Verify accessing sensitive data is audited (without logging the sensitive data itself), if the data is collected under relevant data protection directives or where logging of access is required.

  19. OWASP-ASVS v4.0.1 V9.2 Server Communications Security Requirements.(9.2.5) Verify that backend TLS connection failures are logged.

  20. OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.7) Verify the application monitors for unusual events or activity from a business logic perspective. For example, attempts to perform actions out of order or actions which a normal user would never attempt.

  21. PCI DSS v3.2.1 - Requirement 10.2.1 Implement automated audit trails for all system components to reconstruct all individual user accesses to cardholder data.

  22. PCI DSS v3.2.1 - Requirement 10.2.2 Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.

  23. PCI DSS v3.2.1 - Requirement 10.2.3 Implement automated audit trails for all system components to reconstruct access to all audit trails.

  24. PCI DSS v3.2.1 - Requirement 10.2.4 Implement automated audit trails for all system components to reconstruct invalid logical access attempts.

  25. PCI DSS v3.2.1 - Requirement 10.2.5 Implement automated audit trails for all system components to reconstruct use of and changes to identification and authentication mechanisms and all changes, additions, or deletions to accounts with root or administrative privileges.

  26. PCI DSS v3.2.1 - Requirement 10.2.6 Implement automated audit trails for all system components to reconstruct initialization, stopping, or pausing of the audit logs.

  27. PCI DSS v3.2.1 - Requirement 10.2.7 Implement automated audit trails for all system components to reconstruct creation and deletion of system-level objects.

  28. PCI DSS v3.2.1 - Appendix A1 A1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.

Service status - Terms of Use - Privacy Policy - Cookie Policy