R322. Avoid excessive logging

Requirement

The system must not register unnecessary information when logging exceptional events.

Description

While event logging is generally a good security practice, the organization must consider that verbose logging levels are only appropriate for development environments: too much log information in production stages may hinder a system administrator's ability to detect abnormal conditions. As a result, an attacker and their attack may remain hidden while trying to penetrate the system, the audit trail available for forensic analysis may be diluted, and the debugging of issues in production environments may be hindered.

Implementation

  1. Drop large volumes of duplicated log records and replace them with periodic summary messages. For example, syslog may register a repetition event saying "the last message was repeated X times", in order to avoid logging the same event multiple times.

  2. Set a maximum size for log files. If the maximum size is reached, the system administrator must be notified. You may also consider reducing subsystem functionalities. This may cause a denial of service for all users, but it prevents a misbehaving subsystem from negatively impacting the overall system.

  3. Properly adjust system settings when changing from the debugging to the production stage.
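The three steps above, as an added example that is not part of the original requirement text: a small Python logging handler that collapses consecutive duplicate records into a "last message repeated N times" summary (step 1), notifies an operator once the written volume passes a size cap (step 2), and runs under a production-level threshold that drops DEBUG records (step 3). The handler class, the `max_bytes` cap, the `notify` callback and the sample events are all constructed for this illustration.

```python
import logging
from typing import Callable

class SummarizingHandler(logging.Handler):
    # Collapses consecutive duplicates into "last message repeated N times"
    # and notifies once the written volume exceeds max_bytes (steps 1 and 2).
    def __init__(self, max_bytes: int, notify: Callable[[int], None]) -> None:
        super().__init__()
        self.lines: list[str] = []          # stand-in for the file/syslog sink
        self.max_bytes, self.notify = max_bytes, notify
        self._written, self._notified = 0, False
        self._last, self._repeats = None, 0
    def _write(self, line: str) -> None:
        self.lines.append(line)
        self._written += len(line.encode()) + 1      # +1 for the newline
        if self._written > self.max_bytes and not self._notified:
            self._notified = True                     # alert the operator once
            self.notify(self._written)
    def _flush_repeats(self) -> None:
        if self._repeats:
            self._write(f"last message repeated {self._repeats} times")
            self._repeats = 0
    def emit(self, record: logging.LogRecord) -> None:
        line = self.format(record)
        if line == self._last:
            self._repeats += 1                        # count instead of writing
            return
        self._flush_repeats()
        self._last = line
        self._write(line)
    def close(self) -> None:
        self._flush_repeats()                         # keep the trailing summary
        super().close()

# Constructed sample events; the DEBUG record is dropped by the production level.
DUP = (logging.WARNING, "login failed for user alice")
EVENTS = [(logging.DEBUG, "cache miss for key k1")] + [DUP] * 3 + [(logging.INFO, "session established"), DUP]

def run_demo(events=EVENTS, max_bytes: int = 100) -> tuple[list[str], list[int]]:
    alerts: list[int] = []                            # byte counts that triggered a notification
    handler = SummarizingHandler(max_bytes, alerts.append)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log = logging.getLogger("r322.demo")
    log.handlers.clear()
    log.addHandler(handler)
    log.setLevel(logging.INFO)                        # production setting, not DEBUG (step 3)
    log.propagate = False
    for level, msg in events:
        log.log(level, msg)
    handler.close()
    return handler.lines, alerts
```

With the 100-byte cap, three identical warnings become one line plus a summary, and the fourth line pushes the volume past the cap and fires the notification once.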

Attacks

  1. System performance may suffer when log files become excessively large and consume too many resources.

  2. When too much information is stored in logs, they lose their value both for troubleshooting to recover from an attack and for forensic analysis.

  3. If administrators are unable to process log files effectively, attack attempts may go unnoticed, eventually compromising the security of the system.

Attributes

  • Layer: Application layer

  • Asset: Logs

  • Scope: Integrity

  • Phase: Operation

  • Type of control: Procedure

References

  1. CWE-779: Logging of Excessive Data. The software logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.

  2. OWASP ASVS v4.0.1 V1.7 Errors, Logging and Auditing Architectural Requirements. (1.7.1) Verify that a common logging format and approach is used across the system.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.