Young hacker smiling

REQ.075 Record exceptional events in logs

This document contains the details of the security requirements related to the definition and management of Logs. This requirement establishes the importance of recording exceptional and security events in logs, allowing the backtracking and proper response in an undesired scenario.

Requirement

The system must register all exceptional and security events in logs.

Description

The organization must properly record the exceptional and security events in duly protected log (confidentiality), considering that an event of this type should not show confidential or detailed information of the problem in error messages to prevent the use of that information on the part of an attacker or malicious user.

Recorded events allow error pages to display simple generic messages, alerting end users that an error has occurred, with some option to contact support.

The detail of how to address these problems should be kept securely stored in a previously defined log storage. When an event of these types is not properly recorded, a malicious behavior can be proven difficult to detect or a forensic analysis can be obstructed in case an attack is successful.

Implementation

  1. Use a centralized logging mechanism that supports several levels of detail. Make sure all events related to successes and failures are recorded.

  2. Make sure that the logging level is properly configured for production environments. Enough information must be recorded to allow a system administrator to detect attacks, diagnose errors and recover from attacks. On the other hand, recording too much information can lead to the same problems (CWE-779).

Attacks

Given the scenario that critical security information is not recorded, an attacker can perform an attack that won’t leave a trace during a forensic analysis, therefore discovering the cause of the problem or the origin of one or several attacks can prove to be very difficult or impossible.

Attributes

  • Layer: Application Layer.

  • Asset: Logs

  • Scope: Responsibility.

  • Phase: Operation.

  • Type of Control: Procedure.

References

  1. OWASP - CodeReview-Error-Handling.

  2. OWASP - Proactive Controls.

  3. OWASP - Exception Handling.

  4. CWE - Insufficient logging.

  5. HIPAA Security Rules 164.312(b): Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.


Service status - Terms of Use