CWE-778: Insufficient Logging
Description
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Submission Date :
July 2, 2009, midnight
Modification Date :
2023-06-29 00:00:00+00:00
Organization :
MITRE
Extended Description
When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.
As organizations adopt cloud storage resources, these technologies often require configuration changes to enable detailed logging information, since detailed logging can incur additional costs. This could lead to telemetry gaps in critical audit logs. For example, in Azure, the default value for logging is disabled.
Example - 1
The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF).
<serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="None"messageAuthenticationAuditLevel="None" /><behavior name="NewBehavior">...<serviceBehaviors><behaviors><system.serviceModel></system.serviceModel>The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts.
Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (CWE-779).
<serviceSecurityAudit auditLogLocation="Default"suppressAuditFailure="false"serviceAuthorizationAuditLevel="SuccessAndFailure"messageAuthenticationAuditLevel="SuccessAndFailure" /><behavior name="NewBehavior">...<serviceBehaviors><behaviors><system.serviceModel></system.serviceModel>Example - 2
In the following Java example the code attempts to authenticate the user. If the login fails a retry is made. Proper restrictions on the number of login attempts are of course part of the retry functionality. Unfortunately, the failed login is not recorded and there would be no record of an adversary attempting to brute force the program.
// Login successfulRunProgram();
// Login unsuccessfulLoginRetry();if LoginUser(){} else {}It is recommended to log the failed login action. Note that unneutralized usernames should not be part of the log message, and passwords should never be part of the log message.
// Login successfullog.warn("Login by user successful.");RunProgram();
// Login unsuccessfullog.warn("Login attempt by user failed, trying again.");LoginRetry();if LoginUser(){} else {}Example - 3
Consider this command for updating Azure's Storage Logging for Blob service, adapted from [REF-1307]:
az storage logging update --account-name --account-key --services b --log d --retention 90The "--log d" portion of the command says to log deletes. However, the argument does not include the logging of writes and reads. Adding the "rw" arguments to the -log parameter will fix the issue:
az storage logging update --account-name --account-key --services b --log rwd --retention 90To enable Azure's storage analytic logs programmatically using PowerShell:
Set-AzStorageServiceLoggingProperty -ServiceType Queue -LoggingOperations read,write,delete -RetentionDays 5 -Context $MyContextObjectNotice that here, the retention has been limited to 5 days.
Related Weaknesses
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined to give an overview of the different insight to similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.