Python / PY-A6006

Audit required: Configuring loggers can be security-sensitive

Severity: Minor
Category: Security
Tags: cwe, cwe-532, a09, cwe-778, sans-top-25, owasp-top-10

This issue highlights code that configures loggers. Such code should be audited to make sure no sensitive information is being logged. Since this is an audit issue, some occurrences may be harmless; the goal is to bring the configuration to attention. Please go through the Audit Checklist later in the description. If an occurrence does not seem to be valid, feel free to ignore it.

The configuration determines what information is logged and how it is logged. Logs might contain sensitive information (credentials, session tokens, personal data) that malicious users can exploit, but they must still contain enough information to understand the damage an attacker might have inflicted.

Audit Checklist: Make sure these points are taken care of:

  • Logs don't contain sensitive information. This can easily happen when the logger is left in debug mode, since debug output often dumps whole requests, responses or objects.
  • Logs aren't growing without limit. This happens when additional information is written to the log every time a user performs an action and the user can perform that action any number of times.
  • Logs contain enough information to understand the damage, in case there's a security incident (who, from where, what and when).
  • Log format is easy to parse and process automatically. Processing logs rapidly is important in case of an attack.
  • Logs are stored in a secure location which is only accessible to system administrators (for example, a directory and files with restrictive permissions).
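The following is an added example, not part of the DeepSource rule or its documentation: a single dictConfig that addresses each checklist item in turn. RedactSecrets, JsonFormatter, OwnerOnlyRotatingFileHandler, the SENSITIVE_KEYS list, the "app" logger name and the sample failed-login event are all illustrative assumptions, not anything the rule prescribes.

```python
import json
import logging
import logging.config
import os
import re
import tempfile
from logging.handlers import RotatingFileHandler

# Assumed list of field names treated as secrets; extend it for your application.
SENSITIVE_KEYS = ("password", "passwd", "token", "secret", "authorization", "api_key")
_SENSITIVE_RE = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b(\s*[=:]\s*)((?:bearer|basic)\s+)?(\S+)"
)


def redact(text):
    """Replace the value after every recognised secret key, keeping the key
    (and an HTTP auth scheme such as 'Bearer') so the line stays readable."""
    return _SENSITIVE_RE.sub(r"\1\2\3[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Checklist item 1: scrub secrets before any handler sees the record,
    so a DEBUG-level handler cannot leak them either."""

    def filter(self, record):
        record.msg = redact(record.getMessage())  # interpolate %-args, then scrub
        record.args = ()                          # already interpolated
        return True


class JsonFormatter(logging.Formatter):
    """Checklist items 3 and 4: one JSON object per line (who, from where, what, when)."""

    def format(self, record):
        payload = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S%z"),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        for key in ("user", "src_ip", "event"):   # supplied via extra={...}
            if hasattr(record, key):
                payload[key] = getattr(record, key)
        return json.dumps(payload)


class OwnerOnlyRotatingFileHandler(RotatingFileHandler):
    """Checklist items 2 and 5: size-capped rotation; every file created is 0600 on POSIX."""

    def _open(self):
        fd = os.open(self.baseFilename, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        return os.fdopen(fd, self.mode, encoding=self.encoding)


def build_config(log_path, max_bytes=5 * 1024 * 1024, backups=5):
    """dictConfig-compatible configuration for the (assumed) 'app' logger."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "filters": {"redact": {"()": RedactSecrets}},
        "formatters": {"json": {"()": JsonFormatter}},
        "handlers": {
            "audit_file": {
                "()": OwnerOnlyRotatingFileHandler,
                "filename": log_path,
                "maxBytes": max_bytes,
                "backupCount": backups,
                "formatter": "json",
                "filters": ["redact"],
            }
        },
        "loggers": {"app": {"handlers": ["audit_file"], "level": "INFO", "propagate": False}},
    }


def permissions_ok(mode):
    """Checklist item 5, checked on POSIX only: owner read/write and nothing else."""
    return os.name != "posix" or mode == 0o600


def demo(log_dir):
    """Log a constructed failed-login event carrying a secret; return (records, mode bits)."""
    log_path = os.path.join(log_dir, "app.log")
    logging.config.dictConfig(build_config(log_path))
    log = logging.getLogger("app")
    # Constructed sample event: the password must never reach the disk.
    log.info("login failed user=%s password=%s", "alice", "hunter2",
             extra={"user": "alice", "src_ip": "203.0.113.7", "event": "auth.fail"})
    log.debug("raw token=abc123")                 # below INFO: never emitted
    with open(log_path, encoding="utf-8") as fh:
        records = [json.loads(line) for line in fh if line.strip()]
    return records, os.stat(log_path).st_mode & 0o777


def run_demo():
    """Run demo() in a throw-away directory, closing the handlers afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        records, mode = demo(tmp)
        for handler in logging.getLogger("app").handlers:
            handler.close()
    return records, permissions_ok(mode)
```

Calling run_demo() writes one JSON line whose msg reads "login failed user=alice password=[REDACTED]" and reports whether the file ended up owner-only. Two caveats: the regex filter only catches key=value and key: value patterns in the rendered message, so fields passed separately via extra= need their own scrubbing, and the 0600 mode only protects the file itself; the directory and any log-shipping agent still need the same review.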

Bad practice

import logging
import os

from logging.config import fileConfig, dictConfig

# Placeholder so the snippet runs; in real code this dict (handlers, levels,
# formats) is exactly what the audit should inspect.
config = {"version": 1, "disable_existing_loggers": False}

logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))  # Level comes from the environment: check that DEBUG cannot be enabled in production.
fileConfig(fname='file.conf', disable_existing_loggers=False)  # Loading a configuration from a file should be audited (assumes file.conf exists).
dictConfig(config)  # Configuring a logger should be audited.

logging.disable()  # Disabling the logger: security events will no longer be recorded.

class SomeLogger(logging.Logger):  # A custom logger implementation should be audited.
    ...

def set_logger_class(logger_class):
    logging.setLoggerClass(logger_class)  # A custom logger implementation should be audited.

def set_logging_last_resort(last_resort):
    logging.lastResort = last_resort  # Hints at the absence of any logging configuration. It is recommended to set up logging properly.

References: