Audit required: Configuring loggers can be security-sensitive (PY-A6006)
cwe, cwe-532, a09, cwe-778, sans-top-25, owasp-top-10
This issue highlights code that initiates logger configuration. Such code should be audited to make sure no sensitive information is being logged.
Since this is an audit issue, some occurrences may be harmless. The goal is to bring the issue to your attention. Please take a look at the Audit Checklist
mentioned later in the description.
If the occurrences don't seem to be valid, please feel free to ignore them.
The configuration determines what information is logged and how it is logged. Logs might contain sensitive information (credentials, tokens, personal data) that malicious users can exploit if they gain access to the log files. At the same time, logs should contain sufficient information to understand the damage an attacker might have inflicted.
Audit Checklist: Make sure these points are taken care of:
- Logs don't contain sensitive information. This can happen when the logger is in debug mode.
- Logs aren't growing without limit. This happens when additional information is written into logs every time a user performs an action and the user can perform the action any number of times.
- Logs contain enough information to understand the damage, in case there's a security incident.
- Log format is easy to parse and process automatically. Processing logs rapidly is important in case of an attack.
- Logs are stored in a secure location which is only accessible to system administrators.
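The following is an added example, not code from the original rule page or from DeepSource, showing one `dictConfig` setup that addresses the checklist items above: a redaction filter so credential-like key/value pairs never reach the file (CWE-532), a size-capped rotating file handler so logs cannot grow without bound, a JSON-lines formatter that is easy to parse automatically, and restrictive file permissions on the log. The sensitive key list, the log location, the log messages and the credential values in them are all constructed for illustration.

```python
"""Added example (not part of the original rule page): a logging.config.dictConfig
setup that follows the audit checklist. Key names, paths and messages are
assumptions chosen for illustration."""
import json
import logging
import logging.config
import logging.handlers
import os
import re
import tempfile

# Assumption: keys whose values must never be written to the log.
SENSITIVE_KEYS = ("password", "token", "secret", "authorization")

# Matches "password=..." or "token: ..." style pairs in a free-text message.
_SECRET_RE = re.compile(r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\s*[=:]\s*\S+")


class RedactingFilter(logging.Filter):
    """Scrubs sensitive key/value pairs from the rendered message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Interpolate args first so the redaction sees the final text, then drop
        # the args: with args == () logging will not re-apply % formatting.
        record.msg = _SECRET_RE.sub(r"\1=<redacted>", record.getMessage())
        record.args = ()
        return True  # keep the record, just redacted


class JsonFormatter(logging.Formatter):
    """One JSON object per line so the logs can be parsed and processed automatically."""

    def format(self, record: logging.LogRecord) -> str:
        return json.dumps({
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        })


def build_logging_config(log_path: str, level: str = "INFO") -> dict:
    """Return a dictConfig schema: bounded rotating file, JSON lines, redaction filter."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "filters": {"redact": {"()": RedactingFilter}},
        "formatters": {"json": {"()": JsonFormatter}},
        "handlers": {
            "file": {
                "class": "logging.handlers.RotatingFileHandler",
                "filename": log_path,
                "maxBytes": 10 * 1024 * 1024,  # cap growth: 10 MiB per file
                "backupCount": 5,              # keep at most 5 rotated files
                "formatter": "json",
                "filters": ["redact"],
            }
        },
        "root": {"level": level, "handlers": ["file"]},
    }


def run_demo() -> list:
    """Configure logging into a private temp dir, emit two events, return the parsed lines."""
    log_dir = tempfile.mkdtemp(prefix="audit-demo-")  # constructed location
    log_path = os.path.join(log_dir, "app.log")
    logging.config.dictConfig(build_logging_config(log_path))
    os.chmod(log_path, 0o600)  # readable only by the service account / administrators
    log = logging.getLogger("auth")
    # Constructed sample events; the credential values are fake.
    log.info("login ok user=alice password=hunter2 token: abc123")
    log.warning("5 failed logins for user=bob from 203.0.113.7")
    for handler in logging.getLogger().handlers:
        handler.flush()
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh]


if __name__ == "__main__":
    for event in run_demo():
        print(event)
```

The redaction filter is attached to the handler rather than to a single logger so that every record reaching the file is scrubbed, including records from third-party libraries. The second event shows the other side of the checklist: the failed-login count and source address are kept, because that is the information an incident responder needs.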
Bad practice
import logging
import os
from logging.config import fileConfig, dictConfig

logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))  # Level taken from the environment should be audited.
fileConfig(fname='file.conf', disable_existing_loggers=False)  # Configuring loggers from a file should be audited.
dictConfig(config)  # Configuring a logger should be audited. `config` is assumed to be defined elsewhere.
logging.disable()  # Disabling the logger.

class SomeLogger(logging.Logger):  # A custom logger implementation should be audited.
    ...

def set_logger_class(logger_class):
    logging.setLoggerClass(logger_class)  # A custom logger implementation should be audited.

def set_logging_last_resort(last_resort):
    logging.lastResort = last_resort  # Hints at the absence of any logging configuration. It is recommended to set up logging properly.
References:
- OWASP Top 10 2021 Category A09 - Security Logging and Monitoring Failures
- CWE-532 - Insertion of Sensitive Information into Log File
- CWE-778 - Insufficient Logging