Insufficient Logging

When a security-critical event occurs, the software either does not record the event or omits important details about the event when logging it.


Description

When security-critical events are not logged properly, such as a failed login attempt, this can make malicious behavior more difficult to detect and may hinder forensic analysis after an attack succeeds.

Demonstrations

The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.

Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.

Example One

The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF).

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="NewBehavior">
        <serviceSecurityAudit auditLogLocation="Default"
        suppressAuditFailure="false"
        serviceAuthorizationAuditLevel="None"
        messageAuthenticationAuditLevel="None" />

      ...



</system.serviceModel>

The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts.

Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (CWE-779).

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="NewBehavior">
        <serviceSecurityAudit auditLogLocation="Default"
        suppressAuditFailure="false"
        serviceAuthorizationAuditLevel="SuccessAndFailure"
        messageAuthenticationAuditLevel="SuccessAndFailure" />

      ...



</system.serviceModel>

See Also

CISQ Quality Measures - Security

Weaknesses in this category are related to the CISQ Quality Measures for Security. Presence of these weaknesses could reduce the security of the software.

Audit / Logging Errors

Weaknesses in this category are related to audit-based components of a software system. Frequently these deal with logging user activities in order to identify undesir...

OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring

Weaknesses in this category are related to the A10 category in the OWASP Top Ten 2017.

Comprehensive CWE Dictionary

This view (slice) covers all the elements in CWE.

Weaknesses without Software Fault Patterns

CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...

Weakness Base Elements

This view (slice) displays only weakness base elements.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.