Logging is essential for gathering debugging information, carrying out incident response or forensics activities and for maintaining incriminating evidence. However, sensitive data should not be logged for many reasons. Privacy of the stakeholders, limitations imposed by the law on the collection of personal information, and data exposure through insiders are a few concerns. Sensitive information includes and is not limited to IP addresses, user names and passwords, email addresses, credit card numbers and any personally identifiable information such as social security numbers. In JDK v1.4 and above, the java.util.logging class provides the basic logging framework.
...
Noncompliant Code Example
In this noncompliant code example, a server logs the IP address of the remote client in the event of a security exception. Such data can be misused for nefarious purposes such as building a profile of the user's browsing habits. Many countries disallow the collection of non-anonymous personal data while others allow its retention in an anonymized form.
| Code Block | ||
|---|---|---|
| ||
public void logRemoteIPAddress(String name){
Logger logger = Logger.getLogger("com.organization.Log");
InetAddress machine = null;
try {
machine = InetAddress.getByName(name);
}
catch (UnknownHostException e){
Exception e = MyExceptionReporter.handle(e);
}
catch (SecurityException e){
Exception e = MyExceptionReporter.handle(e);
logger.severe(name + "," + machine.getHostAddress() + "," + e.toString());
}
}
|
Compliant Solution
To be compliant, simply eliminate This compliant solution excludes the sensitive information before loggingfrom the log message.
| Code Block | ||
|---|---|---|
| ||
// ... catch (SecurityException e){ Exception e = MyExceptionReporter.handle(e); logger.log(Level.FINEST, "Security Exception Occurred", e); } |
If the exception contains such sensitive information, the custom MyExceptionReporter class should extract or cleanse it, before returning control to the next statement in the catch block. (EXC05-J. Use a class dedicated to reporting exceptions)
...
| Code Block | ||
|---|---|---|
| ||
logger.info(passengerAge); // displays passenger age on the console |
Compliant Solution
This compliant solution logs at the FINEST level so that the passenger age is not displayed on the console.
...
Noncompliant Code Example
It can also be the case that is also possible for sensitive user data gets to get recorded without deliberate intent, for example, when the log message uses user supplied input. In this noncompliant code example, the user mistakenly enters personal details (such as an SSN) in the occupation field. A suspicious server might throw an exception during input validation and the entered data will be logged so that intrusion detection systems can operate on it. Clearly, logging personally identifiable information is undesirable.
...
As a first step, a filter can be applied to the input to prevent inadvertent logging of sensitive data. In this compliant solution, a check is built in enforced so that a string of digits from the SSN field that lies above say the occupation field, does not accidentally show up in the log files.
| Code Block | ||
|---|---|---|
| ||
public class MyFilter implements Filter {
public boolean isLoggable(LogRecord lr) {
String msg = lr.getMessage();
if (msg.matches("\\d*")) { // filtersFilters out any digits
return false;
}
return true;
}
}
// Set the filter in main code
Logger logger = Logger.getLogger("com.organization.Log");
logger.setFilter(new MyFilter());
|
...