Logging is essential for debugging, incident response, and collecting forensic evidence. Nevertheless, logging sensitive data raises many concerns, including the privacy of the stakeholders, limitations imposed by the law on the collection of personal information, and the potential for data exposure by insiders. Sensitive information includes, but is not limited to, IP addresses, user names and passwords, email addresses, credit card numbers, and any personally identifiable information such as social security numbers. Many countries prohibit or restrict collection of personal data; others permit retention of personal data only when held in an anonymized form. Consequently, logs must not contain sensitive data, particularly when prohibited by law.
...
Programs must typically support varying levels of protection. Some information, such as access times, can be safely logged. Some information can be logged, but the log file must be restricted from everyone but particular administrators. Other information, such as credit card numbers, can be included in logs only be logged in encrypted form. Other informationInformation, such as passwords, should not be logged at all.
For these the following code samples, we will assume that the log in question lies outside the trust boundary of the information being sent to it. Also, normal log messages should include additional parameters such as date, time, source event, and so forth. This information has been omitted from our the following code examples for brevity.
Noncompliant Code Example
In this noncompliant code example, a server logs the IP address of the remote client in the event of a security exception. This data can be misused, for example, to build a profile of a user's browsing habits. Such logging may violate legal restrictions in many countries.
If When the log cannot contain IP addresses, it should not contain any information about a SecurityException, because it might indicate the existence of an IP address. When an exception contains sensitive information, the custom MyExceptionReporter class should extract or cleanse it , before returning control to the next statement in the catch block (see rule ERR00-J. Do not suppress or ignore checked exceptions).The MyExceptionReporter.handle() method may also do its own logging, after filtering out sensitive information.
| Code Block | ||
|---|---|---|
| ||
public void logRemoteIPAddress(String name) {
Logger logger = Logger.getLogger("com.organization.Log");
InetAddress machine = null;
try {
machine = InetAddress.getByName(name);
} catch (UnknownHostException e) {
Exception e = MyExceptionReporter.handle(e);
} catch (SecurityException e) {
Exception e = MyExceptionReporter.handle(e);
logger.severe(name + "," + machine.getHostAddress() + "," +
e.toString());
}
}
|
Compliant Solution
This compliant solution does not log security exceptions , except for the logging implicitly performed by MyExceptionReporter.
| Code Block | ||
|---|---|---|
| ||
// ...
catch (SecurityException e) {
Exception e = MyExceptionReporter.handle(e);
}
|
...
Log messages with sensitive information should not be printed to the console display for security reasons (a possible example might be of sensitive information is passenger age). The java.util.logging.Logger class supports different logging levels that can be used for classifying such information. These are FINEST, FINER, FINE, CONFIG, INFO, WARNING, and SEVERE. By default, the INFO, WARNING, and SEVERE levels print the message to the console, which is accessible by end users and system administrators.
...
This compliant solution logs the passenger age at the FINEST level to prevent this information from displaying on the console. As noted abovepreviously, we are assuming the age may appear in system log files , but not on the console.
| Code Block | ||
|---|---|---|
| ||
// make sure that all handlers only print log messages rated INFO or higher
Handler handlers[] = logger.getHandlers();
for (int i = 0; i < handlers.length; i++) {
handlers[i].setLevel(Level.INFO);
}
// ...
logger.finest("Age: " + passengerAge);
|
...
CWE-532. Information Exposure Through Log Files exposure through log files | |
| CWE-533. Information Exposure Through Server Log Files exposure through server log files |
| CWE-359. Privacy Violation violation |
| CWE-542. Information Exposure Through Cleanup Log Files exposure through cleanup log files |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="101fc00a7b0df94f-c9424657-44a14a14-9b618887-d06a942a0cb683479f0df086"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | Class | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8bf1f234d9e09f22-6937ce60-46a145b9-8cb2b14f-41d7b45f679544e5e180dab6"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | 11.1, Privacy and Regulation: Handling Private Information | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d15c12db4d2d56b1-ac355803-4f754efa-a496925f-fb4ca2824db257083a65bb1e"><ac:plain-text-body><![CDATA[ | [[CVE 20082011 | AA. Bibliography#CVE 08]] | [CVE-2005-2990 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2990] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f5091df6f05dd646-fa56c2da-41024e0e-b7b2b78a-e6702f799ebf139a9dd2d499"><ac:plain-text-body><![CDATA[ | [[Sun 2006 | AA. Bibliography#Sun 06]] | [Java Logging Overview | http://java.sun.com/javase/6/docs/technotes/guides/logging/overview.html] | ]]></ac:plain-text-body></ac:structured-macro> |
...