Logging is essential for gathering debugging information, for carrying out incident response or forensics activities and for maintaining incriminating , or collecting forensic evidence. Nevertheless, logging sensitive data raises many concerns, including the privacy of the stakeholders, limitations imposed by the law on the collection of personal information, and the potential for data exposure through by insiders. Sensitive information includes, but is not limited to, IP addresses, user names and passwords, email addresses, credit card numbers and any personally identifiable information such as social security numbers. Many countries prohibit or restrict collection of personal data; others permit retention of personal data only when held in an anonymized form. Consequently, ensure that logs must not contain only non- sensitive data, particularly when prohibited by law.
| Wiki Markup |
|---|
ViolationsUnfortunately, violations of this rule are common. For example, prior to version 0.8.1, LineControl Java client logged sensitive information including the local user's password \[[CVE 2008|AA. Bibliography#CVE 08]\]. |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a131c91b0b159e7e-a0196735-494c4072-badba715-56638f435b9f0aa75288594b"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 532 | http://cwe.mitre.org/data/definitions/532.html] "Information Exposure Through Log Files" | ]]></ac:plain-text-body></ac:structured-macro> |
| CWE ID 533 "Information Exposure Through Server Log Files" | ||||
| CWE ID 359 "Privacy Violation" | ||||
| CWE ID 542 "Information Exposure Through Cleanup Log Files" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0720c942f82b8d26-ccc7fb82-49574a2f-b25db214-99e5da952d43354d1c580f2e"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]]] | Class | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7086d4bde623d3e3-0d7bc56d-4f5c4c46-824b81e0-f2b11b0c80a00832cefcd794"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]]] | 11.1 Privacy and Regulation: Handling Private Information | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="821ba8dc1d21ebed-f5700d47-45574adc-9f32801d-589b0a98f91b41cfbd9bee9a"><ac:plain-text-body><![CDATA[ | [[CVE 2008 | AA. Bibliography#CVE 08]]] | [CVE-2005-2990 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2990] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ca161086390e6608-754e617a-48a64978-bd5c821f-2b26fab225e644871d023b4d"><ac:plain-text-body><![CDATA[ | [[Sun 2006 | AA. Bibliography#Sun 06]]] | [Java Logging Overview | http://java.sun.com/javase/6/docs/technotes/guides/logging/overview.html] | ]]></ac:plain-text-body></ac:structured-macro> |
...