OWASP Top Ten Proactive Controls 2018: C9 Implement Security Logging and Monitoring
Learn about the importance of security logging and monitoring for application security. Explore best practices for secure logging design and intrusion detection.
Overview
This article focuses on the importance of implementing security logging and monitoring as a proactive control for application security. It provides an overview of security logging and its benefits, along with best practices for implementing security logging. The article also discusses how to use logging for intrusion detection and response, as well as secure logging design. References to additional resources and tools are provided for further information.
Description
Security logging is a concept that involves logging security information during the runtime operation of an application. It helps in feeding intrusion detection systems, forensic analysis and investigations, and satisfying regulatory compliance requirements. This article provides best practices for implementing security logging, including using a common logging format, logging the necessary information without logging private or confidential data, and ensuring consistent timestamps. It also discusses how logging can be used for intrusion detection and response to identify and respond to potentially malicious activity. The article emphasizes the secure design of logging solutions, including encoding and validating dangerous characters, not logging sensitive information, and protecting log integrity. It suggests forwarding logs from distributed systems to a central, secure logging service for centralized monitoring.
How to Prevent ?
To implement security logging and monitoring effectively, follow these steps: 1. Use a common logging format and approach within your system and across systems of your organization, such as the Apache Logging Services framework. 2. Log the necessary information without logging private or confidential data. 3. Pay attention to time syncing across nodes to ensure consistent timestamps. 4. Use logging for intrusion detection and response by identifying and logging potentially malicious activity. 5. Implement secure logging design by encoding and validating dangerous characters, not logging sensitive information, and protecting log integrity. 6. Forward logs from distributed systems to a central, secure logging service for centralized monitoring.
Example Attack Scenarios:
Tampering with Log Files: In this attack scenario, an attacker gains unauthorized access to the log files and tampers with the logged data, either by modifying or deleting it. This can lead to a loss of critical security information and make it difficult to detect and investigate security incidents. To prevent this, it is important to implement secure logging design measures, such as limiting access to log files, monitoring and auditing log changes, and ensuring log integrity.
Log Injection: In this attack scenario, an attacker injects malicious data or commands into the log files, which can lead to various consequences, such as code execution, privilege escalation, or data leakage. To prevent log injection attacks, it is crucial to encode and validate any dangerous characters before logging, and strictly avoid logging sensitive information.