Logging is an important tool in detecting and understanding malicious activity. It can also become a security liability if sensitive information is logged.
- Logging plays an important role in security. It provides evidence after an incident to help establish what happened, and logs can help you to find and fix problems. However, be aware that logging itself can become a security liability. We need to be smart about what gets logged and how it gets logged. There are three main activities you should log. You should log any errors that occur. Include as many details about the error as possible; it will help you to understand the state of the application when the error took place and to track down the problem. You should also log any sensitive actions. Examples might include logins by users or admins, changing user permissions, financial transactions, file exports, or deleting database records. You should log suspicious activity, which might indicate an attack. This might be page requests sent in too quickly or requests looking for common vulnerabilities. For example, I don't run a WordPress site, but I frequently see requests to my servers searching for a WordPress admin page. That's an indication that someone is probing my site looking for a way inside, probably using an automated script. You should log the information which is most helpful to you. But I will give you some tips on information which is commonly helpful. Many web frameworks already include similar functionality. Log the date and time when an event occurred; this is critical to establishing a timeline of events. Record information about the source of the action. At a minimum, log the IP address of the request. If the user's logged in, you can store information about the user's account. Log the action, or what the user was trying to do, and as much information as possible about the target of their action. What were they trying to affect? If they're trying to edit a record in the database, then log the ID of the record.
You should also record the URL, all parameters, including the form parameters in a POST request, and any cookie data that was sent along with the request. And record a backtrace if your programming language supports it. A backtrace is a list of the files and functions which were used by the code along the way to the error or action. It allows you to follow the code step by step. It's not essential that you log all of these, but they give you some ideas. Logs should always be kept in restricted areas. They can be stored in a database or in simple files in a private directory. You also need to take care not to accidentally log sensitive data. For example, you shouldn't log all POST parameters sent in by web forms, because you may end up recording user passwords in plain text in the log file. Database queries or interactions with the payment processor can also include sensitive data. I also like to rotate log files so they don't get too long and difficult to work with. Each day the current log file is renamed, usually with a number after it, and a new log file is started. The next day all of the numbers are incremented by one, and the rotation keeps going, and it keeps the logs for as many days as you specify. Linux has a program called logrotate which does this for you, and there's similar software available for Windows. Smart logging is a key part of protecting your application, detecting threats, and providing helpful information to use after an incident has happened.
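As an added example (not code from the course or the speaker), the following Python shows the logging practices described above in one place: a structured record carrying the recommended fields (timestamp, source IP, user, action, target ID, URL, parameters, cookies, backtrace on error), redaction of sensitive form parameters and cookies before they are written, a check for requests to a page the site does not serve, and daily rotation with a fixed number of retained copies. The sensitive field names and the probe path list are assumptions for a hypothetical application.

```python
import logging
import traceback
from datetime import datetime, timezone
from logging.handlers import TimedRotatingFileHandler

# Names whose values must never reach the log file. Assumed for a hypothetical
# application; match them to the fields your own forms actually use.
SENSITIVE_PARAMS = {"password", "password_confirmation", "card_number", "cvv"}
SENSITIVE_COOKIES = {"session_id", "remember_me"}
# Paths this site does not serve, so a request for them is a probe (constructed list).
PROBE_PATHS = ("/wp-admin",)

def redact(values, blocklist):
    """Copy a parameter or cookie dict, masking blocked values before logging."""
    return {k: ("[REDACTED]" if k.lower() in blocklist else v) for k, v in values.items()}

def is_probe(url):
    """True for requests to pages this site lacks, e.g. WordPress admin on a non-WP site."""
    path = url.split("?", 1)[0].lower()
    return any(path.startswith(p) for p in PROBE_PATHS)

def build_event(kind, ip, user, action, target, url, params, cookies, error=None):
    """Assemble one structured record with the fields the transcript recommends."""
    event = {
        "time": datetime.now(timezone.utc).isoformat(),  # anchors the timeline
        "kind": kind,      # "error", "sensitive_action" or "suspicious"
        "ip": ip,          # source of the request
        "user": user,      # account name if logged in, otherwise None
        "action": action,  # what the user tried to do
        "target": target,  # what it was aimed at, e.g. a database record ID
        "url": url,
        "params": redact(params, SENSITIVE_PARAMS),
        "cookies": redact(cookies, SENSITIVE_COOKIES),
    }
    if error is not None:
        event["error"] = repr(error)
        # Backtrace: the files and functions the code passed through on the way to the error.
        event["backtrace"] = traceback.format_exception(type(error), error, error.__traceback__)
    return event

def make_logger(path, days=30):
    """One record per line; the file is renamed at midnight and `days` old copies are kept."""
    logger = logging.getLogger("app.security")
    if not logger.handlers:
        handler = TimedRotatingFileHandler(path, when="midnight", backupCount=days)
        handler.setFormatter(logging.Formatter("%(message)s"))
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
    return logger
```

Write each record with `logger.info(json.dumps(event))` so every line of the file is one parseable event; the handler's midnight renaming is the same scheme the transcript describes for logrotate.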