|
| 1 | +# CWE-778: Insufficient Logging |
| 2 | + |
| 3 | +Ensure you have sufficient logging in order to adequately record important events within an application and/or system. |
| 4 | + |
| 5 | +Without comprehensive and sufficient logging, it becomes challenging to identify and respond to security incidents, leading to delayed and/or inefficient incident response efforts. |
| 6 | + |
| 7 | +Insufficient logging also negatively affects forensic analysis, hindering the ability to reconstruct events accurately after a breach. |
| 8 | + |
| 9 | +Writing exceptions to stdout, stderr or local files is not sufficient as: |
| 10 | + |
| 11 | +* The stdout or stderr buffer may be exhausted or closed, preventing subsequent writes |
| 12 | +* Trust level of stdout or stderr may be the end-user or attacker |
| 13 | +* Logfiles which are only on a local filesystem can be deleted by an attacker |
| 14 | + |
| 15 | +If errors occur while recording logs, they can hinder the logging process unless preventive measures are implemented. Security risks can occur when these errors occur. For example, an attacker hiding crucial security issues by refraining the attacker from being logged. Therefore it is essential that logging functions in applications are effective, even when exceptions arise when completing the logging process. |
| 16 | + |
| 17 | +## Non-Compliant Code Example |
| 18 | + |
| 19 | +In `noncompliant01.py`, if a risky operation occurs such as the division by zero, the try block catches the `ZeroDivisionError` exception and prints it to the console without logging it, leaving the system vulnerable to undetected issues. The error print is also vague. |
| 20 | + |
| 21 | +*[noncompliant01.py](noncompliant01.py):* |
| 22 | + |
| 23 | +```python |
| 24 | +""" Non-compliant Code Example """ |
| 25 | + |
| 26 | +try: |
| 27 | + result = 10 / 0 |
| 28 | +except ZeroDivisionError as e: |
| 29 | + print("Error occurred:", e) |
| 30 | + |
| 31 | +``` |
| 32 | + |
| 33 | +The `noncompliant01.py` code prints the error to `stdout` instead of allowing central logging to take place. |
| 34 | + |
| 35 | +## Compliant Solution |
| 36 | + |
| 37 | +The security exception output in `compliant01.py` is using the logger. The program catches the `ZeroDivisionError` exception and logs it with the `critical` level, ensuring that errors are properly recorded. Production projects should setup log forwarding to a remote logging service. |
| 38 | + |
| 39 | +*[compliant01.py](compliant01.py):* |
| 40 | + |
| 41 | +```python |
| 42 | +""" Compliant Code Example """ |
| 43 | + |
| 44 | +import logging |
| 45 | + |
| 46 | +try: |
| 47 | + result = 10 / 0 |
| 48 | +except ZeroDivisionError: |
| 49 | + logging.critical("Error occurred: Division by zero") |
| 50 | + |
| 51 | +``` |
| 52 | + |
| 53 | +In `compliant01.py`, using `logging` and loglevels allows better integration with a centralized logging system. |
| 54 | + |
| 55 | +## Automated Detection |
| 56 | + |
| 57 | +|Tool|Version|Checker|Description| |
| 58 | +|:---|:---|:---|:---| |
| 59 | +|Bandit|1.6.2|No Detection|| |
| 60 | + |
| 61 | +## Related Guidelines |
| 62 | + |
| 63 | +||| |
| 64 | +|:---|:---| |
| 65 | +|MITRE CWE Pillar|[CWE-693: Protection Mechanism Failure (4.16) (mitre.org)](https://cwe.mitre.org/data/definitions/693.html)| |
| 66 | +|MITRE CWE Base|[CWE-778: Numeric Truncation Error](https://cwe.mitre.org/data/definitions/778.html)| |
| 67 | +|[SEI CERT](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ERR02-J. Prevent exceptions while logging data](https://wiki.sei.cmu.edu/confluence/display/java/ERR02-J.+Prevent+exceptions+while+logging+data)| |
0 commit comments