|
| 1 | +# CWE-778: Insufficient Logging |
| 2 | + |
| 3 | +Ensure you have sufficient logging in order to adequately record important events within an application and/or system. |
| 4 | + |
| 5 | +This can leave applications vulnerable to undetected attacks, as malicious users are able to perform harmful activities without leaving a trace in the logs. Without comprehensive and sufficient logging, it becomes challenging to identify and respond to security incidents, leading to delayed and/or inefficient incident response efforts. |
| 6 | + |
| 7 | +Insufficient logging also negatively affects forensic analysis, hindering the ability to reconstruct events accurately after a breach. |
| 8 | + |
| 9 | +Writing exceptions to stdout, stderr or local files is not sufficient as: |
| 10 | + |
| 11 | +The stdout or stderr buffer may be exhausted or closed, preventing subsequent writes |
| 12 | +Trust level of stdout or stderr may be the end-user or attacker |
| 13 | +logfiles which are only on a local filesystem can be deleted by an attacker |
| 14 | + |
| 15 | +If errors occur while recording logs, they can hinder the logging process unless preventive measures are implemented. Security risks can occur when these error's occur. For example, an attacker hiding crucial security issues by refraining the attacker from being logged. Therefore it is essential that logging functions in applications are effective, even when exceptions arise when completing the logging process. |
| 16 | + |
| 17 | +## Non-Compliant Code Example |
| 18 | + |
| 19 | +In noncompliant01.py, if a risky operation occurs such as the division by zero, the try block catches the ZeroDivisionError exception and prints it to the console without logging it, leaving the system vulnerable to undetected issues. The error print is also vague. |
| 20 | + |
| 21 | +*[noncompliant01.py](noncompliant01.py):* |
| 22 | + |
| 23 | +```python |
| 24 | +""" Non-compliant Code Example """ |
| 25 | + |
| 26 | +try: |
| 27 | + result = 10 / 0 |
| 28 | +except ZeroDivisionError as e: |
| 29 | + print("Error occurred:", e) |
| 30 | +#Continues to execute |
| 31 | +``` |
| 32 | + |
| 33 | +## Compliant Solution |
| 34 | + |
| 35 | +The security exception output in compliant01.py is using the logger. The program catches the ZeroDivisionError exception and logs it with the "critical" level, ensuring that errors are properly recorded. Production projects should setup log forwarding to a remote logging service. |
| 36 | + |
| 37 | +*[compliant01.py](compliant01.py):* |
| 38 | + |
| 39 | +```python |
| 40 | +""" Compliant Code Example """ |
| 41 | + |
| 42 | +import logging |
| 43 | + |
| 44 | +try: |
| 45 | + result = 10 / 0 |
| 46 | +except ZeroDivisionError: |
| 47 | + logging.critical("Error occurred: Division by zero") |
| 48 | +#Continues to execute |
| 49 | +``` |
| 50 | + |
| 51 | +## Automated Detection |
| 52 | + |
| 53 | +|Tool|Version|Checker|Description| |
| 54 | +|:---|:---|:---|:---| |
| 55 | +|Bandit|1.6.2|No Detection|| |
| 56 | + |
| 57 | +## Related Guidelines |
| 58 | + |
| 59 | +||| |
| 60 | +|:---|:---| |
| 61 | +|MITRE CWE Pillar|[CWE-693: Protection Mechanism Failure (4.16) (mitre.org)](https://cwe.mitre.org/data/definitions/693.html)| |
| 62 | +|MITRE CWE Base|[CWE-778: Numeric Truncation Error](https://cwe.mitre.org/data/definitions/778.html)| |
| 63 | +|[SEI CERT](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java)|[ERR02-J. Prevent exceptions while logging data](https://wiki.sei.cmu.edu/confluence/display/java/ERR02-J.+Prevent+exceptions+while+logging+data)| |
0 commit comments