Insufficient Logging

Description

This weakness occurs when an application fails to properly record important security events or captures them with insufficient detail, making it hard to spot and investigate suspicious activity.

Extended Description

Insufficient logging creates blind spots for security teams. When critical events—like failed logins, privilege escalations, or data access—aren't logged with enough detail, detecting attacks in progress becomes nearly impossible. This also severely hampers post-incident forensic analysis, leaving you without the evidence needed to understand how a breach happened or what data was affected. Modern cloud environments often introduce this risk through misconfiguration. Cloud services frequently have detailed logging disabled by default to manage costs and performance. If developers don't explicitly enable and configure audit logs for services like storage buckets, databases, or identity management, critical telemetry gaps appear. These gaps in your security logs can allow malicious activity to go completely unnoticed.

Common Consequences 1

Scope: Non-Repudiation

Impact: Hide Activities

If security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible.

Detection Methods 1

Automated Static AnalysisHigh

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Potential Mitigations 4

Phase: Architecture and Design

Use a centralized logging mechanism that supports multiple levels of detail.

Phase: Implementation

Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information.

Phase: Operation

Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (Logging of Excessive Data) can cause the same problems, including unexpected costs when using a cloud environment.

Phase: Operation

To enable storage logging using Azure's Portal, navigate to the name of the Storage Account, locate Monitoring (CLASSIC) section, and select Diagnostic settings (classic). For each of the various properties (blob, file, table, queue), ensure the status is properly set for the desired logging data. If using PowerShell, the Set-AzStorageServiceLoggingProperty command could be called using appropriate -ServiceType, -LoggingOperations, and -RetentionDays arguments.

Demonstrative Examples 3

The example below shows a configuration for the service security audit feature in the Windows Communication Foundation (WCF).

Code Example:Bad
XML
xml

The previous configuration file has effectively disabled the recording of security-critical events, which would force the administrator to look to other sources during debug or recovery efforts.

Logging failed authentication attempts can warn administrators of potential brute force attacks. Similarly, logging successful authentication events can provide a useful audit trail when a legitimate account is compromised. The following configuration shows appropriate settings, assuming that the site does not have excessive traffic, which could fill the logs if there are a large number of success or failure events (Logging of Excessive Data).

Code Example:Good
XML
xml

In the following Java example the code attempts to authenticate the user. If the login fails a retry is made. Proper restrictions on the number of login attempts are of course part of the retry functionality. Unfortunately, the failed login is not recorded and there would be no record of an adversary attempting to brute force the program.

Code Example:Bad
Java
java

It is recommended to log the failed login action. Note that unneutralized usernames should not be part of the log message, and passwords should never be part of the log message.

Code Example:Good
Java
java

Consider this command for updating Azure's Storage Logging for Blob service, adapted from [REF-1307]:

Code Example:Bad
Shell
shell

The "--log d" portion of the command says to log deletes. However, the argument does not include the logging of writes and reads. Adding the "rw" arguments to the -log parameter will fix the issue:

Code Example:Good
Shell
shell

To enable Azure's storage analytic logs programmatically using PowerShell:

Code Example:Good
Shell
shell

Notice that here, the retention has been limited to 5 days.

Observed Examples 5

CVE-2008-4315server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected

CVE-2008-1203admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected

CVE-2007-3730default configuration for POP server does not log source IP or username for login attempts

CVE-2007-1225proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection

CVE-2003-1566web server does not log requests for a non-standard request type

References 3

The Art of Software Security Assessment

Mark Dowd, John McDonald, and Justin Schuh

Addison Wesley

2006

ID: REF-62

CIS Microsoft Azure Foundations Benchmark version 1.5.0

Center for Internet Security

16-08-2022

https://www.cisecurity.org/benchmark/azure(2023-01-19)

ID: REF-1307

Enable and manage Azure Storage Analytics logs (classic)

Microsoft

23-01-2023

https://learn.microsoft.com/en-us/azure/storage/common/manage-storage-analytics-logs(2023-01-24)

ID: REF-1308