Insufficient Logging| ID: 778 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
When a security-critical event occurs, the software either does
not record the event or omits important details about the event when logging
it.
Extended DescriptionWhen security-critical events are not logged properly, such as a failed
login attempt, this can make malicious behavior more difficult to detect and
may hinder forensic analysis after an attack succeeds.
Likelihood of Exploit: Medium
Applicable PlatformsLanguage Class: Language-independent
Time Of Introduction
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Non-Repudiation | Hide activities | If security critical information is not recorded, there will be no
trail for forensic analysis and discovering the cause of problems or the
source of attacks may become more difficult or impossible. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Use a centralized logging mechanism that supports multiple levels of
detail. Ensure that all security-related successes and failures can be
logged. | | |
| Operation | | Be sure to set the level of logging appropriately in a production
environment. Sufficient data should be logged to enable system
administrators to detect attacks, diagnose errors, and recover from
attacks. At the same time, logging too much data (CWE-779) can cause the
same problems. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-778 ChildOf CWE-254 | Category | CWE-699 | |
Demonstrative Examples (Details)
- The example below shows a configuration for the service security
audit feature in the Windows Communication Foundation (WCF).
Observed Examples
- CVE-2008-4315 : server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
- CVE-2008-1203 : admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
- CVE-2007-3730 : default configuration for POP server does not log source IP or username for login attempts
- CVE-2007-1225 : proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection
- CVE-2003-1566 : web server does not log requests for a non-standard request type
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- Mark Dowd John McDonald Justin Schuh .The Art of Software Security Assessment 1st Edition. Addison Wesley. Section:'Chapter 2, "Accountability", Page 40.'. Published on 2006.
