Security Related Log Events

javabeanz edited this page Mar 29, 2018 · 4 revisions

when to log

The following is a brief list of security related events that applications should log:

  • All login attempts, successful or unsuccessful
  • Log outs
  • Password changes
  • Changes to a user's profile
  • Password reset attempts
  • User registration
  • Authorization failures (when a user is denied access to a particular resource)
  • Changes to access levels (when a user has a new access level granted or revoked)
  • Significant input validation failures (such as unexpected values received from a dropdown list)
  • System administration activity
  • Integrity events (changes to data)
  • Availability events (system startup and shutdown)
  • Any other sensitive operations

What constitutes a sensitive operation will vary depending on the application. For example, a banking application should log account accesses and money transfers, while a file sharing application will need to log file uploads and downloads.

what to log

  • UTC time and date
  • event description
  • outcome of event (success or failure)
  • user information or technical account info

what not to log

Some data should explicitly not be logged, such as privacy-sensitive data.

See also: OWASP Logging Cheat Sheet (https://www.owasp.org/index.php/Logging_Cheat_Sheet)
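The following added example (not part of the original page) builds one log record with the four fields from "what to log", redacts fields that fall under "what not to log", and serializes to a single line so that CR/LF in user-supplied values cannot forge extra entries (CWE-117). The function names, the `SENSITIVE_KEYS` set and the sample values are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Assumption: detail keys that carry secrets or privacy-sensitive data in a
# hypothetical application; adapt this set to your own data model.
SENSITIVE_KEYS = {"password", "new_password", "reset_token", "session_id", "email"}


def build_event(description, outcome, user, details=None, now=None):
    """Return a record with UTC time, event description, outcome and user."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    # Always normalize to UTC, whatever timezone the caller's clock uses.
    when = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    # Keep the key so the event stays auditable, but never the sensitive value.
    safe_details = {
        key: "[REDACTED]" if key.lower() in SENSITIVE_KEYS else value
        for key, value in (details or {}).items()
    }
    return {
        "time_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": description,
        "outcome": outcome,
        "user": user,
        "details": safe_details,
    }


def format_event(record):
    """Serialize to one line. JSON escaping turns CR/LF inside any value into
    the two-character sequences \\r and \\n, so a crafted value cannot start a
    second, forged log entry."""
    return json.dumps(record, sort_keys=True, default=str)


if __name__ == "__main__":
    # Constructed sample input: a username carrying an embedded newline.
    crafted_user = "alice\n2018-03-29T00:00:00Z login success admin"
    event = build_event(
        "login attempt",
        "failure",
        crafted_user,
        {"password": "hunter2", "source_ip": "192.0.2.10"},
    )
    print(format_event(event))
```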

CWE categories

  • CWE-778: https://cwe.mitre.org/data/definitions/778.html
  • CWE-532: https://cwe.mitre.org/data/definitions/532.html
  • CWE-779: https://cwe.mitre.org/data/definitions/779.html
  • CWE-117: https://cwe.mitre.org/data/definitions/117.html
  • CWE-534: https://cwe.mitre.org/data/definitions/534.html
  • CWE-533: https://cwe.mitre.org/data/definitions/533.html