PY-A6006 · Audit required: Configuring loggers can be security-sensitive

Audit required: Configuring loggers can be security-sensitive PY-A6006

Security

Minor

2 years ago — 2 years old

cwe-532 a09 cwe-778 sans top 25 owasp top 10

Configuring loggers is security sensitive

239
240    This configuration is overwritten if running under Gunicorn.
241    """
242    logging.config.dictConfig({243        'version': 1,
244        'formatters': {
245            'default': {

Description

This issue higlights code that initiates loggers configuration. This should be audited to make sure no sensitive information is being logged. Since this is an audit issue, some occurrences may be harmless here. The goal is to bring the issue in attention. Please take a look at the Audit Checklist mentioned later in the description. If the occurrences doesn't seem to be valid, please feel free to ignore them.

The configuration determines the type of information logged and how it is logged. Logs might contain sensitive information which can be used by malicious users. But they should contain sufficient information to understand the damage an attacker might have inflicted.

Audit Checklist: Make sure these points are taken care of:

Logs doesn't contain sensitive information. This can happen when the logger is in the debug mode.
Logs aren't growing without limit. This happens when additional information is written into logs every time a user performs an action and the user can perform the action any number of times.
Logs contain enough information to understand the damage, in case there's a security incident.
Log format is easy to parse and process automatically. Processing logs rapidly is important in case of an attack.
Logs are stored in a secure location which is only accessible to system administrators.

Bad practice

import logging
import os

from logging.config import fileConfig, dictConfig

logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
fileConfig(fname='file.conf', disable_existing_loggers=False)  # Disabling the loggers.
dictConfig(config)  # Configuring a logger shoud be audited.

logging.disable() # Disabling the logger.

class SomeLogger(logging.Logger):  # A custom logger implementation shoud be audited
    ...

def set_logger_class(logger_class):
    logging.setLoggerClass(logger_class)  # A custom logger implementation shoud be audited

def set_logging_last_resort(last_resort):
    logging.lastResort = last_resort  # Hints the absence of any logging configuration. It is recommended to set up logging properly.

References:

OWASP Top 10 2021 Category A09 - Security Logging and Monitoring Failures
CWE 532 - Insertion of Sensitive Information into Log File
CWE 778 - Insufficient logging

zgoda / bip

Bad practice

References: