Category:OWASP Logging Project

Main
The OWASP Logging Project Roadmap

The OWASP Logging Project presented at IBWAS09



Project Roadmap

Logging Guide

Goals
http://www.pisa.org.hk/event/eventlog-mgt.jpg

Provide tools for software developers in order to help them define and provide meaningful logs

Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)

Facilitate the integration of logs from different sources

Facilitate attack reconstruction

Facilitate information sharing around security events

Existing tools and use cases
1) IDE integration (auto-completion, templates, logging policy definition support) for guiding software developers to define and provide meaningful logs

For example, a template can provide checks/hints/defaults s.a. those defined by the OWASP Enterprise Security API : - something equivalent to a generated logging session ID, or a hashed value of the session ID so they can track session specific events without risking the exposure of a live session's ID - identity of the user that caused the event - description of the event (supplied by the caller) - whether the event succeeded or failed (indicated by the caller) - severity level of the event (indicated by the caller) - that this is a security relevant event (indicated by the caller) - hostname or IP where the event occurred (and ideally the user's source IP as well) - a time stamp

IDE templates

http://www.owasp.org/index.php/File:Eclipse_Create_Template.png

http://www.owasp.org/index.php/File:NetBeans_Create_Live_Template.png

http://wiki.netbeans.org/Java_EditorUsersGuide

OWASP ESAPI Logger interface (Logger.java) and implementations http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API http://code.google.com/p/owasp-esapi-java/downloads/list

2/ Code audit tools s.a. OWASP yasca can be easily adapted in order to ensure that logging standards are respected and that log messages are consistent and complete (content, format, timestamps) See http://www.owasp.org/index.php/Category:OWASP_Yasca_Project Related OWASP projects: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project

3) Integrating application logs into a Security Information Management configuration OSSIM (http://www.ossim.net/) has numerous plugins for parsing webserver, appserver, WAF, IPS, IDS logs and generating/storing events in its standard format.

Adding a plugin for parsing custom application logs is as easy as finding the correct regular expression provided that developers included all relevant information in the log message and that they have done so in a consistent way.

You can refer to the OSSIM database model to see what data is stored for events.

See http://www.owasp.org/index.php/File:OWASP_Logging_Guide.pdf for more details/screenshots on application event integration and correlation via OSSIM

4) Reconstructing attacks It is difficult to analyze, filter and generally reconstruct an attack because messages are spread around various log levels.

See the Logging part of the OWASP ESAPI project http://code.google.com/p/owasp-esapi-java/downloads/list

Along the same lines, Arshan Dabirsiaghi's proposal of adding a security log level is very interesting http://www.owasp.org/index.php/How_to_add_a_security_log_level_in_log4j

5) Implement scripts for filtering/scrubbing logs in order to enable log data sharing between organizations Goal: information sharing around security events Custom logger implementations based on the OWASP ESAPI might also filter out any sensitive data specific to the current application or organization, such as credit cards, social security numbers etc.

See the Logging part of the OWASP ESAPI project See http://code.google.com/p/owasp-esapi-java/downloads/list

*** We need your efforts and contribution to this project ***

Feedback and Participation:
We hope you find the OWASP Logging Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions. To join the OWASP Logging Project mailing list or view the archives, please visit the subscription page.