Cybersecurity, Logging Practices for Application Developers

Security information from Technology Services Privacy and Information Security team.

About Security Events

The purpose of this document is to help development teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards.

Properly logging security events helps comply with the Server Security Standard, Application Development Security Standard and Client Computer Security Standard.

A Security Event is defined as "An occurrence in a system that is relevant to the security of the system. (See: security incident.)" [RFC2828]

If applications that handle sensitive information follow good security event logging practices, the system logs can be a critical part of investigating a security incident.

Logging Security Events

Good security event logging makes sure to capture all events that could be critical to a future investigation.

All security events should be logged at the INFO level or higher.

For a full list of security events see section 4.6.1 of the IT Security Standard.

Some example security events are:

Authentication and authorization events
- Login attempt
- Privilege escalation
- Adding or removing users
- Authorization group modification
- Permission modification, including granting or denying elevated (e.g. proxy) access.
Attempts to view, modify or delete sensitive information.
Attempts to view, modify or delete information which could lead to a security compromise.
- For example, e-mail addresses are directory (non-sensitive) information. However, changing a user's e-mail address in the EDE greatly increases the risk that that user's account could be compromised.

Creating Log Messages

Log messages should typically:

Use structured logging - i.e. JSON format.
Use clear key value pairs
Start with a timestamp with at least millisecond precision and time zone information in ISO 8601 format. See also Guidance on Implementing timestamps in your Splunk events

Log messages should typically include:

Timestamp, with at least millisecond precision and time zone information.
User IP address, if applicable.
Username (or one-way hashed username), if applicable.
Session ID (or one-way hashed session ID), if applicable.
Result of action (successful, failed).
A unique identifier for the user making the modification and the record modified, if any sensitive record is modified.

In each case, both successes and failures should be logged.

If possible, failures should also contain a reason (e.g. "User's AD account is disabled," "Authentication failed," "User does not have permission," "User is administratively blocked," etc.)

Log messages should typically not include:

Data that is "Sensitive" or "High Risk" (see Data Classification for details)
Social Security Numbers
University ID Numbers (UIN)
Credit Card Numbers

Additional Resources

OWASP Logging Cheat Sheet
Splunk Logging
- Getting Started: https://wiki.illinois.edu/wiki/display/splunk/Getting+Started
- Timestamp Logging Guidance: https://wiki.illinois.edu/wiki/display/splunk/Guidance+on+implementing+timestamps+in+your+event

Keywords	security, privacy, information, logging, developer Suggest keywords	Doc ID	62904
Owner	Security S.	Group	University of Illinois Technology Services
Created	2016-04-22 13:39:23	Updated	2024-01-24 14:21:10
Sites	University of Illinois Technology Services
CleanURL	https://answers.uillinois.edu/cybersecurity-logging-practices
Feedback	0 0 Comment Suggest a new document Subscribe to changes