Security, Logging Practices for Application Developers

Security information from Technology Services Privacy and Information Security team.

About Security Events

A Security Event is defined as "An occurrence in a system that is relevant to the security of the system. (See: security incident.)" [RFC2828]

If applications that handle sensitive information follow good security event logging practices, the system logs can be a critical part of investigating a security incident.

Logging Security Events

Good security event logging captures every event that could matter to a future investigation, and records it in enough detail to reconstruct who did what, from where, and whether it succeeded.

The following are security events:

  • Authentication and authorization events
    • Login attempt
    • Privilege escalation
    • Adding or removing users
    • Group modification
    • Permission modification, including granting or denying elevated (e.g. proxy) access.
  • Attempts to view, modify or delete sensitive information.
  • Attempts to view, modify or delete information which could lead to a security compromise.
    • For example, e-mail addresses are directory (non-sensitive) information. However, changing a user's e-mail address in the EDE greatly increases the risk that the user's account could be compromised (for example through password-reset mail), so that change is a security event.

Security events should be logged at the INFO level or higher, so that they are not dropped by the production log level.

For each event, the following information should be logged:

  • Timestamp, with at least millisecond precision and timezone information (RFC 3339 format is preferred).
  • User IP address, if applicable.
  • Username, if applicable.
  • Session ID, if applicable. (Note: if knowledge of the session ID would allow access to the application, censor about a third of it before logging, e.g. for a 21-character session ID replace the first 7 characters with asterisks. The remainder is still enough to correlate the events of one session.)
  • Result of action (successful, failed).
  • A unique identifier for the user making the modification and the record modified, if any sensitive record is modified.

In each case, both successes and failures should be logged. If possible, failures should also contain a reason (e.g. "User's AD account is disabled," "Authentication failed," "User does not have permission," "User is administratively blocked," etc.)
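The following is an added example of the record format described above; it is not Technology Services code and every function name in it is this example's own choice. It builds one JSON object per security event with an RFC 3339 millisecond timestamp, masks the first third of the session ID, refuses a failure record that carries no reason, and emits the result at INFO. The two sample events (a disabled-account login failure and an e-mail address change) and the 192.0.2.x addresses are constructed for illustration.

```python
"""Constructed example of a security-event logger (added to this page; not
Technology Services code). Every name here is this example's own choice."""
import json
import logging
import math
from datetime import datetime, timezone
from typing import Optional

logger = logging.getLogger("security")
logger.setLevel(logging.INFO)
if not logger.handlers:
    _handler = logging.StreamHandler()
    _handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(_handler)


def mask_session_id(session_id: str) -> str:
    """Hide the first third (rounded up) of a session ID, as the page advises:
    a 21-character ID keeps its last 14 characters visible for correlation."""
    hidden = math.ceil(len(session_id) / 3)
    return "*" * hidden + session_id[hidden:]


def rfc3339_timestamp(when: Optional[datetime] = None) -> str:
    """RFC 3339 timestamp with millisecond precision and an explicit UTC offset."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("security event timestamps must carry timezone information")
    return when.isoformat(timespec="milliseconds")


def security_event(event: str, result: str, *, user=None, ip=None,
                   session_id=None, reason=None, actor_id=None,
                   record_id=None, when=None) -> dict:
    """Build one security event record with the fields the page lists.
    Both outcomes are logged, but a failure must say why it failed."""
    if result not in ("success", "failure"):
        raise ValueError("result must be 'success' or 'failure'")
    if result == "failure" and not reason:
        raise ValueError("failed events must include a reason")
    record = {"ts": rfc3339_timestamp(when), "event": event, "result": result}
    optional = {
        "user": user,
        "ip": ip,
        "session_id": mask_session_id(session_id) if session_id else None,
        "reason": reason,
        "actor_id": actor_id,    # who made the change (modifications only)
        "record_id": record_id,  # which sensitive record was changed
    }
    record.update({k: v for k, v in optional.items() if v is not None})
    return record


def log_security_event(**fields) -> dict:
    """Emit the event at INFO as one JSON line and return it to the caller."""
    record = security_event(**fields)
    logger.info(json.dumps(record, sort_keys=True))
    return record


# Constructed sample events with a fixed timestamp so the output is reproducible.
SAMPLE_WHEN = datetime(2016, 4, 22, 18, 39, 0, 123456, tzinfo=timezone.utc)


def sample_events() -> list:
    return [
        log_security_event(event="login", result="failure", user="jdoe",
                           ip="192.0.2.10", session_id="abcdefghijklmnopqrstu",
                           reason="User's AD account is disabled", when=SAMPLE_WHEN),
        log_security_event(event="email_change", result="success", user="admin1",
                           ip="192.0.2.11", actor_id="admin1", record_id="user:jdoe",
                           when=SAMPLE_WHEN),
    ]


if __name__ == "__main__":
    sample_events()
```

Run it directly to see the two JSON lines; in a real application the handler would point at the system log rather than stderr, and the fields that are absent for an event (no session yet during a login attempt, for instance) are simply omitted rather than logged as empty strings.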

Keywords: security, privacy, information, logging, developer
Doc ID: 62904
Owner: Security S.
Group: University of Illinois Technology Services
Created: 2016-04-22 13:39 CDT
Updated: 2016-12-19 17:10 CDT
Sites: University of Illinois Technology Services