Configuring loggers is security-sensitive. It has led in the past to the following vulnerabilities:
Logs are useful before, during and after a security incident.
Logs are also a target for attackers because they might contain sensitive information. Configuring loggers has an impact on the type of information logged and how they are logged.
This rule flags for review code that initiates loggers configuration. The goal is to guide security code reviews.
There is a risk if you answered yes to any of those questions.
Remember that configuring loggers properly doesn’t make them bullet-proof. Here is a list of recommendations explaining on how to use your logs:
.Net Core: configure programmatically
Imports System
Imports System.Collections
Imports System.Collections.Generic
Imports Microsoft.AspNetCore
Imports Microsoft.AspNetCore.Builder
Imports Microsoft.AspNetCore.Hosting
Imports Microsoft.Extensions.Configuration
Imports Microsoft.Extensions.DependencyInjection
Imports Microsoft.Extensions.Logging
Imports Microsoft.Extensions.Options
Namespace MvcApp
Public Class ProgramLogging
Public Shared Function CreateWebHostBuilder(args As String()) As IWebHostBuilder
WebHost.CreateDefaultBuilder(args) _
.ConfigureLogging(Function(hostingContext, Logging) ' Sensitive
' ...
End Function) _
.UseStartup(Of StartupLogging)()
'...
End Function
End Class
Public Class StartupLogging
Public Sub ConfigureServices(services As IServiceCollection)
services.AddLogging(Function(logging) ' Sensitive
'...
End Function)
End Sub
Public Sub Configure(app As IApplicationBuilder, env As IHostingEnvironment, loggerFactory As ILoggerFactory)
Dim config As IConfiguration = Nothing
Dim level As LogLevel = LogLevel.Critical
Dim includeScopes As Boolean = False
Dim filter As Func(Of String, Microsoft.Extensions.Logging.LogLevel, Boolean) = Nothing
Dim consoleSettings As Microsoft.Extensions.Logging.Console.IConsoleLoggerSettings = Nothing
Dim azureSettings As Microsoft.Extensions.Logging.AzureAppServices.AzureAppServicesDiagnosticsSettings = Nothing
Dim eventLogSettings As Microsoft.Extensions.Logging.EventLog.EventLogSettings = Nothing
' An issue will be raised for each call to an ILoggerFactory extension methods adding loggers.
loggerFactory.AddAzureWebAppDiagnostics() ' Sensitive
loggerFactory.AddAzureWebAppDiagnostics(azureSettings) ' Sensitive
loggerFactory.AddConsole() ' Sensitive
loggerFactory.AddConsole(level) ' Sensitive
loggerFactory.AddConsole(level, includeScopes) ' Sensitive
loggerFactory.AddConsole(filter) ' Sensitive
loggerFactory.AddConsole(filter, includeScopes) ' Sensitive
loggerFactory.AddConsole(config) ' Sensitive
loggerFactory.AddConsole(consoleSettings) ' Sensitive
loggerFactory.AddDebug() ' Sensitive
loggerFactory.AddDebug(level) ' Sensitive
loggerFactory.AddDebug(filter) ' Sensitive
loggerFactory.AddEventLog() ' Sensitive
loggerFactory.AddEventLog(eventLogSettings) ' Sensitive
loggerFactory.AddEventLog(level) ' Sensitive
' Only available for NET Standard 2.0 and above
'loggerFactory.AddEventSourceLogger() ' Sensitive
Dim providers As IEnumerable(Of ILoggerProvider) = Nothing
Dim filterOptions1 As LoggerFilterOptions = Nothing
Dim filterOptions2 As IOptionsMonitor(Of LoggerFilterOptions) = Nothing
Dim factory As LoggerFactory = New LoggerFactory() ' Sensitive
factory = New LoggerFactory(providers) ' Sensitive
factory = New LoggerFactory(providers, filterOptions1) ' Sensitive
factory = New LoggerFactory(providers, filterOptions2) ' Sensitive
End Sub
End Class
End Namespace
Log4Net
Imports System
Imports System.IO
Imports System.Xml
Imports log4net.Appender
Imports log4net.Config
Imports log4net.Repository
Namespace Logging
Class Log4netLogging
Private Sub Foo(ByVal repository As ILoggerRepository, ByVal element As XmlElement, ByVal configFile As FileInfo, ByVal configUri As Uri, ByVal configStream As Stream, ByVal appender As IAppender, ParamArray appenders As IAppender())
log4net.Config.XmlConfigurator.Configure(repository) ' Sensitive
log4net.Config.XmlConfigurator.Configure(repository, element) ' Sensitive
log4net.Config.XmlConfigurator.Configure(repository, configFile) ' Sensitive
log4net.Config.XmlConfigurator.Configure(repository, configUri) ' Sensitive
log4net.Config.XmlConfigurator.Configure(repository, configStream) ' Sensitive
log4net.Config.XmlConfigurator.ConfigureAndWatch(repository, configFile) ' Sensitive
log4net.Config.DOMConfigurator.Configure() ' Sensitive
log4net.Config.DOMConfigurator.Configure(repository) ' Sensitive
log4net.Config.DOMConfigurator.Configure(element) ' Sensitive
log4net.Config.DOMConfigurator.Configure(repository, element) ' Sensitive
log4net.Config.DOMConfigurator.Configure(configFile) ' Sensitive
log4net.Config.DOMConfigurator.Configure(repository, configFile) ' Sensitive
log4net.Config.DOMConfigurator.Configure(configStream) ' Sensitive
log4net.Config.DOMConfigurator.Configure(repository, configStream) ' Sensitive
log4net.Config.DOMConfigurator.ConfigureAndWatch(configFile) ' Sensitive
log4net.Config.DOMConfigurator.ConfigureAndWatch(repository, configFile) ' Sensitive
log4net.Config.BasicConfigurator.Configure() ' Sensitive
log4net.Config.BasicConfigurator.Configure(appender) ' Sensitive
log4net.Config.BasicConfigurator.Configure(appenders) ' Sensitive
log4net.Config.BasicConfigurator.Configure(repository) ' Sensitive
log4net.Config.BasicConfigurator.Configure(repository, appender) ' Sensitive
log4net.Config.BasicConfigurator.Configure(repository, appenders) ' Sensitive
End Sub
End Class
End Namespace
NLog: configure programmatically
Namespace Logging
Class NLogLogging
Private Sub Foo(ByVal config As NLog.Config.LoggingConfiguration)
NLog.LogManager.Configuration = config ' Sensitive
End Sub
End Class
End Namespace
Serilog
Namespace Logging
Class SerilogLogging
Private Sub Foo()
Dim config As Serilog.LoggerConfiguration = New Serilog.LoggerConfiguration() ' Sensitive
End Sub
End Class
End Namespace