CWE-778: Insufficient Logging
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Common Consequences
Scope: Non-Repudiation
Technical Impact: Hide Activities
Note: If security-critical information is not recorded, there will be no trail for forensic analysis, and discovering the cause of problems or the source of attacks may become more difficult or impossible.
Potential Mitigations
Phase: Architecture and Design
Description: Use a centralized logging mechanism that supports multiple levels of detail.
Phase: Implementation
Description: Ensure that all security-related successes and failures can be logged. When storing data in the cloud (e.g., AWS S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to enable and capture detailed logging information.
Phase: Operation
Description: Be sure to set the level of logging appropriately in a production environment. Sufficient data should be logged to enable system administrators to detect attacks, diagnose errors, and recover from attacks. At the same time, logging too much data (CWE-779) can cause the same problems, including unexpected costs when using a cloud environment.
Phase: Operation
Description: To enable storage logging using Azure's Portal, navigate to the name of the Storage Account, locate the Monitoring (CLASSIC) section, and select Diagnostic settings (classic). For each of the various properties (blob, file, table, queue), ensure the status is properly set for the desired logging data. If using PowerShell, the Set-AzStorageServiceLoggingProperty command can be called with appropriate -ServiceType, -LoggingOperations, and -RetentionDays arguments.
Detection Methods
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Effectiveness: High
Observed Examples
Reference: CVE-2008-4315
server does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
Reference: CVE-2008-1203
admin interface does not log failed authentication attempts, making it easier for attackers to perform brute force password guessing without being detected
Reference: CVE-2007-3730
default configuration for POP server does not log source IP or username for login attempts
Reference: CVE-2007-1225
proxy does not log requests without "http://" in the URL, allowing web surfers to access restricted web content without detection
Reference: CVE-2003-1566
web server does not log requests for a non-standard request type
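The failed-login examples above (CVE-2008-4315, CVE-2008-1203) and the Implementation mitigation ("all security-related successes and failures can be logged") are illustrated by the following added example, which is not code from CWE or from any of the referenced products. It contrasts a login routine that records only successes with one that emits a structured record for every outcome, and shows the detection that the extra records make possible. The credential store, usernames and IP addresses are constructed for the example.

```python
import hashlib
import hmac
import logging
from datetime import datetime, timezone

# Constructed credential store: username -> SHA-256 hex digest of the password.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("auth")

def _password_matches(stored_digest, password):
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return bool(stored_digest) and hmac.compare_digest(stored_digest, candidate)

def login_insufficient(username, password):
    """CWE-778 pattern: only successes are recorded. A failed attempt leaves no
    trace, so repeated password guessing is invisible in the logs."""
    if _password_matches(USERS.get(username), password):
        log.info("login ok user=%s", username)
        return True
    return False  # no log line: no username, no source address, no reason

def login_logged(username, password, source_ip, sink=None):
    """Hardened pattern: every outcome yields one structured record with the
    details forensic analysis needs (who, from where, when, result, reason).
    `sink` is an optional list that receives a copy of each record."""
    stored = USERS.get(username)
    ok = _password_matches(stored, password)
    event = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": "auth",
        "user": username,
        "src_ip": source_ip,
        "outcome": "success" if ok else "failure",
        # The client sees a uniform failure; the log keeps the distinction.
        "reason": None if ok else ("unknown_user" if stored is None else "bad_password"),
    }
    (log.info if ok else log.warning)("%s", event)
    if sink is not None:
        sink.append(event)
    return ok

def failures_from(records, src_ip, threshold=5):
    """Detection built on the records: count failures from one source address
    and flag the source once `threshold` is reached. Returns (flagged, count)."""
    count = sum(1 for r in records if r["src_ip"] == src_ip and r["outcome"] == "failure")
    return count >= threshold, count
```

Running `login_insufficient` with a wrong password produces no output at all, while the same attempts through `login_logged` leave records that `failures_from` can turn into an alert.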
Modes of Introduction
| Phase | Note |
|---|---|
| Operation | COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic. |