Security/Users and Logs
What to Log
The goal of security based logging is to capture the core security events which may represent malicious actions within the system. While it is important to capture sufficient information to understand an event, it is equally important to be selective in what events are logged to minimize unnecessary “noise” which can obfuscate a malicious action.
Minimal Security Logging:
- Access Denied – A user attempts to perform an action and is denied based on insufficient rights for their account.
- Admin Account Pass Reset Request – A password reset is initiated for an admin account
- Admin Account Pass Change – An admin account has changed their password
- New Privileged Account – A new admin account is created or an existing user is granted admin rights. Avoid generating log events for the creation of low-level accounts.
Considerations for Enhanced Logging:
CEF logging can be used to detect a user performing malicious activity. The key to good CEF logging is to only log events for activity that could not be caused by non-malicious user error. The intent is to keep the false-positive rate as low as possible so that the reported information is actionable.
Generally these "attack detection" CEF logging points are identified during threat modeling work with InfraSec and dev. However, the following detection points will apply in most every application
- CSRF Token that contains non-alphanumeric characters
- More to be identified.
A list of suggested logging points will be provided in CEF Logging Guidance.
Where to Log
- Use the CEF library for Python available here in PyPI
- This will log to syslog
- If configuration is necessary select 'LOG_LOCAL4'
How to Log Events - CEF Library
Setup CEF - [Configuration Guide http://sync.ziade.org/doc/configuration.html#cef]
[cef] use = true file = syslog
syslog.options = PID,CONS syslog.priority = DEBUG syslog.facility = LOCAL4
vendor = mozilla version = 0 device_version = Any number that represents the application version product = A single name (no spaces) to represent the application (addons, sync, etc)
EventName - Please work with InfraSec to identify the correct EventName for each event type. EventNames should not concisely map to 1 particular attack type (e.g. no generic names that are used for multiple types of attacks).
>>> from cef import log_cef >>> log_cef('EventName', 5, environ, config, ... msg='Someone has stolen my chocolate')
How to Log Events - Non-CEF Library
This is the process for rolling your own CEF logging. This is only recommended if the Python CEF library won't work in your app (e.g. not a python app)
- Each log event must be a single line entry
- The following format must be used. The extension area is where most of the specific logged data actually ends up. The other fields are identification information and will be static.
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
- Some characters need to be escaped with a single backslash when placed within the extension area.
* pip | * backslash \ * equal = * newline \n or \r
- Multiple extension entries are separated by a single space (e.g. " ")
Example Log Event
User attempts an action and receives access denied due
Log Entry This should be a single line entry into the log
CEF:0|Mozilla|plugins|1.0 |ACE0|Access Control Violation|8|rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=22.214.171.124 dst=126.96.36.199 requestMethod=POST request=http://foo.mozilla.org/foo/abc.php?a\=b cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:188.8.131.52) Gecko/20100316 Firefox/3.6.2 msg=Optional arbitrary message data here.
Basic Log Info
Version – This is important This must be set to '0' (that is a zero, and of course no quotes in the actual log message)
Device Vendor – Vendor of the product generating the event. For websites, use “Mozilla”
Device Product – This is a unique name for the application. Note: there can not be duplicate systems using the same Vendor:Product paring. Consult the table below to ensure your selection is unique.
Device Version – The version of the application.
Products Configured with CEF
- KeyExchange - Sync Key Exchange server - setup.services.mozilla.com
Building the log message
SignatureID, Name, and Severity can be obtained from this table
|| Access Control Violation
|| Access Denied– A user attempts to perform an action and is denied based on insufficient rights for their account.|
|| Account Locked
|| Account Locked – An account is locked due to multiple incorrect password attempts|
||Admin Account Locked|| 9
|| Admin Account Locked – An admin account is locked due to multiple incorrect password attempts. |
|| New Privileged Account
|| Admin Account Pass Reset – A password reset is initiated for an admin account |
- rt=01 31 2010 18:30:01 – time event occurred MMM dd yyyy HH:mm:ss
- suser=janedoe – represents the username of the account that did something warranting the log message. If no user is logged in use “unauthenticated”
- suid=55 – an application specific user id associated with the suser. Many applications use integer IDs to represent users internally, if yours does not then enter 0.
- act=Action Denied - This represents what the application did in response to the action, examples include: Action Denied, Action Allowed, Action Logged.
- src=184.108.40.206 – the source IP address of the user account. Enter 0.0.0.0 if its not available
- dst=220.127.116.11 – the ip address of the webserver which received the request.
- requestMethod=POST – the HTTP method of the request which caused the log event (GET, POST, HEAD, PUT, OPTIONS, etc)
- request=http://foo.mozilla.org/foo/abc.php?a\=b – the full URL from the request
- cs1Label=requestClientApplication - Assigning a name to custom label 1. Use this verbatim no changes needed.
- cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:18.104.22.168) Gecko/20100316 Firefox/3.6.2 – user agent from request
- msg=some text – Optional: Additional message data can be include here up to 1023 characters.