
Sensitive information stored in logs

Description

The system stores sensitive information such as credentials, bank accounts and file paths in log files.

Impact

Obtain sensitive information that may compromise system resources.

Recommendation

Verify that the information stored in logs is not sensitive.

Threat

Authorized local attacker with access to the log files.

Expected Remediation Time

⌚ 30 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: L
  • Attack complexity: L
  • Privileges required: H
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 2.3
    • Temporal: 2.3
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Log files do not contain any sensitive information

03/22 08:51:01 INFO   :.main: *************** RSVP Agent started ***************
03/22 08:51:01 INFO :...locate_configFile: Specified configuration file: /u/user10/rsvpd1.conf
03/22 08:51:01 INFO :.main: Using log level 511
03/22 08:51:01 INFO :..settcpimage: Get TCP images rc - EDC8112I Operation not supported on socket.
03/22 08:51:01 INFO :..settcpimage: Associate with TCP/IP image name = TCPCS
03/22 08:51:02 INFO :..reg_process: registering process with the system
03/22 08:51:02 INFO :..reg_process: attempt OS/390 registration
03/22 08:51:02 INFO :..reg_process: return from registration rc=0
03/22 08:51:06 TRACE :...read_physical_netif: Home list entries returned = 7
03/22 08:51:06 INFO :...read_physical_netif: index # 0, interface VLINK1 has address 129.1.1.1, ifidx 0
03/22 08:51:06 INFO :....mailslot_create: creating mailslot for timer
03/22 08:51:06 INFO :...mailbox_register: mailbox allocated for timer

Non compliant code

There are passwords and user ids stored in the log files

03/22 08:51:01 INFO   :.main: *************** Profile change***************
03/22 08:51:01 INFO :...locate_configFile: Changed user to "myuser"
03/22 08:51:01 INFO :.main: Changed password to "mypassword"
03/22 08:51:01 INFO :..settcpimage: Get TCP images rc - EDC8112I
03/22 08:51:01 INFO :..settcpimage: Associate with TCP/IP image name = TCPCS
03/22 08:51:02 INFO :..reg_process: registering process with the system
03/22 08:51:02 INFO :..reg_process: attempt OS/390 registration
03/22 08:51:02 INFO :..reg_process: return from registration rc=0
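As an added example (not code from the original page), the following Python module shows both sides of the remediation: a redaction function and a `logging.Filter` that mask credential values and bank account numbers before a record is written, and a scan function that flags lines in an existing log that still carry such values. The sample lines are a constructed copy of the non-compliant log above; the key list (`user`, `password`, `token`, ...) and the IBAN-shaped account pattern are assumptions to be extended for a real application's field names.

```python
import io
import logging
import re

# Keys whose values must never be written to a log. Constructed list for this
# example; extend it to match the field names used by your own application.
_SECRET_KEYS = r"(user|password|passwd|pwd|secret|token|api[_-]?key)"

# Matches `key to "value"` (the phrasing in the non-compliant log), `key=value`
# and `key: value`. Groups: 1 key, 2 separator, 3 opening quote, 4 value, 5 closing quote.
_KEY_VALUE = re.compile(
    rf'(?i)\b{_SECRET_KEYS}\b(\s*(?:to|=|:)\s*)(["\']?)([^"\'\s]+)(["\']?)'
)

# IBAN-shaped bank account numbers: country code, two check digits, 11-30 alphanumerics.
_IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

MASK = "[REDACTED]"


def redact(line: str) -> str:
    """Return `line` with secret values and account numbers replaced by MASK.

    Over-redaction is the safe failure mode here: a false positive hides one
    harmless token, a false negative leaks a credential into the log.
    """
    line = _KEY_VALUE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}{MASK}{m.group(5)}", line
    )
    return _IBAN.sub(MASK, line)


def find_sensitive_lines(lines) -> list:
    """1-based numbers of the lines of an existing log that still carry sensitive values."""
    return [i for i, line in enumerate(lines, start=1) if redact(line) != line]


class RedactingFilter(logging.Filter):
    """Logging filter that rewrites every record before a handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its arguments first so values passed as
        # %-parameters are covered too, then redact the finished text.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def format_with_filter(msg: str, *args) -> str:
    """Emit one record through a handler carrying RedactingFilter; return the output text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("redact-demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        logger.info(msg, *args)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().strip()


# Constructed copy of the non-compliant log above.
SAMPLE_LOG = [
    '03/22 08:51:01 INFO :.main: *************** Profile change ***************',
    '03/22 08:51:01 INFO :...locate_configFile: Changed user to "myuser"',
    '03/22 08:51:01 INFO :.main: Changed password to "mypassword"',
    '03/22 08:51:01 INFO :..settcpimage: Associate with TCP/IP image name = TCPCS',
    '03/22 08:51:02 INFO :..reg_process: return from registration rc=0',
]


if __name__ == "__main__":
    print("Lines to clean up:", find_sensitive_lines(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    print(format_with_filter('Changed password to "%s"', "mypassword"))
```

Attaching the filter to the handler (rather than calling `redact()` at each log call site) is the design point: it covers every code path that logs, including third-party code, and it runs after `%`-arguments are substituted, so a secret passed as a parameter is masked as well. `find_sensitive_lines()` is the check to run over log files already on disk when this finding is reported.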

Requirements