# Insufficient Logging (CWE-778) When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. **Stack:** Python - Prevalence: Hoch Häufig ausgenutzt - Impact: Mittel Review empfohlen - Prevention: Dokumentiert 3 Fix-Beispiele **OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9 ## Description Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where. ## Prevention Präventionsstrategien für Insufficient Logging basierend auf 2 Shoulder-Erkennungsregeln. ### Key Practices - reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, n ### Python Replace print() with the logging module for structured, level-aware output Log authentication attempts, failures, and admin actions with user/IP context ## Warning Signs - [MEDIUM] Security-critical operation lacks audit logging - [MEDIUM] security-critical operations (authentication, authorization failures, admin actions) without proper - [low] print() calls when the logging module is used in the codebase ## Consequences - Aktivitäten verbergen - Schutzmechanismus umgehen ## Mitigations - Alle sicherheitsrelevanten Ereignisse loggen (Authentifizierung, Autorisierung, Datenzugriff) - Ausreichend Kontext einschließen (Benutzer, Zeitstempel, IP, Aktion, Ergebnis) - Zentralisierte Log-Verwaltung und -Überwachung umsetzen ## Detection - Total rules: 3 - Languages: javascript, typescript, python ## Rules by Language ### Python (2 rules) - **Avoid print() when logging module exists** [low]: Detects print() calls when the logging module is used in the codebase. CAPABILITY-GATED: This rule only fires when Python's logging module or a logging library (loguru, structlog) is detected. If the project only uses print(), that's an architectural choice - not a violation. When logging infrastructure exists, print() calls are outliers that should be reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, n - Remediation: Replace print() with the logging module. ```python import logging logger = logging.getLogger(__name__) logger.info("User logged in: %s", user_id) logger.debug("Processing file: %s", filename) logger.error("Failed to connect: %s", error) ``` Learn more: https://shoulder.dev/learn/python/cwe-778/avoid-print-logging - **Insufficient Security Event Logging** [MEDIUM]: Detects security-critical operations (authentication, authorization failures, admin actions) without proper logging. Insufficient logging prevents detection of attacks and hinders incident response. This rule only triggers on files containing security-critical patterns like: - Authentication (login, logout, authenticate, check_password) - Authorization decorators (@login_required, @permission_required) - Privilege checks (is_staff, is_superuser, is_admin, has_perm) - Session management with aut - Remediation: Log authentication attempts, failures, and security-critical actions with user/IP context. ```python import logging from flask import request from flask_login import login_user logger = logging.getLogger('security') @app.route('/login', methods=['POST']) def login(): username = request.form['username'] user = User.query.filter_by(username=username).first() if user and check_password(user.password, request.form['password']): login_user(user) logger.info(f"Login success: {username} from {request.remote_addr}") return redirect('/dashboard') logger.warning(f"Login failed: {username} from {request.remote_addr}") return 'Invalid credentials', 401 ``` Learn more: https://shoulder.dev/learn/python/cwe-778/insufficient-logging