# Insufficient Logging (CWE-778)

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

- Prevalence: High (frequently exploited)
- Impact: Medium (review recommended)
- Prevention: Documented (3 remediation examples)

**OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9

## Description

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.

## Prevention

Prevention strategies for Insufficient Logging, based on Shoulder's 3 detection rules.

### Key Practices

When logging infrastructure exists, print()/console.log calls should be reviewed:

- They bypass structured logging
- They don't respect log levels
- They can't be easily filtered in production
- They go to stdout, n

### JavaScript

Replace console.log with a structured logging library like winston or pino.

### Python

Replace print() with the logging module for structured, level-aware output.

Log authentication attempts, failures, and admin actions with user/IP context.

## Warning Signs

- [MEDIUM] Security-critical operation lacks audit logging
- [MEDIUM] security-critical operations (authentication, authorization failures, admin actions) without proper
- [low] console
- [low] print() calls when the logging module is used in the codebase

## Consequences

- Hide activities
- Bypass protection mechanism

## Mitigations

- Log all security-relevant events (authentication, authorization, data access)
- Include sufficient context (user, timestamp, IP, action, result)
- Implement centralized log management and monitoring

## Detection

- Total rules: 3
- Languages: javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **Avoid print() when logging module exists** [low]: Detects print() calls when the logging module is used in the codebase.

CAPABILITY-GATED: This rule only fires when Python's logging module or a logging library (loguru, structlog) is detected. If the project only uses print(), that's an architectural choice - not a violation. When logging infrastructure exists, print() calls are outliers that should be reviewed:

- They bypass structured logging
- They don't respect log levels
- They can't be easily filtered in production
- They go to stdout, n

Remediation: Replace print() with the logging module.

```python
import logging

# One logger per module; the name shows up in every record so output can be filtered.
logger = logging.getLogger(__name__)

# Use %-style placeholders: the message is only formatted if the level is enabled.
logger.info("User logged in: %s", user_id)
logger.debug("Processing file: %s", filename)
logger.error("Failed to connect: %s", error)
```

Learn more: https://shoulder.dev/learn/python/cwe-778/avoid-print-logging

- **Insufficient Security Event Logging** [MEDIUM]: Detects security-critical operations (authentication, authorization failures, admin actions) without proper logging. Insufficient logging prevents detection of attacks and hinders incident response.

This rule only triggers on files containing security-critical patterns like:

- Authentication (login, logout, authenticate, check_password)
- Authorization decorators (@login_required, @permission_required)
- Privilege checks (is_staff, is_superuser, is_admin, has_perm)
- Session management with aut

Remediation: Log authentication attempts, failures, and security-critical actions with user/IP context.

```python
import logging

from flask import Flask, redirect, request
from flask_login import login_user

app = Flask(__name__)
# The User model and check_password() helper come from the application (not shown here).
logger = logging.getLogger('security')


@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    user = User.query.filter_by(username=username).first()
    if user and check_password(user.password, request.form['password']):
        login_user(user)
        # Successful authentication: record who logged in and from where.
        logger.info("Login success: %s from %s", username, request.remote_addr)
        return redirect('/dashboard')
    # Failed attempt: recorded with the same context, at warning level.
    logger.warning("Login failed: %s from %s", username, request.remote_addr)
    return 'Invalid credentials', 401
```

Learn more: https://shoulder.dev/learn/python/cwe-778/insufficient-logging

### Javascript (1 rule)

- **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.

Remediation: Replace console.log with your logging library.

```javascript
// winston: message first, structured context object second
logger.info('User logged in', { userId });

// pino: structured context object first, message second
logger.info({ userId }, 'User logged in');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log

### Typescript (1 rule)

- **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.

Remediation: Replace console.log with your logging library.

```javascript
// winston: message first, structured context object second
logger.info('User logged in', { userId });

// pino: structured context object first, message second
logger.info({ userId }, 'User logged in');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log
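The Mitigations list asks for every authentication event to carry user, timestamp, IP, action and result, and for logs to be consumable by a central pipeline. The following is an added example (not code from this page or from Shoulder) of a dedicated `security` logger that emits one JSON object per event via `extra=` fields, and an `authenticate()` function that records both success and failure with the same context. The credential store and the user/IP values are constructed sample data; `JsonFormatter`, `build_security_logger`, `audit` and `authenticate` are names chosen here.

```python
import hashlib
import hmac
import io
import json
import logging
from datetime import datetime, timezone


class JsonFormatter(logging.Formatter):
    """Render each record as one JSON object so fields stay filterable centrally."""

    CONTEXT_FIELDS = ("event", "user", "ip", "action", "result")

    def format(self, record: logging.LogRecord) -> str:
        entry = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        # Context passed via `extra=` is attached to the record as attributes.
        for field in self.CONTEXT_FIELDS:
            if hasattr(record, field):
                entry[field] = getattr(record, field)
        return json.dumps(entry)


def build_security_logger(stream) -> logging.Logger:
    """Dedicated security logger writing JSON lines to `stream` (a file or socket in practice)."""
    logger = logging.getLogger("security.audit")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()  # keeps repeated calls (e.g. in tests) from duplicating output
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def audit(logger: logging.Logger, *, user: str, ip: str, action: str, result: str) -> None:
    """Emit one security event; failures are raised to WARNING so they stand out in monitoring."""
    level = logging.INFO if result == "success" else logging.WARNING
    logger.log(
        level, "%s %s for user=%s ip=%s", action, result, user, ip,
        extra={"event": "security", "user": user, "ip": ip, "action": action, "result": result},
    )


# Constructed sample credential store (username -> sha256 hex); hypothetical.
# A real application would use a password hasher such as bcrypt or argon2.
_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def authenticate(logger: logging.Logger, username: str, password: str, remote_addr: str) -> bool:
    """Check credentials and always record the outcome, whatever it is."""
    stored = _USERS.get(username)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    audit(logger, user=username, ip=remote_addr, action="login",
          result="success" if ok else "failure")
    return ok


def demo() -> list:
    """Run three constructed login attempts and return the parsed JSON records."""
    buf = io.StringIO()
    logger = build_security_logger(buf)
    authenticate(logger, "alice", "correct horse", "203.0.113.10")   # success
    authenticate(logger, "alice", "wrong", "203.0.113.10")           # bad password
    authenticate(logger, "mallory", "x", "198.51.100.7")             # unknown user
    return [json.loads(line) for line in buf.getvalue().splitlines()]


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Because the context travels as named fields rather than inside the message string, a central log platform can alert on, say, repeated `result=failure` for one `ip` without regex-parsing free text; the `%s` placeholders also avoid the string formatting cost when a level is disabled.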
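To show how the two Python rules above can be evaluated mechanically, here is an added example of a small AST-based scanner that implements both: the capability-gated print() check (it only reports print() when `logging`, `loguru` or `structlog` is imported) and the security-event check (a function whose name, decorators or attribute accesses match the listed patterns must contain at least one logger call). This is not Shoulder's rule engine; the pattern sets, the `Finding` type, the `scan` function and the embedded sample sources are constructed for this example.

```python
import ast
from dataclasses import dataclass

LOGGING_MODULES = {"logging", "loguru", "structlog"}
SECURITY_NAMES = {"login", "logout", "authenticate", "check_password"}
SECURITY_DECORATORS = {"login_required", "permission_required"}
PRIVILEGE_ATTRS = {"is_staff", "is_superuser", "is_admin", "has_perm"}
LOG_METHODS = {"debug", "info", "warning", "error", "critical", "exception", "log"}


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    detail: str


def _imports_logging(tree: ast.AST) -> bool:
    """Capability gate: does the file import a logging module at all?"""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(alias.name.split(".")[0] in LOGGING_MODULES for alias in node.names):
                return True
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in LOGGING_MODULES:
                return True
    return False


def _is_print_call(node: ast.AST) -> bool:
    return isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "print"


def _calls_logger(func: ast.AST) -> bool:
    """True if the function body contains something like logger.info(...) / logging.warning(...)."""
    return any(
        isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute) and n.func.attr in LOG_METHODS
        for n in ast.walk(func)
    )


def _is_security_critical(func: ast.AST) -> bool:
    if any(name in func.name.lower() for name in SECURITY_NAMES):
        return True
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec  # @login_required or @permission_required('x')
        name = target.attr if isinstance(target, ast.Attribute) else getattr(target, "id", "")
        if name in SECURITY_DECORATORS:
            return True
    return any(isinstance(n, ast.Attribute) and n.attr in PRIVILEGE_ATTRS for n in ast.walk(func))


def scan(source: str) -> list:
    """Return findings for one Python source file, sorted by line number."""
    tree = ast.parse(source)
    findings = []
    if _imports_logging(tree):  # rule 1 only applies when logging infrastructure exists
        for node in ast.walk(tree):
            if _is_print_call(node):
                findings.append(Finding("avoid-print-logging", "low", node.lineno,
                                        "print() bypasses the logging module"))
    for node in ast.walk(tree):  # rule 2: security-critical function with no logger call
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) \
                and _is_security_critical(node) and not _calls_logger(node):
            findings.append(Finding("insufficient-logging", "MEDIUM", node.lineno,
                                    f"security-critical function '{node.name}' has no logger call"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: logging is imported, login() prints instead of logging, logout() logs.
SAMPLE = '''\
import logging
from flask import request
logger = logging.getLogger("security")

def login(username, password):
    user = lookup(username)
    if user and check_password(user, password):
        return "ok"
    print("bad login")
    return "denied"

def logout(user):
    logger.info("logout user=%s", user.id)
    return "bye"

def helper(x):
    return x + 1
'''

# Constructed sample with no logging infrastructure: print() is not reported.
SAMPLE_NO_LOGGING = "def main():\n    print('hi')\n"

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line}: [{f.severity}] {f.rule}: {f.detail}")
```

Against `SAMPLE` the scanner reports `login` at line 5 (security-critical, no logger call) and the `print()` at line 9; `logout` is not reported because it calls `logger.info`, and `SAMPLE_NO_LOGGING` yields nothing because the gate is closed.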