# Insufficient Logging (CWE-778) When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. - Prevalence: 높음 자주 악용됨 - Impact: 보통 검토 권장 - Prevention: 문서화됨 3개의 수정 예시 **OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9 ## Description Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where. ## Prevention 3개의 Shoulder 탐지 규칙을 기반으로 한 Insufficient Logging 예방 전략. ### Key Practices - reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, n ### JavaScript Replace console.log with a structured logging library like winston or pino ### Python Replace print() with the logging module for structured, level-aware output Log authentication attempts, failures, and admin actions with user/IP context ## Warning Signs - [MEDIUM] Security-critical operation lacks audit logging - [MEDIUM] security-critical operations (authentication, authorization failures, admin actions) without proper - [low] console - [low] print() calls when the logging module is used in the codebase ## Consequences - 활동 은폐 - 보호 메커니즘 우회 ## Mitigations - 인증, 인가, 데이터 접근 등 보안 관련 모든 이벤트를 로그에 남기세요 - 충분한 컨텍스트(사용자, 타임스탬프, IP, 동작, 결과)를 포함하세요 - 중앙 집중식 로그 관리와 모니터링을 구현하세요 ## Detection - Total rules: 3 - Languages: javascript, typescript, python ## Rules by Language ### Python (2 rules) - **Avoid print() when logging module exists** [low]: Detects print() calls when the logging module is used in the codebase. CAPABILITY-GATED: This rule only fires when Python's logging module or a logging library (loguru, structlog) is detected. If the project only uses print(), that's an architectural choice - not a violation. When logging infrastructure exists, print() calls are outliers that should be reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, n - Remediation: Replace print() with the logging module. ```python import logging logger = logging.getLogger(__name__) logger.info("User logged in: %s", user_id) logger.debug("Processing file: %s", filename) logger.error("Failed to connect: %s", error) ``` Learn more: https://shoulder.dev/learn/python/cwe-778/avoid-print-logging - **Insufficient Security Event Logging** [MEDIUM]: Detects security-critical operations (authentication, authorization failures, admin actions) without proper logging. Insufficient logging prevents detection of attacks and hinders incident response. This rule only triggers on files containing security-critical patterns like: - Authentication (login, logout, authenticate, check_password) - Authorization decorators (@login_required, @permission_required) - Privilege checks (is_staff, is_superuser, is_admin, has_perm) - Session management with aut - Remediation: Log authentication attempts, failures, and security-critical actions with user/IP context. ```python import logging from flask import request from flask_login import login_user logger = logging.getLogger('security') @app.route('/login', methods=['POST']) def login(): username = request.form['username'] user = User.query.filter_by(username=username).first() if user and check_password(user.password, request.form['password']): login_user(user) logger.info(f"Login success: {username} from {request.remote_addr}") return redirect('/dashboard') logger.warning(f"Login failed: {username} from {request.remote_addr}") return 'Invalid credentials', 401 ``` Learn more: https://shoulder.dev/learn/python/cwe-778/insufficient-logging ### Javascript (1 rules) - **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected. - Remediation: Replace console.log with your logging library. ```javascript // winston logger.info('User logged in', { userId }); // pino logger.info({ userId }, 'User logged in'); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log ### Typescript (1 rules) - **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected. - Remediation: Replace console.log with your logging library. ```javascript // winston logger.info('User logged in', { userId }); // pino logger.info({ userId }, 'User logged in'); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log