This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP Logging Project"

From OWASP
(Logging Overview)
 
(41 intermediate revisions by 7 users not shown)
Line 1: Line 1:
The OWASP Logging Project [[OWASP Logging Project Roadmap]] .
+
{|
 +
|-
 +
! width="700" align="center" | <br>
 +
! width="500" align="center" | <br>
 +
|-
 +
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]  
 +
| align="right" |
  
==Logging Overview==
+
|}
 +
If you are looking for the [[OWASP Security Logging Project]], it is [[OWASP_Security_Logging_Project | here]].
  
This is the project initiated by Hong Kong Chapter. The idea is sparked when I am required to review various system logs and establish the log standard and review practice as well as process.
+
==== Main  ====
  
In fact, how many people could spend time and put it as a serious item in their routine checklist? Logs review seems to be a low-tech without skills. However, there are many state of arts behind the scene.
+
The OWASP Logging Project [[:Category:OWASP Logging Project - Roadmap|Roadmap]] <br> <br>
  
Anthony Lai, Chapter Leader and Sam Ng, member of Hong Kong Chapter will be responsible to lead this group and please feel free to join us.
+
<b>The OWASP Logging Project presented at IBWAS09</b><br>
 +
[[Image:IBWAS09_OWASP_Logging_Project_Presentation.ppt]]<br>
  
We need your voice and knowledge to strengthen our detective control.
+
[[Image:IBWAS09_Proyecto_OWASP_Logging_Presentación_en_Español.ppt]]<br><br>
  
[[Category:OWASP Project]]
+
Project Roadmap <br>
 +
[[Image:Owasp_Logging_Project_Roadmap.pdf]]<br>
 +
 
 +
Logging Guide <br>
 +
[[Image:OWASP Logging Guide.pdf]]<br>
 +
 
 +
== Goals  ==
 +
 
 +
http://www.pisa.org.hk/event/eventlog-mgt.jpg
 +
 
 +
<br> Provide tools for software developers in order to help them define and provide meaningful logs
 +
 
 +
Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)
 +
 
 +
Facilitate the integration of logs from different sources
 +
 
 +
Facilitate attack reconstruction
 +
 
 +
Facilitate information sharing around security events
 +
 
 +
== Existing tools and use cases  ==
 +
 
 +
<br>'''1) IDE integration''' (auto-completion, templates, logging policy definition support) for guiding software developers to define and provide meaningful logs
 +
 
 +
For example, a template can provide checks/hints/defaults s.a. those defined by the OWASP Enterprise Security API :<br>- something equivalent to a generated logging session ID, or a hashed value of the session ID so they can track session specific events without risking the exposure of a live session's ID<br>- identity of the user that caused the event<br>- description of the event (supplied by the caller)<br>- whether the event succeeded or failed (indicated by the caller)<br>- severity level of the event (indicated by the caller)<br>- that this is a security relevant event (indicated by the caller)<br>- hostname or IP where the event occurred (and ideally the user's source IP as well)<br>- a time stamp <br>
 +
 
 +
<br>'''IDE templates'''<br>
 +
 
 +
http://www.owasp.org/index.php/File:Eclipse_Create_Template.png<br>
 +
 
 +
http://www.owasp.org/index.php/File:NetBeans_Create_Live_Template.png<br>
 +
 
 +
http://wiki.netbeans.org/Java_EditorUsersGuide<br>
 +
 
 +
<br>'''OWASP ESAPI Logger''' interface (Logger.java) and implementations<br>http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API<br>http://code.google.com/p/owasp-esapi-java/downloads/list
 +
 
 +
<br>'''2/ Code audit tools''' s.a. OWASP yasca can be easily adapted in order to ensure that logging standards are respected and that log messages are consistent and complete (content, format, timestamps)<br>See http://www.owasp.org/index.php/Category:OWASP_Yasca_Project<br>Related OWASP projects: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
 +
 
 +
<br>
 +
 
 +
'''3) Integrating application logs into a Security Information Management configuration'''<br>OSSIM (http://www.ossim.net/) has numerous plugins for parsing webserver, appserver, WAF, IPS, IDS logs and generating/storing events in its standard format.
 +
 
 +
Adding a plugin for parsing custom application logs is as easy as finding the correct regular expression provided that developers included all relevant information in the log message and that they have done so in a consistent way.
 +
 
 +
You can refer to the OSSIM database model to see what data is stored for events.
 +
 
 +
See http://www.owasp.org/index.php/File:OWASP_Logging_Guide.pdf for more details/screenshots on application event integration and correlation via OSSIM
 +
 
 +
<br>'''4) Reconstructing attacks'''<br>It is difficult to analyze, filter and generally reconstruct an attack because messages are spread around various log levels.
 +
 
 +
See the Logging part of the OWASP ESAPI project<br>http://code.google.com/p/owasp-esapi-java/downloads/list
 +
 
 +
Along the same lines, Arshan Dabirsiaghi's proposal of adding a security log level is very interesting<br>http://www.owasp.org/index.php/How_to_add_a_security_log_level_in_log4j
 +
 
 +
<br>'''5) Implement scripts for filtering/scrubbing logs in order to enable log data sharing between organizations'''<br>Goal: information sharing around security events<br>Custom logger implementations based on the OWASP ESAPI might also filter out any sensitive data specific to the current application or organization, such as credit cards, social security numbers etc.
 +
 
 +
See the Logging part of the OWASP ESAPI project<br>See http://code.google.com/p/owasp-esapi-java/downloads/list
 +
 
 +
==== Project Details ====
 +
 
 +
[[Category:OWASP_Project|Logging Project]]  
 +
[[Category:OWASP_Document]]
 +
[[Category:OWASP_Alpha_Quality_Document]]
 +
 
 +
{{Template:OWASP Project Identification Tab
 +
| project_name = OWASP Logging Project
 +
| project_description = The goals of this project are:
 +
* Provide tools for software developers in order to help them define and provide meaningful logs
 +
* Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)
 +
* Facilitate the integration of logs from different sources
 +
* Facilitate attack reconstruction
 +
* Facilitate information sharing around security events
 +
| leader_name = Marc Chisinevski
 +
| leader_email =
 +
| leader_username = Marc_Chisinevski
 +
| maintainer_name = Marc Chisinevski
 +
| maintainer_email =
 +
| maintainer_username = Marc_Chisinevski
 +
| contributor_name1 = Marc Chisinevski
 +
| contributor_email1 =
 +
| contributor_username1 = Marc_Chisinevski
 +
| contributor_name2 = Anthony Lai
 +
| contributor_email2 =
 +
| contributor_username2 =
 +
| contributor_name3 = Sam Ng
 +
| contributor_email3 =
 +
| contributor_username3 =
 +
| contributor_name4 =
 +
| contributor_email4 =
 +
| contributor_username4 =
 +
| contributor_name5 =
 +
| contributor_email5 =
 +
| contributor_username5 =
 +
| contributor_name6 =
 +
| contributor_email6 =
 +
| contributor_username6 =
 +
| contributor_name7 =
 +
| contributor_email7 =
 +
| contributor_username7 =
 +
| contributor_name8 =
 +
| contributor_email8 =
 +
| contributor_username8 =
 +
| contributor_name9 =
 +
| contributor_email9 =
 +
| contributor_username9 =
 +
| contributor_name10 =
 +
| contributor_email10 =
 +
| contributor_username10 = 
 +
| pamphlet_link =
 +
| mailing_list_name = owasp-logging
 +
| links_url1 =
 +
| links_name1 =
 +
| links_url2 =
 +
| links_name2 =
 +
| links_url3 =
 +
| links_name3 =
 +
| links_url4 =
 +
| links_name4 =
 +
| links_url5 =
 +
| links_name5 =
 +
| links_url6 =
 +
| links_name6 =
 +
| links_url7 =
 +
| links_name7 =
 +
| links_url8 =
 +
| links_name8 =
 +
| links_url9 =
 +
| links_name9 =
 +
| links_url10 =
 +
| links_name10 =
 +
| project_road_map = Category:OWASP_Logging_Project_-_Roadmap
 +
| project_health_status =
 +
| current_release_name = First Release
 +
| current_release_date =
 +
| current_release_download_link =
 +
| current_release_rating =
 +
| current_release_leader_name =
 +
| current_release_leader_email =
 +
| current_release_leader_username =
 +
| last_reviewed_release_name =
 +
| last_reviewed_release_date =
 +
| last_reviewed_release_download_link =
 +
| last_reviewed_release_rating =
 +
| last_reviewed_release_leader_name =
 +
| last_reviewed_release_leader_email =
 +
| last_reviewed_release_leader_username =
 +
| old_release_name1 =
 +
| old_release_date1 =
 +
| old_release_download_link1 =
 +
| old_release_name2 =
 +
| old_release_date2 =
 +
| old_release_download_link2 =
 +
| old_release_name3 =
 +
| old_release_date3 =
 +
| old_release_download_link3 =
 +
| old_release_name4 =
 +
| old_release_date4 =
 +
| old_release_download_link4 =
 +
| old_release_name5 =
 +
| old_release_date5 =
 +
| old_release_download_link5 =
 +
}}
 +
 
 +
__NOTOC__ <headertabs />
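Review bot: the old revision's only statement of provenance (the project was initiated by the Hong Kong Chapter and was to be led by Anthony Lai and Sam Ng) is removed without replacement, while the new template makes Marc Chisinevski leader and maintainer and lists Anthony Lai and Sam Ng only as contributor_name2 and contributor_name3 with empty contributor_username fields; either keep one sentence on the project's origin under Main or fill in the usernames, since as rendered the Project Contributor(s) line is empty. Two smaller points in the added text: the ESAPI field list under "1) IDE integration" ends with "a time stamp" but says nothing about format or time zone, although "consistent and complete (content, format, timestamps)" is one of the stated Goals, so state UTC and one fixed format there; and items 1), 4) and 5) each repeat the same http://code.google.com/p/owasp-esapi-java/downloads/list link, which could be given once.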

Latest revision as of 21:25, 18 April 2016



[Image: OWASP Inactive Banner.jpg, linking to the OWASP Project Stages list of Inactive Projects]

If you are looking for the OWASP Security Logging Project, see the OWASP_Security_Logging_Project page.

Main

The OWASP Logging Project Roadmap

The OWASP Logging Project presented at IBWAS09
File:IBWAS09 OWASP Logging Project Presentation.ppt

File:IBWAS09 Proyecto OWASP Logging Presentación en Español.ppt

Project Roadmap
File:Owasp Logging Project Roadmap.pdf

Logging Guide
File:OWASP Logging Guide.pdf

Goals

[Image: eventlog-mgt.jpg, http://www.pisa.org.hk/event/eventlog-mgt.jpg]


Provide tools for software developers in order to help them define and provide meaningful logs

Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)

Facilitate the integration of logs from different sources

Facilitate attack reconstruction

Facilitate information sharing around security events

Existing tools and use cases


1) IDE integration (auto-completion, templates, logging policy definition support) for guiding software developers to define and provide meaningful logs

For example, a template can provide checks, hints and defaults such as those defined by the OWASP Enterprise Security API (ESAPI) Logger:
- something equivalent to a generated logging session ID, or a hashed value of the session ID, so that session-specific events can be tracked without exposing a live session ID in the logs
- the identity of the user that caused the event
- a description of the event (supplied by the caller)
- whether the event succeeded or failed (indicated by the caller)
- the severity level of the event (indicated by the caller)
- that this is a security-relevant event (indicated by the caller)
- the hostname or IP address where the event occurred (and ideally the user's source IP as well)
- a timestamp
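As an added example (written for this page, not code from the OWASP Logging Project or from ESAPI), the following Python logger emits every field in the list above as one key="value" line; the class name SecurityLogger, the key LOG_KEY and the sample events are assumptions made for the example. It keys the session hash with a secret so a captured log cannot be matched offline against a known session ID, pins the timestamp to UTC ISO 8601, and strips CR/LF from caller-supplied text so a description or user name cannot forge a second record.

```python
"""Added example (not part of the OWASP Logging Project or ESAPI): a minimal
security-event logger that writes the fields listed above as one consistent
key="value" line. SecurityLogger, LOG_KEY and the sample events are
illustrative names chosen for this example."""
import datetime
import hashlib
import hmac
import re
import socket

# Constructed secret for the example: in production load it from a secret store.
LOG_KEY = b"example-only-log-key-rotate-me"

# Control characters that would let caller-supplied text start a new log line.
_CTRL = re.compile(r"[\r\n\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def session_hash(session_id: str) -> str:
    """Keyed hash of the live session ID: the same session always maps to the same
    token, so events correlate, but the token is useless as a cookie and cannot be
    matched against a captured session ID without LOG_KEY (a plain SHA-256 could)."""
    return hmac.new(LOG_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def sanitize(value: str) -> str:
    """Replace CR/LF and other control characters with '_' and double quotes with
    single quotes, so a value cannot close its field or forge a record."""
    return _CTRL.sub("_", value).replace('"', "'")


class SecurityLogger:
    def __init__(self, host: str = None):
        self.host = host or socket.gethostname()

    def event(self, *, session_id, user, description, success, severity,
              security=True, src_ip=None, when=None) -> dict:
        """Build the structured record; every field except src_ip is mandatory."""
        ts = (when or datetime.datetime.now(datetime.timezone.utc)).isoformat(timespec="seconds")
        return {
            "ts": ts,                        # UTC, ISO 8601: one format for every source
            "host": self.host,               # where the event occurred
            "src_ip": src_ip or "-",         # the user's source address, if known
            "sid": session_hash(session_id), # hashed session ID, never the live one
            "user": sanitize(user),          # identity of the user that caused the event
            "sec": "true" if security else "false",  # security-relevant flag
            "severity": severity.upper(),    # severity level set by the caller
            "success": "true" if success else "false",
            "desc": sanitize(description),   # caller-supplied description
        }

    @staticmethod
    def format(rec: dict) -> str:
        """key="value" pairs in a fixed order, so one regex can parse every line."""
        return " ".join(f'{k}="{v}"' for k, v in rec.items())

    def log(self, **kw) -> str:
        line = self.format(self.event(**kw))
        print(line)
        return line


def demo() -> list:
    """Constructed events at a fixed time so the output is reproducible."""
    fixed = datetime.datetime(2016, 4, 18, 21, 25, tzinfo=datetime.timezone.utc)
    log = SecurityLogger(host="app01")
    return [
        log.log(session_id="s3ss10n-abc", user="alice", description="login",
                success=False, severity="warning", src_ip="203.0.113.5", when=fixed),
        # caller-supplied user name carrying a line break and a fake field
        log.log(session_id="s3ss10n-abc", user='alice\nuser="admin"', description="login",
                success=True, severity="info", src_ip="203.0.113.5", when=fixed),
    ]


if __name__ == "__main__":
    demo()
```

Running demo() prints two constructed records; the second shows a user name with an injected line break and a fake user="admin" field being flattened into a single line, and the raw session ID never appears in either.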


IDE templates

http://www.owasp.org/index.php/File:Eclipse_Create_Template.png

http://www.owasp.org/index.php/File:NetBeans_Create_Live_Template.png

http://wiki.netbeans.org/Java_EditorUsersGuide


OWASP ESAPI Logger interface (Logger.java) and implementations
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
http://code.google.com/p/owasp-esapi-java/downloads/list


2) Code audit tools such as OWASP Yasca can be adapted to check that logging standards are respected and that log messages are consistent and complete (content, format, timestamps).
See http://www.owasp.org/index.php/Category:OWASP_Yasca_Project
Related OWASP projects: http://www.owasp.org/index.php/Category:OWASP_Orizon_Project
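The kind of check such a tool would implement, as an added example that is not part of Yasca or Orizon: a Python script that scans a constructed Java class and flags calls that break an assumed logging standard (security events go through the ESAPI Logger with an explicit event type such as Logger.SECURITY_FAILURE and a constant message, never through System.out or printStackTrace, and never built by string concatenation, which both drifts from the agreed format and lets user input inject log lines). The sample class and the rule names are constructed for this example.

```python
"""Added example (not part of OWASP Yasca or Orizon): a small source audit in
the spirit of a Yasca plugin. The standard it enforces is an assumption of this
example: security events go through the ESAPI Logger with an explicit event type
and a constant message, never through System.out/printStackTrace or concatenation."""
import re

# Constructed Java sample: one compliant call and four violations.
SAMPLE_JAVA = """\
public class LoginController {
    private final Logger logger = ESAPI.getLogger("LoginController");
    void onLogin(String user, boolean ok) {
        if (ok) {
            logger.info(Logger.SECURITY_SUCCESS, "login succeeded");
        } else {
            logger.warning(Logger.SECURITY_FAILURE, "login failed for " + user);
            System.out.println("bad login: " + user);
        }
    }
    void onLogout(String user) {
        logger.info("logout " + user);
    }
    void onError(Exception e) {
        e.printStackTrace();
    }
}
"""

# A logger call and its argument list (ESAPI Logger method names).
LOG_CALL = re.compile(r"\b(?:logger|log)\.(fatal|error|warning|warn|info|debug|trace)\((.*)\)\s*;")
# Sinks that bypass the logger entirely.
BAD_SINK = re.compile(r"System\.(out|err)\.print|\.printStackTrace\(")
# ESAPI event-type constants that must be the first argument.
EVENT_TYPE = re.compile(
    r"^\s*Logger\.(SECURITY_SUCCESS|SECURITY_FAILURE|EVENT_SUCCESS|EVENT_FAILURE|EVENT_UNSPECIFIED)\s*,"
)
# A string literal joined to something else with '+'.
CONCAT = re.compile(r'"\s*\+|\+\s*"')


def audit(source: str) -> list:
    """Return (line_number, rule, line) findings for one source file."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if BAD_SINK.search(line):
            findings.append((no, "non-standard log sink", line.strip()))
        m = LOG_CALL.search(line)
        if not m:
            continue
        args = m.group(2)
        if not EVENT_TYPE.match(args):
            findings.append((no, "missing ESAPI event type", line.strip()))
        if CONCAT.search(args):
            findings.append((no, "message built by concatenation (format drift, log injection)", line.strip()))
    return findings


if __name__ == "__main__":
    for no, rule, text in audit(SAMPLE_JAVA):
        print(f"line {no}: {rule}: {text}")
```

On the sample class the audit reports lines 7, 8, 12 (twice) and 15; the compliant call on line 5 is left alone. A real plugin would add the parameterised-message form the logging framework supports instead of only rejecting concatenation.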


3) Integrating application logs into a Security Information Management configuration
OSSIM (http://www.ossim.net/) has numerous plugins for parsing webserver, appserver, WAF, IPS, IDS logs and generating/storing events in its standard format.

Adding a plugin for parsing custom application logs comes down to writing the right regular expression, provided that developers included all relevant information in each log message and did so in a consistent format; a message that drifts from the agreed format simply fails to match and is lost to correlation.

You can refer to the OSSIM database model to see what data is stored for events.

See http://www.owasp.org/index.php/File:OWASP_Logging_Guide.pdf for more details/screenshots on application event integration and correlation via OSSIM


4) Reconstructing attacks
It is difficult to analyze, filter and reconstruct an attack when the relevant messages are spread across various log levels (debug, info, warning, error) and mixed with ordinary application output.

See the Logging part of the OWASP ESAPI project
http://code.google.com/p/owasp-esapi-java/downloads/list

Along the same lines, Arshan Dabirsiaghi's proposal to add a dedicated security log level to log4j, so that security events can be filtered and routed independently of their severity, is worth reading:
http://www.owasp.org/index.php/How_to_add_a_security_log_level_in_log4j
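An added example covering both 3) and 4), not taken from OSSIM or the OWASP Logging Project: a Python regex "plugin" that normalizes constructed key="value" application lines into OSSIM-style field names, reports the lines that do not match instead of silently dropping them, then rebuilds each session's timeline across DEBUG, INFO and WARNING to surface a password-guessing run that ends in a successful login followed by a privilege change. The line format, field names, threshold and sample lines are assumptions of this example.

```python
"""Added example (not from OSSIM or the OWASP Logging Project): a regex plugin
that normalizes application log lines the way an OSSIM plugin does with its
regexp and field mapping, then rebuilds per-session timelines so an attack can
be followed across log levels. Line format, field names and samples are constructed."""
import re
from collections import defaultdict

# One regex per line format, like the regexp of an OSSIM plugin rule. The
# key="value" layout is an assumption of this example.
APP_LINE = re.compile(
    r'^ts="(?P<date>[^"]+)" host="(?P<host>[^"]+)" src_ip="(?P<src_ip>[^"]+)" '
    r'sid="(?P<sid>[0-9a-f]+)" user="(?P<username>[^"]*)" sec="(?P<sec>true|false)" '
    r'severity="(?P<severity>[A-Z]+)" success="(?P<success>true|false)" desc="(?P<userdata1>[^"]*)"$'
)

# Constructed sample: three failed logins, a success and a role change from one
# session (spread over WARNING, INFO and DEBUG), an unrelated session, and one
# line written by a developer who did not follow the format.
SAMPLE = """\
ts="2016-04-18T21:25:01+00:00" host="app01" src_ip="203.0.113.5" sid="7d3f1a" user="alice" sec="true" severity="WARNING" success="false" desc="login"
ts="2016-04-18T21:25:02+00:00" host="app01" src_ip="203.0.113.5" sid="7d3f1a" user="alice" sec="true" severity="WARNING" success="false" desc="login"
ts="2016-04-18T21:25:02+00:00" host="app01" src_ip="198.51.100.7" sid="c0ffee" user="bob" sec="true" severity="INFO" success="true" desc="login"
ts="2016-04-18T21:25:03+00:00" host="app01" src_ip="203.0.113.5" sid="7d3f1a" user="alice" sec="true" severity="WARNING" success="false" desc="login"
login ok for alice from 203.0.113.5
ts="2016-04-18T21:25:09+00:00" host="app01" src_ip="203.0.113.5" sid="7d3f1a" user="alice" sec="true" severity="INFO" success="true" desc="login"
ts="2016-04-18T21:25:15+00:00" host="app01" src_ip="203.0.113.5" sid="7d3f1a" user="alice" sec="true" severity="DEBUG" success="true" desc="role change: alice -> admin"
"""


def normalize(lines):
    """Return (events, unparsed). Each event is a flat dict with OSSIM-like field
    names; lines the regex rejects are returned rather than silently dropped,
    which is how format drift in the application gets noticed."""
    events, unparsed = [], []
    for line in lines:
        m = APP_LINE.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
        elif line.strip():
            unparsed.append(line)
    return events, unparsed


def timelines(events):
    """Group events by hashed session and order by timestamp, ignoring level.
    ISO 8601 timestamps in one time zone sort correctly as strings."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)
    return {sid: sorted(evs, key=lambda e: e["date"]) for sid, evs in by_sid.items()}


def reconstruct(lines, max_failures=3):
    """Flag sessions where at least max_failures failed logins precede a successful
    one, and list what that session did afterwards."""
    events, unparsed = normalize(lines)
    findings = []
    for sid, evs in timelines(events).items():
        failures = 0
        for e in evs:
            if e["userdata1"] != "login":
                continue
            if e["success"] == "false":
                failures += 1
                continue
            if failures >= max_failures:
                later = [x["userdata1"] for x in evs if x["date"] > e["date"]]
                findings.append({"sid": sid, "src_ip": e["src_ip"], "user": e["username"],
                                 "failures_before_success": failures, "after": later})
            failures = 0
    return findings, unparsed


if __name__ == "__main__":
    found, bad = reconstruct(SAMPLE.splitlines())
    print("findings:", found)
    print("unparsed:", bad)
```

The unparsed list is the check a practitioner wants after installing a plugin: one non-empty entry means an application is writing a message the plugin cannot normalize, and the corresponding events are invisible to correlation.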


5) Implement scripts for filtering/scrubbing logs in order to enable log data sharing between organizations
Goal: information sharing around security events
Custom logger implementations based on the OWASP ESAPI Logger interface might also filter out sensitive data specific to the current application or organization, such as credit card numbers, social security numbers and the like, before it is written, which is easier than redacting it afterwards.

See the Logging part of the OWASP ESAPI project
See http://code.google.com/p/owasp-esapi-java/downloads/list
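An added example of such a scrubbing script, not from ESAPI or the OWASP Logging Project: it runs over constructed log lines, confirms card-number candidates with the Luhn check so a 16-digit order number is not redacted, and replaces each card number, SSN and e-mail address with a keyed token so the same value still correlates across shared records without being recoverable. SCRUB_KEY, the regexes and the sample lines are assumptions of this example.

```python
"""Added example (not from ESAPI or the OWASP Logging Project): a scrubbing filter
to run over log lines before sharing them with another organization. Card numbers
are confirmed with the Luhn check, and every match becomes a keyed token so the
value still correlates across records. Key, patterns and samples are constructed."""
import hashlib
import hmac
import re

# Constructed: in practice one key per sharing partner, loaded from a secret store.
SCRUB_KEY = b"example-only-scrub-key"

# 13 to 19 digits with optional space/dash separators; US SSN shape; e-mail address.
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed log lines: a real test card number, an order number that merely
# looks like one, and an SSN plus an e-mail address.
SAMPLE = [
    'ts="2016-04-18T21:25:09+00:00" user="alice" desc="payment card 4111 1111 1111 1111 declined"',
    'ts="2016-04-18T21:25:10+00:00" user="alice" desc="order 4111111111111112 confirmed"',
    'ts="2016-04-18T21:25:11+00:00" user="bob" desc="ssn 123-45-6789 updated, contact bob@example.com"',
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def token(kind: str, value: str) -> str:
    """Stable pseudonym: same key and same value always give the same token."""
    mac = hmac.new(SCRUB_KEY, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:10]
    return f"<{kind}:{mac}>"


def scrub_line(line: str) -> str:
    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Separators are stripped before hashing, so "4111 1111 ..." and
        # "4111-1111-..." map to the same token.
        return token("pan", digits) if luhn_ok(digits) else m.group(0)

    line = CARD.sub(card_sub, line)
    line = SSN.sub(lambda m: token("ssn", m.group(0)), line)
    line = EMAIL.sub(lambda m: token("email", m.group(0)), line)
    return line


def scrub(lines):
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for out in scrub(SAMPLE):
        print(out)
```

The Luhn check is what keeps the second line intact; without it any 13 to 19 digit run (order numbers, transaction IDs) would be redacted and the shared log would lose the identifiers the receiving team needs for correlation.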

Project Details


PROJECT INFO

what is this project?
OWASP Logging Project

Purpose: The goals of this project are:

  • Provide tools for software developers in order to help them define and provide meaningful logs
  • Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps)
  • Facilitate the integration of logs from different sources
  • Facilitate attack reconstruction
  • Facilitate information sharing around security events

License: N/A

who is working on this project?
Project Leader: Marc Chisinevski

Project Maintainer: Marc Chisinevski

Project Contributor(s): Marc Chisinevski, Anthony Lai, Sam Ng

how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: owasp-logging (subscribe or read the archives)

Project Roadmap: Category:OWASP_Logging_Project_-_Roadmap

Main links: N/A

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact Marc Chisinevski to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
RELEASE(S) INFO

current release
First Release - Unknown Date - (no download available)

Release Leader: N/A

Release details: N/A

Rating: Not Reviewed
To be reviewed under Assessment Criteria v2.0


Pages in category "OWASP Logging Project"

The following 2 pages are in this category, out of 2 total.