How to Use OWASP Security Logging

How To Use OWASP Security Logging by August Detlefsen, Sytze van Koningsveld, and Milton Smith

Transcript of How to Use OWASP Security Logging

Page 1: How to Use OWASP Security Logging

How To Use OWASP Security Logging

by August Detlefsen, Sytze van Koningsveld, and Milton Smith

Page 2: How to Use OWASP Security Logging

About the Presenters

August Detlefsen (California) Senior Application Security Consultant with more than eighteen years' experience in software development and information security. August authored several Burp Suite extensions and CodeMagi's Clickjacking Defense, and is the author of Iron-Clad Java: Building Secure Web Applications. Twitter @codemagi or [email protected]

Sytze van Koningsveld (Netherlands) Senior Software Developer at KLM specialised in security and quality assurance, with over eighteen years of Java development experience. [email protected]

Milton Smith (California) Security principal developing cloud security tools at Oracle. Previously Milton was the leader for Java Platform Security and the Java Security Track at Oracle's JavaOne conference. Past security principal at Yahoo. Twitter @spoofzu or [email protected]

Page 3: How to Use OWASP Security Logging

Exercises

Exercises for this demo are available on GitHub:

https://github.com/augustd/securitylogging

https://github.com/augustd/securitylogging-webapp

Page 4: How to Use OWASP Security Logging

Security Logging Background

Why do we need a security logging platform?

Page 5: How to Use OWASP Security Logging

OWASP Security Logging Project

Started in 2014, project born out of the need for a logger with better support for security

Implemented in Java, popular platform and language

Built with open standards (SLF4J), an open source project written to the open logging standard SLF4J

Page 6: How to Use OWASP Security Logging

Security & Compliance Distinct from Diagnostics

• Logger priorities, debug, info, warn, fatal - meaningless for security & logging

• Retention, losing diagnostics log messages is a pain, losing security logs raises eyebrows, losing compliance logs - ouch!

• Context, knowing the action or activity is not good enough. Need to know who, what, where, when.

Page 7: How to Use OWASP Security Logging

What Would a Better Logging Platform Look Like?

• 3 broader use cases, diagnostics, security, and compliance

• Framework encouraging robust logging, current frameworks leave what to log and when to log up to developers. Improved automation for common use-cases

• Legacy support, must add some value to older applications or 3rd party applications where we don’t have source code

Page 8: How to Use OWASP Security Logging

Why Use Security Logging?

Powerful features w/automation, associate current logged on user w/activities, log system state on start for later forensics, import into SIEM tools, log trends like heap space, open file counts, users logged on, etc.

Let us help you log, most logging systems put bits on disk. What, when, and where to log is important. Let us help.

Get going fast, know how to use log4j? Leverage your existing skills. You're ready to go!

Page 9: How to Use OWASP Security Logging

Building A Better Logging Framework

Layered view (slide diagram, top to bottom):

Security & Compliance: OWASP Security Logging

Interface: SLF4J

Log Platforms: Java Logging, Log4j/Log4j 2, logback

Page 10: How to Use OWASP Security Logging

SLF4J and JSR-47

Confused? Specifications dogfight

Subtle but important differences, logger inheritance, log level names

For details see http://www.jajakarta.org/log4j/jakarta-log4j-1.1.3/docs/critique.html

Page 11: How to Use OWASP Security Logging

Benefits of OWASP Security Logging

Security logging encourages positive design

Page 12: How to Use OWASP Security Logging

Benefit, Designed for 3 Use Cases: Diagnostics, Security, Compliance

Diagnostics/Forensics - What just happened? History of memory usage? History of security events? What command line args executed the app? Disk use over time.

Security - Door open/closed, user logged in/out, resource created/read/update/deleted, information classification

Compliance - Log messages remotely, sign logs, discourage tampering

Page 13: How to Use OWASP Security Logging

Security Log Events

• Successful logins
• Failed logins
• Log outs
• Changed password or security questions
• Profile changes, such as change of email address
• Password reset attempts
• Authorization failures
• Changes to privilege levels
• Input validation failures
• Any other sensitive operation…

Page 14: How to Use OWASP Security Logging

Benefit, Encourage Improved Logging Via Automation

Standalone Application - log command line arguments, system environment variables, Java system properties

J2EE/Servlet - All standalone logging + HTTP Request Parameters like current user logged on

Page 15: How to Use OWASP Security Logging

Benefit, Popular Logging Support & Ease of Use

Popular logging platforms, support for popular platforms like Java logging, log4j, log4j 2, logback

Large base of developer knowledge, years of experience w/these logging platforms

Open source & commercial support, many development organizations offer creative products services in this space

Page 16: How to Use OWASP Security Logging

Introduction to OWASP Security Logging

Security logging encourages positive design

Page 17: How to Use OWASP Security Logging

Planning Your Project Logging

Formalize your objectives, diagnostics/forensics, security, compliance

Map features to your objectives, understand/implement the features that support your project's needs

New project or legacy, for new projects you can use a battery of features. However, even old projects that console log (e.g. System.out) receive some benefits.

Page 18: How to Use OWASP Security Logging

https://www.owasp.org/index.php/OWASP_Security_Logging_Project

Quick Start, info to get started

Source Code, GitHub project Java code

Issue Tracker, report bugs, feature requests

Messaging leaders, work in progress. Temporary OWASP leaders email list or issue tracker link

Page 19: How to Use OWASP Security Logging

Including OWASP Security Logging Binaries

GitHub releases, download release binaries from project, https://github.com/javabeanz/owasp-security-logging/releases

Page 20: How to Use OWASP Security Logging

Building and Dependency Resolution

Maven Central, include Maven dependency declaration in your project POM

log4j:

<dependency>
    <groupId>org.owasp</groupId>
    <artifactId>security-logging-log4j</artifactId>
    <version>LATEST</version>
</dependency>

logback:

<dependency>
    <groupId>org.owasp</groupId>
    <artifactId>security-logging-logback</artifactId>
    <version>LATEST</version>
</dependency>

Page 21: How to Use OWASP Security Logging

Running Test Cases & Project Badges

OWASP Security Logging is hosted on GitHub, https://github.com/javabeanz/owasp-security-logging :

• Continuous Integration with Travis
• Quality assurance with Codecov, Codacy and Versioneye
• Security analysis with Coverity
• License and Maven version badge
• Core infrastructure badge in progress
• Many more: collaboration, deployment, project management, …. : https://github.com/integrations

Page 22: How to Use OWASP Security Logging

Community Support, Suggestions, Contributing

The OWASP Security Logging GitHub page offers:

• issue management
• #owaspsecurity-logging channel on OWASP Slack for chat
• wiki pages for documentation

– contributing: clone the git repo, create a pull request for your change. If the code change passes the tests, builds OK, and the badges are green, then the pull request is accepted

Page 23: How to Use OWASP Security Logging

Help Us Think of a Better Name for This Project

The OWASP Security Logging Project name is too long! We invite ideas for a distinctive name and logo. A single word and a simple project icon would be best: clean, simple, and easy for everyone to remember

Page 24: How to Use OWASP Security Logging

Introduction to Security Logging Features

Features to encourage positive design & save time

Page 25: How to Use OWASP Security Logging

Feature, Security Markers

Federal and State government agencies as well as companies supporting those agencies are often required to classify information.

Log routing, log messages with privileged classifications to secure logs

Exclude sensitive, exclude log messages with privileged classifications from being logged

Page 26: How to Use OWASP Security Logging

Feature, Log HTTP Session Parameters

Sometimes it is helpful to have information associated with the session attached to log messages

SessionPlugin, adds the user currently logged on to the web application to the Mapped Diagnostic Context (MDC). The information is easily used to include/correlate the user id with activity in log messages

Page 27: How to Use OWASP Security Logging

Feature, Log HTTP Session Parameters (cont)

ForwardedIPAddressPlugin, adds the remote IP address to the MDC using the value of the X-Forwarded-For header appended by the load balancer

IPAddressPlugin, adds the remote IP address to the MDC using the value of HttpServletRequest.getRemoteAddr()

UserNamePlugin, grabs HttpServletRequest.getAttribute("username") and places the value in the MDC

Page 28: How to Use OWASP Security Logging

Feature, Log Command Line Args on Startup

Log the command line arguments that initialized your program. Useful if your application has problems.

SecurityUtil.logCommandLineArguments(args);

Use WebApplicationInitializer in Spring web applications

Page 29: How to Use OWASP Security Logging

Feature, Log System Environment on Startup

Shell variables can be useful to diagnose problems your application may be experiencing. Do this to log your environment properties.

SecurityUtil.logShellEnvironmentVariables();

Page 30: How to Use OWASP Security Logging

Feature, Log System Properties on Startup

Knowing the Java System properties at startup (or other times) can be helpful. Log them easily by doing this.

SecurityUtil.logJavaSystemProperties();

Page 31: How to Use OWASP Security Logging

Feature, Interval Logging

Beneficial for diagnostics/forensics to keep record of system state for later follow-up

You want this in your logs every 15 seconds:

20:10:10.204 [Thread-0] INFO Watchdog: MemoryTotal=64.5MB, FreeMemory=58.2MB, MaxMemory=947.7MB, Threads Total=5, Threads New=0, Threads Runnable=3, Threads Blocked=0, Threads Waiting=2, Threads Terminated=0

Add this code:

IntervalLoggerController wd = SecurityLoggingFactory.getControllerInstance();
wd.start();

Page 32: How to Use OWASP Security Logging

Feature, Redirection Streams, System.out/err

Redirect the system streams of your legacy console logging code to your SLF4J logger. Set this on start-up.

SecurityUtil.bindSystemStreamsToSLF4J();

If you need to disable the redirection for some reason, do this:

SecurityUtil.unbindSystemStreams();

Page 33: How to Use OWASP Security Logging

Feature, Filtering Sensitive Log Messages

There are also times where it's desirable to filter unstructured data within log messages. Fields like SSN and password are examples. An example of what to code:

LOGGER.info("userid={}", userid);
LOGGER.info(SecurityMarkers.CONFIDENTIAL, "password={}", password);

2014-12-16 13:54:48,860 [main] INFO - userid=joebob
2014-12-16 13:54:48,860 [main] [CONFIDENTIAL] INFO - password=***********

Milton Smith
Anyone know if "unstructured data" is a true statement. For example,

logger.info(SM.conf, "password=abc")

Is abc suppressed like the previous example?

Page 34: How to Use OWASP Security Logging

Attendee Lab

No substitute for hands-on experience

Page 35: How to Use OWASP Security Logging

If you have a laptop AND if you don’t

If you brought a laptop you can participate in the coding exercise. If not, don’t worry. You can shoulder surf or watch us on the big screen.

Page 36: How to Use OWASP Security Logging

Exercise: HelloWorld w/Security Logging

Step 1, download securitylogging from GitHub

https://github.com/augustd/securitylogging

Page 37: How to Use OWASP Security Logging

Exercise: HelloWorld w/Security Logging

Step 2, integrate securitylogging with your favorite IDE

Page 38: How to Use OWASP Security Logging

Exercise: HelloWorld w/Security Logging

Step 3, update pom.xml to include the SLF4J logger (log4j 2 or logback):

...
    </plugins>
  </build>
  <dependencies>
    <dependency>
      <groupId>org.owasp</groupId>
      <artifactId>security-logging-log4j</artifactId>
      <version>1.1.2</version>
    </dependency>
  </dependencies>
</project>

Page 39: How to Use OWASP Security Logging

Exercise: HelloWorld w/Security Logging

Step 4, download Maven dependencies

Page 40: How to Use OWASP Security Logging

Exercise: HelloWorld w/Security Logging

Step 4, compile and run the project

You should see something like this:

17:00:30.984 [main] INFO com.owasp.securitylogging.bin.HelloWorld - It's alive!
Log message outside log4j 2

Page 41: How to Use OWASP Security Logging

Exercise: HelloWorld w/Security Logging

INFORMATION, at this point you have a functioning program that implements log4j 2 and OWASP Security Logging. Now for some fun!

Page 42: How to Use OWASP Security Logging

Exercise: HelloWorld with Security Markers

Step 5, add the following code to HelloWorld.java to tag log events as security-specific. Add it after the logger.info() call.

logger.info(SecurityMarkers.SECURITY_SUCCESS, "User '{}' logged in", "augustd");
logger.error(SecurityMarkers.SECURITY_FAILURE, "User '{}' attempted to access invalid account '{}'", "snidely", 5555785);

Page 43: How to Use OWASP Security Logging

Exercise: HelloWorld with Security Markers

Step 5, in log4j.xml, modify the PatternLayout definition to include markers:

<Console name="Console" target="SYSTEM_OUT">
    <PatternLayout pattern="%d{HH:mm:ss.SSS} %marker [%t] %-5level %logger{36} - %msg%n"/>
</Console>

Page 44: How to Use OWASP Security Logging

Exercise: HelloWorld with Startup Properties

Step 5, compile and run the project. Your output should look like this:

13:30:55.370 SECURITY SUCCESS [main] INFO com.owasp.securitylogging.bin.HelloWorld - User 'augustd' logged in
13:30:55.370 SECURITY FAILURE [main] ERROR com.owasp.securitylogging.bin.HelloWorld - User 'snidely' attempted to access invalid account '5555785'

...

Page 45: How to Use OWASP Security Logging

Exercise: HelloWorld with Startup Properties

Step 6, add the following code to HelloWorld.java to print system properties on startup. Add it after the logger.info() call.

// log command line arguments
SecurityUtil.logCommandLineArguments(args);

// log shell environment variables
SecurityUtil.logShellEnvironmentVariables();

// log java system properties
SecurityUtil.logJavaSystemProperties();

Page 46: How to Use OWASP Security Logging

Exercise: HelloWorld with Startup Properties

Step 6, compile and run the project. Your output should look like this:

17:37:30.678 [main] INFO com.owasp.securitylogging.bin.HelloWorld - It's alive!
17:37:30.690 [main] INFO org.owasp.security.logging.util.SecurityUtil - Env, PATH=/usr/bin:/bin:/usr/sbin:/sbin
17:37:30.690 [main] INFO org.owasp.security.logging.util.SecurityUtil - Env, SHELL=/bin/bash
17:37:30.690 [main] INFO org.owasp.security.logging.util.SecurityUtil - Env, JAVA_STARTED_ON_FIRST_THREAD_4018=1
17:37:30.690 [main] INFO org.owasp.security.logging.util.SecurityUtil - Env, APP_ICON_4018=../Resources/Eclipse.icns
17:37:30.690 [main] INFO org.owasp.security.logging.util.SecurityUtil - Env, JAVA_MAIN_CLASS_7073=com.owasp.securitylogging.bin.HelloWorld
17:37:30.690 [main] INFO org.owasp.security.logging.util.SecurityUtil - Env, USER=milton
...

Page 47: How to Use OWASP Security Logging

Exercise: HelloWorld with Stream Redirection

Step 7, add the following code to HelloWorld.java to capture logging to system streams by legacy or commercial programs. Add it after the interval logging code, SecurityUtil.bindSystemStreamsToSLF4J();

// Intercept system streams.
SecurityUtil.bindSystemStreamsToSLF4J();

// Test stream interception
System.out.println("This is a system.out");
System.err.println("This is a system.err");

Page 48: How to Use OWASP Security Logging

Exercise: HelloWorld with Stream Redirection

Step 7, check that logging to system streams is redirected. Notice how the log message routed to log4j 2 includes time, message priority, etc.:

12:34:09.084 [main] INFO org.owasp.security.logging.util.SecurityUtil - SysProp, sun.cpu.isalist=
12:34:09.084 [main] INFO org.owasp.security.logging.util.SecurityUtil - This is a system.out
12:34:09.084 [main] ERROR org.owasp.security.logging.util.SecurityUtil - This is a system.err

Page 49: How to Use OWASP Security Logging

Exercise: HelloWorld with Interval Logging

Step 8, now add the following code to HelloWorld.java to add interval logging. After SecurityUtil.logJavaSystemProperties(); type:

// start the interval logger
IntervalLoggerController wd = SecurityLoggingFactory.getControllerInstance();
wd.start();

Page 50: How to Use OWASP Security Logging

Exercise: HelloWorld with Interval Logging

Step 8, with interval logging on you should see a few messages print at the end of your log every 15 seconds, like this:

Log message outside log4j 2
17:47:53.714 [Thread-1] INFO org.owasp.security.logging.util.DefaultIntervalLoggerView - Watchdog: MemoryTotal=64.5MB, MemoryFree=56.2MB, MemoryMax=954.7MB, ThreadNew=0, ThreadRunnable=3, ThreadBlocked=0, ThreadWaiting=2, ThreadTerminated=0,

INFORMATION: to exit you need to press stop in the debugger or call wd.stop() in your code

Page 51: How to Use OWASP Security Logging

Exercise: HelloWorld with Interval Logging

CONGRATULATIONS, your program now has:

• command line arg logging
• logging shell environment properties
• logging Java system properties
• intercepting System streams
• and interval logging every 15 secs
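The standalone exercise (steps 5 to 8) and the "Filtering Sensitive Log Messages" slide assembled into one runnable HelloWorld, as an added example that is not code from the deck or from the securitylogging repository. It assumes the class/package names shown in the deck's sample output and that SecurityMarkers lives in org.owasp.security.logging while IntervalLoggerController and SecurityLoggingFactory live in org.owasp.security.logging.util; the credential value is a constructed sample.

```java
package com.owasp.securitylogging.bin;

import org.owasp.security.logging.SecurityMarkers;
import org.owasp.security.logging.util.IntervalLoggerController;
import org.owasp.security.logging.util.SecurityLoggingFactory;
import org.owasp.security.logging.util.SecurityUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Walk-through of the deck's exercise: markers, startup-state logging,
 * interval logging and stream redirection, plus the CONFIDENTIAL marker
 * used to mask sensitive fields. Package paths for the OWASP classes are
 * assumed from the deck's sample output.
 */
public class HelloWorld {

    private static final Logger logger = LoggerFactory.getLogger(HelloWorld.class);

    public static void main(String[] args) throws InterruptedException {
        logger.info("It's alive!");

        // Step 5: tag security-relevant events so a SIEM can route them.
        // With %marker in the PatternLayout these print as SECURITY SUCCESS /
        // SECURITY FAILURE in front of the thread name.
        logger.info(SecurityMarkers.SECURITY_SUCCESS, "User '{}' logged in", "augustd");
        logger.error(SecurityMarkers.SECURITY_FAILURE,
                "User '{}' attempted to access invalid account '{}'", "snidely", 5555785);

        // Sensitive field: the CONFIDENTIAL marker lets the logging
        // configuration mask or drop the value (the '*****' output on the
        // filtering slide). The plain userid line is logged as-is.
        String userid = "joebob";
        String password = "correct-horse-battery-staple"; // constructed sample value
        logger.info("userid={}", userid);
        logger.info(SecurityMarkers.CONFIDENTIAL, "password={}", password);

        // Step 6: record startup state (args, shell env, JVM properties)
        // for later forensics. Review what your environment contains before
        // enabling this in production; env vars often carry secrets.
        SecurityUtil.logCommandLineArguments(args);
        SecurityUtil.logShellEnvironmentVariables();
        SecurityUtil.logJavaSystemProperties();

        // Step 8: periodic watchdog line (memory and thread counts), every 15 s.
        IntervalLoggerController wd = SecurityLoggingFactory.getControllerInstance();
        wd.start();

        // Step 7: route System.out/err from legacy code through SLF4J so those
        // lines also carry a timestamp, level and logger name.
        SecurityUtil.bindSystemStreamsToSLF4J();
        System.out.println("This is a system.out"); // arrives as INFO
        System.err.println("This is a system.err"); // arrives as ERROR

        // Stay alive long enough to observe a couple of watchdog lines ...
        Thread.sleep(35_000L);

        // ... then stop the interval logger and release the streams. Without
        // wd.stop() the watchdog thread keeps the program running (slide 50).
        wd.stop();
        SecurityUtil.unbindSystemStreams();
    }
}
```

Run it with the log4j2.xml from the exercise (the %marker layout) to see the SECURITY SUCCESS / SECURITY FAILURE prefixes, and check that the password line is masked by your configured filter before relying on the CONFIDENTIAL marker in production.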

...but wait, there’s more!

Page 52: How to Use OWASP Security Logging

Exercise: HelloWorld Web App w/Security Logging

Step 1, download securitylogging-webapp from GitHub

https://github.com/augustd/securitylogging-webapp

Page 53: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 2, integrate securitylogging-webapp with your favorite IDE

The logging API is already included in pom.xml

Page 54: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 3, compile and run the project

You should see something like this:

Info: Loading application [securitylogging-webapp] at [/securitylogging-webapp]
Info: securitylogging-webapp was successfully deployed in 237 milliseconds.

Page 55: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 4, Hit the web app URL: http://localhost:8080/securitylogging-webapp/HelloWorld?name=august

You should see something like this:

Info: 18:03:08.729 SECURITY SUCCESS [http-listener-1(1)] INFO org.owasp.securitylogging.webapp.HelloWorld - User august logged in

Page 56: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

At this point you have a functioning web app that implements log4j 2 and OWASP Security Logging. Now for some fun!

Page 57: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 5, update web.xml to include the MDC Filter:

...
<filter>
    <filter-name>LoggingFilter</filter-name>
    <filter-class>org.owasp.security.logging.mdc.MDCFilter</filter-class>
    <init-param>
        <!-- component name is a free-form text value -->
        <param-name>ProductName</param-name>
        <param-value>securitylogging-webapp</param-value>
    </init-param>
</filter>

Page 58: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 5, map the MDC Filter to all URLs in your app:

<filter-mapping>
    <filter-name>LoggingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Page 59: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 5, add some plugins to the MDC Filter:

<filter>
    …
    <init-param>
        <param-name>ipAddress</param-name>
        <param-value>org.owasp.security.logging.mdc.plugins.ForwardedIPAddressPlugin</param-value>
    </init-param>
    <init-param>
        <param-name>username</param-name>
        <param-value>org.owasp.security.logging.mdc.plugins.UsernamePlugin</param-value>
    </init-param>
</filter>

Page 60: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 5, update log4j2.xml to include MDC info in layouts:

...
<Appenders>
    <Appender type="console" name="Console">
        <PatternLayout pattern="%d{HH:mm:ss.SSS} %marker [%t] %mdc{username}:%mdc{session} %mdc{ipAddress} %mdc{productName} %-5level %logger{36} - %msg%n"/>
    </Appender>
</Appenders>

Page 61: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

Step 6, Hit the web app URL: http://localhost:8080/securitylogging-webapp/HelloWorld?name=august

Your logs should show something like this:

Info: 18:24:21.077 SECURITY SUCCESS [http-listener-1(3)] august:019397a165a49dd2a03e5e3002dd0505219796e00296b33ec82107e5d0da63da 127.0.0.1 securitylogging-webapp INFO org.owasp.securitylogging.webapp.HelloWorld - User august logged in

Automatically, every request, no code required!

Page 62: How to Use OWASP Security Logging

Exercise: HelloWorld Web App

CONGRATULATIONS, your program now has:

• Automatic gathering of diagnostic data
• Diagnostic data added to every log statement
• Done all in configuration, no coding required

...but wait, there’s (going to be) more!

Page 63: How to Use OWASP Security Logging

Ideas for the Future

Possible future directions with security logging

Page 64: How to Use OWASP Security Logging

Forward Looking Information

The ideas presented are forward-looking ideas for future platform security features. No guarantees are provided that any ideas described in this section will be implemented in future releases. We present these ideas for the purpose of gauging public interest and support

Page 65: How to Use OWASP Security Logging

Idea, High Frequency Ring Logging

When a diagnostic or forensic incident occurs it's often desirable to understand the state of the system prior to the event of interest. To achieve this, two logs are necessary: the normal low frequency application log and a short duration high frequency log

High Freq Ring Logger, 10-15 mins of highly detailed diagnostic information. Overwritten as necessary by the system

Page 66: How to Use OWASP Security Logging

Idea, Improved Message Correlation

Explore different ways to correlate messages with each other. For example, time/date establish a timeline, user id is useful, etc. Maybe other types of information like application instance ID. Scoping rules different for each application, single user, multi-user, service instance, etc.

Page 67: How to Use OWASP Security Logging

Idea, Async Message Logging

Beneficial in some situations to log a message to a queue and return execution to the caller rather than block while the message is being sent. Also useful to have offline logging and forward messages later when Internet connectivity is restored

Page 68: How to Use OWASP Security Logging

Idea, Guaranteed Delivery

In some situations, like non-repudiation, reliable logging is essential. A hypothetical example of operation would be: the client logs a message and is blocked until the message is sent to the log server and successfully logged, after which the client is unblocked. On errors, when a message cannot be logged, a runtime exception can be thrown. This allows callers to roll back activities if logging is not possible

Page 69: How to Use OWASP Security Logging

Idea, Improved J2EE Logging

The plugin code used to correlate user ID with log messages can be improved to allow callers to specify arbitrary HTTPRequest parameters. For example, different web applications provide a number of custom request attributes that may add meaningful context to log messages

Page 70: How to Use OWASP Security Logging

Idea, Transport Encryption/Compression

Safe and efficient data transport, HTTPS support w/gzip and deflate compression

Page 71: How to Use OWASP Security Logging

Idea, Authenticated Client Logging

X.509 client certs, for cases where authenticated client end-point is desirable. Industrial strength secure point to point encryption.

Password or OAuth2, encrypted password solution using PBKDF2. Lighter weight, easier to manage than client certs. Also may be a good option for IoT devices that have limited software/hardware resources

Page 72: How to Use OWASP Security Logging

Idea, Signed Log Messages

In some scenarios it may be advantageous to sign messages on the client to ensure they are free from tampering when received on the server

Page 73: How to Use OWASP Security Logging

About the Presenters

August Detlefsen (California) Senior Application Security Consultant with more than eighteen years' experience in software development and information security. August authored several Burp Suite extensions and CodeMagi's Clickjacking Defense, and is the author of Iron-Clad Java: Building Secure Web Applications. Twitter @codemagi or [email protected]

Sytze van Koningsveld (Netherlands) Senior Software Developer at KLM specialised in security and quality assurance, with over eighteen years of Java development experience. [email protected]

Milton Smith (California) Security principal developing cloud security tools at Oracle. Previously Milton was the leader for Java Platform Security and the Java Security Track at Oracle's JavaOne conference. Past security principal at Yahoo. Twitter @spoofzu or [email protected]