Security and Audit Logs

Changing subjects, let's look at a topic that is crucial to application security but will not be discussed elsewhere in this book (and is often overlooked in other books). If you are building a server application, one area of functionality, while not among the more glamorous areas of security programming, cannot be overlooked: creating and writing security and audit logs. Security and audit logs are crucial to detecting security breaches and pursuing the guilty parties.

Why Do You Need Audit Logs?

Yes, writing security and audit logs is something that the operating system is already doing, so why do you need to concern yourself with building another audit log? If a user is interacting directly with your application, the operating system is not likely to recognize that a security breach has occurred. Only your application is in a position to recognize this situation and have the information necessary to identify what happened, who did it, and how it was done.

If a security breach occurs through your application, a security log can provide you with valuable information on how your application was compromised, so you can correct the problem and make your application more secure than it was. It can also provide key information for identifying and prosecuting the cracker who broke through your defenses, assuming that either damage was done or valuable information was stolen.

If your application accesses sensitive information, in a database or other information source, it is often important to maintain an audit log of who accessed what sensitive information and what information was accessed. This information will be important if sensitive information is revealed to someone who is not privy to the information, or if someone is abusing his or her access to this information. The information in the audit log will be used to determine who might be guilty of these indiscretions and what corrective action should be taken.

What Information Needs to Be Included?

In a security or audit log, you need to include as much information as you possibly can. For a security log, you need to include the IP address of the perpetrator, the login or username (if available), what was done or what command was issued, the data passed to the command that caused the error, the time and date, and any other relevant data (depending on your application).

For instance, if someone is trying to find a valid username/password combination for your application, you should record in the security log the IP address of the person, the username used, the date and time, and the fact that the login attempt failed. If subsequent attempts are made, you should include the number of failed attempts that have been made. It is debatable whether you should include the passwords tried in the log. Including the passwords tried in the log may enable you to tell whether the person is trying a brute-force method to find a valid password. At the same time, if someone is simply mistyping his or her password, recording the password in the log could compromise that user's account.

The information an audit log records is dependent on the particular situation. For controlling sensitive information in a database, an audit log would record the username of every user who accesses the sensitive information. The audit log would also record any changes made to this information, who made the change, and the before and after values for the information that was changed. As with security logs, the times and dates of all actions would be recorded in the audit log.

For instance, if someone were accessing and altering sensitive medical records, you would probably want to record the username, which records were accessed, what information was changed, and what the information was prior to being changed. You would also want to record the time and date the records were accessed and changed. Finally, if you have this information available, you would want to record how the user accessed the records, whether through an application screen or via some other known means.
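The two kinds of entries described above (security log entries for failed logins and erroring commands, and audit log entries for access to and changes of sensitive records) can be captured by a small structured logger. This is an added example, not code from the book; the class name, field names and the in-memory sink are assumptions, and the password tried is deliberately left out of the failed-login entry.

```python
import json
from collections import Counter
from datetime import datetime, timezone


class SecurityAuditLogger:
    """Writes structured security and audit entries, one JSON object per line.

    Constructed example: entries are kept in an in-memory list and, when a
    file-like sink is supplied, also appended to it as JSON lines."""

    def __init__(self, sink=None):
        self.sink = sink
        self.entries = []
        self.failed_logins = Counter()  # running count of failures per (ip, username)

    def _write(self, log, event, **fields):
        entry = {"log": log, "event": event,
                 "timestamp": datetime.now(timezone.utc).isoformat(), **fields}
        self.entries.append(entry)
        if self.sink is not None:
            self.sink.write(json.dumps(entry) + "\n")
        return entry

    # --- security log ---
    def login_failed(self, ip, username):
        # Who, from where, when, and how many failures so far; the password
        # tried is not recorded, to avoid exposing a mistyped real password.
        self.failed_logins[(ip, username)] += 1
        return self._write("security", "login_failed", ip=ip, username=username,
                           failed_attempts=self.failed_logins[(ip, username)])

    def login_succeeded(self, ip, username):
        self.failed_logins.pop((ip, username), None)  # reset the running count
        return self._write("security", "login_succeeded", ip=ip, username=username)

    def command_error(self, ip, username, command, data, error):
        # The command issued and the data passed to it, so the failure can be replayed.
        return self._write("security", "command_error", ip=ip, username=username,
                           command=command, data=data, error=error)

    # --- audit log ---
    def record_accessed(self, username, record_id, channel):
        return self._write("audit", "record_accessed", username=username,
                           record_id=record_id, channel=channel)

    def record_changed(self, username, record_id, field, before, after, channel):
        # Before and after values let an investigator reconstruct what was altered.
        return self._write("audit", "record_changed", username=username,
                           record_id=record_id, field=field, before=before,
                           after=after, channel=channel)
```

Pass `open("audit.log", "a")` as the sink to persist entries; the JSON-lines layout keeps each entry self-describing for later searching.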
