CWE-778: Insufficient Logging

Ensure you have sufficient logging in order to adequately record important events within an application and/or system.

Without comprehensive and sufficient logging, it becomes challenging to identify and respond to security incidents, leading to delayed and/or inefficient incident response efforts.

Insufficient logging also negatively affects forensic analysis, hindering the ability to reconstruct events accurately after a breach.

Writing exceptions to stdout, stderr or local files is not sufficient:

Errors that occur while recording logs can themselves disrupt the logging process unless preventive measures are in place. This creates a security risk: an attacker could hide crucial security events by causing them not to be logged. It is therefore essential that an application's logging remains effective even when exceptions arise during the logging process itself.

Non-Compliant Code Example

In noncompliant01.py, when a risky operation such as a division by zero fails, the try block catches the ZeroDivisionError exception and prints it to the console without logging it, leaving the system vulnerable to undetected issues. The printed message is also vague.

noncompliant01.py:

""" Non-compliant Code Example """
 
try:
    result = 10 / 0
except ZeroDivisionError as e:
    print("Error occurred:", e)

The noncompliant01.py code prints the error to stdout instead of allowing central logging to take place.

Compliant Solution

The security exception output in compliant01.py uses the logging module. The program catches the ZeroDivisionError exception and logs it at the critical level, ensuring that the error is properly recorded. Production projects should set up log forwarding to a remote logging service.

compliant01.py:

""" Compliant Code Example """
 
import logging
 
try:
    result = 10 / 0
except ZeroDivisionError:
    logging.critical("Error occurred: Division by zero")

In compliant01.py, using the logging module and log levels allows better integration with a centralized logging system.
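The following is an added example (not the guide's compliant01.py) that combines the two points made above: the exception is recorded through the logging module with its traceback, and a handler falls back to a second sink when the primary one raises, so a failure inside the logging path does not drop the event. FallbackHandler, BrokenStream, build_logger, divide and run are names introduced here, and the "unavailable sink" is a constructed stand-in.

```python
import io
import logging

class FallbackHandler(logging.Handler):
    """Writes each record to a primary sink (e.g. a forwarder to central logging);
    if that raises, writes the same record to a fallback sink instead."""
    def __init__(self, primary, fallback):
        super().__init__()
        self.primary = primary
        self.fallback = fallback

    def emit(self, record):
        msg = self.format(record) + "\n"
        try:
            self.primary.write(msg)
        except Exception:
            # A failure inside the logging path must not lose the event.
            self.fallback.write(msg)

class BrokenStream(io.StringIO):
    """Constructed stand-in for a log sink that is currently unavailable."""
    def write(self, s):
        raise OSError("log sink unavailable")

def build_logger(primary, fallback):
    logger = logging.getLogger("cwe778-example")
    logger.handlers.clear()          # keep repeated calls idempotent
    logger.setLevel(logging.INFO)
    logger.propagate = False         # do not also fall through to the root logger
    handler = FallbackHandler(primary, fallback)
    handler.setFormatter(logging.Formatter(
        "%(asctime)s %(levelname)s %(name)s: %(message)s"))
    logger.addHandler(handler)
    return logger

def divide(logger, numerator, denominator):
    """Returns the quotient, or None after logging the failure with its traceback."""
    try:
        return numerator / denominator
    except ZeroDivisionError:
        # exc_info=True attaches the traceback so the event can be reconstructed later
        logger.critical("Division failed: %s / %s", numerator, denominator, exc_info=True)
        return None

def run(primary_broken):
    """Constructed scenario: the same division with a healthy or a failing primary sink."""
    primary = BrokenStream() if primary_broken else io.StringIO()
    fallback = io.StringIO()
    result = divide(build_logger(primary, fallback), 10, 0)
    return result, primary.getvalue(), fallback.getvalue()
```

With the primary sink healthy the record (including the traceback) lands there and the fallback stays empty; with the primary sink failing, the same record is preserved in the fallback instead of being lost.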

Automated Detection

Tool    Version  Checker  Description
Bandit  1.6.2             No Detection
Related Guidelines

MITRE CWE Pillar: CWE-693: Protection Mechanism Failure (4.16)
MITRE CWE Base: CWE-778: Insufficient Logging
SEI CERT: ERR02-J. Prevent exceptions while logging data