Configuring loggers is security-sensitive. It has led in the past to the following vulnerabilities:
Logs are useful before, during and after a security incident.
Logs are also a target for attackers because they might contain sensitive information. Configuring loggers has an impact on the type of information logged and on how it is logged.
This rule flags for review code that initiates logger configuration. The goal is to guide security code reviews.
You are at risk if you answered yes to any of those questions.
Remember that configuring loggers properly doesn't make them bullet-proof. Here is a list of recommendations explaining how to use your logs:
Basic PHP configuration:
```php
<?php
function configure_logging() {
    error_reporting(E_RECOVERABLE_ERROR); // Questionable: only one error level is reported
    error_reporting(32); // Questionable: numeric level (E_CORE_WARNING) silences everything else
    ini_set('docref_root', '1'); // Questionable: adds documentation links to error output
    ini_set('display_errors', '1'); // Questionable: errors are shown to the client
    ini_set('display_startup_errors', '1'); // Questionable: start-up errors are shown to the client
    ini_set('error_log', "path/to/logfile"); // Questionable - check logfile is secure
    ini_set('error_reporting', E_PARSE); // Questionable: only parse errors are reported
    ini_set('error_reporting', 64); // Questionable: numeric level (E_COMPILE_ERROR)
    ini_set('log_errors', '0'); // Questionable: errors are not logged at all
    ini_set('log_errors_max_length', '512'); // Questionable: logged messages are truncated
    ini_set('ignore_repeated_errors', '1'); // Questionable: repeated errors are dropped
    ini_set('ignore_repeated_source', '1'); // Questionable: repeats from other sources are dropped too
    ini_set('track_errors', '0'); // Questionable (directive deprecated since PHP 7.2, removed in 8.0)
    // ini_alter() is an alias of ini_set() and is flagged in the same way
    ini_alter('docref_root', '1'); // Questionable
    ini_alter('display_errors', '1'); // Questionable
    ini_alter('display_startup_errors', '1'); // Questionable
    ini_alter('error_log', "path/to/logfile"); // Questionable - check logfile is secure
    ini_alter('error_reporting', E_PARSE); // Questionable
    ini_alter('error_reporting', 64); // Questionable
    ini_alter('log_errors', '0'); // Questionable
    ini_alter('log_errors_max_length', '512'); // Questionable
    ini_alter('ignore_repeated_errors', '1'); // Questionable
    ini_alter('ignore_repeated_source', '1'); // Questionable
    ini_alter('track_errors', '0'); // Questionable
}
```
Definition of custom loggers with psr/log:
```php
<?php
abstract class MyLogger implements \Psr\Log\LoggerInterface { // Questionable
    // ...
}
abstract class MyLogger2 extends \Psr\Log\AbstractLogger { // Questionable
    // ...
}
abstract class MyLogger3 {
    use \Psr\Log\LoggerTrait; // Questionable
    // ...
}
```
No issue will be raised for logger configuration when it follows recommended settings for production servers. The following examples are all valid:
```php
<?php
ini_set('docref_root', '0');
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
error_reporting(E_ALL);
error_reporting(32767);
error_reporting(-1);
ini_set('error_reporting', E_ALL);
ini_set('error_reporting', 32767);
ini_set('error_reporting', -1);
ini_set('log_errors', '1');
ini_set('log_errors_max_length', '0');
ini_set('ignore_repeated_errors', '0');
ini_set('ignore_repeated_source', '0');
ini_set('track_errors', '1');
```
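As an added example that is not part of the rule page, the following start-up routine applies the compliant production values listed above and then audits the live configuration (including whether the error_log path sits inside the document root) so that drift, such as display_errors being re-enabled by a stray php.ini, is detected before it reaches users. The function names and the $docRoot parameter are this example's own choices.

```php
<?php
// Added example, not from the rule page: apply the compliant production values,
// then audit what the runtime actually reports so a drifted deployment is caught.
// Function names and the $docRoot argument are this example's own assumptions.

function configure_production_logging(string $logFile): void
{
    ini_set('display_errors', '0');          // never echo errors to the client
    ini_set('display_startup_errors', '0');
    ini_set('docref_root', '0');             // no documentation links in messages
    ini_set('log_errors', '1');              // record every error ...
    ini_set('log_errors_max_length', '0');   // ... untruncated ...
    ini_set('ignore_repeated_errors', '0');  // ... including repeats
    ini_set('ignore_repeated_source', '0');
    ini_set('error_log', $logFile);
    error_reporting(E_ALL);
}

/** Returns a list of findings; an empty list means the configuration is compliant. */
function audit_logging_config(string $docRoot): array
{
    $findings = [];
    // Boolean directives: ini_get() yields "1" for on and "" or "0" for off.
    $on = fn(string $key): bool => filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
    $checks = [
        'display_errors must be off'         => !$on('display_errors'),
        'display_startup_errors must be off' => !$on('display_startup_errors'),
        'ignore_repeated_errors must be off' => !$on('ignore_repeated_errors'),
        'ignore_repeated_source must be off' => !$on('ignore_repeated_source'),
        'log_errors must be on'              => $on('log_errors'),
        'log_errors_max_length must be 0'    => (int) ini_get('log_errors_max_length') === 0,
        'docref_root must be empty or 0'     => in_array((string) ini_get('docref_root'), ['', '0'], true),
        'error_reporting must cover E_ALL'   => (error_reporting() & E_ALL) === E_ALL,
    ];
    foreach ($checks as $rule => $ok) {
        if (!$ok) {
            $findings[] = $rule;
        }
    }
    // The log file must live outside the web root so it cannot be served to clients.
    $log  = (string) ini_get('error_log');
    $root = rtrim($docRoot, '/') . '/';
    if ($log === '') {
        $findings[] = 'error_log is unset; errors fall back to the SAPI default';
    } elseif (strncmp((realpath(dirname($log)) ?: dirname($log)) . '/', $root, strlen($root)) === 0) {
        $findings[] = "error_log '$log' is inside the document root";
    }
    return $findings;
}
```

Call configure_production_logging() as early as possible in the bootstrap, then fail the start-up (or at least alert) if audit_logging_config($_SERVER['DOCUMENT_ROOT']) returns a non-empty list.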