Configuring loggers is security-sensitive. It has led in the past to the following vulnerabilities:

Logs are useful before, during and after a security incident.

Logs are also a target for attackers because they might contain sensitive information. Configuring loggers determines what information is logged, how it is logged, and where it ends up.

This rule flags for review code that initiates logger configuration. The goal is to guide security code reviews.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Remember that configuring loggers properly doesn't make them bullet-proof. Here is a list of recommendations on how to use your logs:

Questionable Code Example

Basic PHP configuration:

function configure_logging() {
  // Anything narrower than E_ALL silences whole classes of errors. The numeric
  // forms are flagged too: 32 is E_CORE_WARNING, a single error class.
  error_reporting(E_RECOVERABLE_ERROR); // Questionable
  error_reporting(32); // Questionable

  ini_set('docref_root', '1'); // Questionable
  ini_set('display_errors', '1'); // Questionable - errors are written to the HTTP response
  ini_set('display_startup_errors', '1'); // Questionable
  ini_set('error_log', "path/to/logfile"); // Questionable - check logfile is secure
  ini_set('error_reporting', E_PARSE ); // Questionable
  ini_set('error_reporting', 64); // Questionable - 64 is E_COMPILE_ERROR only
  ini_set('log_errors', '0'); // Questionable - nothing is recorded server side
  ini_set('log_errors_max_length', '512'); // Questionable - messages truncated (directive removed in PHP 8.0)
  ini_set('ignore_repeated_errors', '1'); // Questionable - repeated errors are dropped
  ini_set('ignore_repeated_source', '1'); // Questionable
  ini_set('track_errors', '0'); // Questionable (directive removed in PHP 8.0)

  // ini_alter() is an alias of ini_set() and is flagged the same way.
  ini_alter('docref_root', '1'); // Questionable
  ini_alter('display_errors', '1'); // Questionable
  ini_alter('display_startup_errors', '1'); // Questionable
  ini_alter('error_log', "path/to/logfile"); // Questionable - check logfile is secure
  ini_alter('error_reporting', E_PARSE ); // Questionable
  ini_alter('error_reporting', 64); // Questionable
  ini_alter('log_errors', '0'); // Questionable
  ini_alter('log_errors_max_length', '512'); // Questionable
  ini_alter('ignore_repeated_errors', '1'); // Questionable
  ini_alter('ignore_repeated_source', '1'); // Questionable
  ini_alter('track_errors', '0'); // Questionable
}

Definition of custom loggers with psr/log (any class that implements LoggerInterface, extends AbstractLogger or uses LoggerTrait is a logger implementation and is flagged):

abstract class MyLogger implements \Psr\Log\LoggerInterface { // Questionable
    // ...
}

abstract class MyLogger2 extends \Psr\Log\AbstractLogger { // Questionable
    // ...
}

abstract class MyLogger3 {
    use \Psr\Log\LoggerTrait; // Questionable
    // ...
}
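A custom logger is where the "what is logged and how" decisions of this rule are actually made. The following is an added example, not code from the rule page or from psr/log: a PSR-3 logger that redacts context values under secret-bearing keys, escapes line breaks so a user-controlled value cannot forge extra log entries, and creates its file closed to other users. It assumes psr/log 3.x on PHP 8.1+; the log path and the list of sensitive keys are hypothetical.

```php
<?php
// Added example (not from the rule page): a PSR-3 logger that treats what it
// writes as security-sensitive. Assumes psr/log 3.x and PHP 8.1+; the path
// and the SENSITIVE_KEYS list are hypothetical.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // composer require psr/log

use Psr\Log\AbstractLogger;
use Psr\Log\InvalidArgumentException;
use Psr\Log\LogLevel;

final class RedactingFileLogger extends AbstractLogger
{
    // Context keys whose values must never reach the log (hypothetical list).
    private const SENSITIVE_KEYS = [
        'password', 'passwd', 'secret', 'token', 'authorization', 'cookie', 'api_key',
    ];

    private const LEVELS = [
        LogLevel::EMERGENCY, LogLevel::ALERT, LogLevel::CRITICAL, LogLevel::ERROR,
        LogLevel::WARNING, LogLevel::NOTICE, LogLevel::INFO, LogLevel::DEBUG,
    ];

    public function __construct(private readonly string $path)
    {
        // Create the file closed to other local users: logs are an attacker target.
        if (!file_exists($path)) {
            if (@touch($path) === false) {
                throw new \RuntimeException("cannot create log file $path");
            }
            chmod($path, 0640);
        }
    }

    public function log($level, string|\Stringable $message, array $context = []): void
    {
        if (!in_array($level, self::LEVELS, true)) {
            throw new InvalidArgumentException('unknown log level: ' . var_export($level, true));
        }
        $context = self::redact($context);
        $text = self::interpolate((string) $message, $context);
        $line = sprintf(
            "%s [%s] %s %s\n",
            date(DATE_ATOM),
            strtoupper($level),
            self::sanitize($text),
            json_encode($context, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR)
        );
        file_put_contents($this->path, $line, FILE_APPEND | LOCK_EX);
    }

    // Replace values under sensitive keys, recursing into nested arrays.
    private static function redact(array $context): array
    {
        foreach ($context as $key => $value) {
            if (in_array(strtolower((string) $key), self::SENSITIVE_KEYS, true)) {
                $context[$key] = '[REDACTED]';
            } elseif (is_array($value)) {
                $context[$key] = self::redact($value);
            }
        }
        return $context;
    }

    // PSR-3 placeholder interpolation: {user} is replaced by $context['user'].
    private static function interpolate(string $message, array $context): string
    {
        $replace = [];
        foreach ($context as $key => $value) {
            if (is_scalar($value) || $value === null || $value instanceof \Stringable) {
                $replace['{' . $key . '}'] = (string) $value;
            }
        }
        return strtr($message, $replace);
    }

    // Neutralise log injection: a user-supplied value must not be able to end
    // the current line and forge a new, plausible-looking entry.
    private static function sanitize(string $text): string
    {
        $text = str_replace(["\r", "\n"], ['\r', '\n'], $text);
        return preg_replace('/[\x00-\x1F\x7F]/', '?', $text) ?? $text;
    }
}

// Usage: a file outside the web root (hypothetical path) and a context that
// mixes a user-controlled value carrying an injection attempt with a secret.
$logger = new RedactingFileLogger(sys_get_temp_dir() . '/myapp-app.log');
$logger->info('login attempt for {user}', [
    'user'     => "alice\n2024-01-01T00:00:00+00:00 [INFO] admin granted",
    'password' => 'hunter2',
]);
```

The entry lands on a single line: the newline inside the user name is written as the two characters `\n`, and the password value appears as `[REDACTED]` both in the interpolated message and in the JSON context. Redaction runs before interpolation on purpose, so a `{password}` placeholder in the message cannot bypass it.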

Exceptions

No issue will be raised for logger configuration when it follows recommended settings for production servers. The following examples are all valid:

  // Nothing diagnostic reaches the client.
  ini_set('docref_root', '0');
  ini_set('display_errors', '0');
  ini_set('display_startup_errors', '0');

  // Everything is reported; E_ALL, 32767 and -1 are equivalent.
  error_reporting(E_ALL);
  error_reporting(32767);
  error_reporting(-1);
  ini_set('error_reporting', E_ALL);
  ini_set('error_reporting', 32767);
  ini_set('error_reporting', -1);

  // Everything is kept server side, untruncated and without dropping repeats.
  ini_set('log_errors', '1');
  ini_set('log_errors_max_length', '0'); // directive removed in PHP 8.0
  ini_set('ignore_repeated_errors', '0');
  ini_set('ignore_repeated_source', '0');
  ini_set('track_errors', '1'); // directive removed in PHP 8.0
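The settings above are only half of the job: the rule's own comment on error_log says "check logfile is secure", and a later ini_set() or a php.ini on the host can silently undo what the code set. The following is an added example, not code from the rule page: it applies the accepted production settings, refuses a log target that is under the document root or world-readable, and returns the effective values so startup can fail closed if they did not stick. It assumes PHP 8.0+ on a POSIX host; the log path is hypothetical.

```php
<?php
// Added example (not from the rule page): production-safe logger configuration,
// applied from code and verified. Assumes PHP 8.0+ on a POSIX host; the log
// path in the usage section is hypothetical.
declare(strict_types=1);

// Refuse log targets that would leak: under the document root (served to
// clients) or readable by every local user. Creates the file closed if absent.
function assert_secure_log_target(string $logFile): void
{
    $dir = realpath(dirname($logFile));
    if ($dir === false || !is_writable($dir)) {
        throw new \RuntimeException("log directory for $logFile is missing or not writable");
    }
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && str_starts_with($dir . '/', rtrim($docRoot, '/') . '/')) {
        throw new \RuntimeException("$logFile is under the document root and could be downloaded");
    }
    if (!file_exists($logFile)) {
        if (@touch($logFile) === false) {
            throw new \RuntimeException("cannot create $logFile");
        }
        chmod($logFile, 0640);
    }
    if ((fileperms($logFile) & 0004) !== 0) {
        throw new \RuntimeException("$logFile is world-readable");
    }
}

// Apply the settings and return what is actually in effect, so a deployment
// check can detect overrides from php.ini, .user.ini or a later ini_set().
function configure_production_logging(string $logFile): array
{
    assert_secure_log_target($logFile);

    // Nothing diagnostic goes to the HTTP response.
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('docref_root', '0');

    // Everything is reported, and kept, server side.
    error_reporting(E_ALL);                 // same as -1 or 32767
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);
    ini_set('ignore_repeated_errors', '0'); // repeated errors are evidence, not noise
    ini_set('ignore_repeated_source', '0');
    if (PHP_VERSION_ID < 80000) {
        // Directive removed in PHP 8.0, where messages are no longer truncated.
        ini_set('log_errors_max_length', '0');
    }

    return [
        'display_errors'         => ini_get('display_errors'),
        'display_startup_errors' => ini_get('display_startup_errors'),
        'log_errors'             => ini_get('log_errors'),
        'error_log'              => ini_get('error_log'),
        'error_reporting'        => error_reporting(),
    ];
}

// Fail closed at startup: refuse to serve if the configuration did not stick.
function verify_production_logging(array $effective): void
{
    $expected = ['display_errors' => false, 'display_startup_errors' => false, 'log_errors' => true];
    foreach ($expected as $key => $want) {
        // ini_get() returns strings such as '0', '1' or ''; normalise to bool.
        if (filter_var($effective[$key], FILTER_VALIDATE_BOOLEAN) !== $want) {
            throw new \RuntimeException("$key is '{$effective[$key]}', expected " . var_export($want, true));
        }
    }
    if ($effective['error_reporting'] !== E_ALL) {
        throw new \RuntimeException('error_reporting is narrower than E_ALL');
    }
}

// Usage (hypothetical path outside the web root).
$effective = configure_production_logging(sys_get_temp_dir() . '/myapp-php-error.log');
verify_production_logging($effective);
trigger_error('logging configured', E_USER_NOTICE); // lands in the file, never in the response
```

Run this as early as possible in the bootstrap, before any code that can emit a warning, and treat the RuntimeException as a deployment failure rather than something to catch and continue from: a web server that starts with display_errors on is exactly the condition this rule exists to catch.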

See