How to know if it is safe to log sensitive information to a log aggregator

Question

Fortify has flagged data written to a log file as leaking sensitive or system information. My application (or microservice, etc.) running in a container is logging data to a log aggregator. How can I know if it is safe to log sensitive information to the log aggregator?

Answer

Fortify views all data that leaves an application as potentially exposed to a malicious party. Therefore, sensitive and system data that leaves an application is marked as potentially exposed. This includes data written to log files and other files stored on the local filesystem or a container-mounted volume, or sent to a log aggregator.

Best practice is to assume that data written to files or a log aggregator could be read by an attacker. Vulnerabilities in the operating system, the container itself, the log aggregator, other applications running on the server, and misconfiguration can all lead to compromise of any data written to the container, persistent data in volumes, stored by the log aggregator, etc. Recommendations therefore include:

  • Sensitive and system data should not be written out to files unless required for auditing or business purposes.
  • System data should not be written out to trusted files unless precautions are used to protect those files.
  • Sensitive data, such as PII, should not be written out to files unless it is appropriately encrypted, including while in transit if the log aggregator sends the data over the network.

Additional Guidance

OIS Software Assurance recognizes that the above is not always feasible for all applications. To alternately show that files written to the container or a persisted volume are safe, see this technical note. To show that log data that is additionally written to a log aggregator is safe, the following criteria must be met:

  • Requirement: The developer will need to provide documentation[1] that attests that:
    • The container hosting the application and the container or sidecar hosting the log aggregator were instantiated using authorized[2] infrastructure configuration files, DevSecOps tool configuration scripts, and/or application run-time configuration scripts to ensure that the container data in question is protected from unauthorized access, and
    • Required system security monitoring and system configuration monitoring is being performed to ensure that logging data written by an application running in a container is protected from unauthorized read and/or write access, and
    • Required system security monitoring and system configuration monitoring is being performed to ensure that logging data written by the log aggregator is protected from unauthorized read and/or write access, and
    • If the log aggregator transports the data on the network, it is encrypted in transit.
  • Requirement: Any sensitive data such as PII or PHI should be encrypted or written to an encrypted file:
    • This applies to both the local log and the aggregated copy of the log.
    • If the log aggregator transports the sensitive data on the network, it must be encrypted in transit.
    • If the sensitive data are not encrypted, the developer will need to provide documentation that attests that the sensitive data is being handled securely according to VA policy.
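The simplest way to satisfy the first recommendation above (do not write sensitive data to the log at all) is to scrub it before any handler, including the forwarder to the aggregator, sees the record. The following is an added example, not code from OIS Software Assurance or from Fortify: a Python `logging.Filter` that replaces PII matching a few constructed patterns (SSN, e-mail) with a keyed HMAC token, so entries for the same person still correlate while the raw value never reaches disk or the aggregator. The `LOG_TOKEN_KEY` environment variable and the patterns are assumptions for the example.

```python
import hashlib
import hmac
import logging
import os
import re

# Constructed patterns for two common PII shapes; extend for the data your application handles.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Assumed: the key comes from the environment. If it is missing, fall back to a random per-process
# key so the filter still never emits raw values (tokens then only correlate within one process).
LOG_TOKEN_KEY = os.environ.get("LOG_TOKEN_KEY", "").encode() or os.urandom(32)


def tokenize(value: str, key: bytes = LOG_TOKEN_KEY) -> str:
    """Map a PII value to a keyed, non-reversible token (truncated HMAC-SHA256)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(text: str, key: bytes = LOG_TOKEN_KEY) -> str:
    """Replace every PII match in text with a labelled token such as <ssn:3f9a...>."""
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(lambda m, l=label: f"<{l}:{tokenize(m.group(0), key)}>", text)
    return text


class PIIScrubFilter(logging.Filter):
    """Scrub the message template and its string arguments before any handler formats the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: scrub(v) if isinstance(v, str) else v for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(scrub(a) if isinstance(a, str) else a for a in record.args)
        return True  # keep the record; it is now safe to emit


def build_logger(name: str = "app") -> logging.Logger:
    """Return a logger whose own records are scrubbed before they reach any handler."""
    logger = logging.getLogger(name)
    if not any(isinstance(f, PIIScrubFilter) for f in logger.filters):
        logger.addFilter(PIIScrubFilter())  # logger-level filters apply to records created by this logger
    return logger


def demo(message: str, *args) -> str:
    """Log one message through a scrubbed logger and return the text a handler would emit."""
    logger, captured = build_logger("pii-demo"), []
    handler = logging.Handler()
    handler.emit = lambda record: captured.append(record.getMessage())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.info(message, *args)
    logger.removeHandler(handler)
    return captured[0]
```

Records propagated from child loggers bypass a logger-level filter, so in a real service attach the same filter to the handler that forwards to the aggregator as well.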

[1] There are no specific presentation or content requirements for the above attestation documentation, aside from addressing the specific technical concerns.

[2] The VA office or organizational entity that provided the authorization must be identified in the attestation.