-\begin{enumerate}[label={8.\arabic*}]
+\begin{enumerate}[label={V8.\arabic*}]
\item\fail{} Verify that the application does not output error
messages or stack traces containing sensitive data
that could assist an attacker,
Documentation suggesting users should verify that the database driver they end up using doesn't include sensitive data in exception messages is absent.
\end{result}
- \item\pass{} Verify that all non-printable symbols and field
+\notapplicable{\item Verify that all non-printable symbols and field
separators are properly encoded in log entries, to
- prevent log injection.
+ prevent log injection.}
- \begin{result}
- \end{result}
-
- \item\pass{} Verify that log fields from trusted and untrusted
- sources are distinguishable in log entries.
-
- \begin{result}
- \end{result}
+\notapplicable{\item Verify that log fields from trusted and untrusted
+ sources are distinguishable in log entries.}
\item\fail{} Verify that an audit log or similar allows for non-repudiation of key transactions.
\begin{result}
- Failed login attempts, password reset, login/logout... are not logged at all.
+ Failed login attempts, password reset, login/logout\ldots are not logged at all.
It's not possible to retreive the IP address from which a password reset has been issued.
Only potential requests are logged even before it's verified such an action exists.
\end{result}
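Review bot: The log-injection and trusted/untrusted-field items go from \pass{} to \notapplicable{} and lose their result blocks, so the report no longer records why they are out of scope. The result for the non-repudiation item just below says requests are logged before they are validated, which suggests untrusted input does reach the log and both checks still apply. Either keep a result block stating the reason, or re-evaluate the items as pass/fail. In the changed line `login/logout\ldots are`, the control word swallows the following space, so write `\ldots{} are`. The neighbouring context line still has "retreive" for "retrieve".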
- \item\pass{} Verify that security logs have some form of
+\notapplicable{\item Verify that security logs have some form of
integrity checking or controls to prevent
- unauthorized modification.
-
- \begin{result}
- \end{result}
+ unauthorized modification.}
- \item\pass{} Verify that the
+\notapplicable{\item Verify that the
logs are stored on a different
partition than the application is running with
- proper log rotation.
-
- \begin{result}
- \end{result}
+ proper log rotation.}
\item\fail{} Time sources should be synchronized to ensure
logs have the correct time.
Time information is not inserted into log messages.
The actual log files however are named after the current system date, this gives a precision of 24 hours.
\end{result}
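Review bot: On the integrity-checking and log-partition items, `\notapplicable{\item ...}` places \item inside a macro argument. If \notapplicable suppresses its argument, the enumerate counter will not advance and the V8.\arabic* labels that follow will drift from the standard's numbering, so confirm the macro still steps the counter. The time-source result that follows states that log files are written and named after the system date, so storage, rotation and integrity controls have something to apply to. A short result block giving the reason for each not-applicable verdict would keep the change from \pass{} auditable.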
-\end{enumerate}
\ No newline at end of file
+\end{enumerate}