X-Git-Url: https://git.martlubbers.net/?a=blobdiff_plain;ds=sidebyside;f=report%2Fv8_error.tex;h=fc47ee0dd1ed94ecc7ca9c16b1c8c61e4f15ebee;hb=84ccdc4ce4f26fb002215f25495fb134d06e7096;hp=58e782a9dc4d2c97f7b4d5d80cb0c9eea9ec4346;hpb=be9ba2c694a92558b710fcf7bd2858558466741a;p=ssproject1617.git diff --git a/report/v8_error.tex b/report/v8_error.tex index 58e782a..fc47ee0 100644 --- a/report/v8_error.tex +++ b/report/v8_error.tex @@ -20,7 +20,7 @@ The software passes this check, this however is a side effect of limited error handling. \end{result} - \item\pass{} Verify security logging controls provide the ability + \item\fail{} Verify security logging controls provide the ability to log success and particularly failure events that are identified as security-relevant. @@ -31,7 +31,7 @@ Failed/unauthorized installation attempts won't get logged either. \end{result} - \item\pass{} Verify that each log event includes necessary + \item\fail{} Verify that each log event includes necessary information that would allow for a detailed investigation of the timeline when an event happens. 
@@ -77,47 +77,35 @@ Documentation suggesting users should verify that the database driver they end up using doesn't include sensitive data in exception messages is absent. \end{result} - \item\pass{} Verify that all non-printable symbols and field +\notapplicable{\item Verify that all non-printable symbols and field separators are properly encoded in log entries, to - prevent log injection. + prevent log injection.} - \begin{result} - \end{result} - - \item\pass{} Verify that log fields from trusted and untrusted - sources are distinguishable in log entries. - - \begin{result} - \end{result} +\notapplicable{\item Verify that log fields from trusted and untrusted + sources are distinguishable in log entries.} - \item\pass{} Verify that an audit log or similar allows for non-repudiation of key transactions. + \item\fail{} Verify that an audit log or similar allows for non-repudiation of key transactions. \begin{result} - Failed login attempts, password reset, login/logout... are not logged at all. + Failed login attempts, password reset, login/logout\ldots are not logged at all. It's not possible to retreive the IP address from which a password reset has been issued. Only potential requests are logged even before it's verified such an action exists. \end{result} - \item\pass{} Verify that security logs have some form of +\notapplicable{\item Verify that security logs have some form of integrity checking or controls to prevent - unauthorized modification. - - \begin{result} - \end{result} + unauthorized modification.} - \item\pass{} Verify that the +\notapplicable{\item Verify that the logs are stored on a different partition than the application is running with - proper log rotation. - - \begin{result} - \end{result} + proper log rotation.} - \item\pass{} Time sources should be synchronized to ensure + \item\fail{} Time sources should be synchronized to ensure logs have the correct time. \begin{result} Time information is not inserted into log messages. 
The actual log files however are named after the current system date, this gives a precision of 24 hours. \end{result} -\end{enumerate} \ No newline at end of file +\end{enumerate}
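Review bot: in the @@ -20,7 +20,7 @@ hunk the verdict on "Verify security logging controls provide the ability to log success and particularly failure events" flips from \pass{} to \fail{}, but that item's \begin{result} block is outside the hunk and untouched; the context line at the top of the next hunk ("Failed/unauthorized installation attempts won't get logged either.") suggests the result already describes missing failure logging, so just confirm the sentence before it states the failure explicitly, otherwise the rendered report shows a \fail{} whose justification still reads like a pass.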
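Review bot: the \fail{} on "each log event includes necessary information that would allow for a detailed investigation of the timeline" in the @@ -31,7 +31,7 @@ hunk is supported by the later result "Time information is not inserted into log messages", but that evidence sits under the time-synchronisation item at the end of the list; consider adding one sentence to this item's own \result block (not part of the hunk) saying that log entries carry no timestamp, so a reader of this item alone sees why it fails rather than having to find the reason forty lines further down.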
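Review bot: the new \notapplicable{\item Verify ...} pattern in the @@ -77,47 +77,35 @@ hunk places \item inside a macro argument, whereas every other entry in the list uses \item\pass{} / \item\fail{} with the verdict macro after \item; the definition of \notapplicable is not in this diff, so check that it is written to accept \item at the start of its argument and that the document still builds, or switch to the same \item\notapplicable{} ordering as the other verdict macros for consistency. Two smaller points in the same hunk: the unchanged context line "It's not possible to retreive the IP address" carries a typo (retrieve), and the replacement of "..." with \ldots, the removal of the empty \begin{result}\end{result} blocks for the not-applicable items, and the added trailing newline on \end{enumerate} are all fine.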