Documentation suggesting users should verify that the database driver they end up using doesn't include sensitive data in exception messages is absent.
\end{result}
- \item\pass{} Verify that all non-printable symbols and field
+\notapplicable{\item Verify that all non-printable symbols and field
separators are properly encoded in log entries, to
- prevent log injection.
+ prevent log injection.}
- \begin{result}
- \end{result}
-
- \item\pass{} Verify that log fields from trusted and untrusted
- sources are distinguishable in log entries.
-
- \begin{result}
- \end{result}
+\notapplicable{\item Verify that log fields from trusted and untrusted
+ sources are distinguishable in log entries.}
\item\fail{} Verify that an audit log or similar allows for non-repudiation of key transactions.
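Review bot: The two requirements changed from \pass{} to \notapplicable{...} here (log-injection encoding, and distinguishing trusted from untrusted log fields) lose their result environments, so the report no longer records why they are out of scope. The surrounding findings state that requests are logged, which suggests log output exists and these checks may still apply. Keep a \begin{result}...\end{result} block under each item with the reason for not-applicable. The old \pass{} entries had empty results too, so the rationale was never recorded in either state. As a style point, wrapping \item inside the macro argument differs from the \item\fail{} form used by the neighbouring items; if the macro allows it, the same \item\status{} pattern would keep the list uniform.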
Only potential requests are logged even before it's verified such an action exists.
\end{result}
- \item\pass{} Verify that security logs have some form of
+\notapplicable{\item Verify that security logs have some form of
integrity checking or controls to prevent
- unauthorized modification.
-
- \begin{result}
- \end{result}
+ unauthorized modification.}
- \item\pass{} Verify that the
+\notapplicable{\item Verify that the
logs are stored on a different
partition than the application is running with
- proper log rotation.
-
- \begin{result}
- \end{result}
+ proper log rotation.}
\item\fail{} Time sources should be synchronized to ensure
logs have the correct time.
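Review bot: The log integrity and separate-partition/log-rotation requirements move from \pass{} to \notapplicable{...} with their result blocks deleted, so the downgrade carries no justification. The adjacent items fail the audit-log and time-synchronization checks, which implies logs are in scope for this review; not-applicable on integrity controls and rotation therefore needs an explicit reason (for example that log storage is the deployer's responsibility, if that is the case). Suggest keeping a result environment under each item stating that reason, or marking the items as failed or not verified if the controls were simply not found.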