From 9b6a1d649ba72d713cacf742489807ef4947e114 Mon Sep 17 00:00:00 2001
From: charlie
Date: Fri, 11 Nov 2016 19:36:33 +0100
Subject: [PATCH] Added empty verdicts for all 8.x checks.

---
 report/v8_error.tex | 99 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)

diff --git a/report/v8_error.tex b/report/v8_error.tex
index e69de29..d61dcef 100644
--- a/report/v8_error.tex
+++ b/report/v8_error.tex
@@ -0,0 +1,99 @@
+\begin{enumerate}[label={8.\arabic*}]
+ \item\pass{} Verify that the application does not output error
+ messages or stack traces containing sensitive data
+ that could assist an attacker,
+ including session id,
+ software/framework versions and personal
+ information.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that error handling logic in security controls
+ denies access by default.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify security logging controls provide the ability
+ to log success and
+ particularly failure events that
+ are identified as security-relevant.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that each log event includes necessary
+ information that would allow for a detailed
+ investigation of the timeline when an event
+ happens.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that all
+ events that include untrusted data
+ will not execute as code in the intended log
+ viewing software.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that security logs are protected from
+ unauthorized access and modification.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that the application does not log
+ sensitive
+ data as defined under local privacy laws or
+ regulations, organizational sensitive data as
+ defined by a risk assessment, or sensitive
+ authentication data that could assist an attacker,
+ including user's session identifiers, passwords,
+ hashes, or AP
+ I tokens.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that all non-printable symbols and field
+ separators are properly encoded in log entries, to
+ prevent log injection.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that log fields from trusted and untrusted
+ sources are distinguishable in log entries.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that an audit log or similar allows for non-repudiation of key transactions.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that security logs have some form of
+ integrity checking or controls to prevent
+ unauthorized modification.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Verify that the
+ logs are stored on a different
+ partition than the application is running with
+ proper log rotation.
+
+ \begin{result}
+ \end{result}
+
+ \item\pass{} Time sources should be synchronized to ensure
+ logs have the correct time.
+
+ \begin{result}
+ \end{result}
+\end{enumerate}
\ No newline at end of file
-- 
2.20.1
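Review bot: All thirteen items are created with the verdict `\pass{}` while every `result` block is empty, so a check nobody has assessed yet already renders as passing in the compiled report, which is the fail-open default that item 8.2 asks the application under test to avoid. If the report preamble provides a not-yet-assessed verdict macro (the `\pass` macro and `result` environment are defined outside this file), the placeholder lines should use it instead, e.g. `\item\todo{} Verify that ...`, and `\pass{}` should only be set together with the supporting evidence in `result`. Separately, item 8.7 breaks the word across two source lines as `hashes, or AP` / `I tokens.`, which LaTeX typesets as "AP I tokens"; join them as `hashes, or API tokens.`.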