
This article covers security logging and monitoring vulnerabilities. It addresses the common failures: insufficient logging, lack of monitoring, and unprotected access to logs that lets an attacker alter or remove them.
Security logging and monitoring failures are deficiencies in the systems that record and monitor security events. They do not give an attacker access by themselves, but they allow intrusions to go undetected and make incident investigation difficult or impossible.
Insufficient logging
Description: Logging does not provide enough detail for incident detection and investigation.
Example: Important events (logins, failed authentication, access-control failures, input validation errors) are not recorded, or the entries lack context such as the timestamp, source address and user involved.

Lack of monitoring
Description: There is no continuous monitoring to detect abnormal or dangerous events.
Example: A web application writes logs, but nothing analyses them, so suspicious requests and repeated access attempts go unnoticed and trigger no alert.

Unprotected access to logs
Description: Logs are accessible to untrusted parties, which allows attackers to manipulate or delete entries.
Example: Logs are stored in a world-readable and world-writable location without access controls or integrity protection, so an attacker can modify or delete them.
Logging must be enabled so that events and anomalies in the system can be monitored. In Nginx, make sure the access_log and error_log directives are set in /etc/nginx/nginx.conf (or in the configuration files it includes) and that no server or location block overrides them with access_log off or points error_log at /dev/null. This records every request and error and provides the data needed to identify potential threats.
Attackers may try to disable or delete logs to cover their tracks, so check whether logging can be switched off from inside the system. Using the privileges an attacker would realistically hold (for example the web server or application account), try changing the logging directives in the configuration files and reloading the service, and observe whether the change succeeds and whether it is itself logged or alerted on. This reveals weaknesses in how the logging configuration is protected.
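The check described above can be scripted. The following is an added example, not code from the original article: a POSIX shell audit that confirms access_log and error_log paths are declared in an nginx configuration and reports any access_log off or error_log /dev/null directive in a nested block, which is exactly how logging gets silenced in place while the top-level configuration still looks correct. The two configuration files it writes are constructed for the demo, and the log paths in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit an nginx configuration
# for directives that disable or discard logging. The two config files below
# are constructed for the demo; the log paths in them are assumptions.

# Strip "# ..." comments so that commented-out directives are not reported.
strip_comments() {
    sed 's/#.*$//' "$1"
}

# Returns 0 when the file declares both an access_log path and an error_log
# path somewhere, 1 otherwise (no logging configured at all).
has_logging_declared() {
    text=$(strip_comments "$1")
    printf '%s\n' "$text" | grep -qE '^[[:space:]]*access_log[[:space:]]+/' &&
        printf '%s\n' "$text" | grep -qE '^[[:space:]]*error_log[[:space:]]+/'
}

# Prints (with line numbers) every directive that silences logging:
#   access_log off;        disables request logging for that server/location
#   error_log /dev/null;   discards error logging
#   error_log off;         not a real switch: nginx writes to a file literally
#                          named "off", so errors land where nobody looks
# Returns 1 if any such directive is present, 0 if none.
find_log_disabling_directives() {
    hits=$(strip_comments "$1" |
        grep -nE '^[[:space:]]*(access_log[[:space:]]+off|error_log[[:space:]]+(/dev/null|off))[[:space:]]*;' || true)
    if [ -n "$hits" ]; then
        printf 'logging disabled in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Demo on two constructed configs: a hardened one and one where a nested
# block silently overrides the logging set at http level.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hardened.conf" <<'EOF'
http {
    access_log /var/log/nginx/access.log combined;
    error_log  /var/log/nginx/error.log warn;
    server {
        listen 80;
    }
}
EOF
cat > "$demo_dir/silenced.conf" <<'EOF'
http {
    access_log /var/log/nginx/access.log combined;
    error_log  /var/log/nginx/error.log warn;
    server {
        listen 80;
        access_log off;      # requests to this server are never logged
        location /admin {
            error_log /dev/null;
        }
    }
}
EOF
for conf in "$demo_dir"/*.conf; do
    if has_logging_declared "$conf" && find_log_disabling_directives "$conf"; then
        echo "OK: $conf"
    else
        echo "FINDING: $conf"
    fi
done
```

Run it against the real files with something like `find_log_disabling_directives /etc/nginx/nginx.conf` and the files under the included directories (the script does not follow include directives itself). Pair the audit with a permission check on those files: if the application account can write to them, the access_log off line can be added by anyone who compromises the application.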
Error messages should be clear and useful for diagnosing problems, but the detail belongs in the monitoring system, not in the response shown to the user. Configure Sentry or a similar error-tracking tool to capture PHP errors and exceptions with their full context and to alert on them, while the message returned to the client stays generic.
Test the error messages the system produces on invalid input. Send malformed requests and invalid queries and check whether each response carries only a generic message or reveals details (stack traces, file paths, SQL fragments, framework versions) that would help an attacker. Such details should appear only in the server-side log or the error-tracking tool, never in the response.
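To make the test above repeatable, here is an added example that is not part of the original article: a shell classifier that flags response bodies containing stack traces, file paths, database error text or runtime warnings, together with a curl-based probe function for sending invalid requests. The sample response bodies are constructed; the probe target and request paths are assumptions, and the probe itself is not run by the offline demo.

```shell
#!/bin/sh
# Added example, not from the original article: classify an HTTP error response
# body as "generic" (safe to show users) or "verbose" (leaks implementation
# detail useful to an attacker). The sample bodies are constructed; the probe
# paths and target URL in probe_error_responses are assumptions.

# Fragments that mark a response as verbose: stack traces, absolute paths,
# runtime warnings with file and line, database error text, debug pages.
LEAK_PATTERNS='Stack trace:|Traceback \(most recent call last\)|\.java:[0-9]+\)|/var/www/|/home/[a-z0-9_-]+/|\.php on line [0-9]+|Warning:|Fatal error:|You have an error in your SQL syntax|SQLSTATE\[|ORA-[0-9]{5}|Unclosed quotation mark|DEBUG = True'

# Reads a response body on stdin. Prints "generic" and returns 0 when nothing
# matches; prints "verbose: <first matching fragment>" and returns 1 otherwise.
classify_error_body() {
    match=$(grep -oE "$LEAK_PATTERNS" | head -n 1 || true)
    if [ -n "$match" ]; then
        printf 'verbose: %s\n' "$match"
        return 1
    fi
    printf 'generic\n'
    return 0
}

# Convenience wrapper for a body held in a variable.
classify_string() {
    printf '%s\n' "$1" | classify_error_body
}

# Live probe (not run here: needs curl and a reachable target). Each request is
# deliberately invalid; a hardened application answers all of them with a
# generic message and writes the detail to its own log instead.
probe_error_responses() {
    base="$1"                      # e.g. http://localhost:8080 (assumed)
    for path in "/?id=%27" "/?id=abc" "/%00" "/does-not-exist"; do
        printf '%s -> ' "$path"
        curl -s "$base$path" | classify_error_body
    done
    printf 'POST malformed JSON -> '
    curl -s -H 'Content-Type: application/json' -d '{"user":' "$base/api/login" | classify_error_body
}

# Constructed sample responses.
VERBOSE_PHP='Warning: mysqli_query(): You have an error in your SQL syntax in /var/www/html/user.php on line 42'
VERBOSE_PY='Internal Server Error
Traceback (most recent call last):
  File "/home/app/site/views.py", line 17, in profile
ValueError: invalid literal for int()'
GENERIC_JSON='{"error":"Bad request","request_id":"5f1c9a2e"}'

for body in "$VERBOSE_PHP" "$VERBOSE_PY" "$GENERIC_JSON"; do
    classify_string "$body" || true
done
```

The generic body still carries a request_id; that is the right trade-off, since the identifier lets support staff find the full error in the log or in Sentry without exposing anything to the client. Extend LEAK_PATTERNS with whatever your own stack prints in debug mode before relying on the classifier.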
Logs should be forwarded to a centralized system so that an attacker who compromises a host cannot delete the only copy. A common setup is the ELK Stack (Elasticsearch, Logstash, Kibana): a shipper on each host sends log entries to Logstash or directly to Elasticsearch, and Kibana is used to search them and raise alerts.
Test whether local logs can be deleted or modified, or whether their storage can be disrupted (for example by exhausting disk space so that new entries are lost). Using the privileges of the application account, try deleting, truncating or editing the local log files. If this succeeds, or if the files exist only on the local host, an attacker can cover their tracks.
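An added example, not from the original article, that checks the permission conditions under which local logs can be tampered with, including the often-overlooked case where the log file is read-only but its directory is writable, which is enough to delete or rename it. The directories and files it audits are created in a temporary location for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: check whether a local log file
# can be modified, truncated or deleted by an unprivileged account. The two
# log directories below are constructed in a temp dir for the demo.

# Prints the path if it has the group-write or other-write bit set.
writable_by_others() {
    find "$1" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null
}

# Audits one log file. Prints a FINDING line per problem and returns 1 if any;
# returns 0 if the file and its directory are protected.
#   1. the file is group/other-writable      -> entries can be edited/truncated
#   2. its directory is group/other-writable -> the file can be deleted or
#      renamed even when the file itself is read-only (unlink needs write
#      permission on the directory, not on the file)
#   3. informational: without the Linux append-only attribute (chattr +a) even
#      the owning process can rewrite history; only reported, not counted,
#      since not every filesystem supports it
audit_log_file() {
    f="$1"
    dir=$(dirname "$f")
    rc=0
    if [ -n "$(writable_by_others "$f")" ]; then
        echo "FINDING $f: writable by group or others"
        rc=1
    fi
    if [ -n "$(writable_by_others "$dir")" ]; then
        echo "FINDING $dir: directory writable by group or others (log can be deleted or renamed)"
        rc=1
    fi
    if command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr "$f" 2>/dev/null | cut -d' ' -f1)
        case "$attrs" in
            *a*) ;;
            *) echo "NOTE $f: no append-only attribute (chattr +a not set)" ;;
        esac
    fi
    return $rc
}

# Demo: a protected layout (0750 dir, 0640 file) next to an exposed one
# (0777 dir, 0666 file).
demo=$(mktemp -d)
mkdir -p "$demo/secure" "$demo/exposed"
: > "$demo/secure/access.log"
: > "$demo/exposed/access.log"
chmod 750 "$demo/secure";  chmod 640 "$demo/secure/access.log"
chmod 777 "$demo/exposed"; chmod 666 "$demo/exposed/access.log"
for f in "$demo/secure/access.log" "$demo/exposed/access.log"; do
    if audit_log_file "$f"; then
        echo "OK $f"
    fi
done
```

Run the audit as the account the application actually runs under, and over every file under the log directory, including rotated copies, which are frequently left with looser permissions than the live file. The check does not model the sticky bit, which stops non-owners deleting files in a world-writable directory; a directory that relies on it should still be treated as a finding for a log location. Even a clean result only protects against an attacker without root on the host, which is why the centralized copy described above remains the real control.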