logging-log4j-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matt Sicker <boa...@gmail.com>
Subject Re: Logging requirement for PCI (payment card industry)
Date Mon, 08 Sep 2014 23:46:19 GMT
On that note, actually, I've been trying to slowly make Log4j not require
higher security permissions. A lot of stuff would still work just fine in a
highly restricted environment (e.g., an applet), but we hadn't really been
checking permissions and providing fallbacks everywhere. Then again, that
just might be due to the fact that in order to get any sort of plugin
system working in Java (without something like OSGi), you need
ClassLoaders, and the getClassLoader runtime permission can really open up
a can of worms security-wise.


On 8 September 2014 18:41, Matt Sicker <boards@gmail.com> wrote:

> How secure does it need to be? Because there are usually ways around Java
> security (hence all the security patches). Oftentimes, a misconfigured
> policy file is enough to let the house of cards come tumbling down!
>
>
> On 8 September 2014 18:36, Ralph Goers <ralph.goers@dslextreme.com> wrote:
>
>> Christian,
>>
>> I started work on Log4j 2 primarily for use by my employer at the time,
>> who performs internet banking activities. As such, losing audit events is
>> not acceptable in that environment.
>>
>> I am not really clear on what you are asking.  If you don’t specify a
>> monitorInterval on your configuration then you will not be able to
>> reconfigure logging during execution, which sounds like what you are
>> wanting. If you want a start and stop message one way to do that is to
>> specify a start and stop message in the header and footer elements of the
>> PatternLayout.  If you are running in a servlet container you can also use
>> a ServletContextListener to do that.
>>
>> Ralph
>>
>> On Sep 8, 2014, at 8:22 AM, Christian Müller <christian.mueller@gmail.com>
>> wrote:
>>
>> > Hello list!
>> >
>> > For PCI requirement 10.2.6 (Initialization, stopping, or pausing of the
>> > audit logs) [1], I'm wondering what the best solution would be from your
>> > point of view?
>> >
>> > The PCI requirement are detailed further in the spec:
>> > Verify the following are logged:
>> > - Initialization of audit logs
>> > - Stopping or pausing of audit logs
>> >
>> > Turning the audit logs off (or pausing them) prior to performing illicit
>> > activities is a common practice for malicious users wishing to avoid
>> > detection. Initialization of audit logs could indicate that the log
>> > function was disabled by a user to hide their actions.
>> >
>> > The PCI auditor told us, "it's enoght" if the application logs when it's
>> > started and when it's stopped.
>> >
>> > [1] https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
>> >
>> > Thanks in advance,
>> > Christian
>> > -----------------
>> >
>> > Software Integration Specialist
>> >
>> > Apache Member
>> > V.P. Apache Camel | Apache Camel PMC Member | Apache Camel committer
>> > Apache Incubator PMC Member
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: log4j-user-unsubscribe@logging.apache.org
>> For additional commands, e-mail: log4j-user-help@logging.apache.org
>>
>>
>
>
> --
> Matt Sicker <boards@gmail.com>
>



-- 
Matt Sicker <boards@gmail.com>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message