Logging and Auditing Web Applications

Auditing access and activity logs on a regular basis helps in detecting attempted or successful intrusions. If there has been unauthorized access of your web application, you need to be able to show the signs of intrusion and prove a user's actions. You should also minimize the information provided in error pages.

A web application is accessible to anyone on the internet who can authenticate themselves in some way. You need to be able to prove when and how access or intrusions occurred. Log files are typically used to capture critical events such as starting and stopping processes, HTTP access, and I/O events.

Guidelines

To ensure that you can trace access to your application, enable logging for the application and for its servers and processes.

  • Log significant application actions, such as user logon attempts and database access.
  • Configure your Web server to log HTTP access. For more information, consult your web server documentation.
  • Configure the Uniface Router and Uniface Server to log information using the $PUTMESS_LOG_FILE and $IOPRINT assignment settings.
  • Minimize the information on error pages to prevent someone gathering details about your application and server environment. Instead, write detailed information to an application log file and report less detail, with a reference to the entry in the log file, to the user. For more information, see Web Application Error Pages.

Threats

Logging Application Events

To identify and log users, you can capture the IP address and session ID using $webinfo("WEBSERVERCONTEXT"). For example:

; --- Script container
entry PUTLOG
params
  string pUser   : IN
  string pAction : IN
endparams
variables
  string   vWebServerContext, vSessionID, vServerVariables, vIP
  datetime vCurdatim
endvariables
  ; get client's session ID and IP address.
  vWebServerContext = $webinfo("WEBSERVERCONTEXT")
  getitem/id vSessionID, vWebServerContext, "SESSION"
  getitem/id vServerVariables, vWebServerContext, "SERVERVARIABLES"
  getitem/id vIP, vServerVariables, "REMOTE_ADDR"

  ; log date, time, IP, Session ID, User and Action.
  vCurdatim = $datim
  putmess "%%vCurdatim[#date]%%% %%vCurdatim[#clock]%%% IP:%%vIP%%% SID:%%vSessionID%%% User:%%pUser%%% Action:%%pAction%%%"

  return 0
end

trigger detail ; for authentication
if (LoginSuccess)
  call PUTLOG(USER, "Login Success")
else
  call PUTLOG(USER, "Login Failure")
  return -1
endif
end

trigger detail ; for query data
retrieve/e "ITEMS"
call PUTLOG(USER, "Query Data '%%ITEM%%%'")
end

This code results in logged data as follows:

23-nov-2010 12:10:36 IP:123.4.5.67 SID:D562930950F2206E523A3E0A38B32BCE User:foo Action:Login Success
23-nov-2010 12:11:24 IP:123.4.5.67 SID:D562930950F2206E523A3E0A38B32BCE User:foo Action:Query Data 'Gibson'
23-nov-2010 12:12:19 IP:222.33.44.55 SID:A51DAE4469F6716F897D31D42525BD0D User:bar Action:Login Failure
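
One way to audit a log in this layout, as an added example that is not part of the Uniface documentation: the Python script below parses the lines written by PUTLOG and reports IP addresses with bursts of login failures and session IDs used from more than one IP address. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout written by the PUTLOG entry: date time IP:.. SID:.. User:.. Action:..
LINE_RE = re.compile(r"^(\d{2})-([a-z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2}) "
                     r"IP:(\S+) SID:(\S+) User:(.*?) Action:(.*)$")
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()

def parse_line(line):
    """Return one record as a dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(2) not in MONTHS:
        return None
    day, mon, year, hh, mm, ss, ip, sid, user, action = m.groups()
    try:
        when = datetime(int(year), MONTHS.index(mon) + 1, int(day), int(hh), int(mm), int(ss))
    except ValueError:  # impossible date or time, e.g. 31-feb
        return None
    return {"time": when, "ip": ip, "sid": sid, "user": user, "action": action}

def audit(lines, max_failures=3, window=timedelta(minutes=5)):
    """Flag IPs with bursts of login failures and session IDs seen from several IPs."""
    failures, sid_ips, unparsed = defaultdict(list), defaultdict(set), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        sid_ips[rec["sid"]].add(rec["ip"])
        if rec["action"] == "Login Failure":
            failures[rec["ip"]].append(rec["time"])
    bursts = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: max_failures failures no more than `window` apart.
        if any(times[i + max_failures - 1] - times[i] <= window
               for i in range(len(times) - max_failures + 1)):
            bursts.append(ip)
    shared = {sid: sorted(ips) for sid, ips in sid_ips.items() if len(ips) > 1}
    return {"failure_bursts": sorted(bursts), "shared_sessions": shared, "unparsed": unparsed}

SAMPLE = [  # constructed lines in the format shown above (documentation-range IPs)
    "23-nov-2010 12:10:36 IP:192.0.2.10 SID:AAAA1111 User:foo Action:Login Success",
    "23-nov-2010 12:12:19 IP:198.51.100.7 SID:BBBB2222 User:bar Action:Login Failure",
    "23-nov-2010 12:12:31 IP:198.51.100.7 SID:BBBB2222 User:bar Action:Login Failure",
    "23-nov-2010 12:12:40 IP:198.51.100.7 SID:BBBB2222 User:admin Action:Login Failure",
    "23-nov-2010 12:15:02 IP:203.0.113.5 SID:AAAA1111 User:foo Action:Query Data 'Fender'",
    "not a log line",
]
```

Calling audit(SAMPLE) returns the flagged IP addresses, the shared session IDs with their source addresses, and the lines that did not match the layout.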

Logging HTTP Access in Apache Tomcat

To log HTTP access on Tomcat, open the Tomcat server configuration file TOMCAT_HOME/conf/server.xml and check the AccessLogValve configuration. For detailed information, consult the Logging section in the Tomcat documentation.

<!-- Access log processes all example.
     Documentation at: /docs/config/valve.html
     Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />

By default, Uniface configures AccessLogValve in the Context container in TOMCAT_HOME/conf/Catalina/localhost/uniface.xml.

<Context docBase="C:\Program Files\Uniface\Uniface 96\uniface\webapps\uniface">
  <Valve className="org.apache.catalina.valves.AccessLogValve"
           prefix="uniface-" suffix=".log" pattern="common"/>
</Context>
