Logging and Auditing Web Applications
Auditing access and activity logs on a regular basis helps in detecting attempted or successful intrusions. If there has been unauthorized access to your web application, you need to be able to show the signs of intrusion and prove a user's actions. You should also minimize the information provided in error pages.
A web application is accessible to anyone on the internet who can authenticate themselves in some way. You need to be able to prove when and how access or intrusions occurred. Log files are typically used to capture critical events such as starting and stopping processes, HTTP access, and I/O events.
Guidelines
To ensure you can trace access to your application, you need to enable logging for the application, and its servers and processes.
- Log significant application actions, such as user logon attempts and database access.
- Configure your web server to log HTTP access. For more information, consult your web server documentation.
- Configure the Uniface Router and Uniface Server to log information using the $PUTMESS_LOG_FILE and $IOPRINT assignment settings.
- Minimize the information on error pages to prevent someone gathering details about your application and server environment. Instead, write detailed information to an application log file and report less detail, with a reference to the entry in the log file, to the user. For more information, see Web Application Error Pages.
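The last guideline, writing the detail to the application log and giving the user only a reference, can be demonstrated outside Uniface. The following Python is an added example, not code from the page or from Uniface: it assumes a hypothetical report_error() helper and an in-memory log handler so the two sides (what the user sees, what the log records) can be compared.

```python
"""Mask error detail from the user while keeping it, under a reference id,
in the application log. Added example; the names report_error, MemoryHandler
and demo are assumptions for illustration, not a Uniface or page API."""
import logging
import traceback
import uuid


class MemoryHandler(logging.Handler):
    """Keeps formatted log lines in a list so the log side can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


# Application error log: in production this would be a file handler.
app_log = logging.getLogger("app.errors")
app_log.setLevel(logging.ERROR)
app_log.propagate = False
memory = MemoryHandler()
memory.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
app_log.addHandler(memory)


def report_error(exc, user, action):
    """Log the full traceback with a reference id; return (ref, user-facing text).

    The user-facing text carries only the reference, never the exception type,
    message, stack frames or file paths.
    """
    ref = uuid.uuid4().hex[:12]
    detail = "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__)
    ).rstrip()
    app_log.error("ref=%s user=%s action=%s\n%s", ref, user, action, detail)
    user_message = f"The request could not be completed. Please quote reference {ref}."
    return ref, user_message


def demo():
    """Provoke a KeyError (constructed) and route it through report_error."""
    try:
        {}["missing"]
    except KeyError as exc:
        return report_error(exc, "foo", "Query Data")


if __name__ == "__main__":
    ref, shown = demo()
    print("user sees :", shown)
    print("log holds :", memory.lines[-1].splitlines()[0])
```

The log line is what an auditor correlates with the reference quoted by the user; the page itself only receives the reference.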
Threats
Logging Application Events
To identify and log users you can capture the IP address and session ID using $webinfo("WEBSERVERCONTEXT"). For example:
; --- Script container
entry PUTLOG
  params
    string pUser   : IN
    string pAction : IN
  endparams
  variables
    string vWebServerContext, vSessionID, vServerVariables, vIP
    datetime vCurdatim
  endvariables

  ; get client's session ID and IP address.
  vWebServerContext = $webinfo("WEBSERVERCONTEXT")
  getitem/id vSessionID, vWebServerContext, "SESSION"
  getitem/id vServerVariables, vWebServerContext, "SERVERVARIABLES"
  getitem/id vIP, vServerVariables, "REMOTE_ADDR"

  ; log date, time, IP, Session ID, User and Action.
  vCurdatim = $datim
  putmess "%%vCurdatim[#date]%%% %%vCurdatim[#clock]%%% IP:%%vIP%%% SID:%%vSessionID%%% User:%%pUser%%% Action:%%pAction%%%"
  return 0
end
trigger detail   ; for authentication
  if (LoginSuccess)
    call PUTLOG(USER, "Login Success")
  else
    call PUTLOG(USER, "Login Failure")
    return -1
  endif
end

trigger detail   ; for query data
  retrieve/e "ITEMS"
  call PUTLOG(USER, "Query Data '%%ITEM%%%'")
end
This code results in logged data as follows:
23-nov-2010 12:10:36 IP:123.4.5.67 SID:D562930950F2206E523A3E0A38B32BCE User:foo Action:Login Success
23-nov-2010 12:11:24 IP:123.4.5.67 SID:D562930950F2206E523A3E0A38B32BCE User:foo Action:Query Data 'Gibson'
23-nov-2010 12:12:19 IP:222.33.44.55 SID:A51DAE4469F6716F897D31D42525BD0D User:bar Action:Login Failure
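Lines in this format are only useful if something reads them. The Python below is an added example, not part of the page or of Uniface: it parses PUTLOG lines into records and applies two audit rules, repeated login failures from one IP address and query actions in a session that never logged in successfully. The sample lines are constructed to match the format above (the first three are the page's own output, the rest are invented); the function names and the threshold are assumptions.

```python
"""Parse PUTLOG audit lines and run two detection rules over them.
Added example; SAMPLE_LOG is constructed, the rule names are assumptions."""
import re
from collections import Counter
from datetime import datetime

# One PUTLOG line: <date> <clock> IP:<ip> SID:<sid> User:<user> Action:<text>
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<clock>\S+) IP:(?P<ip>\S+) SID:(?P<sid>\S+) "
    r"User:(?P<user>\S+) Action:(?P<action>.*)$"
)

# Constructed sample in the page's output format.
SAMPLE_LOG = """\
23-nov-2010 12:10:36 IP:123.4.5.67 SID:D562930950F2206E523A3E0A38B32BCE User:foo Action:Login Success
23-nov-2010 12:11:24 IP:123.4.5.67 SID:D562930950F2206E523A3E0A38B32BCE User:foo Action:Query Data 'Gibson'
23-nov-2010 12:12:19 IP:222.33.44.55 SID:A51DAE4469F6716F897D31D42525BD0D User:bar Action:Login Failure
23-nov-2010 12:12:25 IP:222.33.44.55 SID:A51DAE4469F6716F897D31D42525BD0D User:bar Action:Login Failure
23-nov-2010 12:12:31 IP:222.33.44.55 SID:A51DAE4469F6716F897D31D42525BD0D User:bar Action:Login Failure
23-nov-2010 12:13:02 IP:222.33.44.55 SID:A51DAE4469F6716F897D31D42525BD0D User:bar Action:Query Data 'Fender'
"""


def parse_log(text):
    """Turn PUTLOG lines into dicts; a line that does not fit the format is an error,
    because a silently skipped line is a gap in the audit trail."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno} does not match PUTLOG format: {line!r}")
        rec = m.groupdict()
        # $datim[#date] / [#clock] as written by the page's example, e.g. 23-nov-2010 12:10:36
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['clock']}", "%d-%b-%Y %H:%M:%S")
        records.append(rec)
    return records


def failed_logins_by_ip(records, threshold=3):
    """IP addresses with at least `threshold` 'Login Failure' entries."""
    counts = Counter(r["ip"] for r in records if r["action"] == "Login Failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def queries_without_login(records):
    """'Query Data' actions whose session ID has no earlier 'Login Success'."""
    authenticated = set()
    suspicious = []
    for r in sorted(records, key=lambda r: r["when"]):
        if r["action"] == "Login Success":
            authenticated.add(r["sid"])
        elif r["action"].startswith("Query Data") and r["sid"] not in authenticated:
            suspicious.append((r["sid"], r["user"], r["action"]))
    return suspicious


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("repeated login failures:", failed_logins_by_ip(recs))
    print("queries without login  :", queries_without_login(recs))
```

The second rule depends on the session ID being logged on every line, which is why PUTLOG reads it from $webinfo("WEBSERVERCONTEXT") rather than only logging the user name.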
Logging HTTP Access in Apache Tomcat
To log HTTP access on Tomcat, check the AccessLogValve configuration in the Tomcat server configuration file TOMCAT_HOME/conf/server.xml. For detailed information, consult the Logging section in the Tomcat documentation.
<!-- Access log processes all example.
     Documentation at: /docs/config/valve.html
     Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
By default, Uniface configures AccessLogValve in the Context container in TOMCAT_HOME/conf/Catalina/localhost/uniface.xml.
<Context docBase="C:\Program Files\Uniface\Uniface 96\uniface\webapps\uniface">
  <Valve className="org.apache.catalina.valves.AccessLogValve"
         prefix="uniface-" suffix=".log" pattern="common"/>
</Context>
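Both valve configurations above write the common log format, which Tomcat expands to the pattern %h %l %u %t "%r" %s %b. The Python below is an added example, not page or Tomcat code: it translates that pattern token by token into a regular expression, parses constructed access-log lines with it, and counts client error responses per host. The sample lines, request paths and the error threshold are invented.

```python
"""Build a parser from a Tomcat AccessLogValve pattern and summarise 4xx
responses per host. Added example; SAMPLE_ACCESS_LOG and the paths in it are
constructed, and error_hosts is an assumed helper name."""
import re
from collections import Counter

# The subset of AccessLogValve tokens used by pattern="common".
TOKEN_RE = {
    "%h": r"(?P<host>\S+)",          # remote host
    "%l": r"(?P<ident>\S+)",         # remote logical username (usually '-')
    "%u": r"(?P<user>\S+)",          # authenticated user, or '-'
    "%t": r"\[(?P<time>[^\]]+)\]",   # date/time in the common log bracket form
    "%r": r'(?P<request>[^"]*)',     # first line of the request
    "%s": r"(?P<status>\d{3})",      # HTTP status
    "%b": r"(?P<bytes>-|\d+)",       # bytes sent, '-' when zero
}

# What Tomcat writes for pattern="common" (the literal quotes appear as &quot; in server.xml).
COMMON = '%h %l %u %t "%r" %s %b'

# Constructed sample lines; the hosts and request paths are invented.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [23/Nov/2010:12:10:36 +0100] "POST /app/login HTTP/1.1" 200 1043
123.4.5.67 - foo [23/Nov/2010:12:11:24 +0100] "GET /app/items?name=Gibson HTTP/1.1" 200 512
222.33.44.55 - - [23/Nov/2010:12:12:19 +0100] "POST /app/login HTTP/1.1" 401 -
222.33.44.55 - - [23/Nov/2010:12:12:40 +0100] "GET /app/admin HTTP/1.1" 404 -
"""


def pattern_to_regex(pattern):
    """Replace each known %x token with a named group; escape everything else literally."""
    parts = []
    i = 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in TOKEN_RE:
            parts.append(TOKEN_RE[tok])
            i += 2
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_access_log(text, pattern=COMMON):
    """Parse every line with the pattern's regex; reject lines that do not fit."""
    rx = pattern_to_regex(pattern)
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = rx.match(line)
        if not m:
            raise ValueError(f"line {lineno} does not match {pattern!r}: {line!r}")
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def error_hosts(records, min_errors=2):
    """Hosts that received at least `min_errors` 4xx responses."""
    counts = Counter(r["host"] for r in records if 400 <= r["status"] < 500)
    return {host: n for host, n in counts.items() if n >= min_errors}


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_ACCESS_LOG)
    for r in recs:
        print(r["host"], r["user"], r["status"], r["request"])
    print("hosts with repeated client errors:", error_hosts(recs))
```

Because the regex is generated from the same pattern string the valve uses, changing the valve's pattern attribute and the parser's argument together keeps the two in step; a line that stops matching is reported rather than dropped.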