Abstract:

The program is configured not to generate an exception when it fails to write to an audit log.

Explanation:

If WCF is configured not to throw an exception when it is unable to write to an audit log, the program will not be notified of the failure and auditing of critical security events may not occur.

Example 1: The <behavior/> element of the WCF configuration file below instructs WCF to not notify the application when WCF fails to write to an audit log.

<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
  </serviceBehaviors>
</behaviors>

Recommendations:

Configure WCF to notify the program whenever it is unable to write to an audit log. The program should have an alternative notification scheme in place to alert the organization that audit trails are not being maintained.
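Added example (not part of the Fortify finding text): a small Python check that scans a Web.config for <serviceSecurityAudit> elements whose suppressAuditFailure is "true" or omitted (WCF defaults it to true, so an omitted attribute also swallows audit write failures). The config it runs on is constructed here and contains the weak behavior from Example 1 beside a hardened one.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config: the weak behavior from Example 1, a hardened
# variant with suppressAuditFailure="false", and one that omits the attribute.
WEAK_CONFIG = """<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="NewBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="true"
                                serviceAuthorizationAuditLevel="Success"
                                messageAuthenticationAuditLevel="Success" />
        </behavior>
        <behavior name="Hardened">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="false"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="Implicit">
          <serviceSecurityAudit serviceAuthorizationAuditLevel="Success" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""


def audit_failure_findings(config_xml: str) -> list[tuple[str, str]]:
    """Return (behavior name, reason) for every <serviceSecurityAudit> that
    suppresses audit write failures, either explicitly ("true") or by relying
    on WCF's default, which is also true."""
    findings = []
    root = ET.fromstring(config_xml)
    for behavior in root.iter("behavior"):
        audit = behavior.find("serviceSecurityAudit")
        if audit is None:
            continue  # behavior without security auditing is out of scope here
        name = behavior.get("name", "")
        suppress = audit.get("suppressAuditFailure")
        if suppress is None:
            findings.append((name, "suppressAuditFailure omitted (defaults to true)"))
        elif suppress.strip().lower() == "true":
            findings.append((name, 'suppressAuditFailure="true"'))
    return findings


if __name__ == "__main__":
    for name, reason in audit_failure_findings(WEAK_CONFIG):
        print(f"behavior '{name}': {reason}")
```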

Web.config, line 80 (WCF Misconfiguration: Insufficient Audit Failure Handling)

Fortify Priority: Low; Folder: Low

Kingdom: Environment

Abstract: The program is configured on line 80 of Web.config not to generate an exception when it fails to write to an audit log.

Sink: Web.config:80 null()

78 <serviceBehaviors>
79   <behavior name="">
80     <serviceSecurityAudit auditLogLocation="Default" suppressAuditFailure="false"
                             serviceAuthorizationAuditLevel="SuccessOrFailure"
                             messageAuthenticationAuditLevel="SuccessOrFailure" />
81     <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="20"
                          maxConcurrentInstances="20" />
82   </behavior>
