Abstract:

The program is configured not to generate an exception when it fails to write to an audit log.

Explanation:

If WCF is configured not to throw an exception when it is unable to write to an audit log, the program will not be notified of the failure and auditing of critical security events may not occur.

Example 1: The <behavior/> element of the WCF configuration file below instructs WCF to not notify the application when WCF fails to write to an audit log.

<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
  </serviceBehaviors>
</behaviors>

Recommendations:

Configure WCF to notify the program whenever it is unable to write to an audit log. The program should have an alternative notification scheme in place to alert the organization that audit trails are not being maintained.
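The recommendation asks for two things: settings that surface audit failures, and a second notification path when they occur. The C# service behavior below is an added example (not Fortify's or Microsoft's code): it fails host start-up if serviceSecurityAudit is missing, still has suppressAuditFailure="true", or audits nothing, and it forwards dispatch-time exceptions to a caller-supplied notify delegate. It assumes that with suppressAuditFailure="false" a failed audit write raises an exception inside the WCF dispatch pipeline, which IErrorHandler receives.

```csharp
using System;
using System.Collections.ObjectModel;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example, not Fortify's or Microsoft's code. Rejects an insufficient audit
// configuration at start-up and forwards faults to a second channel so an audit
// write failure cannot pass unnoticed. The notify delegate is an assumed hook.
public sealed class AuditFailureGuard : IServiceBehavior, IErrorHandler
{
    private readonly Action<string> _notify;   // e.g. write to a second log or page on-call
    public AuditFailureGuard(Action<string> notify) { _notify = notify; }

    // Runs before the host opens: reject the weak configuration shown in Example 1.
    public void Validate(ServiceDescription desc, ServiceHostBase host)
    {
        var audit = desc.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null || audit.SuppressAuditFailure
            || audit.ServiceAuthorizationAuditLevel == AuditLevel.None
            || audit.MessageAuthenticationAuditLevel == AuditLevel.None)
            throw new InvalidOperationException(
                "serviceSecurityAudit must be present with suppressAuditFailure=\"false\" " +
                "and audit levels other than None");
    }

    public void AddBindingParameters(ServiceDescription desc, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }

    // Install this object as an error handler on every channel dispatcher of the host.
    public void ApplyDispatchBehavior(ServiceDescription desc, ServiceHostBase host)
    {
        foreach (ChannelDispatcherBase cdb in host.ChannelDispatchers)
        {
            var cd = cdb as ChannelDispatcher;
            if (cd != null) cd.ErrorHandlers.Add(this);
        }
    }

    // Called for exceptions raised while dispatching an operation; with
    // suppressAuditFailure="false" a failed audit write is assumed to surface here too.
    public bool HandleError(Exception error)
    {
        _notify("WCF fault: " + error.GetType().Name + ": " + error.Message);
        return false;   // let WCF fault the operation/session as it normally would
    }

    public void ProvideFault(Exception error, MessageVersion version, ref Message fault) { }
}
```

Register it before opening the host, for example host.Description.Behaviors.Add(new AuditFailureGuard(msg => Console.Error.WriteLine(msg))); the guard then refuses to start with the Example 1 configuration and reports faults through the delegate once running.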

Web.config, line 80 (WCF Misconfiguration: Insufficient Audit Failure Handling)

Fortify Priority: Low Folder Low

Kingdom: Environment

Abstract: The program is configured on line 80 of Web.config not to generate an exception when it fails to write to an audit log.

Sink: Web.config:80 null()

78     <serviceBehaviors>
79       <behavior name="">
80         <serviceSecurityAudit auditLogLocation="Default" suppressAuditFailure="false"
                                 serviceAuthorizationAuditLevel="SuccessOrFailure"
                                 messageAuthenticationAuditLevel="SuccessOrFailure" />
81         <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="20"
                              maxConcurrentInstances="20" />
82       </behavior>
