Abstract:

The program is configured not to generate an exception when it fails to write to an audit log.

Explanation:

If WCF is configured not to throw an exception when it is unable to write to an audit log, the program will not be notified of the failure, and auditing of critical security events may not occur.

Example 1: The <behavior/> element of the WCF configuration file below instructs WCF not to notify the application when WCF fails to write to an audit log.

<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
  </serviceBehaviors>
</behaviors>

Recommendations:

Configure WCF to notify the program whenever it is unable to write to an audit log. The program should have an alternative notification scheme in place to alert the organization that audit trails are not being maintained.
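The check below is an added example, not part of the original Fortify write-up: it parses a Web.config and reports every <serviceSecurityAudit> element that suppresses audit-write failures, either because suppressAuditFailure="true" is set explicitly or because the attribute is omitted (WCF's default for it is true, so an omitted attribute is the same misconfiguration). The embedded Web.config is constructed for the example, and the behavior names in it are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config with three service behaviors (not from a real project):
# one explicitly suppresses audit failures, one relies on the WCF default, one is hardened.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SuppressedBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="true"
                                serviceAuthorizationAuditLevel="Success"
                                messageAuthenticationAuditLevel="Success" />
        </behavior>
        <behavior name="ImplicitDefaultBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="HardenedBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="false"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""


def find_suppressed_audit_failures(config_xml):
    """Return one finding per <behavior> whose serviceSecurityAudit suppresses write failures."""
    findings = []
    root = ET.fromstring(config_xml)
    for behavior in root.iterfind(".//behaviors/serviceBehaviors/behavior"):
        audit = behavior.find("serviceSecurityAudit")
        if audit is None:
            continue  # no security auditing configured here; a different finding, not this one
        raw = audit.get("suppressAuditFailure")
        # WCF default for suppressAuditFailure is true, so a missing attribute also suppresses.
        suppressed = raw is None or raw.strip().lower() == "true"
        if suppressed:
            findings.append({"behavior": behavior.get("name", ""),
                             "suppressAuditFailure": "true (default)" if raw is None else raw})
    return findings


if __name__ == "__main__":
    for f in find_suppressed_audit_failures(SAMPLE_WEB_CONFIG):
        print(f"behavior '{f['behavior']}': suppressAuditFailure={f['suppressAuditFailure']}")
```

Running it against the sample reports SuppressedBehavior and ImplicitDefaultBehavior and leaves HardenedBehavior alone; point it at a real Web.config to confirm that every service behavior sets suppressAuditFailure="false" explicitly.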

Web.config, line 80 (WCF Misconfiguration: Insufficient Audit Failure Handling)

Fortify Priority: Low    Folder: Low

Kingdom: Environment

Abstract: The program is configured on line 80 of Web.config not to generate an exception when it fails to write to an audit log.

Sink: Web.config:80 null()

78   <serviceBehaviors>
79     <behavior name="">
80       <serviceSecurityAudit auditLogLocation="Default" suppressAuditFailure="false"
                              serviceAuthorizationAuditLevel="SuccessOrFailure"
                              messageAuthenticationAuditLevel="SuccessOrFailure" />
81       <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="20"
                          maxConcurrentInstances="20" />
82     </behavior>
