WCF Misconfiguration: Insufficient Audit Failure Handling
Abstract:
The program is configured not to generate an exception when it fails to write to an audit log.
Explanation:
If WCF is configured not to throw an exception when it is unable to write to an audit log, the program will not be notified of the failure and auditing of critical security events may not occur.
Example 1: The <behavior/> element of the WCF configuration file below instructs WCF not to notify the application when WCF fails to write to an audit log.
<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
  </serviceBehaviors>
</behaviors>
Recommendations:
Configure WCF to notify the program whenever it is unable to write to an audit log. The program should have an alternative notification scheme in place to alert the organization that audit trails are not being maintained.
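As an added example (not part of the Fortify description), the following check parses a WCF configuration and reports every <behavior/> whose <serviceSecurityAudit/> suppresses audit write failures, either explicitly with suppressAuditFailure="true" or by omitting the attribute (WCF's documented default for suppressAuditFailure is true). The sample configuration is constructed here and places the Example 1 behavior beside a corrected one.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration: the weak behavior from Example 1,
# a corrected behavior, and one that relies on the WCF default.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="NewBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="true"
                                serviceAuthorizationAuditLevel="Success"
                                messageAuthenticationAuditLevel="Success" />
        </behavior>
        <behavior name="Hardened">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="false"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="Implicit">
          <!-- attribute omitted: WCF defaults suppressAuditFailure to true -->
          <serviceSecurityAudit auditLogLocation="Application" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""


def find_suppressed_audit_failures(config_xml: str) -> list:
    """Return the names of <behavior> elements whose <serviceSecurityAudit>
    suppresses audit write failures, whether set explicitly or left at the
    WCF default of true. Only suppressAuditFailure="false" passes."""
    root = ET.fromstring(config_xml)
    findings = []
    for behavior in root.iter("behavior"):
        for audit in behavior.findall("serviceSecurityAudit"):
            value = audit.get("suppressAuditFailure", "true").strip().lower()
            if value != "false":
                findings.append(behavior.get("name", ""))
    return findings


if __name__ == "__main__":
    for name in find_suppressed_audit_failures(SAMPLE_CONFIG):
        print(f'behavior "{name}": audit log write failures are suppressed')
```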
Web.config, line 80 (WCF Misconfiguration: Insufficient Audit Failure Handling)
Fortify Priority: Low Folder Low
Kingdom: Environment
Abstract: The program is configured on line 80 of Web.config not to generate an exception
when it fails to write to an audit log.
Sink: Web.config:80 null()
78   <serviceBehaviors>
79     <behavior name="">
80       <serviceSecurityAudit auditLogLocation="Default" suppressAuditFailure="false"
                               serviceAuthorizationAuditLevel="SuccessOrFailure"
                               messageAuthenticationAuditLevel="SuccessOrFailure" />
81       <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="20"
                            maxConcurrentInstances="20" />
82     </behavior>