WCF Misconfiguration: Insufficient Audit Failure Handling
Abstract:
The program is configured not to generate an exception when it fails to write to an audit log.
Explanation:
If WCF is configured not to throw an exception when it is unable to write to an audit log, the program is never notified of the failure, so auditing of critical security events can silently stop. Note that this is the default: when suppressAuditFailure is omitted from <serviceSecurityAudit/>, WCF treats it as true, so a configuration that never mentions the attribute is just as affected as one that sets it explicitly.
Example 1: The <behavior/> element in the WCF configuration fragment below instructs WCF not to notify the application when it fails to write to an audit log.
<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
  </serviceBehaviors>
</behaviors>
Recommendations:
Configure WCF to notify the program whenever it is unable to write to an audit log by setting suppressAuditFailure="false" explicitly on every <serviceSecurityAudit/> element. The program should also have an alternative notification scheme in place (a separate log sink or alert channel) so that the organization learns when audit trails are not being maintained, since a failed audit write is itself a security-relevant event.
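The following script is an added example and is not part of the Fortify rule or of the scanned project. It shows the check a reviewer would run over a Web.config before trusting a scan result: it walks every <serviceBehaviors>/<behavior>/<serviceSecurityAudit/> element and reports those that either set suppressAuditFailure="true" or omit the attribute (which, per WCF's documented default, has the same effect), then produces the corrected configuration with the attribute pinned to "false". The sample configuration is constructed for the example; the behavior names are invented.

```python
"""Check WCF <serviceSecurityAudit/> elements for suppressed audit failures."""
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not the page's scanned file): one behavior with
# the weak explicit setting from Example 1, one that omits the attribute and so
# inherits WCF's default of suppressAuditFailure="true", and one hardened behavior.
SAMPLE_CONFIG = """\
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="WeakExplicit">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="true"
                                serviceAuthorizationAuditLevel="Success"
                                messageAuthenticationAuditLevel="Success" />
        </behavior>
        <behavior name="WeakByDefault">
          <serviceSecurityAudit auditLogLocation="Application"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="Hardened">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="false"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""


def audit_failure_findings(config_xml):
    """Return (behavior_name, reason) for every service behavior whose
    <serviceSecurityAudit/> would swallow audit-log write failures."""
    root = ET.fromstring(config_xml)
    findings = []
    for service_behaviors in root.iter("serviceBehaviors"):
        for behavior in service_behaviors.findall("behavior"):
            name = behavior.get("name", "")
            audit = behavior.find("serviceSecurityAudit")
            if audit is None:
                # No auditing configured at all is a different finding; skip it here.
                continue
            value = audit.get("suppressAuditFailure")
            if value is None:
                findings.append((name, "suppressAuditFailure omitted; WCF defaults it to true"))
            elif value.strip().lower() == "true":
                findings.append((name, 'suppressAuditFailure="true" swallows audit write failures'))
    return findings


def harden(config_xml):
    """Return the config with suppressAuditFailure="false" set explicitly on
    every <serviceSecurityAudit/>, so a failed audit write raises an exception."""
    root = ET.fromstring(config_xml)
    for audit in root.iter("serviceSecurityAudit"):
        audit.set("suppressAuditFailure", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, reason in audit_failure_findings(SAMPLE_CONFIG):
        print(f"[weak] behavior {name!r}: {reason}")
    print("findings after hardening:", audit_failure_findings(harden(SAMPLE_CONFIG)))
```

Run it against a real Web.config by reading the file into `audit_failure_findings`; only `WeakExplicit` and `WeakByDefault` are reported for the sample, and the output of `harden` produces no findings. Pinning the attribute explicitly, rather than relying on a non-default, also keeps the intent visible to the next reviewer and to the scanner.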
Web.config, line 80 (WCF Misconfiguration: Insufficient Audit Failure Handling)
Fortify Priority: Low Folder Low
Kingdom: Environment
Abstract: The program is configured on line 80 of Web.config not to generate an exception when it fails to write to an audit log.
Sink: Web.config:80 null()
78   <serviceBehaviors>
79     <behavior name="">
80       <serviceSecurityAudit auditLogLocation="Default" suppressAuditFailure="false"
                               serviceAuthorizationAuditLevel="SuccessOrFailure"
                               messageAuthenticationAuditLevel="SuccessOrFailure" />
81       <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="20"
                            maxConcurrentInstances="20" />
82     </behavior>
Note that line 80 as shown already sets suppressAuditFailure="false", which is the value the rule recommends. Before treating this as a true positive, confirm that the scan ran against the current revision of Web.config and that no other <serviceSecurityAudit/> element in the file omits the attribute or sets it to "true".