WCF Misconfiguration: Insufficient Audit Failure Handling
Abstract:
The program is configured not to generate an exception when it fails to write to an audit log.
Explanation:
If WCF is configured not to throw an exception when it is unable to write to an audit log, the program will not be notified of the
failure and auditing of critical security events may not occur.
Example 1: The <behavior/> element of the WCF configuration file below instructs WCF to not notify the application when
WCF fails to write to an audit log.
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior">
<serviceSecurityAudit auditLogLocation="Application"
suppressAuditFailure="true"
serviceAuthorizationAuditLevel="Success"
messageAuthenticationAuditLevel="Success" />
</behavior>
</serviceBehaviors>
</behaviors>
Recommendations:
Configure WCF to notify the program whenever it is unable to write to an audit log. The program should have an alternative
notification scheme in place to alert the organization that audit trails are not being maintained.
Web.config, line 80 (WCF Misconfiguration: Insufficient Audit Failure Handling)
Fortify Priority: Low Folder Low
Kingdom: Environment
Abstract: The program is configured on line 80 of Web.config not to generate an exception
when it fails to write to an audit log.
Sink: Web.config:80 null()
78 <serviceBehaviors>
79 <behavior name="">
80 <serviceSecurityAudit auditLogLocation="Default" suppressAuditFailure="false"
serviceAuthorizationAuditLevel="SuccessOrFailure"
messageAuthenticationAuditLevel="SuccessOrFailure" />
81 <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="20"
maxConcurrentInstances="20" />
82 </behavior>
WCF Misconfiguration: Insufficient Audit Failure Handling的更多相关文章
- WCF Misconfiguration: Security Not Enabled
Abstract: No transport or message security has been defined. Explanation: Applications that transmit ...
- Audit logon events&Logon type
表一.Logon type 表二.Audit logon events 表三.Logon type details Logon type Logon title Description 2 Inter ...
- General-Purpose Operating System Protection Profile
1 Protection Profile Introduction This document defines the security functionality expected to be ...
- 简单bat语法
一.简单批处理内部命令简介 1.Echo 命令 打开回显或关闭请求回显功能,或显示消息.如果没有任何参数,echo 命令将显示当前回显设置. 语法 echo [{on off}] [message] ...
- What is Zeebe?
转自:https://zeebe.io/what-is-zeebe/ Zeebe is a workflow engine for microservices orchestration. This ...
- Spring mvc解析
方案时间 ,写代码时间 ,解决技术难点时间 , 自测时间,解决bug时间 , 联调时间 ,数据库优化,代码走查1个接口:2个小时 把那个字段再复原回来,不然兼容性不强还有一个刷数据的接口 public ...
- RFC 8684---TCP Extensions for Multipath Operation with Multiple Addresses
https://datatracker.ietf.org/doc/rfc8684/?include_text=1 TCP Extensions for Multipath Operation with ...
- Java资源大全中文版(Awesome最新版)
Awesome系列的Java资源整理.awesome-java 就是akullpp发起维护的Java资源列表,内容包括:构建工具.数据库.框架.模板.安全.代码分析.日志.第三方库.书籍.Java 站 ...
- business knowledge
Finance knowledge Trading---At the core of our business model is Trading, which involves the buying ...
随机推荐
- kali 初始化
关于kali使用前的一些配置,网上有很多版本,但是几乎都很雷同,或者是不全,或者是根本就没有测试过,或者是有的方法是错的(换句话说是版本变化的差异),因此让很多人接触kali时百度无数,效果一般,浪费 ...
- Window 消息大全
消息,就是指Windows发出的一个通知,告诉应用程序某个事情发生了.例如,单击鼠标.改变窗口尺寸.按下键盘上的一个键都会使Windows发送一个消息给应用程序. 消息本身是作为一个记录传递给应用程序 ...
- jersy服务,将图片发送另个服务器,再将异步返回
今天在学习新项目时,遇到了jersy服务,完成,将图片发送到另一台服务器.下面介绍一下jersy服务的一个简单例子. 1.建立一个jersy一个java项目,先导入jersy服务相应的jar包 com ...
- spring mvc 用freemarker实现/user/edit?id=${id}=${type} 的替换
java 中实现/user/edit?id=${id}=${type} 的替换; 引入包: freemark.jar ,以及 类代码如下: public class FreeMarkerTextTe ...
- MyXls: 导出Excel的各种设置
MyXls是一个操作Excel的开源类库,支持设置字体.列宽.行高(由BOSSMA实现).合并单元格.边框.背景颜色.数据类型.自动换行.对齐方式等,通过众多项目的使用表现,证明MyXls对于创建简单 ...
- collectionview使用
创建UICollectionViewFlowLayout 对象来设置相关的布局,包括itemSize,headerReferenceSize,sectionInset.设置对应的布局大小,相关的和顶部 ...
- Microsoft Capicom 2.1 On 64bit OS
第一步下载capicom.dll http://files.cnblogs.com/files/chen110xi/DLL.7z 第二步注册capicom.dll至SysWow64 第三步VS中设置 ...
- Android 蓝牙打印超时问题的处理
http://stackoverflow.com/questions/18657427/ioexception-read-failed-socket-might-closed-bluetooth-on ...
- 实例存储支持的AMI创建步骤
实例存储支持的AMI创建步骤 一.Windows AMI 1. 选择实例存储支持的AMI创建实例. 2. 远程登录实例进行定制化配置. 3. 通过Web控制台或命令行Bundle实例(并自动上传到S3 ...
- (原)android4.2以后获取应用程序和缓存大小的方法(源码有改变)
以前获取应用的大小是用 PackageManager mPackageManager= getPackageManager(); try {Method getPackageSizeInfoMetho ...