Diffstat (limited to 'doc/development/secure_coding_guidelines.md')
-rw-r--r-- | doc/development/secure_coding_guidelines.md | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index 8d6f36bb189..186239cc547 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md 
@@ -1412,3 +1412,64 @@ If circumstances dictate that local storage is the only option, a couple of prec - Local storage should only be used for the minimal amount of data possible. Consider alternative storage formats. - If you have to store sensitive data using local storage, do so for the minimum time possible, calling `localStorage.removeItem` on the item as soon as we're done with it. Another alternative is to call `localStorage.clear()`. + +## Logging + +Logging is the tracking of events that happen in the system for the purposes of future investigation or processing. + +### Purpose of logging + +Logging helps track events for debugging. Logging also allows the application to generate an audit trail that you can use for security incident identification and analysis. + +### What type of events should be logged + +- Failures + - Login failures + - Input/output validation failures + - Authentication failures + - Authorization failures + - Session management failures + - Timeout errors +- Account lockouts +- Use of invalid access tokens +- Authentication and authorization events + - Access token creation/revocation/expiry + - Configuration changes by administrators + - User creation or modification + - Password change + - User creation + - Email change +- Sensitive operations + - Any operation on sensitive files or resources + - New runner registration + +### What should be captured in the logs + +- The application logs must record attributes of the event, which helps auditors identify the time/date, IP, user ID, and event details. +- To avoid resource depletion, make sure the proper level for logging is used (for example, `information`, `error`, or `fatal`). + +### What should not be captured in the logs + +- Personal data, except for integer-based identifiers and UUIDs, or IP address, which can be logged when necessary. +- Credentials like access tokens or passwords. 
If credentials must be captured for debugging purposes, log the internal ID of the credential (if available) instead. Never log credentials under any circumstances. + - When [debug logging](../ci/variables/index.md#enable-debug-logging) is enabled, all masked CI/CD variables are visible in job logs. Consider using [protected variables](../ci/variables/index.md#protect-a-cicd-variable) when possible so that sensitive CI/CD variables are only available to pipelines running on protected branches or protected tags. +- Any data supplied by the user without proper validation. +- Any information that might be considered sensitive (for example, credentials, passwords, tokens, keys, or secrets). Here is an [example](https://gitlab.com/gitlab-org/gitlab/-/issues/383142) of sensitive information being leaked through logs. + +### Protecting log files + +- Access to the log files should be restricted so that only the intended party can modify the logs. +- External user input should not be directly captured in the logs without any validation. This could lead to unintended modification of logs through log injection attacks. +- An audit trail for log edits must be available. +- To avoid data loss, logs must be saved on different storage. + +### Who to contact if you have questions + +For general guidance, contact the [Application Security](https://about.gitlab.com/handbook/security/security-engineering/application-security/) team. + +### Related topics + +- [Log system in GitLab](../administration/logs/index.md) +- [Audit event development guidelines](../development/audit_event_guide/index.md)) +- [Security logging overview](https://about.gitlab.com/handbook/security/security-engineering/security-logging/) +- [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html) |
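Review bot: In the new "Authentication and authorization events" list, "User creation" is listed twice ("User creation or modification" and, two items later, "User creation"); drop the second entry, or fold "Password change" and "Email change" under the modification item so the list reads as one set of account-lifecycle events. Two smaller points in the same hunk: the "Audit event development guidelines" entry under "Related topics" closes its link with a doubled parenthesis, `(../development/audit_event_guide/index.md))`, which will render a stray ")" after the link; and "To avoid data loss, logs must be saved on different storage" under "Protecting log files" does not say different from what, so stating the intent (for example, that logs should be forwarded to storage separate from the host that produced them, so that a compromised or failed host cannot take its own audit trail with it) would make the requirement actionable.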