Central Log Service (CLS): Logs Contain Sensitive Data


Introduction

  • Poorly written applications may log sensitive data and Personally Identifiable Information (PII), such as passwords, Social Security Numbers, and credit card numbers
  • User errors may result in sensitive data in logs, such as a password entered in a username field
  • Error logs may intentionally include sensitive data, such as user name, account information, table name, database version
  • Normal logs include data that can be misused, such as user name, user location, host name, IP address, log and application path, software and OS name and version number

Explanation

Some of this is avoidable - do not write secrets into log files. Some is not - users and applications will make errors. Many logs that contain sensitive data are good, necessary, and merit protection.

In the VT Central Log Service (CLS), the trust boundary which protects your logs is made up of a combination of VT login and 2-factor authentication, VT IP space enforcement, and membership in the Enterprise Directory Group that you registered with CLS when you started sending logs.

When you email log data from CLS as a report, display a dashboard in an area visible to the public, or do a simple "export results" from a search, that data is no longer protected by this multi-layered trust boundary: you become its primary steward. This is your right, privilege, and responsibility.

Please keep in mind that even innocuous-looking data can be combined with other sources to provide information that can be misused.
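As an added example (not CLS tooling and not from this page), the Python below applies both halves of the advice above: a `logging.Filter` so secrets are scrubbed before they reach a log file at all, and a pre-export pass for search results that are about to leave the trust boundary by email, dashboard or "export results". The sample lines, the list of secret key names, and the placeholder strings are constructed assumptions. It deliberately leaves ordinary usernames, hostnames and IP addresses alone: as the list above notes, those can still be misused in combination, and deciding whether to share them is the steward's call.

```python
import logging
import re
from typing import Iterable, List

# Constructed sample lines (not real CLS data). Line 2 models the page's
# "password entered in the username field" user error; line 3 models an
# application that logged form fields wholesale; line 4 logs a secret outright.
SAMPLE_LINES = [
    "2024-01-01T10:00:00Z sshd[1]: Accepted publickey for alice from 198.51.100.7",
    "2024-01-01T10:00:05Z auth: failed login user=Hunter2! from 198.51.100.9",
    "2024-01-01T10:01:00Z app: form submit ssn=123-45-6789 card=4111111111111111",
    "2024-01-01T10:02:00Z app: password=s3cr3t reset requested by bob",
]

# key=value pairs whose value is a secret by definition (assumed key names)
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api_key)=(\S+)")
# US Social Security Number in the common dashed form
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digit runs with optional space/dash separators; confirmed by Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# On failed-login events the "user" value may really be a mistyped password,
# so it is redacted too; the event itself and the source IP are kept.
FAILED_USER_RE = re.compile(r"(?i)(failed login[^\n]*?\buser=)(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out timestamps and IDs that merely look card-like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _redact_card(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "[CARD]"
    return m.group(0)  # not a valid card number: leave it alone


def scrub(line: str) -> str:
    """Return the line with secrets, SSNs, card numbers and failed-login
    usernames replaced by fixed placeholders. Everything else is unchanged."""
    line = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = SSN_RE.sub("[SSN]", line)
    line = CARD_RE.sub(_redact_card, line)
    line = FAILED_USER_RE.sub(lambda m: f"{m.group(1)}[REDACTED]", line)
    return line


def scrub_for_export(lines: Iterable[str]) -> List[str]:
    """Run exported search results through scrub() before they leave the
    trust boundary (email report, public dashboard, 'export results')."""
    return [scrub(line) for line in lines]


class ScrubFilter(logging.Filter):
    """Attach to a logger so secrets are removed before any handler writes
    them: the 'do not write secrets into log files' half of the problem."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


def scrub_record_message(msg: str, args: tuple = ()) -> str:
    """Helper: push one message through ScrubFilter and return what a
    handler would actually write."""
    record = logging.makeLogRecord({"msg": msg, "args": args})
    ScrubFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LINES, scrub_for_export(SAMPLE_LINES)):
        print(f"{before}\n  -> {after}")
```

The Luhn check matters in practice: without it, any long run of digits (ticket numbers, timestamps with separators stripped) would be blanked out and the exported data would lose value for no privacy gain. Attach `ScrubFilter` with `logger.addFilter(ScrubFilter())` on the application's root logger; the export pass is what to run on a search result set before it goes into a report.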

Examples (simulated data):

[Table 1, simulated data, not reproduced here: exposes usernames and a password entered in the user field]

[Table 2, simulated data, not reproduced here: exposes usernames, printer names, some printer models, and information about departmental structure]


Questions?


If you have questions about securely sharing your data outside of CLS or would like a review of any tables, reports, dashboards or other log-related data that you plan to share, please open a ServiceNow ticket mentioning CLS or visit the #central_log channel on VT Slack.

Further Reading: