Abstract:

The program is configured not to generate an exception when it fails to write to an audit log.

Explanation:

If WCF is configured not to throw an exception when it is unable to write to an audit log, the program will not be notified of the failure and auditing of critical security events may not occur.

Example 1: The <behavior/> element of the WCF configuration file below instructs WCF to not notify the application when WCF fails to write to an audit log.

<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
  </serviceBehaviors>
</behaviors>

Recommendations:

Configure WCF to notify the program whenever it is unable to write to an audit log. The program should have an alternative notification scheme in place to alert the organization that audit trails are not being maintained.
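As an added check that is not part of the Fortify finding text above, the following Python script scans a WCF configuration for <serviceSecurityAudit> elements that leave audit-write failures suppressed, treating an omitted suppressAuditFailure attribute as the WCF default of true; both configurations it inspects are constructed samples.

```python
# Flag WCF <serviceSecurityAudit> elements that suppress audit-write failures.
# Both configs below are constructed samples, not taken from a real project.
import xml.etree.ElementTree as ET

# Weak: "true" swallows audit-log write failures (as in Example 1), and an
# omitted attribute falls back to the WCF default, which is also true.
WEAK_CONFIG = """\
<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
    <behavior name="Implicit">
      <serviceSecurityAudit auditLogLocation="Application" />
    </behavior>
  </serviceBehaviors>
</behaviors>
"""

# Hardened: write failures are raised to the service instead of being suppressed.
HARDENED_CONFIG = """\
<behaviors>
  <serviceBehaviors>
    <behavior name="AuditedBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="false"
                            serviceAuthorizationAuditLevel="SuccessOrFailure"
                            messageAuthenticationAuditLevel="SuccessOrFailure" />
    </behavior>
  </serviceBehaviors>
</behaviors>
"""

def find_suppressed_audit_failures(config_xml: str) -> list:
    """Return (behavior name, value) per serviceSecurityAudit that suppresses failures."""
    findings = []
    for behavior in ET.fromstring(config_xml).iter("behavior"):
        for audit in behavior.findall("serviceSecurityAudit"):
            raw = audit.get("suppressAuditFailure")
            # Absent attribute means the WCF default, which suppresses failures.
            if raw is None or raw.strip().lower() == "true":
                findings.append((behavior.get("name", ""), "default" if raw is None else raw))
    return findings

if __name__ == "__main__":
    print(find_suppressed_audit_failures(WEAK_CONFIG), find_suppressed_audit_failures(HARDENED_CONFIG))
```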

Web.config, line 80 (WCF Misconfiguration: Insufficient Audit Failure Handling)

Fortify Priority: Low    Folder: Low

Kingdom: Environment

Abstract: The program is configured on line 80 of Web.config not to generate an exception when it fails to write to an audit log.

Sink: Web.config:80 null()

78     <serviceBehaviors>
79       <behavior name="">
80         <serviceSecurityAudit auditLogLocation="Default" suppressAuditFailure="false"
                                 serviceAuthorizationAuditLevel="SuccessOrFailure"
                                 messageAuthenticationAuditLevel="SuccessOrFailure" />
81         <serviceThrottling maxConcurrentCalls="20" maxConcurrentSessions="20"
                              maxConcurrentInstances="20" />
82       </behavior>
