A09 — Security Logging & Monitoring (Secure)

1000-ft view: reliable detection needs structured logs (one JSON object per line), redaction of secrets and PII before anything is written, timestamps in UTC, threshold-based alerting, and tamper evidence. Each section shows the secure design and writes to the demo logs under /a09_logging/logs.

Attack 1 — Auth & Privileged Action Events

structured JSONL + correlation id

Secure idea: log who, what, where (IP), when (UTC), and outcome as structured JSON with a corr_id to tie related events.

  1. Submit a login (success or failure).
  2. Perform an admin action with the same corr_id to see correlation.
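The two steps above, as an added example (not the lab's own code): a small JSONL audit logger that emits the stable key set used throughout this page (ts, evt, user, ip, outcome, corr_id, meta) and pulls related events back by corr_id. The function and class names, and the in-memory list standing in for app.jsonl, are assumptions; the lab itself writes under /a09_logging/logs.

```python
"""Structured JSONL audit events tied together with a correlation id.

Added example, not the lab's own code. Names (JsonlAuditLog, make_event, ...)
and the in-memory destination are assumptions; the lab writes to files.
"""
import json
import uuid
from datetime import datetime, timezone


def utc_now():
    # ISO-8601 in UTC with a trailing 'Z', so the zone is never ambiguous.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def new_corr_id():
    # One id per request/session; every event it causes carries the same value.
    return uuid.uuid4().hex


def make_event(evt, user, ip, outcome, corr_id, **meta):
    """Build one event with the stable key set: ts, evt, user, ip, outcome, corr_id, meta."""
    return {
        "ts": utc_now(),
        "evt": evt,          # dotted event name, e.g. auth.login, admin.role.grant
        "user": user,
        "ip": ip,
        "outcome": outcome,  # success | failure | denied
        "corr_id": corr_id,
        "meta": meta,        # free-form context; must already be redacted
    }


class JsonlAuditLog:
    """Appends one JSON object per line. self.lines stands in for app.jsonl."""

    def __init__(self):
        self.lines = []

    def write(self, event):
        # json.dumps escapes control characters, so a crafted username containing
        # "\n" can never forge a second line (classic log-injection trick).
        line = json.dumps(event, separators=(",", ":"), ensure_ascii=False)
        self.lines.append(line)
        return line

    def by_corr_id(self, corr_id):
        """Every event that shares corr_id, in write order."""
        return [e for e in map(json.loads, self.lines) if e.get("corr_id") == corr_id]


def demo_login_then_admin_action(log):
    """Steps 1 and 2 from the page: a login, then a privileged action with the same corr_id."""
    corr = new_corr_id()
    log.write(make_event("auth.login", "alice", "203.0.113.7", "success", corr,
                         method="password+totp"))
    log.write(make_event("admin.role.grant", "alice", "203.0.113.7", "success", corr,
                         target_user="bob", role="billing-admin"))
    # An unrelated failure with its own corr_id must not be pulled into the correlation.
    log.write(make_event("auth.login", "mallory", "198.51.100.9", "failure", new_corr_id(),
                         reason="bad_password"))
    return corr


if __name__ == "__main__":
    audit = JsonlAuditLog()
    corr = demo_login_then_admin_action(audit)
    for line in audit.lines:
        print(line)
    print(len(audit.by_corr_id(corr)), "events share corr_id", corr)
```

Querying by corr_id is what turns "a login" and "a role grant" into one story during an investigation; without it the analyst has to guess which of several concurrent sessions performed the privileged action.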

Attack 2 — Sensitive Data in Logs

redaction + allowlist fields

Secure idea: never log raw passwords, tokens, or full PII. Drop passwords entirely, reduce identifiers to hints (e.g., last 4 of SSN), replace tokens with a keyed hash (so two events with the same token can still be correlated, but a leaked log cannot be replayed or brute-forced offline), and assign an event_id for correlation. Use an allowlist of fields that may be logged at all; everything else is dropped rather than masked.

  1. Submit the form — the secure endpoint redacts secrets before writing.
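The redaction step, as an added example (not the lab's own code): an allowlist decides which form fields may reach the log, a per-field redactor turns SSNs into a last-4 hint and e-mail addresses into a masked form, tokens become a truncated HMAC-SHA256, passwords never make it through, and every record gets an event_id. The field names, the hash key and its truncation length are assumptions; the sample form is constructed.

```python
"""Redact a submitted form before it is written to the log.

Added example, not the lab's own code. Field names, LOG_HASH_KEY and the
16-hex-char truncation are assumptions for illustration.
"""
import hashlib
import hmac
import uuid

# Only these keys may reach the log at all; anything else is dropped, not masked.
ALLOWED_FIELDS = {"username", "ssn", "api_token", "email", "action"}

# Fields that get neither hint nor hash: they simply never appear.
NEVER_LOG = {"password", "password_confirm", "otp"}

# Keyed hash: a reader of the log cannot brute-force short tokens offline without
# the key. Assumption: in production this comes from a secret store, not source.
LOG_HASH_KEY = b"demo-log-hash-key-rotate-me"


def hash_token(token):
    """Deterministic, keyed, truncated: correlates across events, useless to replay."""
    digest = hmac.new(LOG_HASH_KEY, token.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest[:16]


def ssn_last4(value):
    """Keep only the last four digits as a hint."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "***-**-" + digits[-4:] if len(digits) >= 4 else "***"


def mask_email(value):
    """Keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    return (local[:1] + "***@" + domain) if domain else "***"


REDACTORS = {
    "ssn": ssn_last4,
    "api_token": hash_token,
    "email": mask_email,
}


def redact(form):
    """Return the log-safe view of a form dict, with a fresh event_id."""
    out = {"event_id": uuid.uuid4().hex}
    for key, value in form.items():
        if key in NEVER_LOG or key not in ALLOWED_FIELDS:
            continue                      # dropped entirely
        redactor = REDACTORS.get(key, lambda v: v)
        out[key] = redactor(str(value))
    return out


if __name__ == "__main__":
    # Constructed sample input, not real data.
    submitted = {
        "username": "alice",
        "password": "hunter2",
        "ssn": "123-45-6789",
        "api_token": "tok_abc123",
        "email": "alice@example.com",
        "credit_card": "4111111111111111",   # not on the allowlist
        "action": "update_profile",
    }
    print(redact(submitted))
```

Note the two different failure modes the allowlist covers: a field the developer forgot to think about (credit_card here) is dropped because it was never allowed, not because someone remembered to add a redactor for it.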

Attack 3 — Structure & Timestamps

JSON lines + ISO-8601 UTC

Secure idea: every line is valid JSON with an ISO-8601 UTC timestamp (trailing Z or +00:00 offset, never naive local time) and stable keys (ts, evt, user, ip, meta), so a parser never has to guess the zone or the schema.

  1. Write a sample structured event to app.jsonl.
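A check for the properties just listed, as an added example (not the lab's own code): a linter that reads a JSONL file and reports every line that is not a JSON object, lacks one of the stable keys, or carries a timestamp that is not ISO-8601 in UTC. The sample lines are constructed and deliberately include the usual offenders (naive local time, a non-UTC offset, a stray syslog line, a record with missing keys).

```python
"""Lint a JSONL log for structure and UTC ISO-8601 timestamps.

Added example, not the lab's own code; REQUIRED_KEYS follows the key set named
on the page, the sample lines are constructed.
"""
import json
from datetime import datetime, timedelta

REQUIRED_KEYS = ("ts", "evt", "user", "ip", "meta")


def check_ts(ts):
    """Return None if ts is ISO-8601 with an explicit UTC offset, else a reason string."""
    if not isinstance(ts, str):
        return "ts is not a string"
    try:
        # fromisoformat only learned 'Z' in Python 3.11; normalise it for older versions.
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return "ts not ISO-8601: %r" % ts
    if parsed.tzinfo is None:
        return "ts has no timezone (naive local time)"
    if parsed.utcoffset() != timedelta(0):
        return "ts not UTC (offset %s)" % parsed.utcoffset()
    return None


def lint_jsonl(text):
    """Return [(line_no, problem), ...]; an empty list means every line is clean."""
    problems = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            problems.append((n, "blank line"))
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as e:
            problems.append((n, "invalid JSON: " + e.msg))
            continue
        if not isinstance(obj, dict):
            problems.append((n, "top-level value is not an object"))
            continue
        missing = [k for k in REQUIRED_KEYS if k not in obj]
        if missing:
            problems.append((n, "missing keys: " + ",".join(missing)))
        reason = check_ts(obj.get("ts"))
        if reason:
            problems.append((n, reason))
    return problems


# Constructed sample: line 1 is clean, lines 2-5 each break one rule.
SAMPLE_LINES = [
    '{"ts":"2024-05-01T12:00:00.000000Z","evt":"auth.login","user":"alice","ip":"203.0.113.7","meta":{}}',
    '{"ts":"2024-05-01 14:00:00","evt":"auth.login","user":"bob","ip":"203.0.113.8","meta":{}}',        # naive local time
    '{"ts":"2024-05-01T14:00:00+02:00","evt":"auth.logout","user":"bob","ip":"203.0.113.8","meta":{}}',  # not UTC
    'May  1 14:00:01 web01 sshd[1234]: Failed password for root from 198.51.100.9',                        # syslog, not JSON
    '{"ts":"2024-05-01T12:00:05Z","evt":"admin.action","user":"alice"}',                                  # missing ip, meta
]
SAMPLE = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    for line_no, problem in lint_jsonl(SAMPLE):
        print("line %d: %s" % (line_no, problem))
```

Run it against app.jsonl as a pre-ingest gate: a single naive-local-time line is enough to put events out of order when the SIEM merges logs from hosts in different zones.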

Attack 4 — Thresholded Alerts

windowed counts → alerts.log

Secure idea: track failures per source (IP or account) in a sliding time window and emit to an alerts.log when a threshold is crossed (e.g., 10 failed logins in 5 minutes). Count by the time the event was received, not a client-supplied timestamp, and suppress repeat alerts for the same burst so one attacker does not flood alerts.log.

  1. Send one or more “failed login” events.
  2. When the threshold is crossed, an alert entry is written.
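The windowed counter behind those two steps, as an added example (not the lab's own code): failures are kept per source in a deque, entries older than the window are evicted on every insert, and an alert record (standing in for a line in alerts.log) is produced exactly once per burst thanks to a cooldown. The class name, threshold, window and cooldown values are assumptions; timestamps are epoch seconds supplied by the caller so the behaviour is testable without sleeping.

```python
"""Per-source failure counting in a sliding window, with one alert per burst.

Added example, not the lab's own code. Defaults (10 failures / 300 s, 300 s
cooldown) and the class name are assumptions. ts is epoch seconds as observed
by the server, never a value taken from the client.
"""
from collections import defaultdict, deque


class FailureAlerter:
    def __init__(self, threshold=10, window_s=300, cooldown_s=300):
        self.threshold = threshold
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self._events = defaultdict(deque)   # source -> timestamps of failures still in window
        self._last_alert = {}               # source -> ts of the last alert (burst suppression)
        self.alerts = []                    # stands in for alerts.log

    def record_failure(self, source, ts):
        """Record one failure; return the alert dict if this one crosses the threshold, else None."""
        window = self._events[source]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()               # evict failures that fell out of the window
        if len(window) < self.threshold:
            return None
        last = self._last_alert.get(source)
        if last is not None and ts - last < self.cooldown_s:
            return None                    # same burst, already alerted
        alert = {
            "ts": ts,
            "rule": "failed_login_burst",
            "source": source,
            "failures": len(window),
            "window_s": self.window_s,
        }
        self._last_alert[source] = ts
        self.alerts.append(alert)
        return alert


def replay(alerter, source, timestamps):
    """Feed a list of failure timestamps for one source; return the alerts raised."""
    return [a for a in (alerter.record_failure(source, t) for t in timestamps) if a]


if __name__ == "__main__":
    a = FailureAlerter()
    # Constructed burst: 12 failures one second apart from one address.
    for alert in replay(a, "203.0.113.7", range(12)):
        print(alert)
```

The eviction loop is what makes the window slide: nine old failures followed by one fresh failure ten minutes later never reach the threshold, while ten failures inside any five-minute span do.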

Attack 5 — Log Integrity

hash chain + HMAC

Secure idea: each JSONL entry is accompanied by a tag in app.sigchain, computed as an HMAC over the line together with the previous entry's tag, so every tag depends on everything before it. Verification recomputes the chain and reveals the first modified, inserted, removed or reordered line. Two caveats: the HMAC key must not be readable by the process that an attacker could compromise (otherwise they re-sign what they changed), and deleting lines from the tail is only detectable if the latest tag is also anchored somewhere outside the log (a remote collector, a periodic publish).

  1. Append a signed entry.
  2. Verify the chain.
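Both steps, as an added example (not the lab's own code): appending a line computes HMAC-SHA256 over the previous tag and the new line; verification walks both files together and returns the index of the first line whose tag does not recompute. The example goes one step past the page and also shows the tail-truncation caveat: a truncated log verifies clean unless the caller passes the last tag it obtained out of band. The class and function names, the GENESIS constant and the sample key are assumptions.

```python
"""Hash-chained HMAC tags for a JSONL log, with first-tampered-line detection.

Added example, not the lab's own code. ChainedLog / verify_chain / GENESIS are
assumed names; the key here is a placeholder and must live outside the log
writer's trust boundary in real use.
"""
import hashlib
import hmac

GENESIS = "0" * 64   # tag "before" the first line, so line 0 is chained too


def chain_tag(key, prev_tag, line):
    """tag_i = HMAC(key, tag_{i-1} || '\\n' || line_i)"""
    return hmac.new(key, (prev_tag + "\n" + line).encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    def __init__(self, key):
        self.key = key
        self.lines = []   # stands in for app.jsonl
        self.tags = []    # stands in for app.sigchain, one tag per line

    def append(self, line):
        """Append one JSONL line and its tag; return the tag (the new chain head)."""
        prev = self.tags[-1] if self.tags else GENESIS
        self.lines.append(line)
        self.tags.append(chain_tag(self.key, prev, line))
        return self.tags[-1]


def verify_chain(key, lines, tags, anchor_tag=None):
    """Return -1 if the log is intact, else the 0-based index of the first bad position.

    anchor_tag is the chain head obtained out of band (e.g. from a remote
    collector); without it, silently dropping the last N lines is undetectable.
    """
    if len(lines) != len(tags):
        return min(len(lines), len(tags))          # first position with no counterpart
    prev = GENESIS
    for i, (line, tag) in enumerate(zip(lines, tags)):
        if not hmac.compare_digest(chain_tag(key, prev, line), tag):
            return i
        prev = tag
    head = tags[-1] if tags else GENESIS
    if anchor_tag is not None and not hmac.compare_digest(head, anchor_tag):
        return len(lines)                          # tail truncated after the last line
    return -1


if __name__ == "__main__":
    key = b"demo-sigchain-key"                      # placeholder, not a real secret
    log = ChainedLog(key)
    for line in ['{"evt":"auth.login","user":"alice"}',
                 '{"evt":"admin.role.grant","user":"alice"}',
                 '{"evt":"auth.logout","user":"alice"}']:
        log.append(line)
    print("intact:", verify_chain(key, log.lines, log.tags))
    edited = list(log.lines)
    edited[1] = '{"evt":"admin.role.grant","user":"bob"}'
    print("first tampered line:", verify_chain(key, edited, log.tags))
```

Because each tag covers the previous tag, an attacker who edits line i must re-sign every later line too, which is impossible without the key; the anchor_tag check closes the remaining gap, where an attacker simply deletes the tail and its tags together.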