Masking
The OWASP Security Logging API provides a Converter implementation to mask confidential information in log output. The MaskingConverter class masks the arguments passed to logging methods by replacing each input character with '*'.
In Java source code, add the CONFIDENTIAL marker to log statements that could contain confidential information:
LOGGER.info("userid={}", userid);
LOGGER.info(SecurityMarkers.CONFIDENTIAL, "password={}", password);
The intent is to produce the following output in the log:
2014-12-16 13:54:48,860 [main] INFO - userid=joebob
2014-12-16 13:54:48,860 [main] [CONFIDENTIAL] INFO - password=***********
First add a <conversionRule> element to the Logback configuration. The conversionWord attribute defines the pattern word that will be replaced with the masked output, and converterClass names the converter that produces it:
<conversionRule conversionWord="mask"
converterClass="org.owasp.security.logging.mask.MaskingConverter" />
In the <appender> definition, modify the <pattern> element to use the conversionWord (%mask) that was specified in the <conversionRule>, in the position where %msg would normally appear:
<appender name="APP_CONSOLE" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%date [%thread] [%marker] %-5level - %mask%n</pattern>
</encoder>
</appender>
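To show what a converter registered through such a <conversionRule> actually does with the marker and the arguments, here is an illustrative converter written for this page (it is not the project's MaskingConverter). It assumes logback-classic 1.2.x and SLF4J on the classpath and that the CONFIDENTIAL marker is created by name; the real API exposes it as SecurityMarkers.CONFIDENTIAL.

```java
import ch.qos.logback.classic.pattern.ClassicConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;
import org.slf4j.Marker;
import org.slf4j.MarkerFactory;
import org.slf4j.helpers.MessageFormatter;

/**
 * Illustrative converter: when an event carries the CONFIDENTIAL marker,
 * every argument of the log statement is replaced by a run of '*' before
 * the message template is formatted. Register it with
 * <conversionRule conversionWord="mask" converterClass="...IllustrativeMaskingConverter"/>
 * and use %mask instead of %msg in the pattern.
 */
public class IllustrativeMaskingConverter extends ClassicConverter {

    // Assumed marker name; SecurityMarkers.CONFIDENTIAL in the OWASP API.
    private static final Marker CONFIDENTIAL = MarkerFactory.getMarker("CONFIDENTIAL");

    @Override
    public String convert(ILoggingEvent event) {
        // Logback 1.2.x API; 1.3+ replaces getMarker() with getMarkerList().
        Marker marker = event.getMarker();
        Object[] args = event.getArgumentArray();
        if (marker == null || !marker.contains(CONFIDENTIAL) || args == null) {
            // No marker, no arguments: behave exactly like %msg.
            return event.getFormattedMessage();
        }
        Object[] masked = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            masked[i] = mask(args[i]);
        }
        // Re-run SLF4J's {} substitution with the masked arguments so the
        // template itself ("password={}") survives and only the value is hidden.
        return MessageFormatter.arrayFormat(event.getMessage(), masked).getMessage();
    }

    /** Length-preserving mask, matching the sample output on this page. */
    static String mask(Object value) {
        int n = String.valueOf(value).length();
        StringBuilder sb = new StringBuilder(n);
        for (int i = 0; i < n; i++) {
            sb.append('*');
        }
        return sb.toString();
    }
}
```

Note that a length-preserving mask, as in the sample output above, still reveals how long the secret is; masking to a fixed width in mask() avoids that leak.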
For Log4j 2, within the <Appenders> element, add a <Rewrite> appender that contains a <MaskingRewritePolicy> element. Its <AppenderRef> element specifies which appenders will have masking applied (Log4j 2 must also be able to locate the MaskingRewritePolicy plugin, for example through the packages attribute of the <Configuration> element):
<Appenders>
<Console name="SecureConsole" target="SYSTEM_OUT">
<PatternLayout pattern="SECURITY %d{HH:mm:ss.SSS} %marker [%t] %-5level %logger{36} - %encode{%msg}%n"/>
</Console>
<Rewrite name="MaskingRewritePolicy">
<MaskingRewritePolicy />
<AppenderRef ref="SecureConsole"/>
</Rewrite>
</Appenders>
In the <Loggers> section, reference the name of your <Rewrite> appender in the <AppenderRef> element, so that log events pass through the masking policy before reaching the console:
<Loggers>
<Root level="debug">
<AppenderRef ref="MaskingRewritePolicy"/>
</Root>
</Loggers>