Closed tghosth closed 6 months ago
It actually does not depend on V7 structure - if we want to have special attention to it, we need to find the way.
Logs - what it gives extra for usual authentication log? It should be logged anyway.
Alerting - we don't have a systematic approach to alerting and I consider it out of scope for ASVS - in scope should be the ability to build an alerting system, i.e. that the application can provide enough details and information to do it, but alerting itself I think is outside of the application's responsibilities.
From the logging requirements, via https://github.com/OWASP/ASVS/issues/1444#issuecomment-1357306856 I would like to split the current 7.1.3 into separate requirements per topic, and if it is important to get attention to shared accounts in logs, maybe it should be part of an authentication requirement.
(a bit of a joke, but in reality maybe not that funny) If authentication is done by only asking for username and password (no MFA), we should consider every account a shared account.
V7 got some updates. Can you see it somehow as part of the current 7.2.1 (or 7.2.2)?
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 7.2.1 | [MODIFIED] Verify that all authentication decisions are logged. | | ✓ | ✓ | 778 |
| 7.2.2 | [MODIFIED] Verify that all access control decisions can be logged and all failed decisions are logged. | | ✓ | ✓ | 285 |
... or is it something so widespread, it requires a separate mention in a requirement?
Along this vein, should we ensure a complementary req in 7.x that states something like "Alert on, or at the minimum log, login events for default or shared accounts."? At least then, if a break-glass account is used, it is recorded and ideally generates an alert.
@tghosth, I like the idea of logging login, usage and events for default or shared accounts even when a "break glass in case of emergency" account is used, for the V7.2 Security Events section. I guess that should also cover one-time recovery codes, which should be logged when they are used?
@elarlang, I also cannot see it as part of the current 7.2.1 and/or 7.2.2 as those are very generalized and those requirements do not talk about logging usage of a shared account/default account. :)
Well, if we could have a logging requirement project, this separate requirement could make sense. But at the moment, we have abstract requirements covering many events in one requirement, and then.. boom.. one really detailed and niche requirement. It just does not fit the scene at the moment.
Using a shared account still has common authentication (7.2.1) and authorization decisions (7.2.2) to log; there is just one extra piece of information ("shared account") in the meta info (7.1.4). All this must be analyzed and documented beforehand (1.7.3).
@elarlang do you think a section on secure logging would be a good addition to ASVS? If so, I can take it on.
@jmanico - this discussion should be carried on here https://github.com/OWASP/ASVS/issues/1795
My apologies and I'll do so.
Yep, and I am still in favour of abstracted requirements with references to more detailed resources, so I think the original suggestion would need to be incorporated into one of those more detailed resources.
I added this to the cheatsheet: https://github.com/OWASP/CheatSheetSeries/pull/1394/commits/ab9e710065d9552c641a08375fddd9b5565126ae
Do you think there is any other action here @elarlang or can this be closed?
In #1188 we moved and clarified a requirement related to default user accounts. This issue was also noted in #1395 but the following suggestion was made by @mgargiullo:
This is an interesting idea but kinda depends on how we restructure V7. @elarlang what do you think?