Let's just not log the session info.  You can't expect somebody to protect
the box, it sort of defeats the purpose of the log.  The whole idea of the
log is to know what is going on and troubleshoot things.  So you would be
inclined to give a level 1 support tech person access to that log to see
what's going on at the moment, but that same person you probably don't want
them to have full admin access to ACS.

Darren


On Wed, Sep 18, 2013 at 1:43 AM, Rajesh Battala
<rajesh.batt...@citrix.com> wrote:

> Disabling api log might not be a good idea, instead while logging the
> request remove the sensitive details (session details, passwords, etc.) and
> dump it.
>
> Thanks
> Rajesh Battala
>
> -----Original Message-----
> From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
> Sent: Wednesday, September 18, 2013 12:33 PM
> To: dev@cloudstack.apache.org
> Subject: Re: security around api.log
>
> We can provide a way to disable the api.log?
>
> On 18/09/13 11:27 am, "Rajesh Battala" <rajesh.batt...@citrix.com> wrote:
>
> >If anybody got access to the api.log, using the session details we can
> >execute APIs and cause harm.
> >But the api.log is present in the mgmt server and if anybody got access
> >to it, he can corrupt anything.
> >Not just accessing api.log, any other services logs and get the data. I
> >feel it's up to admin how to protect his system and services.
> >
> >Thanks
> >Rajesh Battala
> >
> >-----Original Message-----
> >From: Darren Shepherd [mailto:darren.s.sheph...@gmail.com]
> >Sent: Saturday, September 14, 2013 2:10 AM
> >To: dev@cloudstack.apache.org
> >Subject: security around api.log
> >
> >I just noticed api.log which seems to log all the API access in a form
> >like
> >
> >2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer]
> >(2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2
> >accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET
> >command=listZones&response=json&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAf
> >c%3
> >D&_=1379055729422
> >200 { "listzonesresponse" : { "count":1 ,"zone" : [
> >{"id":"cdaf82f1-3b57-4aa4-b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.
> >8","dns2":"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","sec
> >uri
> >tygroupsenabled":true,"allocationstate":"Enabled","zonetoken":"6dce94e8
> >-e8
> >dc-3077-bfde-c6e8594bd449","dhcpprovider":"VirtualRouter","localstorage
> >ena
> >bled":false}
> >] } }
> >
> >The sessionId and sessionKey are logged in the file.  I haven't tried it
> >yet, but can't I use that info to hijack the session?  That introduces
> >a security issue in that any server operator can now hijack anybody's
> >session.  So that api.log file really needs to be protected in the same
> >way a file with a password in it would be.
> >
> >I would suggest that we just don't log the sessionId or sessionKey.
> >
> >Darren
>
>
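
Added example, not part of the thread and not CloudStack code: a Python sketch of the approach discussed above, which removes session credentials from an api.log-style line before it is written while keeping the fields a support technician needs. The parameter list, the `<redacted>` marker and the sample values are assumptions constructed for illustration.

```python
import re

# Query parameters treated as credentials (assumed list; extend per deployment).
SENSITIVE_PARAMS = ("sessionkey", "password", "signature", "apikey", "secretkey")

# name=value inside the logged query string. The value runs to the next '&' or
# whitespace, so URL-encoded characters such as %2B and %3D are covered.
# The lookbehind stops a longer name (e.g. "oldpassword") from being half-matched.
_PARAM_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(SENSITIVE_PARAMS) + r")=([^&\s]*)",
    re.IGNORECASE,
)

# sessionId=... in the "(userId=.. accountId=.. sessionId=..)" context prefix.
_SESSION_ID_RE = re.compile(r"(sessionId)=([^\s)&]+)", re.IGNORECASE)

REDACTED = "<redacted>"


def redact_api_log_line(line: str) -> str:
    """Return the line with session identifiers and credentials masked."""
    line = _PARAM_RE.sub(lambda m: m.group(1) + "=" + REDACTED, line)
    return _SESSION_ID_RE.sub(lambda m: m.group(1) + "=" + REDACTED, line)


# Constructed sample in the layout quoted in the thread; the session values
# are placeholders, not real identifiers.
SAMPLE_LINE = (
    "2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer] "
    "(qtp-0:ctx-00000000) (userId=2 accountId=2 sessionId=EXAMPLEsessionid0000) "
    "127.0.0.1 -- GET command=listZones&response=json"
    "&sessionkey=EXAMPLEkey%2Bvalue%3D&_=1379055729422 200 "
    '{ "listzonesresponse" : { "count":1 } }'
)

if __name__ == "__main__":
    print(redact_api_log_line(SAMPLE_LINE))
```

The user, account, command and response status stay in the line, so the log remains usable for troubleshooting without carrying a replayable session.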
