Disabling the api log might not be a good idea; instead, while logging the request, remove the sensitive details (session details, passwords, etc.) and dump it.

Thanks
Rajesh Battala

-----Original Message-----
From: Abhinandan Prateek [mailto:abhinandan.prat...@citrix.com]
Sent: Wednesday, September 18, 2013 12:33 PM
To: dev@cloudstack.apache.org
Subject: Re: security around api.log

We can provide a way to disable the api.log?

On 18/09/13 11:27 am, "Rajesh Battala" <rajesh.batt...@citrix.com> wrote:

>If anybody got access to the api.log using the session details we can
>do execute api's and cause harm.
>But the api.log is present in the mgmt server and if anybody got access
>to it, he can corrupt anything.
>Not just accessing api.log, any other services logs and get the data. I
>feel it's up to admin how to protect his system and services.
>
>Thanks
>Rajesh Battala
>
>-----Original Message-----
>From: Darren Shepherd [mailto:darren.s.sheph...@gmail.com]
>Sent: Saturday, September 14, 2013 2:10 AM
>To: dev@cloudstack.apache.org
>Subject: security around api.log
>
>I just noticed api.log which seems to log all the API access in a form
>like
>
>2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer]
>(2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2
>accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET
>command=listZones&response=json&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAf
>c%3
>D&_=1379055729422
>200 { "listzonesresponse" : { "count":1 ,"zone" : [
>{"id":"cdaf82f1-3b57-4aa4-b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.
>8","dns2":"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","sec
>uri
>tygroupsenabled":true,"allocationstate":"Enabled","zonetoken":"6dce94e8
>-e8
>dc-3077-bfde-c6e8594bd449","dhcpprovider":"VirtualRouter","localstorage
>ena
>bled":false}
>] } }
>
>The sessionId and sessionKey is logged in the file. I haven't tried it
>yet, but can't I use that info to hijack the session? That introduces
>a security issue in that any server operator can now hijack anybody's
>session. So that api.log file really needs to be protected in the same
>way a file with a password in it would be.
>
>I would suggest that we just don't log the sessionId or sessionKey.
>
>Darren
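
The redaction suggested in this thread, sketched as an added example (not part of the original messages and not CloudStack code): it replaces the sessionId and the sessionkey/password query values in an api.log-style line with a keyed, non-reversible tag before the line is written. The function name, the parameter list, the HMAC tagging scheme and the sample line are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Query parameters treated as secrets (assumed list; extend it for your deployment).
SENSITIVE_PARAMS = ("sessionkey", "password")

# "sessionId=<value>" inside the "(userId=.. accountId=.. sessionId=..)" block.
_SESSION_ID = re.compile(r"(sessionId=)([^\s)]+)")
# "<name>=<value>" where the name ends in a sensitive word (also catches
# e.g. "newpassword"); the value runs to the next '&' or whitespace.
_QUERY_SECRET = re.compile(
    r"(?i)([A-Za-z0-9_]*(?:" + "|".join(SENSITIVE_PARAMS) + r"))=([^&\s]*)"
)


def _tag(value: str, key: bytes) -> str:
    """Keyed tag: the same secret maps to the same tag, so lines from one
    session can still be correlated, but the tag is useless as a credential."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "REDACTED:" + digest[:8]


def redact_api_log_line(line: str, key: bytes) -> str:
    """Return the log line with session identifiers and secrets replaced."""
    line = _SESSION_ID.sub(lambda m: m.group(1) + _tag(m.group(2), key), line)
    return _QUERY_SECRET.sub(
        lambda m: m.group(1) + "=" + _tag(m.group(2), key), line
    )


# Constructed sample modelled on the log format quoted in the thread;
# the session values are made up.
SAMPLE = (
    "2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] (ctx-0001) "
    "(userId=2 accountId=2 sessionId=constructedsessionid0001) 127.0.0.1 -- GET "
    "command=listZones&response=json&sessionkey=Y29uc3RydWN0ZWQ%3D"
    '&_=1379055729422 200 { "listzonesresponse" : { "count":1 } }'
)

if __name__ == "__main__":
    # Per-process random key: tags are stable within one run of the server
    # and cannot be recomputed by someone who only reads the log file.
    print(redact_api_log_line(SAMPLE, os.urandom(32)))
```
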