Granular Log Levels

Details

If your application handles sensitive data, or you are subject to data security compliance requirements, you may want to reduce the log level of your application's sensitive classes to avoid logging sensitive data on production systems.

If a log file is compromised, the attacker may gain access to sensitive data stored in the logs if the class log levels are not set up properly.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Review all entries and their levels to match requirements.
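One way to carry out this review, shown as an added example that is not part of the original page or the benchmark: the script resolves the effective level of each sensitive logger, including levels inherited from a parent entry, and reports those more verbose than an allowed ceiling. It assumes a java.util.logging-style `logging.properties` file (the page does not name the logging framework); the package names and the sample configuration are constructed.

```python
import re

# java.util.logging level names, most verbose first (assumed framework).
LEVELS = ["ALL", "FINEST", "FINER", "FINE", "CONFIG", "INFO", "WARNING", "SEVERE", "OFF"]
ENTRY = re.compile(r"^\s*(\S*?)\.level\s*[=:]\s*(\w+)\s*$")


def parse_levels(text):
    """Return {logger_name: LEVEL}; the root logger is stored under ''."""
    levels = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties-file comments
            continue
        m = ENTRY.match(line)
        if m and m.group(2).upper() in LEVELS:
            levels[m.group(1)] = m.group(2).upper()
    return levels


def effective_level(name, levels):
    """Resolve a logger's level as the hierarchy does: nearest ancestor wins."""
    while name:
        if name in levels:
            return levels[name], name
        name = name.rpartition(".")[0]
    return levels.get("", "INFO"), "<root>"


def review(text, sensitive, ceiling="INFO"):
    """Return (logger, level, set_by) for sensitive loggers more verbose than ceiling."""
    levels = parse_levels(text)
    # Each sensitive prefix plus every explicit entry beneath it.
    names = set(sensitive) | {n for n in levels for s in sensitive if n.startswith(s + ".")}
    resolved = [(n, *effective_level(n, levels)) for n in sorted(names)]
    return [r for r in resolved if LEVELS.index(r[1]) < LEVELS.index(ceiling)]


# Constructed sample configuration and hypothetical package names.
SAMPLE = """\
.level = INFO
com.example.level = FINE
com.example.web.level = WARNING
com.example.payments.card.level = FINEST
"""
SENSITIVE = ["com.example.payments", "com.example.web.session"]

if __name__ == "__main__":
    for logger, level, set_by in review(SAMPLE, SENSITIVE):
        print(f"{logger}: effective level {level} (set by {set_by})")
```

In the sample, `com.example.payments` has no entry of its own yet is reported, because it inherits FINE from `com.example`; a review that only reads explicit entries would miss it.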

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022