[OWASP_PHPSEC] Daily Report - 23 July, 2013

Chris White cwhite at remarinc.com
Wed Jul 24 19:44:01 UTC 2013

This may have been addressed already, but I strongly endorse the use of Monolog (https://github.com/Seldaek/monolog) as a logging utility.  Not only does it follow the RFC 5424 log levels (http://tools.ietf.org/html/rfc5424), but also the PSR-3 (https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-3-logger-interface.md) logging standard.  Using libraries that follow this standard decouples the logging library used from PHPSEC.  At the very least, I suggest following the suggested standards if you decide to build a proprietary logging library.  The best approach might be to create a wrapper for other logging libraries that fulfills security considerations.

Example of Monolog instantiation and use:
<?php
use Monolog\Logger;
use Monolog\Handler\StreamHandler;

// create a log channel
$log = new Logger('name');
$log->pushHandler(new StreamHandler('path/to/your.log', Logger::WARNING));

// add records to the log (PSR-3 method names; the handler drops anything below WARNING)
$log->warning('Foo');

Chris White
Network Administrator
Remar, Inc.
Work: 615-449-0231
Cell: 615-948-1388
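
One shape such a wrapper could take, as an added example that is not part of the original message, of PHPSEC, or of Monolog: a PSR-3 decorator that applies two security controls to every record before handing it to whatever PSR-3 logger sits underneath. The class name SafeLogger, the 4096-byte cap and the \xNN escape format are illustrative choices, and the attacker input is constructed. Monolog's default LineFormatter also collapses line breaks in the rendered line, but that protection depends on the handler and formatter in use; the wrapper enforces it for any backend, including a syslog or database handler.

```php
<?php
// Added example (not PHPSEC or Monolog code): a PSR-3 decorator that applies
// two security controls to every record before it reaches the real logger.
// Assumes the composer packages psr/log and monolog/monolog are installed.
require __DIR__ . '/vendor/autoload.php';

use Monolog\Handler\StreamHandler;
use Monolog\Logger;
use Psr\Log\AbstractLogger;
use Psr\Log\LoggerInterface;

class SafeLogger extends AbstractLogger
{
    private LoggerInterface $inner;
    private int $maxLength;

    public function __construct(LoggerInterface $inner, int $maxLength = 4096)
    {
        $this->inner = $inner;
        $this->maxLength = $maxLength;
    }

    /**
     * PSR-3 entry point; AbstractLogger routes debug()/warning()/... here.
     * Context keys and scalar values are neutralised too, since that is where
     * untrusted data (usernames, paths, request headers) usually ends up.
     */
    public function log($level, $message, array $context = []): void
    {
        $safeContext = [];
        foreach ($context as $key => $value) {
            $safeKey = $this->neutralise((string) $key);
            $safeContext[$safeKey] = (is_scalar($value) || $value === null)
                ? $this->neutralise((string) $value)
                : $value; // arrays/objects are left to the inner formatter
        }
        $this->inner->log($level, $this->neutralise((string) $message), $safeContext);
    }

    /**
     * Log forging: CR, LF and the other C0/DEL control characters are rewritten
     * as visible \xNN escapes, so injected text cannot start a fake log line or
     * send terminal control sequences to whoever tails the file.
     * Log flooding: records longer than $maxLength are truncated and marked.
     */
    public function neutralise(string $s): string
    {
        $s = preg_replace_callback(
            '/[\x00-\x1F\x7F]/',
            static fn (array $m): string => sprintf('\\x%02X', ord($m[0])),
            $s
        );
        if (strlen($s) > $this->maxLength) {
            $s = substr($s, 0, $this->maxLength) . '...[truncated]';
        }
        return $s;
    }
}

// Same Monolog setup as in the snippet above, wrapped once at construction;
// application code keeps calling the ordinary PSR-3 methods.
$log = new SafeLogger(
    new Logger('app', [new StreamHandler('path/to/your.log', Logger::WARNING)])
);

// Constructed attacker-controlled input: a username carrying CRLF and a forged
// "admin login OK" line, which a line-oriented log would otherwise show as a
// separate, genuine-looking record.
$username = "bob\r\nWARNING: admin login OK";
$log->warning('failed login for ' . $username, ['user' => $username]);
// Written as one record: the CRLF survives only as the visible text \x0D\x0A,
// never as a line break.
```

Because the wrapper only implements Psr\Log\LoggerInterface and only requires one, the inner Monolog instance can be swapped for any other PSR-3 logger without touching application code, which is the decoupling argued for above.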

From: owasp_php_security_project-bounces at lists.owasp.org [mailto:owasp_php_security_project-bounces at lists.owasp.org] On Behalf Of Abbas Naderi
Sent: Wednesday, July 24, 2013 7:21 AM
To: rahul chaudhary
Cc: owasp_php_security_project at lists.owasp.org
Subject: Re: [OWASP_PHPSEC] Daily Report - 23 July, 2013

Hi Rahul,
Congrats on your exam.
The approach with the log lib is not what we're looking for.
We need something simple, flexible and scalable: no config files and no 20 lines of initialising the library before using it.
We don't want PHPSEC to be yet another ESAPI, with all the bloat that made it drown. Make everything as simple and working as possible. If somebody needs more features, either they will expand it or they will ask us to make a more thorough version.
Notice: This message is digitally signed, its source and integrity are verifiable.
If your mail client does not support S/MIME verification, it will display a file (smime.p7s), which includes the X.509 certificate and the signature body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in AbiusX.com<http://AbiusX.com>

On Mordad 2, 1392, at 12:12 PM, rahul chaudhary <rahul300chaudhary400 at gmail.com<mailto:rahul300chaudhary400 at gmail.com>> wrote:

Hello All,

So as you all know, I took leave for Sunday and Monday. Now I am back. You would be glad to know that I have passed my test. Tomorrow (Tuesday) I am having an HR round, and possibly after that I will have technical rounds.

Before my report, please add me to the contributor list. I am not able to push my code.

So here's my Tuesday report.

Today I worked on the "logs" library. I added support for storing logs in files and in a DB.
I also created a template that lets users define the format in which they want their logs stored.

Our logs work like this:
You create an instance of the log and then pass it a configuration file. From that configuration file, the logger collects all the settings and does all the necessary work. This conf file contains the storage mode, such as DB, file, etc. It also gives the table name, the filename, which mode to open the file in, etc. Once this has been done, the developer can call the log function to store their logs using logger->log("mylogmessage"); they can also specify additional details such as the file where the error was generated, the type of error, the priority of the error, etc.

With our logs library, developers can also make their own template if they would like to store additional data, such as which class generated the error. To do this, they would just have to make minor changes in the code.

Currently the configuration file just supports arrays. Later I will add XML support also.

Since I am not familiar with XML, I am reading about it now. Once I do this, we can also store logs in XML format (if desired). Abbas also told me to store logs in syslog... I do not know what that is, so I have to read about it, which might take time. I am also working on functions such as mailing important logs to admins, and searching for one or multiple entries in the logs.

Rahul Chaudhary
Ph - 412-519-9634
OWASP_PHP_Security_Project mailing list
OWASP_PHP_Security_Project at lists.owasp.org<mailto:OWASP_PHP_Security_Project at lists.owasp.org>
