Sensitive data in logs

The GAS logs may include some sensitive or personal user data that is gathered during the normal course of running applications.

Important: Sensitive and personal data may be written to the output. Make sure that the log output is written to files that can only be read by administrators, and review the management strategy for log files.
HTTP messages.
Proxy logs contain HTTP messages, including the request and response content. Messages may include full documents. HTTP headers may contain query strings and cookies. Cookies may contain user credentials.
VM protocol
The proxy communicates with the DVM and can log all information exchanged. On the client side (GDC, GBC), for example, the contents of a log-in screen, including user name and password, may appear as clear text in the AUI tree and in the logs.
Note: Passwords appearing in the logs may be avoided if authentication and authorization is kept separate from the application by using a Single Sign On solution. The recommended practice for applications requiring user login is to implement the Genero SSO solution. See How to implement Single sign-on (SSO).
Command lines
If proxies start DVM processes, all the command lines with their parameters and working directories may be logged. For example:
"Start process" Directory: /opt/fourjs/fglgws/demo, 
         Command line: "/opt/fourjs/fglgws/bin/fglrun" demo.42m
VM output

All VM content written to the standard output (stdout and stderr) is redirected to the session log files (vm-<session-id>.log).

FastCGI dispatcher

If you are using the fastcgi dispatcher, all the FastCGI protocol parameters can be logged, including IP addresses, and authentication information (REMOTE_USER, etc).

Environment and Configuration

The GAS may log all environment at start up, including all system environment variables, system limits, etc. In the proxy log, some information on where the DVM will connect is also logged. For example, ... "FGLSERVER" 127.0.0.1:49913:

Clients send additional environment information to the logs at start up. For example, the GDC sends device MAC address, user name, host name, etc.

Monitor page

The monitor page, though not directly related to the log files, provides access to dispatcher and proxies / VM log files. It also provides a list of active sessions, with detailed information on the user agent, IP addresses, command lines used to start applications, authenticated user (CGI REMOTE_USER), environment variables, and access to configuration of available applications and services.

Reviewing the management of logs

Addressing the following questions can help towards a strategy for managing logs and protecting sensitive data.
  • What are you using the data for?

    Gas log files are essential for debugging and support response, and for that purpose are used for collecting status information on the VMs and the proxies.

  • Where is the data being stored?

    The data is stored on the server running the GAS. Consider who has access to the log files, and ensure access is restricted to administrators and users who need to work with the GAS log files.

  • Do you still need the data?

    Consider how long you need to keep logs. Review your log file management system and remove log files after a predefined period. See Manage the Genero Application Server log files.