Bug: Sensitive Information like ssn are logged #7343
Comments
@bradymiller Doesn't this suggestion of implementing ASVS 7.1.2 contradict some of our required guidelines for ONC audit log records? There's one thing of masking the output and then having ACLs required to access the unmasked output, but from what I see in the PR, this removes the data before it even goes into the audit log. Note @sathiya06 this is not a file log, rather the logging here is our audit log to track data access, modifications, etc. as required by federal law for our ONC certification requirements if I'm remembering this correctly. I don't recall there being a carve-out exception for logging SSN especially if someone were to tamper with that data.
Hi @adunsulag, very good point. Will look into the ONC cert log guidelines. May need to revert the following PR:
Describe the bug
ASVS 7.1.2 Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy
CWE-532: Insertion of Sensitive Information into Log File
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The social security number should not be displayed/masked.
Client configuration
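As an added example (not code from the OpenEMR project or from anyone in this thread), the following Python logging filter masks SSNs in ordinary application log output, which is the CWE-532 / ASVS 7.1.2 mitigation the issue asks for, and is deliberately not attached to an audit-trail logger so that the separate question raised in the comments about ONC audit records is left untouched. The SSN regex, the logger names and the sample messages are assumptions.

```python
import logging
import re

# Assumed SSN formats: 123-45-6789, 123 45 6789 or 123456789. A 9-digit run can also
# be an unrelated identifier, so expect occasional over-masking in free text.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def mask_ssn(text: str) -> str:
    """Replace every SSN in text with a masked form that keeps only the last four digits."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


class SensitiveDataFilter(logging.Filter):
    """Redact SSNs from a record's message and its string arguments before a handler emits it.

    Attach this to file/console handlers only (hypothetical "app" logger below). The
    audit-trail logger is intentionally not filtered here, since an audit record may
    need the original value and rely on access control for the unmasked view instead.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_ssn(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: mask_ssn(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            # Only strings are masked; ints and other types must stay as-is so
            # format directives such as %d keep working.
            record.args = tuple(mask_ssn(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def build_app_logger(name: str = "app") -> logging.Logger:
    """Return a logger whose console handler redacts SSNs (constructed wiring)."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    if not logger.handlers:
        handler = logging.StreamHandler()
        handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
        handler.addFilter(SensitiveDataFilter())
        logger.addHandler(handler)
    return logger


def render_masked(message: str, *args) -> str:
    """Run a message through the filter the way a handler would and return the final text."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, message, args, None)
    SensitiveDataFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    build_app_logger().info("Patient record %s updated, ssn=%s", "pid-42", "123-45-6789")
```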