Unverified Commit 092dbb25 authored by Miguel Fornés, committed by Aki Braun

Clarify remote logging mandate and local logging use cases (#328)

parent 6456d48c
+2 −0
@@ -1177,6 +1177,8 @@ The log messages shall not include any confidential information such as Personal

> NOTE: One type of event for which log messages must take care to not accidentally include a secret is failed password authentication attempts. Since users often type their password into the username field, including the username field in the log message may result in including a secret in the log message.

> NOTE: According to the Risk Mitigation Sets in Clause 5.3, this mitigation (MI-LOGG-2) is optional and dependent on the product's intended use case and corresponding security profile; becoming a mandatory mitigation only for specific use cases defined by higher-risk or enterprise profiles where centralized log management is a standard security expectation.

#### 5.2.15.4 MI LOGG 3: No-Logs Policy and Traffic Anonymization (### 5.13.N LOG)

* **\[REQ-LOG-jg2hq]** The remote data processing solutions of the VPN manufacturer shall technically enforce a strict "no-logs" policy.
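
Review bot: the added NOTE on MI-LOGG-2 carries the mitigation's normative status ("optional", "becoming a mandatory mitigation") inside a NOTE, which is normally informative, and it leaves the trigger as "higher-risk or enterprise profiles" without naming them. Consider stating the optional/mandatory status in the requirement text or in the Risk Mitigation Sets in Clause 5.3, and naming the specific profiles or use cases there, so a reader can tell which products must implement it. The commit message also mentions local logging use cases, but the added text only addresses when the mitigation becomes mandatory and says nothing about local logging. Two smaller points: the clause after the semicolon ("; becoming a mandatory mitigation only for ...") is a fragment and would read better as its own sentence, and the identifier is written "MI-LOGG-2" here while the following heading uses "MI LOGG 3", so one form should be used throughout.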