High-level security events are now logged for auditing purposes. Events impacting security have been assigned security specific event codes. These event codes have been standardized within Learn. In SP12 these events codes have been introduced in predefined areas of application activity so validity may be demonstrated. For this release the authentication log will continue to be used to capture login attempts. For full security analysis, it is necessary to download all security-related logs, including, but not limited to, the Input Validation Filter log and the authentication log.
The types of security events captured cover high-risk activities enabling the tracking and source identification of the event through analysis of logged source internet address, source session, user id, and event time.
Log entries are based on industry standards for identification and description of security events that may be the result of system attacks making them suitable for importing/use-with third party tools for forensic analysis reporting. Additionally the logs themselves provide the ability for identification of specific events as immediately visible in the logs.
Log location
The log is located in Blackboard_Home/logs/bb-security-validation-log.txt prior to Release 9.1, Service Pack 14
Blackboard_Home/logs/bb-security-log.txt
Event codes
These Event Codes are part of the Standard Security Event Codes.
| Event Code | Security Event | Description |
|---|---|---|
| 13 | Invalid or Missing Cross-site Request Forgery Nonce Detected | Missing cross-site request forgery nonce for request authenticity and exception thrown. May be an indicator of a cross-site request forgery attack. |
| 14 | Invalid URL Redirection Detected | Invalid url in request and exception thrown. May an indicator of attempts to perform arbitrary redirects to malicious websites. |
| 17 | Invalid Resource Link in Course Package | Invalid resource link in course package detected and ignored due to. May be an indicator of attempts to gain unauthorized access to resources. |
| 23 | Security Library OWASP ESAPI B2 Not Available but is called | Page not displayed and request not processed due to missing OWASP ESAPI Security Module B2 and exception thrown. Ensure the B2 is enabled since it is required.
In later releases, the ESAPI Security Module Building Block API is part of Blackboard Learn’s core code and is available by default. |
| 24 | Inline Receipt Message Signature Validation Failure Detected and Exception Thrown | Page not displayed due to missing inline receipt message signature and exception thrown. May be an indicator of attempts to perform phishing or cross-site scripting attacks. |
| 26 | Invalid Input Detected | Invalid input detected and dropped. May be an indicator of attempts to perform phishing or cross-site scripting attacks. |
Generate sample log activity
Certain application sensors throughout the Blackboard Learn platform will write to this log. To generate a sample event, one may go to the following URL after replacing "SERVER_NAME" with your server name:
https://SERVER_NAME/webapps/portal/execute/tabs/tabManageModules?cmd=manageModules&layoutType=custom&tabId=_1_1&recallUrl=http://www.blackboard.com
The following log entry is generated:
timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.120113.0|evt_code=14|evt_name=url redirection violated|sev=6|cat=input validation|outcome=failure|dhost=appsec-targ07|src_ip=10.100.100.100|suid=_1_1|suser=administrator|session_id=1095|msg=Invalid url in request and exception thrown. May an indicator of attempts to perform arbitrary redirects to malicious websites.|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22|act=exception|request=/webapps/portal/execute/tabs/tabManageModules|requestparam=|requestval=http://www.blackboard.com
