Below we share the threat model shared by all Logging Services projects.
All Logging Services software release distributions are signed using GPG using a key from the Logging Services PMC KEYS file. Information on how to verify releases signatures are explained further in the Download page. Thus, GPG signatures should be validated in your build process.
All configuration sources to an application must be trusted by the programmer. When loading a configuration file from disk (especially when a monitor interval is configured to reload the file periodically), the location of the configuration file must be kept safe from unauthorized modifications. Similarly, when loading a configuration file over the network such as through HTTP, this should be configured to use TLS or a secure connection in general with strong authentication guarantees. This remote location must be kept safe from unauthorized modifications.
For Java-based projects supporting JNDI or JMX,
when configurations are modified through JMX, the JMX server should be safely configured to require authentication and a secure connection if being accessed over the network.
When configurations are provided through JNDI, these should only use the java
scheme for sharing configurations in a Java EE or Jakarta EE application service.
JNDI-sourced configurations should not use other JNDI providers such as LDAP, DNS, or RMI, as all these providers are difficult to properly secure.
Java Object Serialization Stream Protocol should not be used to deserialize data from untrusted sources. See the related OWASP guide for details.