Admin user access log against authentication attempts
Is your feature request related to a problem? Please describe.
Security requirements in some cities require us to maintain an admin user access log for the system. This log should consist of successful and unsuccessful authentication attempts, including any third-party authentication methods (OAuth).
This is a completely separate log table from the "ActionLog" entries that we currently have in Decidim. By analyzing the access control log, you can identify security violations, such as password-guessing attempts or authentication attempts with expired usernames.
Describe the solution you'd like
The suggested log should allow us to get the following information about the admin user sessions:
- The user account that attempted the authentication
- The time of the authentication attempt
- The IP address where the authentication attempt was made from
- The authentication method used, e.g. "password", "microsoft ad", "google", etc. (i.e. the OAuth method identifier that was used)
- The status flag of the attempt (successful, unsuccessful, cancelled, etc.)
- Details/reason (optional), e.g. "invalid password"
- Email address (or OAuth uid if it's an OAuth attempt)
The purpose of this log is different from the ActionLog, and it does not need a user interface attached to it.
At a minimum, this should cover authentication attempts made against admin users or users who have limited access to the admin panel, e.g. participatory process admins (admin, collaborator, moderator, valuator, etc.).
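The log table sketched above, and the kind of review query it enables (spotting the password-guessing attempts mentioned earlier), as an added Ruby example that is not Decidim's own code. It keeps the entries in memory instead of a database table, validates the status flag and IP address, and only records attempts against accounts that hold one of the admin-like roles listed in the request; the `AdminAuthLog` class, the role list, the `user` hash shape and the `suspicious_ips` threshold are assumptions for the example.

```ruby
require "time"
require "ipaddr"

# Constructed example: one row of the proposed admin access log, with the
# columns listed in the feature request. Stand-in for a real database table.
AdminAuthAttempt = Struct.new(
  :user_id, :attempted_at, :ip_address, :auth_method,
  :status, :details, :identifier,
  keyword_init: true
)

STATUSES = %w[successful unsuccessful cancelled].freeze
# Roles with admin-panel access, per the request (assumed list, not Decidim's).
ADMIN_ROLES = %w[admin collaborator moderator valuator].freeze

class AdminAuthLog
  attr_reader :entries

  def initialize
    @entries = []
  end

  # Records an attempt only when the target account has admin-level access.
  # `user` is a hash such as { id: 1, roles: ["moderator"] }, or nil when the
  # identifier matched no account (e.g. an expired username).
  # Returns the stored entry, or nil when the attempt is out of scope.
  def record(user:, ip:, method:, status:, identifier:, details: nil, at: Time.now.utc)
    raise ArgumentError, "unknown status #{status}" unless STATUSES.include?(status)
    IPAddr.new(ip) # raises IPAddr::InvalidAddressError on malformed input
    return nil unless admin_like?(user)

    entry = AdminAuthAttempt.new(
      user_id: user[:id], attempted_at: at, ip_address: ip, auth_method: method,
      status: status, details: details, identifier: identifier
    )
    @entries << entry
    entry
  end

  # Review query: source IPs with at least `threshold` failed attempts inside
  # any sliding window of `window` seconds. Thresholds are assumed values.
  def suspicious_ips(threshold: 5, window: 600)
    failures = @entries.select { |e| e.status == "unsuccessful" }.sort_by(&:attempted_at)
    failures.group_by(&:ip_address).each_with_object([]) do |(ip, list), out|
      times = list.map(&:attempted_at)
      times.each_with_index do |start, i|
        last = i
        last += 1 while last + 1 < times.size && times[last + 1] - start <= window
        if last - i + 1 >= threshold
          out << ip
          break
        end
      end
    end
  end

  private

  def admin_like?(user)
    return false if user.nil?
    (user[:roles] & ADMIN_ROLES).any?
  end
end
```

Keeping the write path narrow (no row unless the account is admin-like) is what keeps this table small compared with logging every login, which is the trade-off discussed under the alternatives; the failed-attempt query runs over the stored rows only, so a periodic review can work from the table without touching the rest of the system.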
Describe alternatives you've considered
As an alternative solution, we can use third-party solutions and integrate them into our system.
If we also want to identify authentication attempts against "expired usernames" (e.g. an old admin user who was removed from the system), we would have to collect this log from every login attempt. Within the Decidim context, however, that would possibly mean a very large log table, and it would likely be unnecessary because these users either no longer have admin access or their accounts were removed completely. Decidim would still make it possible to identify old admin users, because we keep the anonymized base user accounts in the database even after the account has been deleted. But this would require further development and is not likely to improve the security of the system as long as the system administrators maintain the admin user lists properly.
Could this issue impact users' private data?
This would affect only the privacy of the admin users (and users with limited admin access like contributors, etc.), and public users' privacy would not be affected.