Open Bug 562505 Opened 14 years ago Updated 11 years ago

Detailed audit logging for specific user actions within Bugzilla

Categories

(Bugzilla :: Administration, task, P4)

People

(Reporter: clyon, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [infrasecq2][wanted-bmo])

There should be detailed logs for the following user actions.

1. If a user requests a password reset (forgot password), a log should be written with the requested account name and requesting IP address.
2. If there is a forgot password request and it expires, we should log that a user has attempted to access an expired password request.
3. If there is a successful password change, we should also log that a password has been changed (account name and IP address). 
4. Failed attempts and Account Lockouts should be logged. (Separate from the current database logging)
This is not a security issue.
Group: bugzilla-security
Priority: -- → P4
(In reply to comment #1)
> This is not a security issue.

Currently there isn't any tracking for this type of data. So I would say it is security sensitive.
(In reply to comment #2)
> Currently there isn't any tracking for this type of data. So I would say it is
> security sensitive.

It doesn't represent a security risk to users--it's not a security hole in Bugzilla. There's no reason to keep this bug confidential.
I confirm it's not a security bug. Anyway, you are requesting several things in a single bug, which should probably have been filed separately.

#2 I don't see why this would be useful
#3 is already covered by bug 366178
#4 is already fixed by bug 355283, AFAICT
Depends on: 622943
Whiteboard: [infrasecq2] → [infrasecq2][wanted-bmo]
Depends on: 366178