dani-garcia / vaultwarden

Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
GNU Affero General Public License v3.0
38.31k stars 1.86k forks

Audit Log #229

Closed. ptman closed this issue 5 years ago

ptman commented 6 years ago

I would very much like to have an audit log in Bitwarden. It would be good to be able to find out later who has viewed or changed a certain item and when, and also which items a person has viewed so that those passwords can be changed. It should probably be structured in some way in order to allow queries. Stored in the DB? Or just output as a JSON object per line to a log file or similar destination?

I know Bitwarden enterprise offers some kind of audit log. Does the vault app make use of API endpoints to view it?

mprasil commented 6 years ago

Hi Paul, a lot of those things aren't possible due to the nature of how Bitwarden works. The ciphers are just synced to the client, all in one request, and then viewing is completely client-side, so the server has no such information. As far as you should be concerned, all passwords could potentially be viewed by the client once the ciphers have been synced.

As for saving, we could perhaps log those events optionally, with the user name? There's no such interface in the Vault interface though, so someone would have to create an interface just for that, or it would only be down to logs or DB records.

If you're really concerned about changing passwords once a user is removed from the organization or their privileges are removed, maybe something like HashiCorp's Vault would be a better fit? Though that one is meant to be used mostly via the API.

ptman commented 6 years ago

Thanks, I understand. I wonder what the Bitwarden enterprise audit log looks like. And while Vault is good, and I use it for some stuff, Bitwarden is useful for other stuff.

Also, some web password managers offer support for automatically changing passwords on supported sites: https://blog.lastpass.com/2014/12/introducing-auto-password-changing-with.html/ . That would be awesome in combination with a proper audit log, but I understand that it's a lot of work and probably needs integration on the client side as well.

mprasil commented 6 years ago

Yeah, unfortunately (or luckily, depending on who you ask 😉) Bitwarden works with almost zero knowledge about the stored data. This includes things like the password name or which site it is for. Essentially everything except the owner id is encrypted. So things like automatic password change would have to be implemented on the client side, and you'd need to ask for that feature upstream.

As for an API call log, I guess we could log which user called which API if the call is authenticated. This would probably be something you would have to enable via a configuration option, and with the understanding that there's generally very little you would see anyway, as the server by design has very little knowledge.
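
As an added illustration of the opt-in, authenticated-call log sketched in the comment above (and of the JSON-object-per-line output asked for in the opening post), here is a stand-alone Rust example. It is not vaultwarden code and not part of this thread: the Bitwarden-style route patterns, the field names, the `record`/`classify` helpers and the sample requests are all assumptions chosen for the example. It records only what the server actually knows for an authenticated call (caller id, method, route, status, timestamp) and deliberately has no place for item names or cipher contents, which the server never sees in plaintext.

```rust
// Added example, not vaultwarden's own code. Route patterns, field names and
// sample requests are assumptions made for illustration.
use std::time::{SystemTime, UNIX_EPOCH};

/// Opt-in switch, mirroring "enable via a configuration option".
pub struct AuditConfig {
    pub enabled: bool,
}

/// What an authenticated request looks like to the server: no plaintext,
/// no item names, only the caller, the route and an opaque cipher id in the path.
#[derive(Debug, Clone, PartialEq)]
pub struct AuditEvent {
    pub ts_unix: u64,
    pub user_id: String,
    pub action: String,
    pub method: String,
    pub path: String,
    pub status: u16,
}

/// Escape a string for embedding in a JSON string literal (quotes, backslash,
/// and control characters), so an attacker-chosen path cannot break the line format.
fn json_escape(s: &str, out: &mut String) {
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
}

/// Map a route to a coarse action name. The patterns are assumed Bitwarden-style
/// routes. A sync is classified on its own because, as the thread explains, it
/// hands the client every cipher at once, so it is a potential read of all of them.
pub fn classify(method: &str, path: &str) -> String {
    let p = path.split('?').next().unwrap_or("");
    match (method, p) {
        ("GET", "/api/sync") => "sync_all".to_string(),
        ("POST", "/api/ciphers") => "cipher.create".to_string(),
        ("PUT", p) if p.starts_with("/api/ciphers/") => "cipher.update".to_string(),
        ("DELETE", p) if p.starts_with("/api/ciphers/") => "cipher.delete".to_string(),
        (m, _) => format!("other.{}", m.to_lowercase()),
    }
}

impl AuditEvent {
    /// One JSON object per line, suitable for a log file or a log shipper.
    pub fn to_json_line(&self) -> String {
        let mut s = String::from("{\"ts\":");
        s.push_str(&self.ts_unix.to_string());
        let fields = [
            ("user_id", &self.user_id),
            ("action", &self.action),
            ("method", &self.method),
            ("path", &self.path),
        ];
        for (k, v) in fields {
            s.push_str(",\"");
            s.push_str(k);
            s.push_str("\":\"");
            json_escape(v, &mut s);
            s.push('"');
        }
        s.push_str(",\"status\":");
        s.push_str(&self.status.to_string());
        s.push('}');
        s
    }
}

/// Record one request. Returns the emitted line, or None when auditing is
/// disabled or the request was not authenticated (there is nobody to attribute it to).
pub fn record(
    cfg: &AuditConfig,
    sink: &mut Vec<String>,
    user_id: Option<&str>,
    method: &str,
    path: &str,
    status: u16,
    ts_unix: u64,
) -> Option<String> {
    if !cfg.enabled {
        return None;
    }
    let user = user_id?;
    let ev = AuditEvent {
        ts_unix,
        user_id: user.to_string(),
        action: classify(method, path),
        method: method.to_string(),
        path: path.to_string(),
        status,
    };
    let line = ev.to_json_line();
    sink.push(line.clone());
    Some(line)
}

fn now_unix() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

fn main() {
    let cfg = AuditConfig { enabled: true };
    let mut sink = Vec::new();
    // Constructed sample requests for the demo, not captured traffic.
    let reqs: [(Option<&str>, &str, &str, u16); 3] = [
        (Some("u-1"), "GET", "/api/sync", 200),
        (Some("u-1"), "PUT", "/api/ciphers/c-42", 200),
        (None, "POST", "/identity/connect/token", 401),
    ];
    for (u, m, p, st) in reqs {
        if let Some(line) = record(&cfg, &mut sink, u, m, p, st, now_unix()) {
            println!("{}", line);
        }
    }
}
```

The unauthenticated token request in the sample produces no line at all, which matches the comment's "if the call is authenticated"; if you want failed logins attributed, that has to be a separate, rate-limited log keyed on the client address rather than on a user id the server cannot trust yet.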

ptman commented 6 years ago

Yes, I understood that from your explanation. But Bitwarden enterprise does record an audit log. The web vault code makes references to accessEvents, eventLogs, useEvents, etc., and there's an EventService, apparently for translating events when viewing the history. But how are they recorded? Can an API be implemented so that the clients take care of that?

mprasil commented 6 years ago

This would probably require some significant effort, most likely also implementing an actual admin interface. I think we will need to find someone motivated enough to submit a PR, which would be very welcome provided it's an optional feature that can be turned on.

dani-garcia commented 5 years ago

To keep the issue tracker more focused, I'm closing this issue in favor of the meta issue at #246.