We want to use passbolt to store some sensitive passwords that should be used only in emergency cases.
To be sure the password wasn’t used without an emergency case, we would like to trace “password reads”: is there any kind of log file where we could find this information?
Passbolt log files would be located in the following folder:
/var/log/passbolt/*
You could try this:
Instead of trying to get passbolt to notice those changes, the system that is going to use those passwords should be accessed by only one person, and the system that is taking the login information should register that a One Time Password has been used and by whom.
In /var/log/passbolt I can only find error.log and nothing about creation, modification or password reads?
Note: Each user has a unique login/password, but sometimes we may need a “superuser” (root or Administrator). We currently store these passwords offline, and although we can know if somebody has accessed the password (seal break), we can’t know who did it.
In fact, more than a password manager, we need an “electronic seal”.
All passbolt actions are logged in action_logs, even in the CE version.
You can get a list of passwords accessed by a user with this SQL query:
SELECT
al.created,
u.username,
r.name,
r.uri,
r.deleted
FROM
action_logs al
INNER JOIN actions a ON al.action_id = a.id
INNER JOIN users u ON u.id = al.user_id
INNER JOIN secret_accesses sa ON sa.created = al.created
INNER JOIN resources r ON sa.resource_id = r.id
WHERE
a.name = "ResourcesView.view";
Another query example, if you want to search for all actions made between last September 14th and 15th:
SELECT al.created AS Datetime, u.username AS Username, a.name AS ActionName, al.context AS Context
FROM action_logs al
JOIN actions a on a.id = al.action_id
JOIN users u on u.id = al.user_id
WHERE al.created > "2022-09-14 00:00:00" AND al.created < "2022-09-15 00:00:00"
ORDER BY al.created asc;
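As an added example (not a query from this thread or from the passbolt project), the two queries above can be combined into a per-user read summary for one "sealed" emergency password over a period, which is the check needed to see who broke the seal and how often. The resource name and the date range are placeholders; the timestamp join between action_logs and secret_accesses follows the approach shown in the first query above and assumes both rows are written with the same created value.

```sql
-- Added example: reads of one emergency password, grouped by reader.
-- Tables and columns are those used in the queries above.
SELECT
  r.name          AS ResourceName,
  u.username      AS Username,
  COUNT(*)        AS Reads,       -- how many times this user read the secret
  MIN(al.created) AS FirstRead,
  MAX(al.created) AS LastRead
FROM action_logs al
JOIN actions a          ON a.id = al.action_id
JOIN users u            ON u.id = al.user_id
JOIN secret_accesses sa ON sa.created = al.created   -- same approach as above
JOIN resources r        ON r.id = sa.resource_id
WHERE a.name = 'ResourcesView.view'                  -- a secret read
  AND r.name = 'ROOT-EMERGENCY'                      -- placeholder resource name
  AND al.created BETWEEN '2022-09-01 00:00:00'       -- placeholder period
                     AND '2022-09-30 23:59:59'
GROUP BY r.name, u.username
ORDER BY LastRead DESC;
```

Any row returned for a period in which no emergency was declared is a seal break to follow up on with the named user, using the detail query above to get the exact timestamps.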