Login password read

GeorgesMC · September 29, 2022, 12:56pm

We want to use passbolt to store some sensitive passwords, that should be used only in emergency cases.
To be sure the password wasn’t used without an emergency case, we would like to trace “password reads”: is there any kind of log file where we could find this information?

JamesBond · September 29, 2022, 1:05pm

Hi @GeorgesMC,

Passbolt log files would be located in the following folder:
/var/log/passbolt/*

You could try this:
Instead of trying to get passbolt to notice those changes, the system that is going to use those passwords should be accessed by only 1 person and the system that is taking the login information should register that an One Time Password has been used and by who.

Regards
Bond

GeorgesMC · September 29, 2022, 1:24pm

Thank you for your answer.

In /var/log/passbolt I can only find error.log and nothing about creation, modification or password read?

Note: Each user has a unique login/password, but sometimes we should need a “superuser” (root or Administrator), we currently store these passwords offline, but albeit we can know if somebody has accessed the password (seal break), we can’t know who did it.

In fact, more than a password manager, we need an “electronic seal”

JamesBond · September 29, 2022, 1:43pm

That was a misunderstanding, so to view creation, modification changes you have to setup SMTP in the passbolt config file /etc/passbolt/passbolt.php

To view who read the password and used it, I am not too sure if passbolt registers that. It may be in the Enterprise edition.

I have not personally used the Enterprise edition so I’m not too sure if there is that feature.

Unfortunately Passbolt may not be able to do that since its only a Password Manager.

This problem can be solved by probably placing cameras in the location where you store the password and only trusted people can enter that room/safe.

AnatomicJC · September 29, 2022, 3:02pm

Hi

All passbolt actions are logged in action_logs, even in the CE version.

You can get a list of passwords accessed by a user with this SQL request:

SELECT
       al.created,
       u.username,
       r.name,
       r.uri,
       r.deleted
FROM
       action_logs al
       INNER JOIN actions a ON al.action_id = a.id
       INNER JOIN users u ON u.id = al.user_id
       INNER JOIN secret_accesses sa ON sa.created = al.created
       INNER JOIN resources r ON sa.resource_id = r.id
WHERE
       a.name = "ResourcesView.view";

Another request example, if you want to search all actions made between last september 14th and 15th:

SELECT al.created AS Datetime, u.username AS Username, a.name AS ActionName, al.context AS Context
FROM action_logs al 
JOIN actions a on a.id = al.action_id
JOIN users u on u.id = al.user_id
WHERE al.created > "2022-09-14 00:00:00" AND al.created < "2022-09-15 00:00:00"
ORDER BY al.created asc;

Best,

yoyo00 · January 11, 2024, 2:59pm

Hello, can someone tell me whre this action_logs file is located ? Thanks

AnatomicJC · January 12, 2024, 1:20pm

Hi,

You have to execute these SQL requests on your passbolt database.

Cheers,