Hi,
As I wrote in my previous email regarding the audit trail, I also checked the login process in the DB.
I think recording the login processes would be useful (security).
At the moment there are some tables regarding users and sessions, but login information is not saved.
My proposal:
- Keep a log of successful and unsuccessful login attempts in a new table, including login name, timestamp, IP address, successful/unsuccessful flag
- If a company is also probed (not valid), it should be registered in a system-wide table.
- It would be handy to send out an email (option) or send an XMPP message to the user about the login attempt.
- Above a limit, like 5 unsuccessful login attempts, an alert could be sent to the system admin.
- Supporting 2-factor login, like using a one-time password sent by email or SMS after a successful login. A plugin-like system can be OK, where the end user can develop his preferred method, for example how to send the SMS. The one-time password could be provided by the system.
Any more ideas?
Thanks,
István
_______________________________________________ Ledger-smb-devel mailing list ..hidden.. https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
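
The login-attempt table and the 5-failure admin alert from the proposal above, as an added sketch that is not LedgerSMB code and not part of the original email. The table name, column names, the 15-minute window and the use of SQLite are assumptions made so the example runs stand-alone.

```python
import sqlite3

FAIL_LIMIT = 5        # from the proposal: "like 5 unsuccessful login attempts"
WINDOW_SECONDS = 900  # assumption: the proposal names no time window

# Hypothetical table; the columns are the fields listed in the proposal.
SCHEMA = """
CREATE TABLE login_attempt (
    id         INTEGER PRIMARY KEY,
    login_name TEXT    NOT NULL,
    attempt_ts INTEGER NOT NULL,   -- Unix time, UTC
    ip_address TEXT    NOT NULL,
    success    INTEGER NOT NULL CHECK (success IN (0, 1))
);
CREATE INDEX login_attempt_name_ts ON login_attempt (login_name, attempt_ts);
"""

def recent_failures(db, login_name, now):
    """Failures inside the window that are newer than the last successful login."""
    (count,) = db.execute(
        """SELECT COUNT(*) FROM login_attempt
            WHERE login_name = ? AND success = 0
              AND attempt_ts > ? AND attempt_ts <= ?
              AND attempt_ts > COALESCE(
                    (SELECT MAX(attempt_ts) FROM login_attempt
                      WHERE login_name = ? AND success = 1 AND attempt_ts <= ?), -1)""",
        (login_name, now - WINDOW_SECONDS, now, login_name, now),
    ).fetchone()
    return count

def record_attempt(db, login_name, ts, ip, success):
    """Log one attempt; return True when the admin should be alerted."""
    db.execute(
        "INSERT INTO login_attempt (login_name, attempt_ts, ip_address, success)"
        " VALUES (?, ?, ?, ?)",
        (login_name, ts, ip, int(success)),
    )
    db.commit()
    return (not success) and recent_failures(db, login_name, ts) >= FAIL_LIMIT

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample: five failed logins for one name, one second apart.
    for i in range(5):
        alert = record_attempt(db, "alice", 1000 + i, "192.0.2.10", False)
        print(1000 + i, "alert" if alert else "logged")
```

Because the attempted name is stored even when it matches no account, the table can end up holding passwords typed into the login field by mistake, so read access to it should be limited to administrators.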