[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proposal for tracking logins

On Thu, Sep 25, 2014 at 12:20 AM, Pongrácz István <..hidden..> wrote:


As I wrote my previous email, regarding audit trail, I also checked the login process in the DB.

I think, recording the login processes would be useful (security).

At this moment there are some tables, regarding users and sessions, but login information did not save.

My proposal:

  • Keep a log about successful and unsuccessful login attempts to a new table, including login name, timestamp, IP address, successful/unsuccessful flag
  • If a company also probed (not valid), it should be registered in a system wide table.
  • It would be handy to send out an email (option) or send an xmpp message to the user about the login attempt.
  • Above a limit, like 5 unsuccessful login attempts, an alert could be sent to the system admin.
  • Supporting 2 factors login, like using a one time password sent by email or sms after a successful login. A plugin-like system can be ok, where the end user can develop his preferred method, for example how to send the sms. One time password could provided by the system.

Any more idea?

I think one would have to write to log files and have other programs monitoring the log file and processing it, handling notification etc.  I don't see us abandoning the idea that LSMB should only have the permissions of the current logged in user but that doesn't prevent other ways of getting the data into the db via a helper program.



Best Wishes,
Chris Travers

Efficito:  Hosted Accounting and ERP.  Robust and Flexible.  No vendor lock-in.
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
Ledger-smb-devel mailing list