Requested feature: Auditing

ThomasC
Posts: 38
Joined: Mon Mar 12, 2007 3:20 pm

Requested feature: Auditing

Post by ThomasC » Wed Jan 14, 2015 6:07 pm

As far as I can tell, there is no means to determine when a user got latest on a file or folder. For security and auditing purposes, this would be useful information to have.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Re: Requested feature: Auditing

Post by Beth » Thu Jan 15, 2015 4:26 pm

Your options currently would be to:

1) Turn on debug level logging and have something watch the log file for users performing a Get. Or, if you only really need to see the logins, then you could leave the level at Quiet and see the logins.

2) Turn on Notifications. It won't say when you perform a Get, but it can tell when a person logs in.
Beth Kieler
SourceGear Technical Support

ThomasC
Posts: 38
Joined: Mon Mar 12, 2007 3:20 pm

Re: Requested feature: Auditing

Post by ThomasC » Fri Jan 16, 2015 11:28 am

Beth wrote: Your options currently would be to:

1) Turn on debug level logging and have something watch the log file for users performing a Get. Or, if you only really need to see the logins, then you could leave the level at Quiet and see the logins.

2) Turn on Notifications. It won't say when you perform a Get, but it can tell when a person logs in.

I understand that you are providing workarounds for achieving the equivalent using the existing tools. However, neither of those solutions is ideal. Natively we have a record of check-ins. It seems logical to want a list of Gets.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Re: Requested feature: Auditing

Post by Beth » Fri Jan 16, 2015 2:43 pm

I can put in a feature request, but so that we understand better what is needed, can you explain how this would be used?

You mentioned Security, but it would be possible to have you see what all users' rights are for either the repository or folders. In addition, a logged in user could view data without actually running the Get command.
Beth Kieler
SourceGear Technical Support

ThomasC
Posts: 38
Joined: Mon Mar 12, 2007 3:20 pm

Re: Requested feature: Auditing

Post by ThomasC » Fri Jan 16, 2015 5:22 pm

Beth wrote: I can put in a feature request, but so that we understand better what is needed, can you explain how this would be used?

You mentioned Security, but it would be possible to have you see what all users' rights are for either the repository or folders. In addition, a logged in user could view data without actually running the Get command.

How can a logged-in user view the data without pulling the data? They can obviously view what they have already pulled from source. To be clear, what I'm seeking is an audit of every request to pull a file to be viewed/edited. I presume this is the Get Latest command. The scenario is that there is a suspicion that a developer has connected to the source control system after they were released. We can obviously use the Windows logs to determine if they logged into AD, but if we determine they were, the next question is "to what did they have access and what did they actually access?" It is this latter question that I'd like to be able to answer.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Re: Requested feature: Auditing

Post by Beth » Mon Jan 19, 2015 11:01 am

It does pull the data down, but it's not actually performing a Get Latest. I guess it might be possible to see all data requested by a user machine instead of just what happens in the Get Latest command. Either way, I can put in a feature request for this.

What you can do right now to help your situation is:

1) Immediately make the developer inactive. This should be one of the steps performed either before the actual notice or within seconds of receiving notice. That is performed by going into the Vault admin web page, clicking on users, then clicking on the user name, and changing the setting from Active to Inactive. Then the user can no longer log in or access anything. If you need to use that user's login for something, it can be dealt with by changing the user's login name and password, though really, all stuff can be dealt with without that user being active.

2) If you use Active Directory logins, then the user should be disabled in Active Directory as well. If using AD logins with Vault, then when their AD login fails, the user can't get into Vault.

3) If the user had access to admin passwords, change the admin passwords.

4) Besides seeing if the user logged in with the AD logs, you can see if the user logged in with the Vault server logs. Check logs for logins after the user was released.

5) Vault security reports will indicate to you what the user had access to. You can additionally remove all access for that user's username. In the Vault admin web page where you can view the list of all the users are links to View Access Rights. Click that to see what the user had access to. You can then go to each repository under Source Control Repositories and click on Repository Access and set the user to No Access.
Beth Kieler
SourceGear Technical Support
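
Added example, not part of the original thread and not SourceGear code: one way to do the log check from step 4 combined with the "watch the log file" workaround, listing a user's logins and retrievals recorded after their release time. The line layout, the `GetFile` event name, the account names and the timestamps are all constructed assumptions; adjust `LINE_RE` to match what your server log actually contains.

```python
import re
from datetime import datetime

# Constructed sample lines. The layout (timestamp, user, host(ip), event, path)
# and the "GetFile" event name are assumptions, not the real Vault log format.
SAMPLE_LOG = """\
2015-01-09 16:58:02 jdoe WS-114(10.0.4.27) Login
2015-01-09 17:03:40 jdoe WS-114(10.0.4.27) GetFile $/Billing/Invoice.cs
2015-01-12 08:15:11 asmith WS-090(10.0.4.31) Login
2015-01-12 22:41:05 jdoe UNKNOWN(203.0.113.50) Login
2015-01-12 22:43:19 jdoe UNKNOWN(203.0.113.50) GetFile $/Billing/Invoice.cs
2015-01-12 22:43:20 JDoe UNKNOWN(203.0.113.50) GetFile $/Billing/Rates.config
garbled line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<host>[^()\s]*)\((?P<ip>[^)]*)\) (?P<event>\S+)(?: (?P<target>.+))?$"
)

def activity_after(log_text, user, released_at):
    """Return (events, unparsed_line_numbers) for `user` at/after `released_at`."""
    events, unparsed = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(n)  # report these; silently dropping lines hides evidence
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        # Assumption: account names are case-insensitive, so compare casefolded.
        if m["user"].casefold() == user.casefold() and ts >= released_at:
            events.append((ts, m["ip"], m["event"], m["target"]))
    events.sort(key=lambda e: e[0])
    return events, unparsed

def summarize(events):
    """Split events into login source IPs and the set of paths retrieved."""
    ips = sorted({ip for _, ip, ev, _ in events if ev == "Login"})
    paths = sorted({t for _, _, ev, t in events if ev != "Login" and t})
    return ips, paths

if __name__ == "__main__":
    released = datetime(2015, 1, 9, 17, 30)  # constructed release time
    events, unparsed = activity_after(SAMPLE_LOG, "jdoe", released)
    print(summarize(events), "unparsed lines:", unparsed)
```

The result only covers what the server writes at the configured log level, so it cannot show activity from before debug logging was enabled.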