Auditing
RatticDB audits all actions that are performed on a credential. This enables staff members to analyse who has seen what passwords and when they have been changed. RatticDB also uses this functionality to help you decide what passwords to change when you disable a user account, or remove groups from their access.
Staff users will see the audit logs on the credential pages and the user details page. They also have access to the audit log pages, which can filter entries by user or by credential, or show all audit entries from the past X days. Users without staff access will not see audit logs on any page and will get a 404 error when trying to view them.
This entry is written when the credential is first added to the RatticDB database, whether it is added manually or imported from an external source.
This audit record notes that the credential was changed, but only its metadata fields were affected (for example, only the description was edited). The following fields are counted as metadata:
- Description
- Group
- Tags
- Icon
This entry signifies that the credential has been changed by a user. For this log entry to be written the fields that have changed must include some non-metadata fields. For example changing the password or the attachment.
This log entry occurs when the password details page is viewed. On this page the password is not visible unless the user activates the password field by hovering over it or clicking the button to show it in cleartext. This will cause the page to make an API call to fetch the actual password.
In the log, a Password Viewed record means that the credential was fetched through the API (which returns the password field). This happens on the password details page when the password is shown in cleartext or copied to the clipboard.
A password with a log entry of Exported has been included in a file export, for example a KeePass file sent to the user. RatticDB cannot audit it beyond this point, as there is no way of knowing whether the password has been viewed in the KeePass file, so it is safer to assume it has been seen.
Deleted indicates that the password was placed in the trash can. If it is later removed from the trash can, a further entry is added after this one. Items in the trash can continue to accumulate audit logs. Removing a password from the trash can permanently deletes it together with all of its associated audit logs.
When a password enters the change queue it gets a Scheduled For Change entry. This can be used to measure the time between a password being marked as needing a change and the moment it was actually changed.
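The two uses of the audit log described on this page, deciding which passwords to change when a user account is disabled and measuring the time from Scheduled For Change to the actual change, can be worked through over a constructed log. The script below is an added example and is not RatticDB's own code: the record fields (`when`, `user`, `credential`, `event`) and the event names "Added", "Metadata Changed", "Changed" and "Details Viewed" are assumptions made here for the entry types this page describes without naming; "Password Viewed", "Exported" and "Scheduled For Change" are the names used on the page. It also assumes that the user who added or changed a credential knows its current value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Event names for entries the page describes without naming are assumptions
# for this example; the remaining names are taken from the page.
# A user who viewed, exported, added or set a password is assumed to know it.
EXPOSING_EVENTS = {"Password Viewed", "Exported", "Added"}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    credential: str
    event: str


def passwords_to_rotate(log, user):
    """Credentials whose current value `user` may know.

    A credential counts as exposed to the user once they view, export or add
    it, and stays exposed until someone else writes a "Changed" entry (a real
    change of the secret). A "Metadata Changed" entry does not reset exposure
    because the password itself is unchanged; a "Details Viewed" entry never
    exposes it, since the cleartext is only fetched on an explicit reveal.
    """
    exposed = {}
    for e in sorted(log, key=lambda x: x.when):
        if e.event == "Changed":
            if e.user == user:
                exposed[e.credential] = e.when  # assumption: the changer knows the new value
            else:
                exposed.pop(e.credential, None)  # rotated by someone else
        elif e.user == user and e.event in EXPOSING_EVENTS:
            exposed[e.credential] = e.when
    return sorted(exposed)


def change_latency(log, credential):
    """Seconds from the latest "Scheduled For Change" on `credential` to the
    next "Changed" entry, or None if it has not been changed since."""
    scheduled = None
    for e in sorted(log, key=lambda x: x.when):
        if e.credential != credential:
            continue
        if e.event == "Scheduled For Change":
            scheduled = e.when
        elif e.event == "Changed" and scheduled is not None:
            return (e.when - scheduled).total_seconds()
    return None


# Constructed sample log (not real RatticDB data).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_LOG = [
    AuditEntry(T0, "alice", "db-root", "Added"),
    AuditEntry(T0 + timedelta(hours=1), "bob", "db-root", "Details Viewed"),   # no cleartext fetched
    AuditEntry(T0 + timedelta(hours=2), "bob", "db-root", "Password Viewed"),
    AuditEntry(T0 + timedelta(hours=3), "bob", "wifi", "Exported"),            # assume seen
    AuditEntry(T0 + timedelta(hours=4), "bob", "mail", "Password Viewed"),
    AuditEntry(T0 + timedelta(hours=5), "alice", "mail", "Metadata Changed"),  # secret unchanged
    AuditEntry(T0 + timedelta(hours=6), "alice", "db-root", "Scheduled For Change"),
    AuditEntry(T0 + timedelta(hours=7), "alice", "db-root", "Changed"),        # bob's copy is now stale
]

if __name__ == "__main__":
    print("rotate when disabling bob:", passwords_to_rotate(SAMPLE_LOG, "bob"))
    print("rotate when disabling alice:", passwords_to_rotate(SAMPLE_LOG, "alice"))
    print("db-root change latency (s):", change_latency(SAMPLE_LOG, "db-root"))
    print("wifi change latency (s):", change_latency(SAMPLE_LOG, "wifi"))
```

Disabling `bob` yields `mail` and `wifi` but not `db-root`, because `db-root` was changed by someone else after he viewed it; the metadata-only edit on `mail` does not clear it. The latency helper returns one hour for `db-root` and None for `wifi`, which was never scheduled.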