User account audit log

I put this here for comment, let me know what you think, or if you have additional ideas.

Now that we have the per-user encrypted transaction log in iapi, I really want an audit log for user accounts. The audit events can be listed by the user and some of the more important ones should also generate a notification email.

Ideas for entries:

  • pw settings change (pw / app pw / 2fa)
  • security settings change: recovery email, recovery token displayed or mailed, pgp key changed
  • invite code created
  • services (resources) created / deleted
  • logins (where and how), this one probably with a short TTL, e.g. stored just for 1-2 weeks

maybe long-term (if we can implement it in a reasonable way):

  • login with new / unknown device
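One way the proposal above could be realised, as an added example that is not iapi code: an in-memory audit log where the "more important" event kinds also queue a notification, login entries carry where/how and expire after a short TTL, and a user can list their own entries. The event-kind names, which kinds notify, and the 14-day login TTL are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Event kinds from the proposal. NOTIFY marks the "more important" ones that
# should also trigger a notification email (which kinds qualify is assumed).
NOTIFY = {"pw_change", "app_pw_change", "2fa_change", "recovery_email_change",
          "recovery_token_shown", "pgp_key_change"}
# Retention per kind: logins get a short TTL (14 days assumed); others are kept.
RETENTION = {"login": timedelta(days=14)}

@dataclass
class AuditEvent:
    user: str
    kind: str
    at: datetime
    detail: dict = field(default_factory=dict)  # e.g. where/how for logins

class AuditLog:
    def __init__(self):
        self._events = []
        self.outbox = []  # stand-in for the mail queue: (user, message)

    def record(self, user, kind, at, **detail):
        ev = AuditEvent(user, kind, at, detail)
        self._events.append(ev)
        if kind in NOTIFY:  # important events also notify the account owner
            self.outbox.append((user, f"{kind} on your account at {at.isoformat()}"))
        return ev

    def prune(self, now):
        """Drop events whose kind has a TTL that has expired; return count removed."""
        keep = [e for e in self._events
                if RETENTION.get(e.kind) is None or now - e.at <= RETENTION[e.kind]]
        removed = len(self._events) - len(keep)
        self._events = keep
        return removed

    def list_for(self, user):
        """Entries the user can see, oldest first."""
        return sorted((e for e in self._events if e.user == user), key=lambda e: e.at)

def demo():
    # Constructed scenario: two logins 20 days apart and a password change in between.
    log, t0 = AuditLog(), datetime(2024, 1, 1, tzinfo=timezone.utc)
    log.record("alice", "login", t0, ip="198.51.100.7", how="password")
    log.record("alice", "pw_change", t0 + timedelta(days=1))
    log.record("alice", "login", t0 + timedelta(days=20), ip="198.51.100.7", how="app_pw")
    pruned = log.prune(now=t0 + timedelta(days=21))
    return len(log.outbox), pruned, [e.kind for e in log.list_for("alice")]
```

Running `demo()` shows only the password change queued a notification, the 21-day-old login was pruned while the recent one survived, and the user's listing keeps chronological order.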