I think a nice touchup would be a hard-coded option in config.php to disable clearing logs, if a super-admin account was compromised actions would at least be logged that couldn't be cleared due to the option in config.php disablingĀ as a last resort security measure. This would of course only protect you if your file-system (FTP/SFTP) remained secure. Thoughts?
To be honest, I think clearing admin logs should be a super admin level action along with downloading backups rather than having this be permissions based. These are things lower tier admins have no business in touching.
As for a setting in config.php, I'm not sure. Ideally, it would be like that out of the box rather than an option, but the logs table might wind up being really big.
(2017-11-16, 08:19 AM)Azah Wrote: [ -> ]To be honest, I think clearing admin logs should be a super admin level action along with downloading backups rather than having this be permissions based. These are things lower tier admins have no business in touching.
As for a setting in config.php, I'm not sure. Ideally, it would be like that out of the box rather than an option, but the logs table might wind up being really big.
A compromised super admin account at the moment could be used and then covered up - with only a 24 hour timeframe where the most recent logs can't be cleared. With a config.php option an attacker would not only have to compromise a super admin but also the file system in order to clear logs.
Sounds good; it could be used to limit other potentially problematic areas like templates and stylesheets, too.
(2017-11-16, 03:48 PM)Devilshakerz Wrote: [ -> ]Sounds good; it could be used to limit other potentially problematic areas like templates and stylesheets, too.
Yup I think it'd be a really cool security feature, we could add other flags too - like allow forum edits, allow settings changes, etc, the ideas are endless and could reduce attack surface. Only allow soft-delete, etc.
I got a better suggestion...how about a non-database option for logging? Would be nice to flat-file store at least recent logs.
Most likely an easy plugin that would be a decent security benefit.
But you should have better acp protection anyways. It has PIN/2FA and you should htaccess protect it with htpasswd and IP addresses.
(2017-11-17, 05:25 AM)labrocca Wrote: [ -> ]I got a better suggestion...how about a non-database option for logging? Would be nice to flat-file store at least recent logs.
Most likely an easy plugin that would be a decent security benefit.
But you should have better acp protection anyways. It has PIN/2FA and you should htaccess protect it with htpasswd and IP addresses.
Pin & 2FA are great ways to protect the admin panel - but f*ck-ups happen and sometimes an admin account is compromised - and a "paper trail" (closest thing to it) will provide insight into what happened and how to fix it.
Better logging would be great, in my opinion.
(2017-11-18, 10:21 AM)Euan T Wrote: [ -> ]Better logging would be great, in my opinion.
An ability to make clearing logs impossible without core edits or a plugin would also be great.
Server logs can also give you what you need normally. Some shared hosts allow you access.