Do not monitor subject search
See !2478 (closed) for prior discussion.
Castellum keeps an audit log (monitoring log) of security-critical actions. This includes:
- login/logout
- pseudonym access
- attribute export
- subject search
- subject deletion
- study start/stop/delete
- study member management
Most of these entries only contain database IDs, so the log is harmless without the database. However, subject search entries are special because they contain the full search string, which typically contains full names or email addresses.
Arguments for monitoring subject search:
- We want to be able to detect if users try to enumerate all subjects by entering many possible combinations at a rapid speed.
- We want to be able to detect if users search for famous people with well-known names (e.g. pop singers or politicians).
Arguments against monitoring subject search:
- Including search strings in the monitoring log increases the attack surface: the log itself becomes a store of personal data worth protecting.
- Personal data in the monitoring log is unexpected, so admins may not handle the log with the necessary care.
- Enumeration attacks can more easily be prevented by using a dumb rate limiter.
@stefan.fuertinger did I miss anything?
I do not have a strong preference either way. I would be fine with removing monitoring logs for subject search.
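As an added illustration of the two alternatives discussed above (this is example code, not part of Castellum; the key, limits and entry format are assumptions), the block below shows a sliding-window rate limiter for the search endpoint and a monitoring entry that records a keyed hash of the normalised search string instead of the plaintext. Equal queries still produce equal digests, so rapid or repeated searches remain detectable from the log, but names and email addresses are not stored in it.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Hypothetical server-side secret; a real deployment would load it from settings.
AUDIT_HMAC_KEY = b"constructed-example-key"


def pseudonymize_query(query: str, key: bytes = AUDIT_HMAC_KEY) -> str:
    """Keyed hash of the normalised search string.

    Whitespace and case are normalised first so that trivial variations of the
    same query correlate in the log. Without the key, the digest does not reveal
    the name or email that was searched for.
    """
    normalised = " ".join(query.strip().lower().split())
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


class SearchRateLimiter:
    """Allow at most `limit` searches per `window` seconds for each user."""

    def __init__(self, limit: int = 20, window: float = 60.0) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, user_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        events = self._events[user_id]
        # Drop timestamps that have left the sliding window.
        while events and now - events[0] >= self.window:
            events.popleft()
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True


def monitoring_entry(user_id: str, query: str, allowed: bool, now: float) -> dict:
    """Monitoring-log entry for one search attempt (constructed format)."""
    return {
        "action": "subject_search",
        "user": user_id,
        "query_hmac": pseudonymize_query(query),
        "allowed": allowed,
        "ts": now,
    }


def distinct_queries_in_window(entries: List[dict], user_id: str,
                               now: float, window: float) -> int:
    """Count distinct search digests a user issued within the last `window` seconds.

    A high count of distinct queries in a short time is the enumeration pattern
    the discussion wants to detect; it can be computed from the digests alone.
    """
    seen = {
        e["query_hmac"] for e in entries
        if e["user"] == user_id and now - e["ts"] < window
    }
    return len(seen)


def simulate_burst(limiter: SearchRateLimiter, user_id: str,
                   queries: List[str], start: float, interval: float) -> List[dict]:
    """Feed a constructed burst of queries through the limiter and return the log."""
    log = []
    for i, q in enumerate(queries):
        t = start + i * interval
        log.append(monitoring_entry(user_id, q, limiter.allow(user_id, t), t))
    return log


if __name__ == "__main__":
    limiter = SearchRateLimiter(limit=3, window=60.0)
    burst = ["Alice Smith", "Bob Jones", "Carol White", "Dan Brown"]
    for entry in simulate_burst(limiter, "user-1", burst, 0.0, 1.0):
        print(entry)
```

In this arrangement the limiter blocks the fourth request in the window, and the log still shows four distinct digests from one user within a few seconds, which is enough to alert on enumeration without writing any name to disk.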