Account hacking attempted here on GitLab Forum but it does not show up in the Audit Log

Any idea how I can see my account audit log details here on the GitLab Forum?

About 3 hours ago someone tried to log on to my account, and they tried to use the “login via email link” method… I got an email message with the following SMTP headers (among others):

[...] dkim=pass  [...] spf=pass  [...] dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=discoursemail.com
Date: Fri, 24 Dec 2021 11:06:21 +0000
From: GitLab Forum <gitlab@discoursemail.com>
[...]
Message-ID: <603770a4-49c6-4a44-8aeb-67d2ed489454@forum.gitlab.com>
Subject: [GitLab Forum] Log in via link

The message was properly authenticated with DKIM, SPF and DMARC… but I cannot find any trace of an Audit Log here on the forum, and there is no trace of this fake login attempt in the main GitLab Audit Log either: https://gitlab.com/-/profile/audit_log

Hi @Adi , welcome to the GitLab Community Forum!

There’s not an audit log per se, but you can review all Recently Used Devices under the User Preferences > Security (https://forum.gitlab.com/u/<your_username>/preferences/security). If anyone logged into your account, you should be able to see it there and have the option to log out of any unrecognized devices.

While you’re on that page, I suggest setting up two-factor authentication.


@gitlab-greg - I checked there… there’s nothing out of the ordinary; the only login session is my current browser one. Must have been someone who didn’t remember their username and just typed mine instead.

As for 2FA - I already have 2FA set up, with multiple FIDO hardware USB/NFC tokens…

… however… since the main GitLab Audit Log has long had a nasty issue where it will not show failed login events at all when the password is correct but the second factor is not… I just assumed the same issue was present here on the forums too.

That security issue with the Audit Log was supposedly fixed… but the fix is only available for paying GitLab users. Free users are currently still exposed to the security vulnerability where failed 2FA login events will not be visible at all in their audit log, so they have no clue that their password might be compromised and that only 2FA saved their bacon.
Audit log does not show 2-factor failed logins (#16826) · Issues · GitLab.org / GitLab · GitLab

Update: I checked just to be sure (I tried the “Manage Two-Factor Authentication” button)… and… discovered that my account here on the forum was only set up for a passwordless OAuth2 link to my GitLab account, and that is the one that was protected by 2FA.

I have now configured a proper password and 2FA here on the forum too, but doing that has broken the OAuth2 link to GitLab… I can no longer use GitLab OAuth2 SSO to log in here. :frowning:
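To make the audit-log gap discussed in this thread concrete, here is an added example (not code from the thread, from GitLab or from Discourse) of a minimal login flow with an audit sink: the flawed ordering that drops the correct-password / wrong-second-factor case next to the fixed ordering that records it as its own event, plus the detection rule that event enables. All usernames, credentials, codes and IPs in it are constructed sample values.

```python
"""Added example (not from the thread, GitLab or Discourse): why a login attempt that passes
the password check but fails the second factor must emit its own audit event."""
import hmac
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    password: str   # plaintext only to keep the example short; constructed value
    otp: str        # constructed stand-in for a real TOTP/FIDO verification


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, username, event, ip):
        self.events.append({"user": username, "event": event, "ip": ip})


def _eq(a, b):
    # constant-time compare so response timing does not reveal which factor was wrong
    return hmac.compare_digest(a.encode(), b.encode())


def login_before(user, password, otp, ip, log):
    """Flawed ordering (the behaviour the issue describes): the 2FA failure returns
    before any audit event is written, so the log looks clean."""
    if not _eq(user.password, password):
        log.record(user.username, "login_failed_password", ip)
        return False
    if not _eq(user.otp, otp):
        return False  # silent: the password was right, but nothing reaches the log
    log.record(user.username, "login_success", ip)
    return True


def login_after(user, password, otp, ip, log):
    """Fixed: every outcome emits an event, and a 2FA-only failure is a distinct
    event type because it means the password is already known to someone else."""
    if not _eq(user.password, password):
        log.record(user.username, "login_failed_password", ip)
        return False
    if not _eq(user.otp, otp):
        log.record(user.username, "login_failed_2fa", ip)
        return False
    log.record(user.username, "login_success", ip)
    return True


def password_likely_compromised(log, username):
    """Detection rule to run over the log: any 2FA-only failure for this user means
    the password alone was accepted, so it should be rotated."""
    return any(e["user"] == username and e["event"] == "login_failed_2fa"
               for e in log.events)
```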