Log Exports of the vault - restrict export of organisation

[4lexRed]

Hi,

as far as I have noticed, exports of the vault are not logged.
Probably the export is only done by the client software with the cached data -
but maybe Bitwarden clients do send an info to the server that an export was requested?

Yet, exports through the vaultwarden web interface could be traceable.
(Log Entry: YYYY-MM-DD hh:mm:ss -- User X exported his entries)

Also restricting the option to export passwort entries that belong to an organisation would be great.
(An option like "only admins can export organisation entries")

Background is a data breach by a user who (very likely) exported all his available entries - including the ones belonging to the organisation.

Would be great to see if there are possibilities to prevent theft by organisation users.

Kind regards
Alex

[BlackDex]

Have you checked https://github.com/dani-garcia/vaultwarden/blob/main/.env.template#L275-L278 ?

[BlackDex]

And here the documentation of Bitwarden it self https://bitwarden.com/help/event-logs/

[4lexRed]

Thx - the logs are now being written.
We did not have ORG_EVENTS_ENABLED set to true.

Also the organisation events (in the bitwarden documentation) in the web -interface just now appeared.
I'd suggest to set the org_events_enabled to true as default or display a hint to enable set the env variable to true to see the orgs log, when ORG_EVENTS_ENABLED is false.

The exports are events of the type INFO.
So also set LOG_LEVEL: "info" to see the exports

additional info:
Exports from the chrome-plugin (client) ARE NOT recorded in the events
Exports from the desktop client ARE recorded.
(I know, this is a client feature - not a server feature)

Can the feature "limiting exports of an organisation to admins" be implemented?
Or do I need to request that at the bitwarden server?

[BlackDex]

We do not set it default to true as it might potentially cause lots of data to be stored. It's better to let someone activate it manually, that is why the default is false.

Not sure where we need to add the hint, we can't do that in the client (which includes the web-vault), so other than reading the settings you can change I'm not really sure where to show it.

Regarding the limit export feature, I'm not aware of such a feature, and do not see it listed here https://bitwarden.com/help/policies/ either. I might have missed something of course. But we try to keep as close as possible to the Bitwarden way of working and options.

[4lexRed]

well, there is the option to remove the exports for users in the Bitwarden documentation.
https://bitwarden.com/help/policies/#remove-individual-vault-export

How to show a hint for Org Event Logs :
as long as the ORG_EVENTS_ENABLED was set to false, the menu did not show the "reporting" -> "Event logs" button.

Only after enabling Org Event Logs, the button did show.

So instead of not showing the menu button, you could show the button and display in the right pane (where events are usually shown) : "to turn events on, set the ENV Variable ORG_EVENTS_ENABLED to true. Details see here"

If this would have been the case, I wouldn't bother you with this post ;-)
(thx for your help though)

[BlackDex]

Ah that is a Bitwarden licensed feature not an open source one.

https://github.com/bitwarden/clients/tree/main/bitwarden_license/bit-web/src/app/admin-console/policies/policy-edit-definitions