On 05/15/2018 03:18 AM, Andrew Hodgson wrote:
> At the moment the list administrator and moderator account is accessed
> via no username and a single password. If that password is shared,
> I have no audit trail of who logged into the system.

ACK
I like to run Mailman (et al) administration pages behind htaccess
protection. Thus I have the username that authenticated to the web
server to corroborate who's actually accessing things.

> Also the system currently doesn't log specific access, for example admin
> A exported a load of addresses, admin B added 100 subscribers to the
> mailing list etc.

Can you not tell what was done based on the web server logs and the
requested URLs? I know that won't catch POST data, but it will give you
more information than not looking at the web server logs.
Aside: I personally consider the web server to be part of the
application framework. As such, I exercise and use it to (what I think
is) my advantage.
--
Grant. . . .
unix || die
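
Added example (not part of the original message, and not Mailman's own code): one way to pull an audit trail out of the web server logs as suggested above, pairing the htaccess-authenticated user with the Mailman admin pages requested. It assumes Apache's "combined" log format and a stock Mailman 2.1 URL layout under /mailman/admin/ and /mailman/admindb/; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log line. The third field (%u) is the user that
# authenticated to the web server (htaccess / HTTP auth); "-" means none.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: stock Mailman 2.1 admin/moderation URLs under /mailman/.
ADMIN_RE = re.compile(
    r'^/mailman/(?P<area>admin|admindb)/(?P<list>[^/?]+)(?P<rest>/[^?]*)?'
)

def admin_events(lines):
    """Yield one dict per request that hit a list admin or moderation page."""
    for line in lines:
        m = LOG_RE.match(line)
        a = ADMIN_RE.match(m['path']) if m else None
        if not a:
            continue  # unparsable line, or not an admin URL
        yield {
            'user': m['user'], 'host': m['host'], 'time': m['time'],
            'method': m['method'], 'list': a['list'],
            'page': a['area'] + (a['rest'] or ''),
            'status': int(m['status']),
        }

def summarize(lines):
    """Map (user, list) -> ['METHOD page', ...] in log order.

    POST bodies are not in the access log, so a POST to members/add shows
    who submitted the form and when, not which addresses were added.
    """
    out = defaultdict(list)
    for ev in admin_events(lines):
        out[(ev['user'], ev['list'])].append(f"{ev['method']} {ev['page']}")
    return dict(out)

# Constructed sample lines (documentation IP range, made-up users).
SAMPLE = [
    '192.0.2.10 - alice [15/May/2018:09:12:01 +0000] "GET /mailman/admin/staff/members/list HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '192.0.2.11 - bob [15/May/2018:09:30:44 +0000] "POST /mailman/admin/staff/members/add HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [15/May/2018:09:31:02 +0000] "GET /mailman/listinfo/staff HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '192.0.2.10 - alice [15/May/2018:10:02:17 +0000] "POST /mailman/admindb/staff HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for (user, lst), actions in summarize(SAMPLE).items():
        print(f'{user:8} {lst:8} {", ".join(actions)}')
```

A user field of "-" on an admin URL means the request reached Mailman without web server authentication, which is worth flagging when the htaccess protection is supposed to cover those pages.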