My company is looking at Bitwarden to help manage shared passwords, but we came across a scenario that could be a showstopper for us.
We are looking at Bitwarden with the following goals:
- Get a full log of events, so we know what users are viewing and changing
- When a user leaves the org, the details on (1) give us a full log of what credentials need updating
That would work well if there were an option to disable local caching. At the moment, a malicious user could:
- Install the desktop app
- Log in and sync the entire vault
- Disconnect from the network
- Export the vault whilst offline
- Delete the app
And no trace of the events would be left on the event log.
Is there some way to address this issue if we self-host Bitwarden? At the moment I cannot see any options on the web vault for this.
I think I understand what you’re getting at, so not to criticize your concern, but your description of “log in, sync, disconnect, export” is no worse than “log in, export”.
It comes down to this. There is nothing you can do to prevent a semi-technologically-competent malicious user from nearly instantly exporting everything they have access to. The fact of the matter is if you give someone data, you cannot control how they use that data.
That said, you can make the barrier more difficult up to the point the end user has to use or make a tool that emulates the client, which is open source. Someone could just download the client and modify it. Even if it wasn’t open source, someone could “just” reverse engineer the client. My brother does this kind of stuff as a pen tester. He’ll sniff the traffic, see what it’s doing, and whip up a proof of concept that gets the immediate job done in a few hours. Mind you, this is his job.
You’re probably more concerned about a casual malicious user. Just don’t think you have any real control of data once you’ve given someone permission to it.
There’s a good chance that what you actually want/need is SSO integration with 3rd-party services, but maybe that’s too expensive for you. Might be something to look into.
The point was more about having the user actions on the event log, which we do not get on an offline vault for obvious reasons. This is why an option to disable caching would be useful.
If the event log were an accurate description of user actions on a vault (which it cannot be if the user has an offline copy of it), then it could be used as a reference for remediation (e.g. update all passwords a user that walked out of the door actually saw / used).
We would also get a log for a vault export, unless the person had gone through the trouble of doing this only when offline.
Having said all that there are also good reasons to ensure there is a local copy of the vault. This request was for an option to be available.
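To make the remediation point above concrete, here is an added example (not code from this thread or from the Bitwarden project) that replays the scenario against a small constructed event log. Event names, fields, the "caching client" list, collection and item names and the per-user grants are all assumptions made up for illustration; they are not Bitwarden's real event schema. It contrasts a remediation list built only from logged per-item actions with a conservative list that treats any login from a client holding a local vault copy as full exposure of everything that user was granted.

```python
"""Added example, not code from the Bitwarden thread or the Bitwarden project.

Replays the "log in, sync, go offline, export" scenario against a constructed
event log to show why a per-item "what did the leaver view" list is not a safe
remediation set. Everything here (event vocabulary, fields, collection and item
names, user grants, caching-client list) is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str     # "login", "view", "export"  (constructed vocabulary)
    client: str     # "web", "desktop", ...       (constructed)
    item: str = ""  # item name for per-item actions such as "view"


# Constructed collection -> item mapping and per-user collection grants.
COLLECTIONS = {
    "prod-db": {"pg-admin", "pg-replica"},
    "cloud": {"aws-root", "gcp-owner"},
    "saas": {"slack-admin", "github-org"},
}
USER_COLLECTIONS = {
    "mallory": {"prod-db", "cloud", "saas"},
    "alice": {"saas"},
}

# Constructed log. After the 09:00 desktop login mallory's client holds a full
# local copy; exporting that copy offline produces NO event at all, which is
# exactly the gap discussed in the thread. alice's web export IS logged.
SAMPLE_LOG = [
    Event("2024-03-01T09:00:00Z", "mallory", "login", "desktop"),
    Event("2024-03-01T09:05:00Z", "mallory", "view", "web", item="pg-admin"),
    Event("2024-03-02T10:00:00Z", "alice", "view", "web", item="slack-admin"),
    Event("2024-03-02T10:01:00Z", "alice", "export", "web"),
]

# Clients assumed to keep a persistent local vault copy (constructed list).
CACHING_CLIENTS = {"desktop", "mobile", "browser", "cli"}


def items_in(collections):
    """All items contained in the given collections."""
    return {item for c in collections for item in COLLECTIONS.get(c, ())}


def rotate_by_log(events, user):
    """Naive remediation set: only what the log shows the user touched.

    A "view" exposes one item; a logged "export" exposes everything the user
    is granted. An export done from an offline client never reaches here.
    """
    exposed = set()
    for e in events:
        if e.user != user:
            continue
        if e.action == "view":
            exposed.add(e.item)
        elif e.action == "export":
            exposed |= items_in(USER_COLLECTIONS.get(user, ()))
    return exposed


def rotate_conservative(events, user):
    """Conservative remediation set.

    Any login from a client that keeps a local vault copy is treated as full
    exposure of every collection the user is granted, because that copy can be
    exported offline with no server-side trace. Logged activity is added on top.
    """
    exposed = rotate_by_log(events, user)
    if any(e.user == user and e.action == "login" and e.client in CACHING_CLIENTS
           for e in events):
        exposed |= items_in(USER_COLLECTIONS.get(user, ()))
    return exposed


def unlogged_exposure(events, user):
    """Items the conservative set adds beyond what the log alone justifies."""
    return rotate_conservative(events, user) - rotate_by_log(events, user)


if __name__ == "__main__":
    for who in ("mallory", "alice"):
        print(who, "by log:", sorted(rotate_by_log(SAMPLE_LOG, who)))
        print(who, "conservative:", sorted(rotate_conservative(SAMPLE_LOG, who)))
        print(who, "gap:", sorted(unlogged_exposure(SAMPLE_LOG, who)))
```

For mallory the log-driven list contains only pg-admin, while the conservative list contains all six items; the five-item gap is precisely what an offline export would have taken without leaving a trace. For alice, whose only export was done online and logged, the two lists agree. The practical takeaway matches the thread: once a caching client has synced, the event log can narrow the rotation list only if you are willing to assume the user never went offline.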
Can’t agree more, this is the crux of the issue really. But it is hard to constrain privilege on a small team where a few people need to do a lot of privileged stuff.