Logging of user activity

Discussion in 'Security' started by kenneth-vkd, Dec 5, 2018.

  1. kenneth-vkd

    kenneth-vkd Active Member

    Joined:
    Apr 1, 2017
    Messages:
    31
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Denmark
    cPanel Access Level:
    DataCenter Provider
    Hi
    We have some customers who have created multiple users on their cPanel account.
    These customers are now asking if it is possible to see what settings the users have changed. They are especially interested in changes made to DNS.
    Is there such a feature available in WHM/cPanel so that we can see it from WHM or maybe the user can see it themselves from within cPanel?
    If this feature is not currently available, are there then any plans to introduce this in the near future?
    Our European customers have been told by security advisors that their hosting provider must have this feature to be GDPR compliant, so we just wanted to be sure if such a feature exists or not.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    1,088
    Likes Received:
    442
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I am NOT a lawyer, so the following are my personal observations and opinion.

    Whilst every EU member country that is subject to the GDPR is free to introduce their own interpretation into law, I believe we should examine the overall intention of the regulation.

    The GDPR was intended to quantify what personally identifiable information was being collected about anyone, and how that information was recorded/stored/processed/disseminated.

    Of course, with the above in mind, we should need to ascertain if the recorded information meets the definition of being personally identifiable - and that is not something that is easy to do, and indeed there are many and varied (sometimes conflicting) opinions as to exactly what combinations of data are required to fulfil any such criteria.

    My take on this statement is that either the advisors have got it fundamentally wrong, or that they are actually trying to make an entirely different point.

    Starting from the requirement that a person is entitled to ask for all records about them to be made available in a digital format, it would follow that if cPanel recorded anything, in any log, that may be of a personally identifiable nature, the operator of the WHM/cPanel server would be obligated to extract and make any such data available to that person on demand.

    So what we are looking at is not a requirement to log the information (if nothing is logged, it can't possibly be personally identifiable information) but rather to have an easy way of extracting any information that is logged, and being able to present it in an acceptable digital format to the person who has demanded it.

    The lack of any such utility or tool encourages server operators to discontinue logging of anything that might possibly be considered to be personally identifiable in order to remain compliant (the fines for non-compliance are ridiculous, and can be millions of Euros), and results in a significant reduction in server security and their ability to audit and troubleshoot both security and technical issues.

    I consider that it is the responsibility of any company that is marketing software into the EU GDPR compliance zone, to ensure that their software includes any, and all, facilities, features and tools necessary for full compliance with the GDPR and any other EU requirement. If software does not meet, or cannot comply with, the legislative requirements of a country or area, it should not be sold into that zone. The old caveat of 'Buyer Beware' with the usual clause about the software 'suitability for use' just does not stand up either morally or ethically in my opinion, even if it does legally.

    Thanks for reading.
     
  3. kenneth-vkd

    Hi
    I do agree that different countries have different ways of understanding GDPR. Even different "security" advisors have different opinions on how to understand and implement GDPR compliance.
    This is also why it can be problematic and we have also seen competitors simply disable all server logs to avoid issues since they have found, or been told, that the IP-address is personally identifying information.

    Anyhow, the main question is still if there is a way to either see user activity or enable a feature to be able to log user activity.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,877
    Likes Received:
    482
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Could you expand on this a bit more please? How were these users created exactly? Was the User Manager in cPanel used? Those users would not have any access to modify DNS settings, AFAIK.
     
  5. kenneth-vkd

    Hi
    Our customers have created multiple users inside cPanel under User Manager. This is done to avoid sharing one password.
    But for example when they give the marketing department access, then they can see many things and could perhaps make a breaking change to the DNS settings.
    Currently we have no way to see what was changed by who, using the UI. But if there is a way for us to see it in a logfile on the server, then it is also fine.
     
  6. Infopro

    cPanelLauren and rpvw like this.
  7. rpvw

    I don't understand that.

    When you create users under the cPanel user manager, the only things they can access are Email/FTP/Web Disk (whatever combination that they were allocated) and I don't see how any of those would be able to access or alter e.g. DNS settings?
     
    cPanelLauren likes this.
  8. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,124
    Likes Received:
    474
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider