I am in need of advice on the matter of auditing a project.
Currently the project I am developing has many actions a "user" can perform such as:
All these actions, which are reachable by a User, are audited; however, I don't know if it's usual to, for example, audit the following:
Password policies state that the User password must include at least 1 symbol and 1 digit. A certain user at a certain time tries to change his password without caring about the policies; of course he will get a message stating that the password policies are not respected, but should this be audited? I just want opinions from people who have audited before, or who know about the matter.
Another possible case can be when a user tries to delete something that doesn't exist, for instance having an empty list of permissions and trying to delete a non-existing one. Once again the user will get a message saying to select at least one permission to delete, but should this action be audited?
Any feedback is welcome; this is my first time auditing a project, thanks :)
It strongly depends on your requirements. What does the client or the regulations of the business require? Do you want to audit to make your system more secure (by learning what malevolent users do)?
And by "auditing", do you mean to log it in a file or to insert it in a DB to grab statistics?
EDIT: Auditing everything might be a bit expensive, so I suggest you make a list of items in order of priority. My list would look something like this.
Again, that's my list; you'll probably need to come up with your own, as you might want to have more advanced auditing such as "time spent on the site".
Another important thing: make the logs readable and searchable as much as you can.
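As an added illustration of the answer's two points (prioritise what you audit, and keep the log searchable), here is a small Python sketch of an audit log that records the asker's two borderline cases, a password change rejected by policy and a delete of a non-existing permission, as structured JSON lines with a priority tag. This is example code written for this page, not code from the original question or answer; the event names, the priority table, the password-policy regex and the in-memory storage are all constructed assumptions.

```python
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Constructed priority table (assumption): the higher the number, the more
# important it is to keep the event when the auditing budget is limited.
PRIORITY = {
    "password.changed": 3,
    "permission.deleted": 3,
    "password.change_rejected": 2,   # repeated rejections may reveal probing
    "permission.delete_noop": 1,     # cheap to drop if storage is tight
}

@dataclass
class AuditEvent:
    ts: str                 # UTC timestamp, ISO 8601
    actor: str              # who performed the action
    action: str             # dotted event name, see PRIORITY
    outcome: str            # "success" | "rejected" | "noop"
    priority: int
    detail: Optional[str] = None

class AuditLog:
    """In-memory JSON-lines audit log: one JSON object per line, easy to grep or load."""

    def __init__(self, min_priority: int = 1):
        self.min_priority = min_priority
        self.lines: List[str] = []

    def record(self, actor: str, action: str, outcome: str, detail: Optional[str] = None) -> bool:
        """Append an event; returns False when it falls below the configured priority."""
        prio = PRIORITY.get(action, 1)
        if prio < self.min_priority:
            return False
        ev = AuditEvent(datetime.now(timezone.utc).isoformat(), actor, action, outcome, prio, detail)
        self.lines.append(json.dumps(asdict(ev), sort_keys=True))
        return True

    def search(self, **criteria) -> List[dict]:
        """Return every event whose fields equal all given criteria, e.g. search(actor='alice')."""
        hits = []
        for line in self.lines:
            ev = json.loads(line)
            if all(ev.get(k) == v for k, v in criteria.items()):
                hits.append(ev)
        return hits

# Constructed policy matching the question: at least one digit and one symbol.
PASSWORD_POLICY = re.compile(r"^(?=.*\d)(?=.*[^\w\s]).+$")

def change_password(log: AuditLog, user: str, new_password: str) -> bool:
    """Apply the policy and audit the outcome; the password itself is never logged."""
    if not PASSWORD_POLICY.match(new_password):
        log.record(user, "password.change_rejected", "rejected", "policy: needs a digit and a symbol")
        return False
    log.record(user, "password.changed", "success")
    return True

def delete_permissions(log: AuditLog, user: str, permissions: set, to_delete: list) -> int:
    """Delete the selected permissions, auditing both real deletions and no-ops."""
    if not to_delete:
        log.record(user, "permission.delete_noop", "noop", "empty selection")
        return 0
    removed = 0
    for perm in to_delete:
        if perm in permissions:
            permissions.discard(perm)
            removed += 1
            log.record(user, "permission.deleted", "success", perm)
        else:
            log.record(user, "permission.delete_noop", "noop", f"no such permission: {perm}")
    return removed

if __name__ == "__main__":
    log = AuditLog()
    change_password(log, "alice", "password")      # rejected by policy, audited
    change_password(log, "alice", "p4ssw0rd!")     # accepted, audited
    delete_permissions(log, "alice", set(), [])    # no-op, audited at low priority
    for ev in log.search(actor="alice"):
        print(ev)
```

The `min_priority` knob is what lets you start by auditing everything and later drop the cheap no-op events without touching the calling code, while the one-object-per-line format keeps the log both human-readable and trivially searchable.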