Add disable two factor authentication to audit events
Audit need
Currently, if a user (or an admin acting on behalf of the user) disables two-factor authentication, nothing is recorded in the audit logs.
There are currently two scenarios that warrant this audit event:
- This MR !88799 (merged) (if accepted) will allow admins to disable two-factor authentication for users via the REST API. Ideally we want some kind of log that captures this action for auditing purposes.
- In GitLab Support, if customers require 2FA to be disabled on GitLab.com, they must go through a rigorous workflow to verify ownership of the account. If the user succeeds in proving account ownership, our engineers follow this workflow:
> For disabling 2FA: If you agree with the decision, sign into your admin account and locate the username in the users table or by going to https://gitlab.com/admin/users/usernamegoeshere
> - Under the account tab, click Edit, add an Admin Note, and save.
> - On the account tab, click on Disable 2FA.
> - Use the `Support::SaaS::2FA::2FA Removal Verification - Successful` macro.
Using the Admin Note as the audit log is prone to human errors - engineers might forget to add the note, or someone might accidentally delete the note later on, and so on.
Proposal
Add an instance-level audit event that records when two-factor authentication has been disabled for a user and indicates who initiated the action.
There might also be benefits to adding this at the group level as well.
The best place to implement this would be in the TwoFactor::DestroyService class.
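As an illustration of the proposal (an added example, not GitLab's own code, and not the real `TwoFactor::DestroyService` or GitLab's audit framework), the following self-contained Ruby sketch shows the shape such a service could take: the audit event is written in the same step as the state change, so it records who initiated the action (self-service versus an admin acting on the user's behalf) and the scope (instance, or optionally a group), and it cannot be forgotten the way a manually added Admin Note can. All class, struct and method names below are hypothetical stand-ins.

```ruby
# Added example: a minimal, self-contained model of a 2FA-disable service that
# emits an audit event attributing the action to its initiator.
# All names here (User, AuditEvent, AuditLog, TwoFactor::DestroyService) are
# hypothetical stand-ins, not GitLab's real classes.

User = Struct.new(:id, :username, :admin, :otp_required_for_login, keyword_init: true) do
  def two_factor_enabled?
    otp_required_for_login
  end

  def admin?
    admin
  end
end

# The audit record captures the actor (who initiated), the target account,
# the scope (instance or group) and whether the user acted on their own account.
AuditEvent = Struct.new(:name, :author_id, :author_name, :target_id, :target_name,
                        :scope, :self_service, keyword_init: true)

# In-memory stand-in for the audit log store (constructed for this example).
class AuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def record(event)
    @events << event
  end
end

module TwoFactor
  class DestroyService
    Result = Struct.new(:status, :message, keyword_init: true)

    # current_user: the actor; user: the account whose 2FA is being disabled.
    # group: optional group name to scope the event to (nil means instance-level).
    def initialize(current_user, user:, audit_log:, group: nil)
      @current_user = current_user
      @user = user
      @audit_log = audit_log
      @group = group
    end

    def execute
      unless authorized?
        return Result.new(status: :error, message: 'You are not authorized to perform this action')
      end
      unless @user.two_factor_enabled?
        return Result.new(status: :error, message: 'Two-factor authentication is not enabled for this user')
      end

      @user.otp_required_for_login = false
      # The audit event is recorded as part of the disable step itself, so it is
      # never left to a human to remember (unlike an Admin Note).
      @audit_log.record(build_audit_event)
      Result.new(status: :success)
    end

    private

    # Only the account owner or an admin may disable 2FA for an account.
    def authorized?
      @current_user.id == @user.id || @current_user.admin?
    end

    def build_audit_event
      AuditEvent.new(
        name: 'user_disable_two_factor',
        author_id: @current_user.id,
        author_name: @current_user.username,
        target_id: @user.id,
        target_name: @user.username,
        scope: @group ? "group:#{@group}" : 'instance',
        self_service: @current_user.id == @user.id
      )
    end
  end
end
```

The two error paths matter for the audit trail: an unauthorized attempt and a no-op on an account without 2FA both return an error and write nothing, so every recorded event corresponds to an actual state change and names the admin or user who caused it.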