Compile, organize and schedule various Wikimedia security-related user audits
Closed, DeclinedPublic
Actions

Assigned To

Authored By

	sbassett
	Jun 1 2020, 9:27 PM

Description

There are a handful of user audits that the Security-Team should be regularly performing:

T237696: Wikimedia deployers audit
{https://phabricator.wikimedia.org/T252465}
T245526: Audit @wikimedia GitHub org access (2020)
{https://phabricator.wikimedia.org/T225069}
{https://phabricator.wikimedia.org/T263784}
{https://phabricator.wikimedia.org/T273829}
{https://phabricator.wikimedia.org/T263237}
T299400: Audit members of acl*security for more than x duration of no activity (Jan 2022)
T274475: Audit WM maintained libraries for lack of phan
T391150: Audit Phabricator security policies and groups membership

Likely some others too, which we should catalog here and automate/schedule in the simplest way possible.

Related Objects
Search...

Status	Assigned	Task
Declined	sbassett	T254201 Compile, organize and schedule various Wikimedia security-related user audits
Open	None	T391150 Audit Phabricator security policies and groups membership
		Restricted Task
Resolved	• Jly	T368224 Audit members of acl*security for more than 12 months of no activity (May 2025)

Event Timeline

sbassett created this task.Jun 1 2020, 9:27 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 1 2020, 9:27 PM

sbassett triaged this task as Medium priority.Jun 1 2020, 9:27 PM

sbassett added a project: Security-Team.

sbassett moved this task from Incoming to Back Orders on the Security-Team board.

sbassett removed sbassett as the assignee of this task.Jun 29 2020, 3:35 PM

sbassett updated the task description. (Show Details)Sep 15 2020, 9:32 PM

sbassett updated the task description. (Show Details)Sep 24 2020, 7:57 PM

Peachey88 moved this task from Backlog to config on the Wikimedia-GitHub board.Nov 22 2020, 4:42 AM

sbassett updated the task description. (Show Details)Feb 4 2021, 3:32 PM

Krinkle awarded a token.Feb 4 2021, 4:30 PM

sbassett updated the task description. (Show Details)Feb 22 2021, 10:08 PM

sbassett updated the task description. (Show Details)Jan 18 2022, 4:02 PM

sbassett updated the task description. (Show Details)Jan 20 2022, 3:58 PM

sbassett updated the task description. (Show Details)

Interesting blog post on further securing Github orgs, which is somewhat related to the Github user audits we've done previously. Not all of these apply to us, of course, and some might translate nicely for Gitlab, as well. https://alsmola.medium.com/securing-github-organizations-9c33c850638

A possibly-helpful tool for github (and gitlab?) audits: https://github.com/scribe-public/gitgat

Yet another github org auditing tool: https://github.com/Legit-Labs/legitify

Ladsgroup awarded a token.Apr 23 2024, 9:54 PM

Pppery subscribed.May 15 2024, 4:11 AM

sbassett mentioned this in T391150: Audit Phabricator security policies and groups membership.Apr 7 2025, 1:58 PM

Johannnes89 subscribed.Apr 8 2025, 5:37 PM

sbassett updated the task description. (Show Details)Apr 8 2025, 6:12 PM

sbassett mentioned this in T397734: Audit members of acl*security for more than 12 months of no activity (May 2026).Jun 30 2025, 4:17 PM

sbassett mentioned this in T398840: Modify security-related Phabricator projects related to incidents and audits.Jul 7 2025, 2:57 PM

sbassett added a project: Security-Audits.Jul 23 2025, 7:20 PM

Declining this for now as most of these should now be tracked via Security-Audits (https://phabricator.wikimedia.org/project/profile/8069/).

sbassett moved this task from Backlog to Done on the user-sbassett board.Jul 23 2025, 7:24 PM

sbassett removed subscribers: • Dsharpe, • chasemp.

Compile, organize and schedule various Wikimedia security-related user auditsClosed, DeclinedPublicActions

Description

Related ObjectsSearch...

Event Timeline

Compile, organize and schedule various Wikimedia security-related user audits
Closed, DeclinedPublic
Actions

Related Objects
Search...