000033020 - Generating a Report on who has Accessed the Operations Console and Logged onto the Command Line for RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000033020
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1
Platform: SUSE Enterprise Linux
O/S Version: 11 Service Pack 3
Product Description: SecurID Appliance
Issue: An administrator needs to generate a report on who has accessed the Operations Console and logged on at the command line.
Resolution: An administrator can list and add more Operations Console users via the Security Console. Managing who has access to the Operations Console is done via the Security Console > Administration > Manage OC Administrators.
The Authentication Activity template can report on who has logged on to and logged out of the Operations Console. The activity keys are as follows:

| Activity Key | Description |
|---|---|
| OC Admin authentication | Operations Console admin {name} attempted to authentication to the Operations Console |
| OC Admin session logout | Operations Console admin {name} attempted to log out of Operations Console |

Generating a Report


To create a report, use the Security Console > Reporting > Reports > Add New.

Select the Authentication Activity template and then click the Next button.
Enter only a Report Name (e.g. Authentication Activity Report) and click the Save button.

To run the report, use the Security Console > Reporting > Reports > Manage Existing > left-click the Report name and select Run Report Job Now > enter minimal or no Input Parameters Values and click Run Report.

The Authentication Manager primary instance does not report on rsaadmin account usage because rsaadmin is a Linux operating system account. An administrator can review the /var/log/messages file to check when the rsaadmin account accessed the command line via an SSH session and from which IP address.
Example:
Apr 26 09:15:18 app81p sshd[27551]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.17.64 port 63591 ssh2
NOTE: /var/log/messages does not report when the rsaadmin account logs on at the local console, but it does show failed authentications or attempts to access the local console.
Examples:
Apr 26 09:13:08 app81p login[80907]: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module
Apr 26 09:13:50 app81p login[80981]: FAILED LOGIN 1 FROM /dev/tty1 FOR root, Authentication failure
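
One way to turn the /var/log/messages entries above into a short report, as an added example that is not RSA tooling. It assumes log lines in exactly the format shown in this article; the function names and output labels are hypothetical, and the "otheruser" line in the sample is constructed to show the account filter.

```shell
#!/bin/sh
# Added example, not RSA tooling. Function names and output labels are hypothetical.

# report_cli_access [FILE] [ACCOUNT]   FILE "-" (the default) reads stdin.
# Output: SSH_ACCEPTED   <mon> <day> <time> <user> <source-ip> <method>
#         CONSOLE_FAILED <mon> <day> <time> <user> <tty> <reason>
report_cli_access() {
    awk -v acct="${2:-rsaadmin}" '
    # sshd: "Accepted <method> for <user> from <ip> port <n> ssh2"
    $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" && $9 == acct {
        print "SSH_ACCEPTED", $1, $2, $3, $9, $11, $7
        next
    }
    # login: "FAILED LOGIN <n> FROM <tty> FOR <user>, <reason>"
    # Reported for every user name, since any failed console attempt is of interest.
    $5 ~ /^login\[[0-9]+\]:$/ && $6 == "FAILED" && $7 == "LOGIN" && $11 == "FOR" {
        user = $12
        sub(/,$/, "", user)                  # drop the comma after the user name
        reason = ""; sep = ""
        for (i = 13; i <= NF; i++) { reason = reason sep $i; sep = " " }
        print "CONSOLE_FAILED", $1, $2, $3, user, $10, reason
    }' "${1:--}"
}

# Sample input: the three lines from this article plus one constructed line
# (otheruser, 192.0.2.10) that the rsaadmin filter must skip.
sample_log() {
    cat <<'EOF'
Apr 26 09:13:08 app81p login[80907]: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module
Apr 26 09:13:50 app81p login[80981]: FAILED LOGIN 1 FROM /dev/tty1 FOR root, Authentication failure
Apr 26 09:15:18 app81p sshd[27551]: Accepted keyboard-interactive/pam for rsaadmin from 192.168.17.64 port 63591 ssh2
Apr 26 09:20:02 app81p sshd[27600]: Accepted password for otheruser from 192.0.2.10 port 50000 ssh2
EOF
}

# Demo run on the embedded sample; on the appliance, pass /var/log/messages instead.
sample_log | report_cli_access -
```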
