|Applies To||RSA Product Set : SecurID|
RSA Product/Service Type : RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1
Platform : SUSE Enterprise Linux
O/S Version : 11 Service Pack 3
Product Description : SecurID Appliance
|Issue||An administrator needs to generate a report on who has accessed the Operations Console and logged on at the command line.|
|Resolution||An administrator can list and add more Operations Console users via the Security Console. Managing who has access to the Operations Console is done via the Security Console > Administration > Manage OC Administrators|
The Authentication Activity template can report on who has performed a logon and logout of Operations Console. The activity keys are as follows:
Generating a Report
To create a report use the Security Console > Reporting > Reports > Add New.
Select the Authentication Activity template and then click the Next button
Only enter a Report Name (e.g. Authentication Activity Report) and click the Save button
To run the report use the Security Console > Reporting > Reports > Manage Existing > left-click the Report name and select Run Report Job Now > enter minimal or no Input Parameters Values and click Run Report
The authentication manager primary instance does not report on the rsaadmin account usage as rsaadmin is a LINUX operating system account. An administrator can review the /var/log/messages file to check when the rsaadmin account accessed the command line via an SSH session and from which IP address.
Apr 26 09:15:18 app81p sshd: Accepted keyboard-interactive/pam for rsaadmin from 192.168.17.64 port 63591 ssh2
NOTE: the /var/log/messages does not report when the rsaadmin account performs a logon to the local console but will show failed authentications or attempts to access the local console.
Apr 26 09:13:08 app81p login: FAILED LOGIN 1 FROM /dev/tty1 FOR UNKNOWN, User not known to the underlying authentication module
Apr 26 09:13:50 app81p login: FAILED LOGIN 1 FROM /dev/tty1 FOR root, Authentication failure