Password Change Audit Logs for Operations, Security and Operating System Admins
2 years ago
Article Number
000071870
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.5 or later
Issue
Generating an audit report for password changes of the Operations Console, Security Console and Operating System (rsaadmin) administrators.
Resolution
  1. If the Operations Console administrator's password is changed, the logs will appear in the administration activity monitor/report.
  2. If the Security Console administrator's password is changed, the logs will appear in the administration activity monitor/report.
  3. If the Operating System administrator's (rsaadmin) password is changed, the logs will appear in /var/log/messages in the Linux logs.
To show the password change activity on the CLI for OS admin in all messages files (compressed and not compressed):
  1. SSH to the RSA AM instance.
  2. Obtain root privileges by executing: sudo su
  3. Execute this command: if ! [ -e /tmp/messages ]; then mkdir /tmp/messages; fi;cp /var/log/messages* /tmp/messages;bzip2 -d /tmp/messages/*.bz2 2> /dev/null;rm -rf /tmp/messages/*.bz2 ; grep "password changed for rsaadmin" /tmp/messages/message*; rm -rf /tmp/messages

To show the password change activity on the CLI for OS admin in all messages files (compressed and not compressed) and save it in a text file:
  1. SSH to the RSA AM instance.
  2. Obtain root privileges by executing: sudo su
  3. Execute this command: if ! [ -e /tmp/messages ]; then mkdir /tmp/messages; fi;cp /var/log/messages* /tmp/messages;bzip2 -d /tmp/messages/*.bz2 2> /dev/null;rm -rf /tmp/messages/*.bz2 ; grep "password changed for rsaadmin" /tmp/messages/message* | tee /tmp/os_password_change_report.txt; rm -rf /tmp/messages
  4. The report is saved as /tmp/os_password_change_report.txt. This file contains the same output that appears on the CLI.
  5. You can use any file transfer program (WinSCP, FileZilla, ...) to retrieve this report and save it on the desktop.
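
The following is an added example, not RSA's command: it runs the same search by reading each messages file in place (streaming .bz2 archives through bzip2 -dc), so no copy of the system log is left in /tmp, and it writes the report to a file only its owner can read. The function names, the mktemp report name and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not RSA's command: report OS-admin password changes by
# reading the messages files in place instead of copying them to /tmp.

# find_pw_changes [USER] [LOGDIR]   (defaults: rsaadmin, /var/log)
# Prints "file: line" for each match, streaming .bz2 archives via bzip2 -dc.
find_pw_changes() {
    user="${1:-rsaadmin}"
    logdir="${2:-/var/log}"
    for f in "$logdir"/messages*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.bz2) bzip2 -dc -- "$f" 2>/dev/null ;;
            *)     cat -- "$f" ;;
        esac | grep -F -- "password changed for $user" |
            awk -v name="${f##*/}" '{ print name ": " $0 }'
    done
}

# save_pw_change_report [USER] [LOGDIR]
# Writes the matches to a new owner-only file and prints its path.
# The mktemp file name is an assumption of this example.
save_pw_change_report() {
    report=$(mktemp "${TMPDIR:-/tmp}/os_password_change_report.XXXXXX") || return 1
    chmod 600 "$report"
    find_pw_changes "$@" > "$report"
    printf '%s\n' "$report"
}

# make_sample_logs DIR: constructed log lines for trying the functions offline.
make_sample_logs() {
    mkdir -p "$1" || return 1
    cat > "$1/messages" <<'EOF'
2024-03-02T09:15:11+00:00 am-primary passwd[4211]: pam_unix(passwd:chauthtok): password changed for rsaadmin
2024-03-02T09:16:40+00:00 am-primary sshd[4302]: Accepted password for rsaadmin from 192.0.2.10 port 50122 ssh2
EOF
    cat > "$1/messages-20240201" <<'EOF'
2024-01-20T14:02:57+00:00 am-primary passwd[1877]: pam_unix(passwd:chauthtok): password changed for rsaadmin
2024-01-21T08:00:03+00:00 am-primary passwd[1990]: pam_unix(passwd:chauthtok): password changed for backupop
EOF
    # Compress the rotated file as log rotation would, if bzip2 is installed.
    if command -v bzip2 >/dev/null 2>&1; then bzip2 "$1/messages-20240201"; fi
}
```

On the appliance, run save_pw_change_report as root with no arguments to search /var/log/messages* for rsaadmin; pass a different user name as the first argument to audit another OS account.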