This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
DanShires
Contributor
Contributor
‎2022-10-14 05:01 PM

Last password change audit evidence

I have an audit requirement to show evidence for all OS and system accounts that their password is changed at a minimum annually.  Running the Admin Activity report shows when the Operations Console user pw is changed but not the built in Security Console nor the OS account.  Has anyone already solved this and if so, how?

 

Thanks

Dan Shires
Reply
3 Replies
EricaChalfin
Moderator Moderator
Moderator
‎2022-10-17 10:21 AM

@DanShires,

The rsaadmin account is an OS level account, so any password changes would not be stored in the Authentication Manager log database. Try looking in /var/log/messages.

As an aside, Authentication Manager only retains the data contained in the log database for 100 days. 


Best regards,
Erica
0 Likes
Reply
DanShires
Contributor
Contributor
In response to EricaChalfin
‎2022-10-24 10:59 AM

ok but how about the security console internal id source account?

Dan Shires
0 Likes
Reply
EricaChalfin
Moderator Moderator
Moderator
In response to DanShires
‎2022-10-26 07:06 PM

@DanShires,

As you have seen, password changes for your Authentication Manager admins are be logged to in the admin activity monitor with an entry such as:

User "admin" attempted to update principal "alicent", stored in identity source "Internal Database" and managed in security domain "SystemDomain."

Your rsaadmin user is an OS account and password changes are tracked there. 

Are you referring to the @PROXYUSER@ and trustedapp accounts that Authentication Manager uses? 

The passwords for the @PROXYUSER@ and trustedapp accounts are created dynamically when Quick Setup is completed on the Authentication Manager server.  These passwords are unique to each Authentication Manager environment.  Since they are generated by the system, they are extraordinarily complex and are never read or input during the use of the system. 

The PROXYUSER@ user

@PROXYUSER@ is a built in administrative account that is used internally by the RSA Authentication Manager software to handle all Self-Service operations. It is not an account that logs in, as the account is disabled by default and the password is randomly generated. Never change the password. 

The trustedapp user

The trustedapp user is the API connection that is used for back-end communication between the web tier and the RSA Authentication Manager primary. The trustedapp user cannot be removed, disabled, or renamed. 

More information about @PROXYUSER@ and trustedapp

The passwords for the @PROXYUSER@ and trustedapp accounts are created dynamically when Quick Setup is completed on the RSA Authentication Manager server. These passwords are unique to each Authentication Manager environment. Since they are generated by the system, they are extraordinarily complex and are never read or input during the use of the system. 

The rsaadmin account

Another default account is the RSA Authentication Manager operating system account user ID named rsaadmin. This user ID cannot be changed. The operating system account password is set during the Quick Setup process. This account is used to access the operating system when performing advanced maintenance or troubleshooting tasks. The rsaadmin account is a privileged account to which access should be strictly limited and audited. 

Individuals who know the rsaadmin password and who are logged on as rsaadmin have sudo privileges and shell access.

Best regards,
Erica
0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.