Last password change audit evidence
I have an audit requirement to show evidence for all OS and system accounts that their password is changed at a minimum annually. Running the Admin Activity report shows when the Operations Console user pw is changed but not the built in Security Console nor the OS account. Has anyone already solved this and if so, how?
The rsaadmin account is an OS level account, so any password changes would not be stored in the Authentication Manager log database. Try looking in /var/log/messages.
As an aside, Authentication Manager only retains the data contained in the log database for 100 days.
As you have seen, password changes for your Authentication Manager admins are logged in the admin activity monitor with an entry such as:
User "admin" attempted to update principal "alicent", stored in identity source "Internal Database" and managed in security domain "SystemDomain."
Your rsaadmin user is an OS account and password changes are tracked there.
Are you referring to the @PROXYUSER@ and trustedapp accounts that Authentication Manager uses?
The passwords for the @PROXYUSER@ and trustedapp accounts are created dynamically when Quick Setup is completed on the Authentication Manager server. These passwords are unique to each Authentication Manager environment. Since they are generated by the system, they are extraordinarily complex and are never read or input during the use of the system.
The @PROXYUSER@ user
@PROXYUSER@ is a built-in administrative account that is used internally by the RSA Authentication Manager software to handle all Self-Service operations. It is not an account that logs in, as the account is disabled by default and the password is randomly generated. Never change the password.
The trustedapp user
The trustedapp user is the API connection that is used for back-end communication between the web tier and the RSA Authentication Manager primary. The trustedapp user cannot be removed, disabled, or renamed.
More information about @PROXYUSER@ and trustedapp
The passwords for the @PROXYUSER@ and trustedapp accounts are created dynamically when Quick Setup is completed on the RSA Authentication Manager server. These passwords are unique to each Authentication Manager environment. Since they are generated by the system, they are extraordinarily complex and are never read or input during the use of the system.
The rsaadmin account
Another default account is the RSA Authentication Manager operating system account user ID named rsaadmin. This user ID cannot be changed. The operating system account password is set during the Quick Setup process. This account is used to access the operating system when performing advanced maintenance or troubleshooting tasks. The rsaadmin account is a privileged account to which access should be strictly limited and audited.
Individuals who know the rsaadmin password and who are logged on as rsaadmin have sudo privileges and shell access.
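Added example, not part of the original thread or of RSA's documentation: since the Authentication Manager log database only keeps 100 days, annual evidence for an OS account such as rsaadmin can be taken from the last-change field of the shadow password file instead. This assumes the appliance OS uses the standard shadow(5) format; the function names, the account names other than rsaadmin, and all hash values are constructed for illustration.

```shell
#!/bin/sh
# Added example. shadow(5) field 3 = day of last password change, counted in
# days since 1970-01-01. Every account line below is constructed sample data.

# write_sample FILE: constructed shadow-format lines (hashes are placeholders)
write_sample() {
    cat > "$1" <<'EOF'
rsaadmin:$6$CONSTRUCTED$placeholder:19900:0:99999:7:::
svcbackup:$6$CONSTRUCTED$placeholder:19500:0:99999:7:::
olduser:!$6$CONSTRUCTED$placeholder:19000:0:99999:7:::
newuser:$6$CONSTRUCTED$placeholder:0:0:99999:7:::
daemon:*::0:99999:7:::
EOF
}

# pw_age_report FILE MAX_AGE_DAYS [TODAY_AS_DAY_NUMBER]
# Prints one line per account: name status age_days last_change_day locked
pw_age_report() {
    today=${3:-$(( $(date -u +%s) / 86400 ))}
    awk -F: -v max="$2" -v today="$today" '
        $0 == "" || $0 ~ /^#/ { next }            # skip blank and comment lines
        {
            locked = ($2 ~ /^[!*]/) ? "yes" : "no"  # "!" or "*" prefix: no password login
            if ($3 !~ /^[0-9]+$/) {                 # empty: no change date recorded
                print $1, "NO_CHANGE_DATE", "-", "-", locked; next
            }
            if ($3 + 0 == 0) {                      # 0: change forced at next login
                print $1, "CHANGE_PENDING", "-", 0, locked; next
            }
            age = today - $3
            print $1, (age > max ? "OVERDUE" : "OK"), age, $3, locked
        }' "$1"
}

# Demo on the constructed sample, with "today" pinned to day 20000 (2024-10-04)
sample=$(mktemp)
write_sample "$sample"
pw_age_report "$sample" 365 20000
rm -f "$sample"
```

On a live system the same field is what `chage -l rsaadmin` reports as "Last password change". Reading /etc/shadow itself requires root.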