When adding or removing users from an Administrative role (role = Service Desk Master Policy) I do not find this action logged to the sourcetype: rsa:securid:system:syslog, rsa:securid:runtime:syslog, or rsa:securid:syslog. I would like this action to be logged to splunk. Is this possible?
We discourage the posting of sensitive data on RSA Link. See Tips for Posting Questions to the RSA SecurID Access Community for more information. I edited your post to remove the hyperlinks that contained the names of your servers.
Regards,
Erica
Great. Please answer the question.
We are audited all the time and need to have real time reporting on administrative changes to the system and elevated administrative groups. How is this done? If it was intuitive I would have already done it.
Associating a user with an Admin Role puts a record with Action ID 10024 in the Administrative Activity Log; disassociating a user from an Admin Role puts a record with Action ID 10025 in the same Log.
Here is what they look like in an Admin Activity Report on my test system:
2020-06-02 14:19:59 | INFO | 10024 | Associate principal with administrative role | Administrator “admin.id” attempted to associate principal “user.id”, stored in identity source “Internal Database” and managed in security domain “SystemDomain”, with administrative role “Auth Mgr Help Desk” managed in security domain “SystemDomain” | Success |
2020-06-02 14:22:48 | INFO | 10025 | Disassociate principal from administrative role | Administrator “admin.id” attempted to disassociate principal “user.id”, stored in identity source “Internal Database” and managed in security domain “SystemDomain”, from administrative role “Auth Mgr Help Desk” managed in security domain “SystemDomain” | Success |
Associating a user with an Admin Role puts a record with Action ID 10024 in the Administrative Activity Log; disassociating a user from an Admin Role puts a record with Action ID 10025 in the same Log.
Here is what they look like in an Admin Activity Report on my test system:
2020-06-02 14:19:59
INFO
10024
Associate principal with administrative role
Administrator “admin.id” attempted to associate principal “user.id”, stored in identity source “Internal Database” and managed in security domain “SystemDomain”, with administrative role “Auth Mgr Help Desk” managed in security domain “SystemDomain”
Success
2020-06-02 14:22:48
INFO
10025
Disassociate principal from administrative role
Administrator “admin.id” attempted to disassociate principal “user.id”, stored in identity source “Internal Database” and managed in security domain “SystemDomain”, from administrative role “Auth Mgr Help Desk” managed in security domain “SystemDomain”
Success