
InTrust 11.3 - Preparing for Auditing Privilege Manager for Sudo

Step 5. Enable Schedule for Daily Collection Task

To enable the schedule for the daily collection task, take the following steps:

  1. In Quest InTrust Manager | Workflow | Tasks | Predefined tasks, right-click PM for SUDO Syslog - daily collection and select Properties.
  2. Select the Schedule Enabled check box and click OK.
  3. Click the Commit button on the toolbar to apply the changes.

Step 6. Run Daily Collection Task

To start collecting events from Privilege Manager for SUDO master hosts, right-click PM for SUDO Syslog - daily collection in the left pane and then click Run.

This task collects all events from Privilege Manager for SUDO and stores them in the default repository. To view the current state of the task, use the Workflow | Sessions node in the left pane.

When the daily collection task has finished, you can open InTrust Repository Viewer and start processing the event data according to your needs. For possible use case scenarios, see the Usage Scenario section.

Step 7. Run Weekly Reporting Task

To import all Privilege Manager for SUDO events from the default repository into the default database and then build reports, run the weekly reporting task as follows:

  1. Select the PM for SUDO Syslog - weekly reporting task in the left pane, and then select the PM for SUDO reporting on the right.
  2. Open the Delivery tab and configure the Export to the shared folder and Save report as type options according to your needs.
  3. Click the Commit button on the toolbar to apply the changes.
  4. To start building reports based on the events collected in the previous step, right-click PM for SUDO Syslog - weekly reporting in the left pane and then click Run.

To view the current state of the task, use the Workflow | Sessions node in the left pane.

When the weekly reporting task has finished, you can view the reports in the location selected on the Delivery tab of the reporting job.

Usage Scenario

This topic describes a typical situation in a production environment and shows how InTrust with the Privilege Manager for SUDO Knowledge Pack helps handle it.

Suppose you need to find out whether an unauthorized person tried to access passwords using the passwd command on particular hosts managed by Privilege Manager for SUDO.

To do that, in Repository Viewer open the repository to which InTrust collects logs from Privilege Manager for SUDO, and then take the following steps:

  1. Select the Auditing Unix and Linux | Auditing Privilege Manager for SUDO | All events by Submit user (last 7 days) predefined search.
  2. If necessary, perform additional configuration for the predefined search. For instance, you may change the When field value according to your needs.
  3. Use the Where field to narrow down the scope to the hosts on which suspicious password access might have taken place.
  4. After that, in the Search Filter pane click Add or Remove Parameters, select Named Insertion Strings from the drop-down list and then select the Command line parameter. Close the Select Filter Parameters dialog box.
  5. Specify Contains "passwd" as a Command line parameter value.

Now you can review the resulting list of events to find suspicious password access events.
