Environment
Privileged User Manager 2.3.0 HF4
Situation
Compliance Auditor Enhancements added in 2.3.0 HF4 (2.3.0-4)
This enhancement adds the following new functionality to the Compliance Auditor:
* Ability to pull events into the Compliance Auditor based off of 'Command Risk Level'
* Ability to limit Framework Users to see certain events in 'Reporting' if Compliance Auditor roles are configured.
Additional Information
The configuration below uses the following names as examples:
User: Manager1
Group: Manager1 Compliance Audit
Group: Reporting-Audit
1. Create a new Group in Framework User Manager called 'Reporting-Audit'. On the roles tab, add the following Module and Role:
Module    Role
audit     command
audit     console
audit     read
2. Create/Edit 'Manager1 Compliance Audit' group in the Framework User Manager. On the roles tab, add the following Module and Role:
Module     Role
audit      Manager1 Compliance Audit
secaudit   Manager1 Compliance Audit
secaudit   audit
secaudit   console
auth       read
audit      report
Note: 'Manager1 Compliance Audit' will NOT be in the drop-down list; you'll need to manually type these into the corresponding roles.
3. Add the desired Framework user (Manager1) as a member of the groups used in step 1 and step 2.
4. Create/edit a Compliance Auditor rule to pull in events based on the desired 'Command Risk Level':
Home | Compliance Auditor | Audit Rules | 'Manager1 Compliance Audit'
5. Reporting - Home | Reporting - Create a Report called "Manager1 Audit". On the general tab, add the following:
Roles                       Update
Manager1 Compliance Audit   Manager1 Compliance Audit
When a user runs a command that meets your command risk criteria, the event is pulled into the Compliance Auditor only when the audit rule next pulls in events (which in Unit is hourly). Managers will see only the 'risky' events (command risk greater than or equal to 5) pulled into the Compliance Auditor. They can view all other events via the Reporting Console, under their own report. They won't have rights to change any reports but their own within the Reporting Console. Managers can filter by date, etc. with reporting.