Is there any way in PIM we can generate audit events manually (by command)?
Hint: in eTrust Audit we used to generate events with the etSAPIsend command.
Thanks in advance.
I will demonstrate how to generate a basic denial against a file. I am logged in as root. Here is the sewhoami utility verifying my identity as 'root':
[root@gomer02 install]# sewhoami -a
root
ACEE Contents
User's Name : root
ACEE's Handle : 22
Group Connections Table: <Empty>
Categories : <None>
Profile Group : <None>
Security Label : <None>
User's Audit Mode : Failure LoginSuccess LoginFailure
User's Security Level : 0
Source Terminal : <Unknown>
Process Count for ACEE : 39
User's Mode : Admin Auditor
ACEE's Creation Time : Tue Jul 31 08:17:25 2018
Next, I created a flat file named 'test.txt':
[root@gomer02 install]# touch test.txt
Then, I created a file rule stating no one has access to it:
AC> ef /install/test.txt defaccess(none) owner(nobody)
(localhost)Successfully created FILE /install/test.txt
In the next SSH session, I am logged in as local_user1. Here is the sewhoami utility verifying my identity as 'local_user1':
-sh-4.2$ sewhoami -a
local_user1
ACEE Contents
User's Name : local_user1
ACEE's Handle : 30
Group Connections Table: <Empty>
Categories : <None>
Profile Group : <None>
Security Label : <None>
User's Audit Mode : Failure LoginSuccess LoginFailure
User's Security Level : 0
Source Terminal : 126.96.36.199
Process Count for ACEE : 3
User's Mode : Auditor
ACEE's Creation Time : Tue Jul 31 11:58:39 2018
Here is me getting the denial of access:
-sh-4.2$ cat /install/test.txt
cat: /install/test.txt: Permission denied
I went back to my original SSH session as root. I used the seaudit utility to ensure that there was a denial when local_user1 accessed '/install/test.txt':
[root@gomer02 install]# seaudit -a -st now-15 | grep ' D '
CA Privileged Access Manager Server Control seaudit v14.01.0.412 - Audit log lister
Copyright (c) 2016 CA. All rights reserved.
31 Jul 2018 11:58:47 D FILE local_user1 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user1
Here is the code below, which provides the definition of why the resource was blocked. As you can see, we blocked the access from happening:
[root@gomer02 install]# seaudit -t | grep 69
CA Privileged Access Manager Server Control seaudit v14.01.0.412 - Audit log lister
Copyright (c) 2016 CA. All rights reserved.
69 No Step that allowed access
I hope this helps.
This will definitely help to generate audit events. Actually I was looking for some command to write some dummy events into seaudit so that I can collect them in the SIEM to ensure there is no loss of events, as well as for load testing.
I think I can use your suggestion and write a script to access a resource so that it generates audit events.
Do we have any command to generate events in PIM?
You can accomplish this in numerous ways. However, the scenario I have described earlier in the thread is the most basic use-case of trying to generate a denial within the seaudit utility when a user does not have access to said filesystem resource.
Let us take the same example and break down the syntax:
The defaccess() flag will take effect for all users who are not explicitly defined. The defaccess(R) is for access, whereas defaccess(W) is for administrative access.
As for the owner() flag, we put nobody in there as a placeholder because the owner of a rule is not restricted by the rule. If we do not specify an owner, then the user who created the rule is the owner.
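The denial procedure from the first reply, turned into the kind of event-generating and reconciliation script asked about later in the thread, as an added example that is not from any poster. It assumes the rule `ef /install/test.txt defaccess(none) owner(nobody)` already exists, that local_user1 is an unprivileged login on the host, that it runs as root, and that seaudit's record layout matches the one shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): produce a known number of FILE denials and
# reconcile them against what seaudit recorded, so a SIEM feed can be checked for
# event loss and given a repeatable load.

TARGET=/install/test.txt       # resource protected by the defaccess(none) rule
DENIED_USER=local_user1        # account the rule refuses

# Count denial records for a resource and user in seaudit output read on stdin.
# Field layout follows the record in the thread: day mon year time TYPE CLASS
# user access reason-code <numeric> resource program terminal user.
count_denials() {
    awk -v f="$1" -v u="$2" \
        '$5 == "D" && $6 == "FILE" && $7 == u && $11 == f { n++ } END { print n + 0 }'
}

# Generate N denials: each refused read leaves one ' D FILE ' record.
generate_denials() {
    i=0
    while [ "$i" -lt "$1" ]; do
        su - "$DENIED_USER" -c "cat $TARGET" >/dev/null 2>&1
        i=$((i + 1))
    done
}

# Constructed sample of seaudit output (not a real capture): header plus four
# records, of which two match local_user1 reading /install/test.txt.
SAMPLE_AUDIT='CA Privileged Access Manager Server Control seaudit v14.01.0.412 - Audit log lister
Copyright (c) 2016 CA. All rights reserved.
31 Jul 2018 11:58:47 D FILE local_user1 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user1
31 Jul 2018 11:58:49 D FILE local_user1 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user1
31 Jul 2018 11:58:50 D FILE local_user2 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user2
31 Jul 2018 11:58:52 D FILE local_user1 Read 69 2 /install/other.txt /usr/bin/cat gomer02-w10a.ca.com local_user1'

if command -v seaudit >/dev/null 2>&1; then
    WANT=20
    generate_denials "$WANT"
    # -st now-15 is the window used in the thread; any older denials in that
    # window for the same user and file are counted too, so start from a quiet period.
    GOT=$(seaudit -a -st now-15 | count_denials "$TARGET" "$DENIED_USER")
    echo "generated $WANT denials, seaudit recorded $GOT"
else
    printf '%s\n' "$SAMPLE_AUDIT" | count_denials "$TARGET" "$DENIED_USER"   # prints 2
fi
```

Compare the number seaudit recorded with the number of records the SIEM ingested for the same window; a gap between the two is the loss you are testing for.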