Symantec IGA
  • 1.  Log Detail and message code

    Posted Aug 03, 2020 07:27 AM
    Dear Team,

    Our customer's security team wants to know from which log and message code the following information is generated.
    1. The critical parameters for which logging should be enabled are:
    a. user authentication for ex. unauthorized attempts to connect to the network using an incorrect user ID or password; and
    b. configuration changes (ex. commands executed, patch update, security parameter change).

    2. Parameters like username, node identifier, IP address (source and destination), date/time, result of operation/authentication request, etc. should be captured in the logs.

    Version information
    CA Identity Suite, Virtual Appliance Version 14.2.0
    Cumulative Patch Level (Product: Version)
    Virtual Appliance: 14.2.0 GA
    Identity Manager: 14.2.0 CP5
    Identity Governance: 14.2.0 CP3
    Identity Portal: 14.2.0 CP2
    Operating System: 14.2.0 GA
    Database: 2016 standard version

    Thank you,


    ------------------------------
    Technical Associate
    CAS
    ------------------------------


  • 2.  RE: Log Detail and message code

    Broadcom Employee
    Posted Aug 03, 2020 10:39 AM

    1. The critical parameters for which logging should be enabled are:
    a. user authentication for ex. unauthorized attempts to connect to the network using an incorrect user ID or password; and
    b. configuration changes (ex. commands executed, patch update, security parameter change).

    Identity Suite does not log or monitor network activity. From PuTTY you can review the "history" log for your second request above.

    2. Parameters like username, node identifier, IP address (source and destination), date/time, result of operation/authentication request, etc. should be captured in the logs.

    There is nothing in the IGA suite that logs this. You may want to review information from our Siteminder product. You can review the audit tables to review login attempts.



    ------------------------------
    Best regards,

    Scott Owens
    Sr Support Engineer

    ------------------------------
    And, as always, perhaps there are others in the communities who have experience in doing this, and we invite them to comment here also.

    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
    ------------------------------



  • 3.  RE: Log Detail and message code

    Posted Aug 03, 2020 10:30 PM
    Edited by William Cheang Aug 03, 2020 10:33 PM

    Below is the current VAPP log location:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-3/administering-virtual-appliance.html#concept.dita_e794365581df3d11e5f66816b7288d2880d476aa_LogFilesLocation

    For a) user authentication on Identity Portal, there is limited logging (you can probably see "invalid userid"); for this you can refer to the Identity Portal Server log.
    For b) configuration changes: if you are referring to VAPP deployment changes, then you can refer to the vapp_deployment log.
    However, the product does not provide any audit trail on "command executed" or "security parameter changes".


  • 4.  RE: Log Detail and message code

    Broadcom Employee
    Posted Aug 04, 2020 07:37 AM
    To add to the information provided by Scott and William:
    1. Enabling Audit in Identity Manager (https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-manager/14-3/management-console-help/how-to-configure-auditing/configure-audit-settings.html) to ensure the login / logout events are audited:
    <AuditEvent name="Login" enabled="true" auditlevel="BOTHCHANGED">
        <AuditProfile objecttype="USER" auditlevel="BOTHCHANGED"/>
        <EventState name="COMPLETE" severity="NONE"/>
        <EventState name="INVALID" severity="CRITICAL"/>
    </AuditEvent>
    <AuditEvent name="Logout" enabled="true" auditlevel="BOTHCHANGED">
        <AuditProfile objecttype="USER" auditlevel="BOTHCHANGED"/>
        <EventState name="COMPLETE" severity="NONE"/>
        <EventState name="INVALID" severity="CRITICAL"/>
    </AuditEvent>

    2. Configuration changes are done on the OS level, so indeed history (and other Linux OS commands, if available) can be used. In addition, /opt/CA/VirtualAppliance/logs/ca_vapp_main.log can be used.

    3. Additional monitoring options are available via https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-suite/14-2/virtual-appliance/monitoring-virtual-appliance.html

    Regards,
    Rinat
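A small check, added here as an example and not code from the thread or from the product, that reads an Identity Manager audit-settings fragment like the one Rinat posted and verifies the customer's requirement: the Login and Logout events must exist, be enabled, and flag the INVALID state as CRITICAL so failed sign-ins stand out. The `<Audit>` root element wrapping the fragment is an assumption, and the sample XML is constructed (the Logout event is deliberately disabled to show a finding).

```python
"""Verify login/logout auditing in an Identity Manager audit-settings fragment."""
import xml.etree.ElementTree as ET

# Constructed sample: the thread's two AuditEvent elements wrapped in an assumed
# <Audit> root. Logout is set to enabled="false" on purpose to produce a finding.
SAMPLE_AUDIT_XML = """<Audit>
  <AuditEvent name="Login" enabled="true" auditlevel="BOTHCHANGED">
    <AuditProfile objecttype="USER" auditlevel="BOTHCHANGED"/>
    <EventState name="COMPLETE" severity="NONE"/>
    <EventState name="INVALID" severity="CRITICAL"/>
  </AuditEvent>
  <AuditEvent name="Logout" enabled="false" auditlevel="BOTHCHANGED">
    <AuditProfile objecttype="USER" auditlevel="BOTHCHANGED"/>
    <EventState name="COMPLETE" severity="NONE"/>
    <EventState name="INVALID" severity="CRITICAL"/>
  </AuditEvent>
</Audit>"""

REQUIRED_EVENTS = ("Login", "Logout")


def check_audit_settings(xml_text):
    """Return a list of findings; an empty list means the requirement is met.

    For each required event: it must be defined, enabled="true", and its
    INVALID EventState must carry severity CRITICAL (failed attempts visible).
    """
    root = ET.fromstring(xml_text)
    events = {ev.get("name"): ev for ev in root.iter("AuditEvent")}
    findings = []
    for name in REQUIRED_EVENTS:
        ev = events.get(name)
        if ev is None:
            findings.append(f"{name}: no AuditEvent defined")
            continue
        if (ev.get("enabled") or "false").lower() != "true":
            findings.append(f"{name}: AuditEvent defined but enabled={ev.get('enabled')!r}")
        states = {s.get("name"): s.get("severity") for s in ev.findall("EventState")}
        if states.get("INVALID") != "CRITICAL":
            findings.append(f"{name}: INVALID severity is {states.get('INVALID')!r}, expected CRITICAL")
    return findings


if __name__ == "__main__":
    for line in check_audit_settings(SAMPLE_AUDIT_XML) or ["OK: login/logout auditing configured"]:
        print(line)
```

Point the script at the audit settings file exported from the Management Console instead of the embedded sample to audit a real deployment.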