Privileged Action Logging

Article ID: 186090

Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - System Agent (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
CA Workload Automation Agent
CA Workload Automation AE

Issue/Introduction

Our auditors are asking us to provide them with all the log files where privileged actions/IDs are logged. They are looking for everything from configuration to policy changes.

Can you provide a list of all the files and utilities that log privileged activity?

 

Environment

Release : 11.3.6

Component : CA Workload Automation AE (AutoSys)

Resolution

AutoSys has the autotrack feature.
If it is enabled, you can use the autotrack command to display the actions users have taken against objects.
See:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/intelligent-automation/workload-automation-ae-and-workload-control-center/11-3-6-SP8/reference/ae-commands/monitor-and-report-on-workload/autotrack-command-tracks-changes-to-the-database.html
A number of clients schedule a job to run the autotrack report daily and save the output for record-keeping purposes, as it is more user-friendly than attempting to view the $AUTOUSER/archive/archived_audit* files.
NOTE - the autotrack details are initially stored in the database and are then archived to the files mentioned above as part of DBMaint.

For WCC, the newer versions by default keep no specific audit trail beyond who logged in and out.
See /opt/CA/WorkloadCC/log/audit/*

For EEM, the /opt/CA/SharedComponents/EmbeddedEntitlementsManager/logs/audit.log file contains auditing details.
The log can show that policyX was inserted, removed, or modified by userX at timeX, but it will not show the specifics of the modification.
That is, it does not include a complete before-and-after picture of the object/policy the way autotrack does for AutoSys.

It will not have the specifics of your change, such as adding userY to the list of selected identities or changing the resource to ACE.job123.

Example of when I modified a dynamic user group policy named "userdefined-dug1":

/iTechPoz/Store/WCC0004/userdefined-dug1
Policy
EiamAdmin
49f316531864b3d59f65a353b2294f0e-5e415ef3-e4240960-9
IAM.Admin.soModify.S.I
93
c9bed1762aaad8819a02cf9376b8bc39-5e415ef3-e4240960-1
lvntest002922.bpc.broadcom.net
iPoz
Success
1582820485
Linux 2.6.32-754.14.2.el6.x86_64
Info

In the example above, EiamAdmin is the ID that made the change.
The type of record is soModify as opposed to an soInsert or soRemove (meaning I modified an existing policy).
The change was made on 1582820485.
That is Unix epoch time for 02/27/2020 11:21:25.
You can use the AutoSys "time0" utility to convert that into a human-friendly format.
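
The reading of the record described above can be scripted for audit reporting. The following is an added example, not Broadcom code: it parses the flattened 13-line record as displayed in this article (the on-disk audit.log layout may differ), and every field name other than the actor, event type and timestamp is an assumption. The timestamp is printed in UTC, where 1582820485 is 16:21:25, which matches the 11:21:25 above at UTC-5.

```python
from datetime import datetime, timezone

# Field positions in the flattened record as displayed in the article.
# Only actor, event and epoch are identified there; the other names are
# assumptions made for this example.
FIELDS = {0: "object", 1: "object_class", 2: "actor", 4: "event",
          7: "host", 9: "outcome", 10: "epoch"}
ACTIONS = {"soInsert": "inserted", "soModify": "modified", "soRemove": "removed"}

# The record shown in the article, embedded so the example runs offline.
SAMPLE = """\
/iTechPoz/Store/WCC0004/userdefined-dug1
Policy
EiamAdmin
49f316531864b3d59f65a353b2294f0e-5e415ef3-e4240960-9
IAM.Admin.soModify.S.I
93
c9bed1762aaad8819a02cf9376b8bc39-5e415ef3-e4240960-1
lvntest002922.bpc.broadcom.net
iPoz
Success
1582820485
Linux 2.6.32-754.14.2.el6.x86_64
Info
"""

def parse_record(text):
    """Map one 13-line record to named fields plus action and UTC time."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) != 13:
        raise ValueError(f"expected 13 fields, got {len(lines)}")
    rec = {name: lines[i] for i, name in FIELDS.items()}
    # The event string carries the operation, e.g. IAM.Admin.soModify.S.I
    op = next((p for p in rec["event"].split(".") if p in ACTIONS), None)
    rec["action"] = ACTIONS.get(op, "unknown")
    rec["when_utc"] = datetime.fromtimestamp(int(rec["epoch"]), tz=timezone.utc)
    return rec

def audit_line(rec):
    """One-line summary: when, who, what action, which object, outcome."""
    return (f'{rec["when_utc"]:%Y-%m-%d %H:%M:%S} UTC {rec["actor"]} '
            f'{rec["action"]} {rec["object_class"]} {rec["object"]} '
            f'host={rec["host"]} ({rec["outcome"]})')

if __name__ == "__main__":
    print(audit_line(parse_record(SAMPLE)))
```

An event type that is not soInsert, soModify or soRemove is reported as "unknown" rather than dropped, so unexpected record types still appear in the report.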

There is an EEM reporting utility that can be installed/configured to help make the results easier to view.
For details on EEM reporting see:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/intelligent-automation/workload-automation-ae-and-workload-control-center/11-3-6-SP8/getting-started/ca-eem-reporting-utility.html