Our security team would like to monitor user sign-ins to the OC portal. Is there a way to collect audit logs from Operator Console that show sign-ins with timestamps of Account Users and Bus users and maybe even source IP?
Is it possible to Audit Operator Console login attempts?
Guidance
■ At the database level, it is possible to monitor the last login success time for any user who successfully logs into the OC.
In the CM_USER table a row is created the first time any user (Nimbus user, account user, LDAP user or LDAP account-link user) logs into the OC.
Each subsequent successful login by the same user updates the "lastLoginSuccessTime" field of that row. Because only the latest timestamp is kept, this gives the most recent successful login per user rather than a login history, and failed attempts do not update it.
Examples:
To audit the last time a user called '<bususer>' logged into the OC, the following query can be used:
select screenName,firstName,lastName,userType,lastLoginSuccessTime from CM_USER where screenName = '<bususer>'
To audit which user logged into the OC most recently (the TOP 1 clause is SQL Server syntax):
select TOP 1 screenName,firstName,lastName,userType,lastLoginSuccessTime from CM_USER order by lastLoginSuccessTime DESC
■ Another way of monitoring logins in the Operator Console is to observe wasp.log and hub.log.
Note: the OC wasp log level needs to be set to 5 for login attempts to appear in wasp.log.
(Active monitoring of this activity can be achieved with the logmon probe.)
Examples:
Administrator logs into OC
Tested on UIM 20.4 OC CU8: Wasp.log (hosted on the OC server):
Sep 08 10:12:24:401 DEBUG [http-nio-80-exec-9, com.firehunter.ump.auth.JWTVerificationFilter] Recieved request from: xxxxxxxx
Sep 08 10:12:24:401 DEBUG [http-nio-80-exec-9, com.firehunter.ump.auth.OCAuth] Login from request usr <admin_user>
Sep 08 10:12:24:401 DEBUG [http-nio-80-exec-9, com.firehunter.ump.auth.OCAuth] Login from request accountOverride null
Sep 08 10:12:24:401 DEBUG [http-nio-80-exec-9, com.firehunter.ump.auth.OCAuth] Login from request accountOverride from request null
Sep 08 10:12:24:401 DEBUG [http-nio-80-exec-9, com.firehunter.ump.auth.OCAuth] Check account override null
Sep 08 10:12:24:938 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User '<admin_user>' trying to log in.
Sep 08 10:12:24:938 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query FRNpSELECT acl, contact_id, account_id FROM CM_CONTACT WHERE login_name = ? AND password = ?
Sep 08 10:12:24:938 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query FRNp took: 0.0s
Sep 08 10:12:24:938 DEBUG [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] non-contact user found: <admin_user>
Sep 08 10:12:25:440 INFO [http-nio-80-exec-9, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] authorizeNim<user>: user: <admin_user>
Account user logs in: (<account_user>)
Wasp.log
Sep 08 10:28:59:319 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.JWTVerificationFilter] Recieved request from: 10.xxxxxx
Sep 08 10:28:59:335 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.OCAuth] Login from request usr
Sep 08 10:28:59:335 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.OCAuth] Login from request accountOverride null
Sep 08 10:28:59:335 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.OCAuth] Login from request accountOverride from request null
Sep 08 10:28:59:335 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.OCAuth] Check account override null
Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'test1/<account_user>' trying to log in.
Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query AUAQSELECT acl, contact_id, account_id FROM CM_CONTACT WHERE login_name = ? AND password = ?
Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query AUAQ took: 0.0s
Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query NlRh
SELECT account_id FROM CM_ACTIVE_ACCOUNT WHERE login_name = '<account_user>'
Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query NlRh took: 0.0s
Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query eCiy
SELECT COUNT(account_id) FROM CM_ACCOUNT WHERE account_id = '1' AND name = '<test>'
[...]
Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query AYEU took: 0.0s
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.auth.LoginManager] <<<<<ACL_QUERY___REMOVESD>>>%::%'
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query DzvL took: 0.0s
--> Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] <account_user> logged in.
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.OCAuth] User: test1/<account_user>, NimBUS login milliseconds: 250
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query LHDTselect ID,CONTACT_ID,PASSWORD,PASSWORD_STATUS,CREATION_DATE from CM_CONTACT_PASSWORD_LOG where password_status = 1 and contact_id = (select contact_id from CM_CONTACT where login_name =? and account_id =?)
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.db.DbPreparedStatement] Query LHDT took: 0.0s
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.TokenManager] generating new token for <account_user>
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.TokenManager] Generated new token for session idd37<<<<<TOKEN HIDDEN>>>>>K-sPwg
Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.OCAuth] User prin com.nimsoft.nimbus.probe.service.wasp.auth.<account_user><account_name>(<account_user>) found for <account_user>
The hub log records Operator Console login attempts as shown below (hub log level 3, tested on UIM 20.4 CU8).
Bus user called "<bususer>" logs into the OC:
NOTE: In the example below LDAP authentication is enabled, so the hub always tries the AD server first. That AD login fails, after which the user is looked up among the native Nimbus users. It is the OC server that calls the hub and requests authentication of the Nimbus user, so the ip= value in hub.log is the OC server's address, not the end user's client address.
Sep 8 10:53:58:284 [32208] 2 hub: login from ctrl <IP_ADDRESS_OF_THE_OC_SERVER>/55783
Sep 8 10:53:58:285 [32208] 3 hub: expand_vars Size=666
Sep 8 10:53:58:285 [32208] 3 hub: host PDS_PCH 14 xxxxxxxxxxxxx
Sep 8 10:53:58:285 [32208] 3 hub: base PDS_PCH 17 DC=dx-uim,DC=com
Sep 8 10:53:58:285 [32208] 3 hub: user_base PDS_PCH 17 DC=dx-uim,DC=com
Sep 8 10:53:58:285 [32208] 3 hub: domain PDS_PCH 11 dx-uim.com
Sep 8 10:53:58:285 [32208] 3 hub: attr_grp_name PDS_PCH 5 name
Sep 8 10:53:58:285 [32208] 3 hub: attr_grp_member_name PDS_PCH 7 member
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_firstname PDS_PCH 10 givenName
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_lastname PDS_PCH 3 sn
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_mail PDS_PCH 5 mail
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_www PDS_PCH 12 wWWHomePage
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_phone PDS_PCH 16 telephoneNumber
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_cellphone PDS_PCH 7 mobile
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_office PDS_PCH 27 physicalDeliveryOfficeName
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_company PDS_PCH 8 company
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_title PDS_PCH 6 title
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_department PDS_PCH 11 department
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_description PDS_PCH 12 description
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_restrict_view PDS_PCH 25 restrictViewToUserAssets
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_name PDS_PCH 12 displayName
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_id PDS_PCH 18 userPrincipalName
Sep 8 10:53:58:285 [32208] 3 hub: attr_usr_member_of PDS_PCH 9 memberOf
Sep 8 10:53:58:286 [32208] 3 hub: (nim_ldap_get_connection): successful contact with LDAP server 'xxxxxxxx', secure=0
Sep 8 10:53:58:288 [32208] 0 hub: (nim_ldap_query) ldap_search_ext_s(base:=DC=dx-uim,DC=com scope:=LDAP_SCOPE_SUBTREE filter:=(|($userPrincipalName=<bususer>@example.com)(userPrincipalName=<bususer>@example.com)) attrs:=userPrincipalName, memberOf, name
Sep 8 10:53:58:288 [32208] 3 hub: (nim_ldap_query) ldap_search_ext_s: LDAP_SUCCESS
Sep 8 10:53:58:288 [32208] 3 hub: (nim_ldap_query) entries count:= 0, paging results:=no
Sep 8 10:53:58:288 [32208] 3 hub: login [LDAP] - basic login took 3 ms
Sep 8 10:53:58:288 [32208] 0 hub: login [LDAP] - (logon_user) 0 user found for (|($userPrincipalName=<bususer>@example.com)(userPrincipalName=<bususer>@example.com)), do not know which to use.
Sep 8 10:53:58:288 [32208] 0 hub: login [NimBUS] - user does not exist user=<bususer>@example.com ip=xxxxxxxxx
Sep 8 10:53:58:288 [32208] 0 hub: Login: failed for <bususer>@example.com, ip = xxxxxxxxxx
[...]
Sep 8 10:53:58:651 [32208] 3 hub: login [NimBUS] - success for user=<bususer> ip=<IP_ADDRESS_OF_THE_OC_SERVER>
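As an added example (not part of this article or of the UIM product), the following Python script turns wasp.log and hub.log lines of the shapes quoted above into login events carrying user, timestamp, source IP and outcome, which is what the original question asks for. The sample lines are constructed with placeholder users and documentation-range IPs; correlating the request IP with the login attempt by Tomcat worker thread, and treating an LDAP failure that is followed by a NimBUS success for the same user and IP as normal, are assumptions drawn from the excerpts rather than documented product behaviour.

```python
import re

# Patterns modelled on the wasp.log / hub.log lines quoted above ('Recieved' is spelled as the log writes it).
WASP_HEAD = r"(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d:\d{3}) \w+ \[(?P<thread>[^,]+), [\w.]+\] "
WASP_REQ = re.compile(WASP_HEAD + r"Recieved request from: (?P<ip>\S+)")
WASP_TRY = re.compile(WASP_HEAD + r"User '(?P<user>[^']+)' trying to log in\.")
WASP_OK = re.compile(WASP_HEAD + r"(?P<user>\S+) logged in\.")
HUB_HEAD = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d:\d{3}) \[\d+\] \d hub: "
HUB_FAIL = re.compile(HUB_HEAD + r"Login: failed for (?P<user>[^,]+), ip = (?P<ip>\S+)")
HUB_OK = re.compile(HUB_HEAD + r"login \[NimBUS\] - success for user=(?P<user>\S+) ip=(?P<ip>\S+)")
# Constructed sample lines (placeholder users, documentation-range IPs), not real log data.
WASP_SAMPLE = [
    "Sep 08 10:28:59:319 DEBUG [http-nio-80-exec-10, com.firehunter.ump.auth.JWTVerificationFilter] Recieved request from: 192.0.2.20",
    "Sep 08 10:28:59:826 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'test1/alice' trying to log in.",
    "Sep 08 10:29:00:076 DEBUG [http-nio-80-exec-10, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] alice logged in.",
    "Sep 08 10:31:12:004 DEBUG [http-nio-80-exec-3, com.firehunter.ump.auth.JWTVerificationFilter] Recieved request from: 198.51.100.7",
    "Sep 08 10:31:12:410 DEBUG [http-nio-80-exec-3, com.nimsoft.nimbus.probe.service.wasp.auth.LoginModule] User 'administrator' trying to log in.",
]
HUB_SAMPLE = [
    "Sep 8 10:53:58:288 [32208] 0 hub: Login: failed for bob@example.com, ip = 192.0.2.5",
    "Sep 8 10:53:58:651 [32208] 3 hub: login [NimBUS] - success for user=bob ip=192.0.2.5",
    "Sep 8 10:55:01:102 [32208] 0 hub: Login: failed for carol@example.com, ip = 198.51.100.7",
]

def wasp_login_events(lines):
    """Join request-IP, 'trying to log in' and 'logged in' lines per Tomcat thread (assumed to carry one login end to end)."""
    ip_by_thread, open_attempt, events = {}, {}, []
    for line in lines:
        if m := WASP_REQ.match(line):
            ip_by_thread[m["thread"]] = m["ip"]          # latest client IP seen on this worker thread
        elif m := WASP_TRY.match(line):
            ev = {"ts": m["ts"], "user": m["user"], "ip": ip_by_thread.get(m["thread"], "unknown"), "success": False}
            open_attempt[m["thread"]] = ev
            events.append(ev)
        elif (m := WASP_OK.match(line)) and (ev := open_attempt.pop(m["thread"], None)):
            # account users attempt as 'account/user'; the success line carries only 'user'
            ev["success"] = ev["user"].rsplit("/", 1)[-1] == m["user"]
    return events

def hub_login_events(lines):
    """LDAP failure then NimBUS success for the same user/IP is the normal flow shown above; only failures with no success are flagged."""
    events = []
    for line in lines:
        if m := HUB_FAIL.match(line):
            events.append({"ts": m["ts"], "user": m["user"].split("@")[0], "ip": m["ip"], "success": False})
        elif m := HUB_OK.match(line):
            events.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"], "success": True})
    ok = {(e["user"], e["ip"]) for e in events if e["success"]}
    for e in events:
        e["suspicious"] = not e["success"] and (e["user"], e["ip"]) not in ok
    return events
```

Run it over the real files with `wasp_login_events(open("wasp.log"))` and `hub_login_events(open("hub.log"))`; an attempt that never gets `success=True`, or a hub failure marked `suspicious`, is what the security team would forward to the SIEM.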