9.3 Compliance Audit Reports

You can configure customized reports of events that require compliance auditing. The reports are dynamically created and e-mailed to selected users at defined intervals. You can use filtering and Perl template scripting to extract the appropriate event information and format it into an e-mail for each target user.

Audit reporting uses a tokens object that carries the target user's account attributes (the User subtree) and the audit records selected by the report filter (the AuditRecords subtree), together with other information. You can use keyword anchors in your report configuration, which are replaced by the appropriate values from the tokens object. The Perl code in the report template can also read and set values in the tokens object. Sample report templates are supplied to assist you with creating your own.

9.3.1 Adding, Copying and Modifying an Audit Report

To use this feature, you must provide details of your e-mail server to the Messaging Component (msgagnt) so that reports can be e-mailed. See Configuring SMTP Settings for the Messaging Component Package for details.

To add or modify an audit report:

  1. Click Compliance Auditor on the home page of the console.

  2. Click Audit Reports in the task pane.

  3. Select one of the following:

    • To add a new report, click Add in the task pane.

    • To modify an existing report, select the required report, then click Modify in the task pane.

    • To copy an existing report, select the report, then click Copy in the task pane.

  4. Configure the following fields:

    Report Name: Specify a name for the report.

    Disabled: To disable the report, select the Disabled check box.

    By default, disabled reports are not shown on the report list.

    Run Report: To determine the time and frequency of each audit report, use the calendar to set the initial date, then set the frequency as required.

    Report Category: To limit the report to one category, select the category, or to include all categories, select All.

    Report Target: (Conditional) To send the report to a user or all users in a group, click User Report in the Report Target section, then select the user or group from the drop-down list.

    Ensure that each target user has an e-mail address defined in the Account Details section of the Framework User Account definitions, and enter the $User.ACT_EMAIL.value$ keyword anchor in the Email To field so that the address is taken from the tokens object when the report runs.

    Report Filter: Set the Report Filter to include the required event records:

    • Select one or more from New, Pending, Authorized, and Unauthorized.

    • Select the age of events you want to include in the report. Events older than the number of days you specify are included.

    • Select the escalation level of events you want to include in the report. Events at this escalation level and above are included.

    Age (Days): Enter the minimum age of events, in days. Events older than this value are included in the report.

    Escalation Level: Enter the minimum escalation level. Events at this level and above are included in the report.

    Email To: Specify the e-mail address of the user who is to receive the report:

    • If you want the report to be sent to a user who is not defined as a Framework user, specify the user’s e-mail address in the Email To field.

    • If you want the report to be sent to a user or group defined as the Report Target above, specify the following keyword anchor in the Email To field:

       $User.ACT_EMAIL.value$

    You can view the tokens object passed into the audit report, as XML, by entering $<>$ in the Report Template field, deselecting the HTML check box, then clicking Test Report (ensure that you have defined a Report Target). To view just the user subtree, use $<User>$.

    The tokens that appear depend on what has been configured for the users. If the ACT_EMAIL.value token is not present for the target, no e-mail address has been defined for that user; define one before enabling the report. For user configuration information, see Modifying a Framework User.

    Email From: Specify the email address of the user sending the report.

    You can also use a keyword anchor in the Email From field.

    Receipt: Select this option to request a read receipt from the recipient's mail client. The receipt is sent to the address specified in the Email From field; whether it is sent at all depends on the recipient's mail client honoring the request.

    Email Subject: Specify a subject for the email message.

    This can be a text string or you can use a keyword anchor in the Email Subject field. For example, if you wanted to display the target user’s name in the e-mail subject, you could enter the following in the Email Subject field.

    Report for $User.ACT_FULL_NAME.value$

    Report Template: Specify a Perl script in the Report Template field to control how the e-mail messages are formatted and what they contain. If you want the messages to be displayed in HTML, select the HTML check box.

    For an example report template, see Sample Command Control Report Template.

  5. Click Test Report to view the report that is sent to each e-mail target.

    Use the arrow buttons to page through the reports, one for each e-mail target. The test view shows the raw template output rather than rendered HTML. If the Perl code in the Report Template contains errors, they are shown here.

  6. Click Back to return to the report configuration screen.

  7. Click Finish.
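The following Perl script is an added example and is not code from the product or its documentation. It re-implements keyword-anchor expansion for fields such as Email To and Email Subject against a constructed tokens object, so that the behaviour described above (in particular a target user with no ACT_EMAIL.value token) can be checked offline. The shape of the tokens hash, the anchor grammar ($Path.To.value$ with dot-separated keys) and the use of Data::Dumper in place of the product's XML dump for $<>$ and $<User>$ are all assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not the product's code): stand-alone keyword-anchor expansion
# against a constructed tokens object. The hash layout, the anchor grammar and
# the Data::Dumper output for $<>$ (the product emits XML) are assumptions.
use strict;
use warnings;
use Data::Dumper;

$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Terse    = 1;
$Data::Dumper::Indent   = 1;

# Constructed tokens object: a Framework user with a display name but no
# e-mail address, so User.ACT_EMAIL.value is absent, plus one audit record
# whose command line contains HTML-significant characters.
my $tokens = {
    User => {
        ACT_FULL_NAME => { value => 'Alice Example' },
        # ACT_EMAIL is deliberately missing.
    },
    AuditRecords => {
        AuditRecord => [
            {
                age     => 3,
                level   => 1,
                cmdctrl => {
                    user  => 'alice',
                    runAs => 'root',
                    host  => 'db01',
                    time  => 1700000000,
                    cmd   => q{echo "<script>alert(1)</script>" > /tmp/note},
                },
            },
        ],
    },
};

# Walk a dotted path such as "User.ACT_EMAIL.value" through nested hashes.
# Returns undef as soon as a step is missing, so the caller can tell an
# unconfigured attribute from an empty one.
sub lookup_token {
    my ($tokens, $path) = @_;
    my $node = $tokens;
    for my $key (split /\./, $path) {
        return undef unless ref $node eq 'HASH' && exists $node->{$key};
        $node = $node->{$key};
    }
    return $node;
}

# Escape the characters that would let a token value or event field change
# the structure of an HTML e-mail body.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Expand every $A.B.C$ anchor in $text. Anchors that do not resolve to a
# scalar become an empty string and are recorded in @$missing. $<>$ dumps
# the whole tokens object and $<User>$ just that subtree.
sub expand_anchors {
    my ($tokens, $text, $missing, $html) = @_;
    $text =~ s{\$<([A-Za-z0-9_.]*)>\$}{
        my $path = $1;
        Dumper($path eq '' ? $tokens : lookup_token($tokens, $path))
    }ge;
    $text =~ s{\$([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)\$}{
        my $path = $1;
        my $v = lookup_token($tokens, $path);
        (defined $v && !ref $v) ? ($html ? html_escape($v) : $v)
                                : do { push @$missing, $path; '' }
    }ge;
    return $text;
}

my @missing;
my $to      = expand_anchors($tokens, '$User.ACT_EMAIL.value$',                  \@missing, 0);
my $subject = expand_anchors($tokens, 'Report for $User.ACT_FULL_NAME.value$',   \@missing, 0);
my $body    = expand_anchors($tokens, '<p>Hello $User.ACT_FULL_NAME.value$,</p>', \@missing, 1);

print "Subject: $subject\n";
if (@missing) {
    # This is the situation a Test Report run should reveal before the
    # report is enabled: the Email To field resolved to nothing.
    print "Unresolved anchors: @missing (no value configured for this user)\n";
} else {
    print "To: $to\n";
}
print "$body\n";

# Event fields need the same escaping before a template writes them into HTML.
my $cmd = $tokens->{AuditRecords}{AuditRecord}[0]{cmdctrl}{cmd};
print "Command as HTML: ", html_escape($cmd), "\n";

# What $<User>$ in a Report Template shows (here as a Perl structure, not XML).
print expand_anchors($tokens, '$<User>$', \@missing, 0);
```

Run it with perl and the Unresolved anchors line reports User.ACT_EMAIL.value, which is the symptom described above for a user without an e-mail address; add an ACT_EMAIL entry to the constructed User hash and the To line appears instead. The separate $html flag exists because the address and subject fields are not HTML, whereas the body is, so only the body is escaped.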

9.3.2 Sample Command Control Report Template

If you are using this sample as a base for your own report templates, select HTML to correctly display the messages, and replace the console address in the sample link with the address of your own administration console. The sample displays a message to the recipients of the e-mail messages, requesting them to log in to the Compliance Auditor and review activity. It extracts the selected events, lists them in tables according to the age of the events, and shows the time, user, run-as account, host and command for each event. Because those fields are copied from audited sessions into the HTML message, escape them (at least <, >, & and ") before output, so that a command line containing such characters cannot alter the markup of the e-mail.

As shown in the sample, you can use the user name keyword anchor $User.ACT_FULL_NAME.value$ to display a user’s name in the e-mail, if you are using the Report Target option. You must ensure that a Display name is entered for the user in the Account Details section in the Framework User Account definitions.

<%!
# Working arrays shared by the code blocks below. The level buckets are
# populated but not rendered by this sample; use them if you also want a
# table per escalation level.
my @lvl0;
my @lvl1;
my @lvl2;
my @lvl3;
my @gt0;
my @gt5;
my @gt10;
my @gt20;
%>
<%
# $tokens is the tokens object. Copy the audit records only if that branch
# exists. ("my ... if COND;" is undefined behaviour in Perl, so a conditional
# expression is used instead.)
my @audit_records = (defined($tokens->{'AuditRecords'}) && defined($tokens->{'AuditRecords'}->{'AuditRecord'}))
  ? @{$tokens->{'AuditRecords'}->{'AuditRecord'}}
  : ();

# Event fields are written into an HTML e-mail. A command line can contain
# characters such as <, > or & that a mail client would interpret as markup,
# so every field is escaped before it is emitted.
my $esc = sub {
  my $s = defined $_[0] ? $_[0] : '';
  $s =~ s/&/&amp;/g;
  $s =~ s/</&lt;/g;
  $s =~ s/>/&gt;/g;
  $s =~ s/"/&quot;/g;
  return $s;
};

# Bucket each record by age in days and by escalation level. The age
# boundaries match the table headings: 0-4, 5-9, 10-19 and 20 or more days.
foreach my $ar (@audit_records) {
  my $age = defined $ar->{'age'}   ? $ar->{'age'}   : 0;
  my $lvl = defined $ar->{'level'} ? $ar->{'level'} : 0;

  if ($age >= 5 && $age < 10) {
    push(@gt5,$ar);
  } elsif ($age >= 10 && $age < 20) {
    push(@gt10,$ar);
  } elsif ($age >= 20) {
    push(@gt20,$ar);
  } else {
    push(@gt0,$ar);
  }
  if ($lvl == 1) {
    push(@lvl1,$ar);
  } elsif ($lvl == 2) {
    push(@lvl2,$ar);
  } elsif ($lvl >= 3) {
    push(@lvl3,$ar);
  } else {
    push(@lvl0,$ar);
  }
}

# Only produce a message when there is something to report.
my $total = @audit_records;
if ($total > 0) {
%>
<style type="text/css">
<!--
.style1 {
 color: #000000;
 font-family: Arial, Helvetica, sans-serif;
 font-size: 12px;
}
.style2 {
 color: #000000;
 font-family: Arial, Helvetica, sans-serif;
 font-size: 12px;
 font-weight:bold;
}
.style4 {
 color: #000000
}
-->
</style>
<p class="style1"> Hello $User.ACT_FULL_NAME.value$,<br/>
  <br/>
  This is an automated event notification email from the Compliance Auditor. <br/>
<br/>
  It is the responsibility of management to log into the Compliance Auditor each day and review their team's keystroke logs.  <br/> <br/>
  Please log on to the Compliance Auditor at your earliest convenience using this link: <a href="https://admin.company.com">https://admin.company.com</a></p>

<%
# One table per age bucket: the heading text followed by the records to list.
my @buckets = (
  ['Events less than 5 days old', \@gt0],
  ['Events 5 to 9 days old',      \@gt5],
  ['Events 10 to 19 days old',    \@gt10],
  ['Events 20 or more days old',  \@gt20],
);
foreach my $bucket (@buckets) {
  my ($title, $records) = @$bucket;
  my $count = @$records;
%>
<span class="style2"><%= $title %> (<%= $count %>)</span>
<table border="1">
  <tr class="style1">
    <td>Time</td>
    <td>User</td>
    <td>Run As</td>
    <td>Host</td>
    <td>Command</td>
  </tr>
<%
  foreach my $ar (@$records) {
    my $cc  = $ar->{'cmdctrl'} || {};
    my $cmd = $cc->{'cmd'};
    my $usr = $cc->{'user'};
    my $ras = $cc->{'runAs'};
    my $hst = $cc->{'host'};
    # The event time is an epoch value; localtime in scalar context
    # formats it as a readable date and time.
    my $tme = defined $cc->{'time'} ? scalar(localtime($cc->{'time'})) : '';
%>
  <tr class="style1">
    <td><%= $esc->($tme) %></td>
    <td><%= $esc->($usr) %></td>
    <td><%= $esc->($ras) %></td>
    <td><%= $esc->($hst) %></td>
    <td><%= $esc->($cmd) %></td>
  </tr>
<%
  }
%>
</table>
<br/>
<%
}
%>

<p class="style2">Total Events = <%= $total %></p>

<%
}
%>

9.3.3 Deleting a Report

  1. Click Compliance Auditor on the home page of the console.

  2. Click Audit Reports in the task pane.

  3. Select the report you want to delete.

  4. Click Delete in the task pane.

  5. Click Finish to confirm the deletion.