7.4 Compliance Auditor Records

The Compliance Auditor main page lists the records (events) collected according to defined audit rules.

By default, all new and pending events are displayed, as indicated in the Status column. To view authorized and unauthorized events, select the appropriate check boxes and click Refresh. Pending events are events that have been viewed and their records edited, but they have not been classified as authorized or unauthorized. You can click any of the column headings to sort by that column.

To view events for a specific time period, select the From and To check boxes, select the required dates, specify the required times, and click Refresh.

The table displays the following information about each event:

First: The color-coded indicators for Command Control command risk level and rule risk level, ranging from green (low) to red (high). For more information, see Setting the Command Risk.

Level: The escalation level set by the auditor editing the event record.

Status: The status of the event, indicating whether an auditor has classified the event as authorized or unauthorized. New events have not been viewed. Pending events have been viewed and edited, but have not been marked as authorized or unauthorized.

Time: The date and time the event occurred.

Event: A description of what the record contains.

Note: Any notes made by the auditor when editing the event record.

Assigned: The user to whom the auditor assigned the event when editing the event record.

Rule: The audit rule that pulled in the event.

Type: The type of event.

Size: The size of the keystroke capture, with the total session time shown in parentheses.

Event ID: The unique event ID.

From this page, you can perform the following tasks:

7.4.1 Viewing a Compliance Audit Record

  1. Click Compliance Auditor on the home page of the console.

  2. Select the record you want to view.

  3. Click View Record in the task pane.

    Record data for this event is shown, including the submit user and host, the run user and host, the command, whether it was authorized by Command Control, and whether the session was captured.

From here you can view a Command Control keystroke report, if it exists, or edit the record. If a keystroke report exists, you must review it before you can edit the record. See Section 7.4.2, Viewing and Editing a Command Control Keystroke Report for more information.

7.4.2 Viewing and Editing a Command Control Keystroke Report

  1. Click Compliance Auditor on the home page of the console.

  2. Select the record for which you want to view a keystroke report.

  3. Click View Record in the task pane.

  4. Click View Keystroke Report in the task pane, or click the Keystroke button.

    The text that the user entered during the session is shown on the Input page. The first column displays color-coded indicators for command risk level and rule risk level, ranging from green (low) to red (high). For more information, see Setting the Command Risk and Modifying a Rule.

  5. On the Command Control Keystroke Report page, edit the following fields:

    Terminal Type: Change the terminal type if it is set incorrectly.

    Find: To find a specific command or string in the report, specify the text in the text box, then click Find.

    Decryption key: If an encryption password has been defined on the Command Control Audit Settings page to encrypt the sensitive password data in the reports (see Defining Audit Settings), specify this password in the text box, then click Refresh to display the passwords.

    Show control characters: Use the Show control characters check box to show or hide control characters on the screen.

    Show audited commands: Use the check box to show or hide the full list of audited commands. If this option is enabled, the screen shows the actual commands that are being run when a user types a command. You can also view each input command individually by mousing over the command.

    Show profile commands: Use the check box to show or hide the commands run in the user’s login profile when the user’s pcksh login shell has auditing configured to level 2.

  6. (Optional) To see the keystroke text being played back with the screen output, click Output.

    You can start the playback from a specific line in the input by selecting that line before clicking Output.

    • Click Play to play the keystroke entries and view the output.

    • Click Rewind to go back to the beginning.

    • Click Pause to pause the playback.

    • Click Forward to skip any pauses in the playback where the user might have taken a break from typing.

    • Set the Playback Speed to Real Time, Double Speed, or Full Speed.

    • Set the Scrollback field to the amount of text you want to be able to scroll back through, in kilobytes.

    • Change the Terminal Type to the one you want.

  7. Click Cancel to return to the record list.

7.4.3 Viewing a Change Management Audit Record

  1. Click Compliance Auditor on the home page of the console.

  2. Select the Command Control Change Management record you want to view.

    The record type is shown in the Type column. You might need to scroll to the right to see this column.

  3. Click View Record in the task pane.

    Information about the Change Management action is displayed, including the name of the user who made changes to the database, and any entries the user made when committing the Command Control transaction.

  4. To edit the record, see Section 7.4.5, Editing an Audit Record.

7.4.4 Viewing a Report Audit Record

  1. Click Compliance Auditor on the home page of the console.

  2. Click the record you want to view.

    The record type is shown in the Type column. You might need to scroll to the right to see this column.

  3. Click View Record in the task pane.

    Record data for this report is shown, including the contents of the report sent.

  4. To edit the record, see Section 7.4.5, Editing an Audit Record.

7.4.5 Editing an Audit Record

For each event listed in the Compliance Auditor, you can edit the audit record to authorize the event or mark it as unauthorized, escalate it, and assign it to another user. You can also add notes for display in the event record, and comments that are permanently recorded in the event history.

NOTE: For Command Control events for which a keystroke report exists, you must view the keystroke report before editing the audit record. See Section 7.4.2, Viewing and Editing a Command Control Keystroke Report for more information.

To edit an audit record:

  1. Click Compliance Auditor on the home page of the console.

  2. Select the record you want to edit.

  3. Click View Record in the task pane.

  4. Click Edit Record.

  5. (Optional) Authorize the event:

    1. Select the Authorized check box.

    2. In the Note field, specify a note to be displayed on the event list and event record.

    3. In the Comment field, specify a comment to be permanently displayed in the History on the View Record page.

  6. (Optional) Mark the event as unauthorized:

    1. Select the Unauthorized check box.

    2. If necessary, set an Escalation Level to be displayed on the event list.

      This can be used as a report filter when setting up reports. See Section 7.3.1, Adding or Modifying an Audit Report.

    3. If necessary, use the Assigned to field to assign the record to a different user.

    4. Specify a Note or a Comment to explain why the event is unauthorized.

  7. Click Finish.

7.4.6 Archiving Records

Audit records can be archived from the console or from the command line. For information about the command line options, see Section 10.7.2, Managing Compliance Auditor Records.

To archive records from the console:

  1. Click Compliance Auditor on the home page of the console.

  2. Select the records you want to archive.

    To select multiple records, press the Ctrl key and select the records one at a time, or press the Shift key to select a consecutive list of records.

  3. Click Archive Records in the task pane.

    A list of the selected records is displayed.

  4. Configure the following fields:

    Comment: (Required) Specify the reason for the archive.

    Keep Online: (Optional) Select if you want the archived records to continue to be displayed in the list of records.

  5. Configure the types of records to archive.

    By default, authorized and unauthorized records are selected. New and pending records are not displayed. If you want to archive these records, select the New and Pending options.

    IMPORTANT: After a record is archived, it cannot be modified. If you archive new or pending records, their status can never change.

  6. Click Finish.
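The record lifecycle that Sections 7.4.5 and 7.4.6 describe (New, Pending, Authorized, Unauthorized; keystroke report reviewed before editing; archived records frozen), written out as an added example. This is not NetIQ product code, and the class and method names are assumptions; only the rules it enforces come from the manual.

```python
# Added example, not product code: a model of the audit-record lifecycle rules.
from dataclasses import dataclass, field
from typing import Optional


class AuditRecordError(Exception):
    """An operation violated one of the lifecycle rules."""


@dataclass
class AuditRecord:
    event_id: str
    has_keystroke_report: bool = False
    status: str = "New"            # New | Pending | Authorized | Unauthorized
    escalation_level: int = 0
    assigned_to: str = ""
    note: str = ""                 # shown on the event list and record
    history: list = field(default_factory=list)  # permanent comments
    keystroke_reviewed: bool = False
    archived: bool = False
    keep_online: bool = True

    def view_keystroke_report(self) -> None:
        self.keystroke_reviewed = True  # prerequisite for editing, when a report exists

    def edit(self, classify: Optional[str] = None, note: str = "", comment: str = "",
             escalation_level: int = 0, assigned_to: str = "") -> str:
        if self.archived:
            raise AuditRecordError("archived records cannot be modified")
        if self.has_keystroke_report and not self.keystroke_reviewed:
            raise AuditRecordError("review the keystroke report before editing")
        if classify not in (None, "Authorized", "Unauthorized"):
            raise AuditRecordError(f"unknown classification {classify!r}")
        self.note = note
        if comment:                    # comments are recorded permanently in History
            self.history.append(comment)
        if classify == "Unauthorized":  # escalation and assignment accompany this choice
            self.escalation_level = escalation_level
            self.assigned_to = assigned_to
        # Viewed and edited but not yet classified is exactly the Pending state.
        self.status = classify or "Pending"
        return self.status

    def archive(self, comment: str, keep_online: bool = False) -> None:
        if not comment:                # the archive comment is required
            raise AuditRecordError("an archive comment is required")
        self.history.append(f"archived: {comment}")
        self.keep_online = keep_online  # Keep Online: still listed in the console
        self.archived = True           # irreversible: status can never change again
```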

7.4.7 Managing Archived Records

From the Framework Manager console, you can restore an archive, move an archive from an online state (viewable in the console) to an offline state (not viewable in the console), and move an archive from an offline state back to an online state. You must use the command line options to purge an archive. See Section 10.7.2, Managing Compliance Auditor Records.

To manage archived records from the console:

  1. Click Compliance Auditor on the home page of the console.

  2. Click Manage Archives in the task pane.

  3. To restore an archive to an online status, select the archive, then click Restore.

  4. To move an archive from an online status to an offline status, select the archive, then click Remove.

  5. Click Close.