The Compliance Auditor main page lists the records (events) collected according to defined audit rules.
By default, all new and pending events are displayed, as indicated in the
column. To view authorized and unauthorized events, select the appropriate check boxes and click . Pending events are events that have been viewed and their records edited, but they have not been classified as authorized or unauthorized. You can click any of the column headings to sort by that column.
To view events for a specific time period, select the
and check boxes, select the required dates, specify the required times, and click .
The table displays the following information about each event:
Column | Description |
---|---|
First | The color-coded indicators for Command Control command risk level and rule risk level, ranging from green (low) to red (high). For more information, see Setting the Command Risk. |
Level | The escalation level set by the auditor editing the event record. |
Status | The status of the event, indicating whether an auditor has classified the event as authorized or unauthorized. New events have not been viewed. Pending events have been viewed and edited, but have not been marked as authorized or unauthorized. |
Time | The date and time the event occurred. |
Event | A description of what the record contains. |
Note | Any notes made by the auditor when editing the event record. |
Assigned | The user the event has been assigned to by the auditor of the event record. |
Rule | The audit rule that pulled in the event. |
Type | The type of event. |
Size | The size of the keystroke capture with the total time of the session displayed between parentheses. |
Event ID | The unique event ID. |
From this page, you can perform the following tasks:
Click
on the home page of the console.
Select the record you want to view.
Click
in the task pane.
Record data for this event is shown, including the submit user and host, the run user and host, the command, whether it was authorized by Command Control, and whether the session was captured.
From here you can view a Command Control keystroke report, if it exists, or edit the record. If a keystroke report exists, you must review it before you can edit the record. See Section 7.4.2, Viewing and Editing a Command Control Keystroke Report for more information.
Click
on the home page of the console.
Select the record for which you want to view a keystroke report.
Click
in the task pane.
Click
in the task pane, or click the button.
The text that the user entered during the session is shown on the Input page. The first column displays color-coded indicators for command risk level and rule risk level, ranging from green (low) to red (high). For more information, see Setting the Command Risk and Modifying a Rule.
On the Command Control Keystroke Report page, edit the following fields:
Terminal Type: Change the terminal type if it is set incorrectly.
Find: To find a specific command or string in the report, specify the text in the text box, then click .
Decryption key: If an encryption password has been defined on the Command Control Audit Settings page to encrypt the sensitive password data in the reports (see Defining Audit Settings), specify this password in the text box, then click to display the passwords.
Show control characters: Use the
check box to show or hide control characters on the screen.
Show audited commands: Use the check box to show or hide the full list of audited commands. If this option is enabled, the screen shows the actual commands that are being run when a user types a command. You can also view each input command individually by mousing over the command.
Show profile commands: Use the check box to show or hide the commands run in the user’s login profile when the user’s pcksh login shell has auditing configured to level 2.
(Optional) To see the keystroke text being played back with the screen output, click .
You can start the playback from a specific line in the input by selecting that line before clicking .
Click
to play the keystroke entries and view the output.
Click
to go back to the beginning.
Click
to pause the playback.
Click
to skip any pauses in the playback where the user might have taken a break from typing.
Set the
to , , or .
Set the
field to the amount of text you want to be able to scroll back through, in kilobytes.
Change the
to the one you want.
Click
to return to the record list.
Click
on the home page of the console.
Select the Command Control Change Management record you want to view.
The record type is shown in the
column. You might need to scroll to the right to see this column.
Click
in the task pane.
Information about the Change Management action is displayed, including the name of the user who made changes to the database, and any entries the user made when committing the Command Control transaction.
To edit the record, see Section 7.4.5, Editing an Audit Record.
Click
on the home page of the console.
Click the record you want to view.
The record type is shown in the
column. You might need to scroll to the right to see this column.
Click
in the task pane.
Record data for this report is shown, including the contents of the report sent.
To edit the record, see Section 7.4.5, Editing an Audit Record.
For each event listed in the Compliance Auditor, you can edit the audit record to authorize the event, or mark it as unauthorized, escalate it, and assign it to another user. You can also add notes for display in the event record, and comments that are permanently recorded in the event history.
NOTE: For Command Control events for which a keystroke report exists, you must view the keystroke report before editing the audit record. See Section 7.4.2, Viewing and Editing a Command Control Keystroke Report for more information.
To edit an audit record:
Click
on the home page of the console.
Select the record you want to edit.
Click
in the task pane.
Click .
(Optional) Authorize the event:
Select the
check box.
In the
field, specify a note to be displayed on the event list and event record.
In the
field, specify a comment to be permanently displayed in the on the View Record page.
(Optional) Mark the event as unauthorized:
Select the
check box.
If necessary, set an
to be displayed on the event list.
This can be used as a report filter when setting up reports. See Section 7.3.1, Adding or Modifying an Audit Report.
If necessary, use the
field to assign the record to a different user.
Specify a
or a to explain why the event is unauthorized.
Click .
Audit records can be archived from the console or from the command line. For information about the command line options, see Section 10.7.2, Managing Compliance Auditor Records.
To archive records from the console:
Click
on the home page of the console.
Select the records you want to archive.
To select multiple records, press the Ctrl key and select the records one at a time, or press the Shift key to select a consecutive list of records.
Click
s in the task pane.
A list of the selected records is displayed.
Configure the following fields:
Comment: (Required) Specify the reason for the archive.
Keep Online: (Optional) Select if you want the archived records to continue to be displayed in the list of records.
Configure the types of records to archive.
By default, authorized and unauthorized records are selected. New and pending records are not displayed. If you want to archive these records, select the
and options.
IMPORTANT: After a record is archived, it cannot be modified. If you archive new or pending records, their status can never change.
Click .
From the Framework Manager console, you can restore an archive and move archives from an online state (viewable in the console) to an offline state (not viewable in the console) and from an offline state to an online state. You must use the command line options to purge an archive. See Section 10.7.2, Managing Compliance Auditor Records.
To manage archived records from the console:
Click
on the home page of the console.
Click
in the task pane.
To restore an archive to an online status, select the archive, then click .
To move an archive from an online status to an offline status, select the archive, then click .
Click .