Change Audit
On critical, service-responsible servers, it is very common for changes executed in these environments to be highly controlled.
In cases like these, the user requests access to a device and the administrator releases access where he will perform the task. The auditor needs to know exactly what script, device and time the activity will be performed. For the compliance, it is necessary to physically follow or check the logs of executed commands.
These activities have a very high risk, because the user can make an execution that directly affects the productivity of a company, for example, stopping an Apache server that is hosted on the company's commercial site, or even making improper actions in order to steal information.
To facilitate auditing and compliance, the Change Audit module assists the administrator in ensuring that the necessary changes to a server are executed correctly, providing an approval flow to an access, confirming that everything that was proposed in the change was actually executed by the user.
And also calculating its effectiveness with evaluations indicating whether the user has reached the expected result, made more executions than should have been done or if not even managed to make the change correctly.
This demonstrates more security to the professional responsible for the environments, having audit and compliance of the commands executed inside their devices.
Another point is the possibility of splitting the workflow, where one user can be responsible for planning and creating the script and another for executing it.
Among other benefits this module can help:
Granting privileges to users in the authorized environment only
Prevention, detection and correction of security abnormalities in the environment
Creation of inviolable audit trails for privileged operations
Follow the instructions in the following sections to understand how to use this module:
Registering a change
To create a change follow the menu: Change Audit ➔ Change and follow the instructions:
Click on the More actions button in the report and choose the New option
In the report fill in the ID and the Title of this change.
If you wish to complete a Description of the purpose of this change.
In the Start Time field select the day and time that the change should start to be executed
Consequently, in the Due Date field, select the day and time that the change should be completed.
Select the Access group related to this change.
infoIf you need to create a dedicated access group for change activities or edit an existing one, entering users who can execute changes and those who have approved that changes be made.
If you do not know how to create an access group please refer to the section Access of this document.
Go to the Devices tab and click the add icon to select the devices that have gone through the change.
Click the desired devices in the list, and then click Add to select them.
cautionThis guide must be completed, otherwise the change will not be registered.
Going to the Script tab enter the commands that will be executed to make the change
cautionRemember that this script will be used as a comparison to prove the success of the change, so it must be entered correctly.
To finish click Save
Requesting a change
To request and execute a change you need to perform a remote session. To do so, follow the instructions:
Access the menu: PAM Core ➔ Credentials ➔ All
Choose the device you want to access to perform the change.
You can use the filter at the top of the report to find it.
cautionIn order for the change to be properly audited, it is necessary to search the devices associated with the desired changes.
Click the action button Start session.
If your access group requires justification, it will be necessary to fill it out, if not the request will be generated, wait for the change to be approved.
To check the status of your request access the menu: Change Audit ➔ My requests.
If you are an approved check the requests made to you through the menu: Change Audit ➔ My approvals.
When the request is approved or disapproved you will receive a notification and you will be able to perform the access (perform steps 1 to 3 again).
infoCheck with your senhasegura administrator to see if notifications are active to receive the notification of your request.
In the section perform the scheduled change.
Auditing the sessions
After a change you can check what was done during the session and see if the entered script was followed.
Access the menu: Change Audit ➔ Audited sessions and you can view the following data:
Change details
Choose the change you want to see the details.
You can use the filter at the top of the report to find it.
Click on the change action button and select the option Change details.
In the displayed report you will see the duration of the change, the IP and the user who made the change in addition to the score given to this one.
Change Audit
Choose the change you want to see the audit.
You can use the filter at the top of the report to find it.
Click on the change action button and select the option Change Audit.
A board with the executed commands will be displayed.
The lines in red are commands that should have been executed, according to the registered script, but were not.
And the green lines display the commands that were executed and were not present in the script.
Session Logs
Choose the change you want to see session logs.
You can use the filter at the top of the report to find it.
Click the action button for the change and select the Session Logs option.
In the report displayed you can see in detail the logs of the session that was performed to execute the change.
Watching the session video
It is also possible to watch the recording of what was done during the session:
Choose the change you wish to watch the recording.
You can use the filter at the top of the report to find it.
Click the action button for the change and select the Video of Session option.
The video will start automatically.