Active IQ Unified Manager Discussions

trigger an alert when someone is added to the admin group?

scottgelb
3,728 Views

Is there a way to check when useradmin adds users to the local administrator group?  Without having to write a script to query local and domain user accounts in the admin group is there a way to trigger an alert that anyone knows of?

5 REPLIES 5

hiyer
3,728 Views

You could create an alarm for the 'host-user-discovered' event. rbacmon runs once a day by default, so expect the notifications to be delayed a bit. You can reduce the polling interval by using the "dfm option set" CLI to modify the 'rbacmoninterval' option. I wouldn't advise too low a value as this is a rather heavy monitor, especially when domain users are also involved.

mrcwillis
3,728 Views

hiyer - Thanks, Scott was nice enough to post this on my behalf.  I looked in DFM, assuming that is where you are referring to host user discovered.  We are ok with a 24 hour turn monitoring period.

To verify, I created a DFM Alarm to monitor the specific event "host user dicovered".  I setup my alarm with notification and created a user and added them to the Administrators group.  I literally just did this, so I'm waiting to see if an alarm is triggered and at what interval since I can seem to find where to set the polling so it is at the default which I think you said is 24 hours.

Thanks!

-- Carl

hiyer
3,728 Views

You can run

dfm host discover -m rbac <host-name-or-id>

to hasten the discovery process once.

To permanently reduce the interval, run

dfm option set rbacmoninterval=<some-value>

mrcwillis
3,728 Views

That works perfectly. 

Users Discovered: notification_test (Usergroup Membership Added: Administrators).

Sent that to my auditors and they liked it, but (isnt there always a but!), we need to know who.  Who added the user to the group.  Of course when I look back on the box I just get:

Tue Jun  7 13:10:45 CDT [NETAPP: useradmin.added.deleted:info]: The user 'notification_test' has been added.

Is there a way to track back the to the user that added them? 

hiyer
3,728 Views

I guess you'll have to check the filer audit logs for that information. It should be in /etc/log/auditlog I think. Of course trudging through 24 hours of logs would be quite a chore. You might want to check for specific commands or apis.

Public