Auditing Administrator Logins - Hitachi ID Privileged Access Manager
Hitachi ID Privileged Access Manager logs and can report on every disclosure of access to every privileged account. This means that the time interval during which a user was connected to a privileged account or during which a password was disclosed to a program or person is always recorded, is retained definitely and is visible in reports.
Privileged Access Manager also logs all attempts by users to search for managed systems and to connect to privileged accounts, even if login attempts were denied. This means that even rejected attempts and requests to access privileged accounts are visible in reports.
Privileged Access Manager also logs auto-discovery and auto-configuration process status as well as manual changes to its own configuration. This means that the health of systems on the network can be inferred from Privileged Access Manager reports.
Exit traps can be used to forward copies of Privileged Access Manager log entries to another system (e.g., an SIEM, typically via SYSLOG) for analytics and tamper-proof archive.
All data in Privileged Access Manager is available via SQL or ODBC and accessible using standard analytical tools (Crystal Reports, Cognos, MS-Excel, SQL queries, etc). The schema is well documented and is available to all product licensees and evaluators under NDA. The current release schema documentation is about 127 pages long, and includes detailed descriptions of every field, table, relation, value constraint, etc.
Data available through Privileged Access Manager includes:
- A list of IDs per target system.
- A list of managed systems per managed system policy.
- A list of users per user group.
- Full detail of transaction history.
- Additional user attributes (e.g., roles, employee ID)
- Select user attributes drawn from target systems.
Privileged Access Manager includes a number of standard reports, executed or scheduled through the web user interface and delivered interactively or by e-mail:
- Users: who can sign into Privileged Access Manager, who can authorize requests for privileged access, who have temporarily been delegated approval rights, who can manage Privileged Access Manager itself, etc.
- Policies: user classes, ACLs assigned to users and user groups, segregation of duties policies.
- Workflow: open requests, request history, non-responsive authorizers.
- Managed systems: target systems and policies.
- Access disclosure: password checkout history, currently checked out passwords, expired passwords (due to be randomized).
- System operation: event log, authentication history, history of updates made to target systems.
- System audit: configuration and policy changes made to Privileged Access Manager.
Each report includes a set of search parameters that enables users (who must have the right to run reports) to fine-tune the data they retrieve.