Auditing and compliance
Each action performed by the mangement console on a remote host is logged to the local syslog file. The syslog messages show you who performed the action, when, and the output (standard error, standard out).
Syslog reports any action that changes on the host, for example:
- Add, delete, modify user or group account information
- Add user to (or remove user from) users.allow
- Configure Privilege Manager policy server
- Enable (or disable) Auto Profile, SSH Key login, Auto Authentication Services agent status
- Install software
- Join to (or unjoin from) Active Directory or Privilege Manager policy group
- Map user to (or unmap user from) Active Directory
Note: The messages are logged in the local syslog file. Local host logs messages to local audit log files based on your host configuration.
Cannot create a service connection point
To create an SCP for Management Console for Unix
- While the mangement console does not need to be configured for Active Directory, Management Console for Unix must be installed on a computer that is joined to an Active Directory domain.
- The computer object must have access to create child objects under its own computer object.
Note: The ability for SELF to create and delete child objects is allowed by default, so you should not have problems creating Service Connection Points (SCPs) unless the Discretionary Access Control List (DACL) has been changed to deny the Create all child objects permission.
- If the console is installed on a Windows host, SSPI must be enabled.
If you cannot create an SCP, check whether the computer where Management Console for Unix is installed is joined to the Active Directory domain.
- If the computer is NOT joined to the domain, then the Register a Service Connection Point with Active Directory option on the Console Information settings is disabled.
Note: When Management Console for Unix is installed on a Unix or Linux computer, it might be possible that the Management Console for Unix server does not have access to the keytab file. When Management Console for Unix cannot read the keytab file, it acts as if it is installed on a Unix computer that is not joined to the domain.
- If the computer is joined to the domain and the creation of the SCP fails, the most likely cause is that the computer Discretionary Access Control List (DACL) 'Create all child objects' was denied for SELF. Using the Active Directory Users and Computers (ADUC) tool, you can check and modify these permissions on the Security tab of the computer's properties. Consult the Microsoft documentation for information about using ADUC.
Check Authentication Services agent status commands not available
The "Check QAS" commands are only available for hosts that have the Authentication Services 220.127.116.11 (or later) Agent software installed. If your version of Authentication Services is not using the 18.104.22.168 version of the vas_status.sh script, the mangement console will not report QAS agent status. Furthermore, if you customize the vas_status.sh script, ensure the output for customized tests are in CSV format so that the mangement console will correctly report the results.
CSV or PDF reports do not open
If you are having trouble opening CVS or PDF reports, here are some suggestions:
- Make sure your browser does not have a pop-up blocker enabled for the site. PDF and CSV files are opened as a window pop-up and require you to disable any browser pop ups before the report will open.
- If you are running Management Console for Unix on Internet Explorer, you may need to adjust your IE settings, as explained below:
To adjust your IE settings
- From the Tools menu, select Internet Options.
- On the Advanced tab, scroll to Security section.
- Clear the Do not save encrypted pages to disk option.
- Apply the changes.
- Close and reopen your browser.
- Try downloading that file again.
Or, you may need to reset your Download options.
To modify the Download Internet options
From your Internet Explorer browser, navigate to Tools | Internet Options and click the Security tab.
In the Security Settings dialog, click the Custom level button, scroll down to Downloads, and ensure that the Automatic prompting for file downloads and File download settings are set to Enable.
Note: If you hold down the Ctrl key after you open the Export drop-down menu and select PDF, it allows the download to happen even if you have the Automatic prompting for file downloads setting disabled.