Accounts#
Endpoint Analytics uses two types of accounts to control access to the system and its functions. In addition to the appliance-level root and beacon accounts configured during the deployment process, there are also user accounts that are exclusively tied to the web interface.
Account administration tasks for web interface user accounts are primarily handled via the Configuration > Accounts submenu.
Web interface account roles#
User accounts fall under one of three roles within the web interface:
Administrator#
The administrator is the highest privileged role within the web interface and can make configuration changes, in addition to being able to view all system data.
Only one administrator account exists per system, and it is primarily used for initial access to the web interface after deployment as well as managing other user accounts.
Note
Only one administrator account session is permitted from a given IP address.
Operator#
Operator accounts have full access to the web interface and can make configuration changes, but they cannot change the user account settings.
Analyst#
Apart from customizing their dashboard page, Analyst accounts have access to most Endpoint Analytics data pages and utilities, but they cannot view or modify the system configuration.
Hint
There is no limit to the number of Operator and Analyst accounts that can be created.
The password for the administrator web interface account can be changed by logging into the Endpoint Analytics appliance as the beacon user and running the following command:
# sudo /usr/beacon/www/bin/userAdmin.php -u 1 password <new_password>
Note
By default, all web interface sessions automatically time out after being idle for 30 minutes. The idle timers cannot be disabled, but for operator and analyst accounts they can be set to 5, 15, or 30 minutes.
Adding a new user#
To add a new web interface user or account, select Add Account from the Accounts configuration submenu, and then do the following:
Under Username:, enter a unique username for the new user. The following characters cannot be used in usernames (or passwords):
; ' | " ( ) [ ] { }
Under Password:, enter a password for the account, and then retype the password in the next field for verification.
Under Access Level:, select the role for the account. Operator is selected by default.
Under Timezone Region: and Select Timezone:, select a region and timezone for the user.
Under Timeout:, select the number of minutes a session must be idle before the account is automatically logged out.
Under Enabled:, select whether to enable the account once it is created.
After verifying that all details are correct, click Save to create the account.
Hint
The password, region, and timezone can be changed by the user by clicking the user menu button in the web interface banner and then selecting My Settings once the user is logged in.
New accounts can also be created by navigating to Configuration > List Accounts, and then clicking Add Account on the summary page.
Managing user accounts#
Selecting List Accounts from the Accounts configuration submenu opens a summary page that lists all existing web interface accounts.
The Accounts list page displays the current settings for each configured user account and functions as the main hub for the following account management tasks:
Adding a new user or account
As an alternative to using the Add Account option under the Accounts configuration submenu, click Add Account at the bottom of the table to open the Add Account page.
Editing account settings
To edit the details of an account, click the username in the list to open the Edit Account page, and then make the necessary changes.
The following actions can also be performed from the Edit Account page:
Resetting or changing the account password
Enabling or disabling the account
Deleting the account
Single Sign-On (SSO)#
By default, the web server hosting the web interface handles all user authentication functions locally. As an alternative, Endpoint Analytics supports SSO authentication through third-party services.
Note
Only the operator and analyst accounts can be routed through third-party authentication services. The administrator account is always authenticated locally to make sure that it has permanent access to the system.
For additional information and instructions on configuring third-party identity providers, see the subsection on SSO integration.
Audit Logging#
Endpoint Analytics can log UI activity either locally (to /var/log/audit.log) or to an external syslog server. UI audit logging is disabled by default.
Note
UI audit log messages delivered to /var/log/audit.log require root privileges to view using the tail, cat, more, or less commands.
To enable audit logging, rename the audit.xml.sample file found in /usr/beacon/config to audit.xml, and then edit it to set the desired level of audit logging. The default configuration of the file is for full UI audit logging with delivery to the internal syslog.
Audit log message formats
Endpoint Analytics supports five audit logging formats for output to internal or external syslog. The following audit logging formats can be enabled by setting their respective rule values to true in the audit.xml file:
page - Basic format used for auditing page access.
<rule name="page" type="boolean" default="false" value="true"/>
rpc - Format used for auditing all json-rpc methods.
<rule name="rpc" type="boolean" default="false" value="true"/>
formRender - Overrides page format when a form appears on a page.
<rule name="formRender" type="boolean" default="false" value="true"/>
formSubmit - Overrides page format when a form is submitted.
<rule name="formSubmit" type="boolean" default="false" value="true"/>
Note
The args value will only show what was changed by the form submission.
content - Open entry for adding a special audit point.
<rule name="content" type="boolean" default="false" value="true"/>
Hint
The use rule (<rule name="use" type="boolean" default="false" value="true"/>) disables all auditing when its value is set to false.
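Added here as an example (not part of the Endpoint Analytics documentation or product): a small Python check that reads an audit.xml, honours the use rule described above, and reports which of the five formats will actually be logged. The <audit> root element name and the sample file contents are assumptions; the <rule .../> elements follow the form shown on this page.

```python
"""Report which UI audit formats an audit.xml effectively enables.

Added example, not product code. The <audit> root element is an assumption;
the <rule name=... type="boolean" default=... value=.../> form is the page's.
"""
import xml.etree.ElementTree as ET

# Constructed sample: format rules look enabled, but the master "use" rule
# is false, so in practice nothing is audited.
SAMPLE_AUDIT_XML = """<audit>
  <rule name="use" type="boolean" default="false" value="false"/>
  <rule name="page" type="boolean" default="false" value="true"/>
  <rule name="rpc" type="boolean" default="false" value="true"/>
  <rule name="formRender" type="boolean" default="false" value="false"/>
  <rule name="formSubmit" type="boolean" default="false" value="true"/>
  <rule name="content" type="boolean" default="false" value="false"/>
</audit>"""

FORMAT_RULES = ("page", "rpc", "formRender", "formSubmit", "content")


def parse_rules(xml_text):
    """Return {rule name: bool} for every <rule>; a missing value attribute
    falls back to the rule's default attribute."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter("rule"):
        raw = rule.get("value", rule.get("default", "false"))
        rules[rule.get("name")] = raw.strip().lower() == "true"
    return rules


def effective_formats(rules):
    """Formats that will really be logged: none at all when use is false."""
    if not rules.get("use", False):
        return []
    return [name for name in FORMAT_RULES if rules.get(name, False)]


def audit_findings(xml_text):
    """Return (active formats, list of warnings a reviewer would raise)."""
    rules = parse_rules(xml_text)
    active = effective_formats(rules)
    findings = []
    if not rules.get("use", False):
        findings.append("use=false: all UI auditing is disabled")
    elif not active:
        findings.append("no format rules enabled: nothing will be logged")
    if "formSubmit" not in active:
        findings.append("formSubmit disabled: form-based changes not recorded")
    if "rpc" not in active:
        findings.append("rpc disabled: json-rpc calls not recorded")
    return active, findings
```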
Audit log message contents
Audit log messages consist of a single line and include the following fields:
IP-Address: IP address of the client provided by the web server.
Mode: Either r (read), w (write), or x (execute).
User(id): Username and serial_id of the user.
Page: The page requested.
Args: Either the rpc command and its arguments or the fields of the form.
Audit logging to external syslog
If desired, Endpoint Analytics can also be configured to send audit log messages to a remote syslog server.
To enable audit logging to an external syslog server, do the following:
Run the following command to edit /etc/syslog.conf:
# sudo vi /etc/syslog.conf
Find the line #*.* @log.host.address and uncomment it by deleting the #.
Replace log.host.address with the IP address or FQDN of the syslog server to which audit log messages should be delivered.
Save the changes to syslog.conf and restart the syslog process by running:
# service rsyslog restart