The Compliance Auditor collects, filters, and generates reports of audit data for analysis and sign-off by authorized personnel. The Compliance Auditor can be used in conjunction with Command Control to enable auditors to view security transactions and play back recordings of user activity. Auditors can record notes against each record, creating permanent archives of activity.
Rules can be configured to pull any number of audit events matching a given filter into the Compliance Auditor at specific intervals. Examples of filters include username, host, and command for Command Control. Roles can be assigned to each rule to ensure that an auditor is able to view only extracted records with a matching role defined in his or her user account. In addition, Access Control Levels (ACLs) can be defined to restrict access to individual events, and to prevent users from auditing their own activity.
When viewing an audit event, an auditor can authorize it, or mark it as unauthorized, escalate it, and assign it to someone else. Each change is recorded in an indelible audit trail within the record, along with any notes made by the auditor. Reports can be generated automatically and e-mailed to the appropriate personnel, for example as a daily report to managers on audit activity awaiting sign-off, or as an hourly report, triggered by an escalation value, that notifies senior management of activity.
To use the Compliance Auditor:
Define roles in user groups to control user access to the Compliance Auditor. See Section 7.1, Controlling Access to the Compliance Auditor.
Create one or more rules to pull the required events into the Compliance Auditor. See Section 7.2.1, Adding or Modifying an Audit Rule.
Define ACLs for individual users. See Section 7.5, Access Control Levels.
View event records and authorize them, or mark them as unauthorized and define further action. See Section 7.4, Compliance Auditor Records.
Configure auditing reports to be automatically e-mailed to the appropriate personnel. See Section 7.3.1, Adding or Modifying an Audit Report.
Provide failover and load balancing by installing the Compliance Auditor on multiple hosts. See Section 7.6, Deploying the Compliance Auditor.
Export and import compliance auditing settings. See Section 10.7.1, Exporting and Importing Compliance Auditor Settings.