[cisco-voip] cdrtime for password changes cucm 5.1.2.x

Thorsten.Mayr at barclayscapital.com Thorsten.Mayr at barclayscapital.com
Fri May 9 08:16:14 EDT 2008 

So close.. I even looked at fkenduser and tried to list any/all
references.. But somehow I always... Oh well - next time maybe
Found the output of systables, syscolumns, sysindexes, and sysdistrib
quite interesting

second question, non db related unfortunately:
Is there a way to get the log for commands issued on the CLI on 5.1.X
and pwd changes, since this information is more likely to be in passwd
shadow.. I wouldn't expect to be lucky twice ;)

Thanks for clarification Wes.








> -----Original Message-----
> From: Wes Sisk [mailto:wsisk at cisco.com] 
> Sent: Friday, May 09, 2008 1:02 PM
> To: Mayr, Thorsten: IT (LDN)
> Cc: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] cdrtime for password changes cucm 5.1.2.x
> 
> Thorsten,
> 
> Nice investigation and you got so very close to the answer.
> In Cm5.x and 6.x "Credential Policy" was introduced just for 
> this.  From the CM6.1 data dictionary:
> http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/datadict/6_
> 1_1/dd_611.pdf
> 
> we find the credentialhistory table that captures when each 
> user last changed their password:
> 
> admin:run sql select first 1 * from enduser
> pkid                                 assocpc firstname 
> middlename lastname userid manager department telephonenumber tku
> serlocale mailid status facsimiletelephonenumber mobile pager 
> homephone title building site fkdirectorypluginconfig uniq
> ueidentifier nickname deletedtimestamp passwordreverse 
> fkmatrix_presence                    tkuserprofile fkcallingsearc
> hspace_restrict allowcticontrolflag enablemobilevoice 
> maxdeskpickupwaittime enablemobility remotedestinationlimit 
> ==================================== ======= ========= 
> ========== ======== ====== ======= ========== =============== 
> === ========= ====== ====== ======================== ====== 
> ===== ========= ===== ======== ==== ======================= 
> ==== ============ ======== ================ =============== 
> ==================================== ============= 
> ============== =============== =================== 
> ================= ===================== ============== 
> ======================
> 61c1002c-2ea5-4a92-e1c8-8b1be0918523         wes              
>     sisk     wsisk                                     1
>                  1                                            
>                               NULL
>                       NULL                             
> ad243d17-98b4-4118-8feb-5ff2e1b781ac 1             NULL
>                 t                   f                 10000   
>               f              4
> 
> admin:run sql select first 1 * from credentialhistory where 
> fkenduser like '%8523'
> pkid                                 changeid fkenduser       
>                      fkapplicationuser tkcredential creden
> tials                              timechanged
> ==================================== ======== 
> ==================================== ================= 
> ============ ====== ================================== ===========
> 1d27508e-73f5-440c-a5c4-94a5bc37e5d1 1        
> 61c1002c-2ea5-4a92-e1c8-8b1be0918523 NULL              4      
>       2fa694
> ffcd062c1e9a45a68cadf5a83facc2d7c9 1192218565
> 
> /Wes
> 
> Thorsten.Mayr at barclayscapital.com wrote: 
> 
> 	admin:run sql select first * from enduser
> 	
> 	Must have been mistyping it... looking at the systable 
> confirmed this
> 	existed...
> 	But seems like no timestamp on the password, only on 
> the overall enduser
> 	- unless there is a "crossreference" which I am not aware of?
> 	
> 	Apologies, could have figured that one out before, but 
> am not really a
> 	database person.
> 	
> 	Thx anyway ;)
> 	T
> 	
> 	  
> 
> 		-----Original Message-----
> 		From: cisco-voip-bounces at puck.nether.net 
> 		[mailto:cisco-voip-bounces at puck.nether.net] On 
> Behalf Of 
> 		Mayr, Thorsten: IT (LDN)
> 		Sent: Friday, May 09, 2008 10:05 AM
> 		To: cisco-voip at puck.nether.net
> 		Subject: [cisco-voip] cdrtime for password 
> changes cucm 5.1.2.x
> 		
> 		A question for audit purposes...
> 		
> 		I have to prove that passwords are being 
> changed/have been 
> 		changed in a non AD integrated CUCM environment 
> for all admin 
> 		accounts... Usual story..
> 		
> 		I was wondering if there was a timestamp for password 
> 		changes/updates/last touch... in the database on 5.1.2?
> 		Or is there only one general timestamp assigned 
> to the "user/account"
> 		which counts for all updates to it ):
> 		
> 		As Wes once pointed out there is a hidden 
> timestamp called 
> 		cdrtime... I am sure we are not the first ones 
> being audited 
> 		on CUCM... 
> 		
> 		What have you guys done to produce audit trails?
> 		
> 		We have requested an audit functionality as a 
> new feature.
> 		
> 		Thanks
> 		Thorsten
> 		
> 		PS: I wasn't inventive enough to figure out the 
> name of the 
> 		table-,column-, name for application/end user 
> accounts - 
> 		hence wasn't able to check it out myself 
> 		_______________________________________________
> 		
> 		This e-mail may contain information that is 
> confidential, 
> 		privileged or otherwise protected from 
> disclosure. If you are 
> 		not an intended recipient of this e-mail, do 
> not duplicate or 
> 		redistribute it by any means. Please delete it and any 
> 		attachments and notify the sender that you have 
> received it 
> 		in error. Unless specifically indicated, this 
> e-mail is not 
> 		an offer to buy or sell or a solicitation to 
> buy or sell any 
> 		securities, investment products or other 
> financial product or 
> 		service, an official confirmation of any 
> transaction, or an 
> 		official statement of Barclays. Any views or opinions 
> 		presented are solely those of the author and do not 
> 		necessarily represent those of Barclays. This e-mail is 
> 		subject to terms available at the following link: 
> 		www.barcap.com/emaildisclaimer. By messaging 
> with Barclays 
> 		you consent to the foregoing.  Barclays Capital is the 
> 		investment banking division of Barclays Bank 
> PLC, a company 
> 		registered in England (number 1026167) with its 
> registered offi!
> 		 ce at 1 Churchill Place, London, E14 5HP.  
> This email may 
> 		relate to or be sent from other members of the 
> Barclays Group.
> 		_______________________________________________
> 		_______________________________________________
> 		cisco-voip mailing list
> 		cisco-voip at puck.nether.net
> 		https://puck.nether.net/mailman/listinfo/cisco-voip
> 		
> 		    
> 
> 	_______________________________________________
> 	
> 	This e-mail may contain information that is 
> confidential, privileged or otherwise protected from 
> disclosure. If you are not an intended recipient of this 
> e-mail, do not duplicate or redistribute it by any means. 
> Please delete it and any attachments and notify the sender 
> that you have received it in error. Unless specifically 
> indicated, this e-mail is not an offer to buy or sell or a 
> solicitation to buy or sell any securities, investment 
> products or other financial product or service, an official 
> confirmation of any transaction, or an official statement of 
> Barclays. Any views or opinions presented are solely those of 
> the author and do not necessarily represent those of 
> Barclays. This e-mail is subject to terms available at the 
> following link: www.barcap.com/emaildisclaimer. By messaging 
> with Barclays you consent to the foregoing.  Barclays Capital 
> is the investment banking division of Barclay
> 	s Bank PLC, a company registered in England (number 
> 1026167) with its registered offi!
> 	 ce at 1 Churchill Place, London, E14 5HP.  This email 
> may relate to or be sent from other members of the Barclays Group.
> 	_______________________________________________
> 	_______________________________________________
> 	cisco-voip mailing list
> 	cisco-voip at puck.nether.net
> 	https://puck.nether.net/mailman/listinfo/cisco-voip
> 	  
> 
> 
_______________________________________________

This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unless specifically indicated, this e-mail is not an offer to buy or sell or a solicitation to buy or sell any securities, investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Barclays. Any views or opinions presented are solely those of the author and do not necessarily represent those of Barclays. This e-mail is subject to terms available at the following link: www.barcap.com/emaildisclaimer. By messaging with Barclays you consent to the foregoing.  Barclays Capital is the investment banking division of Barclays Bank PLC, a company registered in England (number 1026167) with its registered office at 1 Churchill Place, London, E14 5HP.  This email may relate to or be sent from other members of the Barclays Group.
_______________________________________________

More information about the cisco-voip mailing list