[cisco-voip] Enable/Disable SSO Logs

Daniel Pagan dpagan at fidelus.com
Tue Aug 4 13:50:10 EDT 2015


On occasion I’ll also review the Tomcat logs for identifying who accessed a specific portion of CCMAdmin, then use that information to begin digging deeper in other trace files. You can try collecting Tomcat logs off all nodes (because we don’t know which node was accessed via HTTP), and search for “samlSingleSignOn”. The localhost_access files collected should tell you where the HTTP GET request came from by source IP address and authenticated user.

Sample from a lab server:

[04/Aug/2015:10:42:41 -0700] 192.168.100.101 192.168.100.101 ccmadministrator - 443 GET /ccmadmin/samlSingleSignOn.do HTTP/1.1 200 75654 8910

While it doesn’t give you specific detail on what change was made, it will show you if and when someone accessed the SSO configuration page. You can then use the timestamp for that localhost_access file and begin a deeper inspection in Audit or CLI logs. If someone made a change (and this might not apply to the SSO page), then you’ll see the typical ____Save.do POST. Again, just something to give you basic information for starting a more aggressive investigation.

Hope this helps.

Dan
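As an added example (not code from Dan, Brian or Cisco), the two checks in this thread, the Tomcat localhost_access review above and the platform CLI-log search in Brian's reply quoted below, can be turned into one small triage script: it pulls samlSingleSignOn views and any *Save.do POST out of localhost_access lines with the authenticated user and source IP, attributes any `utils sso` command in the CLI log to the login recorded at the start of that CLI session, and merges both into a single timeline. The log lines are constructed to match the formats shown in the thread; `exampleSave.do` is a placeholder path, and both files are assumed to be in the server's local time.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the formats quoted in this thread; exampleSave.do is a placeholder.
ACCESS_LOG = """\
[04/Aug/2015:10:42:41 -0700] 192.168.100.101 192.168.100.101 ccmadministrator - 443 GET /ccmadmin/samlSingleSignOn.do HTTP/1.1 200 75654 8910
[04/Aug/2015:10:43:02 -0700] 192.168.100.101 192.168.100.101 ccmadministrator - 443 POST /ccmadmin/exampleSave.do HTTP/1.1 200 1024 210
[04/Aug/2015:10:45:00 -0700] 192.168.100.55 192.168.100.55 ccmadministrator - 443 GET /ccmadmin/showHome.do HTTP/1.1 200 5000 120
"""
CLI_LOG = """\
2015-08-04 12:00:16,918 INFO [main] sdMain.main - Startup of CLI
Getting Platform XML interface file
2015-08-04 12:00:16,949 INFO [main] sdMain.main - name = admin, privilege = 4
2015-08-04 12:00:46,842 INFO [main] sdMain.main - running command -> [utils sso disable]
"""
# localhost_access layout assumed: [ts tz] src_ip ip user - port METHOD path proto status bytes ms
ACCESS_RE = re.compile(r"^\[(?P<ts>\S+) [-+]\d{4}\] (?P<src>\S+) \S+ (?P<user>\S+) \S+ \d+ "
                       r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\S+ (?P<status>\d{3})")
CLI_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*sdMain\.main - (?P<msg>.*)$")

def tomcat_sso_events(text):
    # SSO page views plus any *Save.do POST, each attributed to the authenticated user and source IP.
    events = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        if "samlSingleSignOn" in m["path"] or (m["method"] == "POST" and m["path"].endswith("Save.do")):
            events.append({"time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"), "source": "tomcat",
                           "user": m["user"], "src_ip": m["src"],
                           "detail": f"{m['method']} {m['path']} {m['status']}"})
    return events

def cli_sso_events(text):
    # Attribute every `utils sso ...` command (enable or disable) to the login that opened the same CLI session.
    events, user = [], None
    for m in filter(None, map(CLI_RE.match, text.splitlines())):
        if m["msg"] == "Startup of CLI":       # new session: forget the previous login
            user = None
        login = re.match(r"name = (\S+), privilege = (\d+)", m["msg"])
        if login:
            user = f"{login[1]} (priv {login[2]})"
        cmd = re.match(r"running command -> \[(.*)\]", m["msg"])
        if cmd and cmd[1].startswith("utils sso"):
            events.append({"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "source": "cli",
                           "user": user or "unknown", "src_ip": None, "detail": cmd[1]})
    return events

def sso_timeline(access_text, cli_text):
    # Both logs are taken to be server-local time, so the Tomcat tz offset is deliberately not applied.
    return sorted(tomcat_sso_events(access_text) + cli_sso_events(cli_text), key=lambda e: e["time"])

for e in sso_timeline(ACCESS_LOG, CLI_LOG):
    print(e["time"], e["source"], e["user"], e["src_ip"] or "-", e["detail"])
```

Feed it the localhost_access files from every node, since only the node that served the request logs it; the CLI log carries no time-zone offset, so line its times up with the Tomcat entries with that in mind.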

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Matthew Loraditch
Sent: Tuesday, August 04, 2015 12:55 PM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com>; Brian Meade <bmeade90 at vt.edu>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Enable/Disable SSO Logs

Odd, I’m not seeing much of anything. The Audit logs don’t appear to show me turning SSO back on today either… Wonder if it’s logged differently.

Matthew G. Loraditch – CCNP-Voice, CCNA-R&S, CCDA
Network Engineer
Direct Voice: 443.541.1518
Facebook<https://www.facebook.com/heliontech?ref=hl> | Twitter<https://twitter.com/HelionTech> | LinkedIn<https://www.linkedin.com/company/helion-technologies?trk=top_nav_home> | G+<https://plus.google.com/+Heliontechnologies/posts>

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Matthew Loraditch
Sent: Tuesday, August 4, 2015 12:22 PM
To: Brian Meade <bmeade90 at vt.edu>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Enable/Disable SSO Logs

Thanks! Checking both.


From: bmeade90 at gmail.com [mailto:bmeade90 at gmail.com] On Behalf Of Brian Meade
Sent: Tuesday, August 4, 2015 12:10 PM
To: Matthew Loraditch <MLoraditch at heliontechnologies.com>
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] Enable/Disable SSO Logs

If it was SAML SSO disabled from CM Administration, you should be able to find it in the normal Audit Logs under "activelog audit/AuditApp/*" or download Audit Logs via RTMT.

On Tue, Aug 4, 2015 at 12:06 PM, Brian Meade <bmeade90 at vt.edu> wrote:
If it was done via CLI, you can do this on the publisher:

file search activelog /platform/log/cli* "utils sso disable"

You'll get something like this:
/var/log/active//platform/log/cli00045.log:2015-08-04 12:00:46,842 INFO [main] sdMain.main - running command -> [utils sso disable]

You can then do "file view activelog platform/log/cli00045.log" and find who logged in at the beginning of the file:
2015-08-04 12:00:16,918 INFO [main] sdMain.main - Startup of CLI
Getting Platform XML interface file
2015-08-04 12:00:16,949 INFO [main] sdMain.main - name = admin, privilege = 4


On Tue, Aug 4, 2015 at 11:30 AM, Matthew Loraditch <MLoraditch at heliontechnologies.com> wrote:
Does anyone know what exactly to look for to see when this was done? We have one customer where we share admin with the client and SSO got “disabled” during a “power outage”.
It’d be really awesome if it said what login did this as well…



_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip

