flachance
Contributor

Admin account login alert

Hi,

We need to create a ‘break-glass’ type admin account in case of emergency if nobody from the firewall admin group is available.

The account requires full admin but should ‘normally’ never be used.

We’re trying to find a way to get notified if the account is being used.

For console or ssh access we can use the .bash_profile of the account with sendmail & last commands

For SmartConsole access, we can’t find a way to get an alert but we could always schedule a daily report based on the Audit Overview view.

We can’t seem to find a way to get an alert or report for Web UI access. Any way this can be done?

thanks

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion

Logins to Gaia via SSH/console and Gaia web interface are logged to syslog in /var/log/messages like this:

httpd2: HTTP login from 192.0.2.1 as admin

clish[75304]: User admin logged in with ReadWrite permission

clish[75304]: cmd by admin: Start executing : expert

If you forward these messages into your Check Point logs as detailed in sk102995, you should then be able to create an automatic reaction in SmartEvent.

sk102995: How to export syslog messages from Gaia Security Gateway to a Log Server and view them in ...

You could also probably script something at the Gaia level to do this if you don't have SmartEvent.

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
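
Added example, not part of the original posts: one way to script the Gaia-level check the accepted answer mentions, matching the three /var/log/messages formats quoted there by exact account name and reading only lines appended since the previous run. The account name, file paths and the timestamp/host prefix on each syslog line are assumptions.

```shell
#!/bin/sh
# Added example: flag use of a break-glass account in Gaia syslog lines.
# Account name, file paths and the alert step are assumptions.

# Read syslog lines on stdin; print "<kind><TAB><line>" when $1 is the user.
match_breakglass() {
    awk -v acct="$1" '
        # Web UI: "httpd2: HTTP login from <ip> as <user>"
        /httpd2: HTTP login from [^ ]+ as [^ ]+$/ {
            if ($NF == acct) print "webui\t" $0
            next
        }
        # SSH/console: "clish[pid]: User <user> logged in with ..."
        match($0, /clish\[[0-9]+\]: User [^ ]+ logged in/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            if (f[3] == acct) print "cli-login\t" $0
            next
        }
        # clish command audit: "clish[pid]: cmd by <user>: ..."
        match($0, /clish\[[0-9]+\]: cmd by [^ :]+:/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            sub(/:$/, "", f[4])
            if (f[4] == acct) print "cli-cmd\t" $0
        }
    '
}

# Scan only the bytes appended to log $1 since the last run.
# The byte offset is kept in state file $2; $3 is the account name.
scan_new() {
    log=$1; state=$2; acct=$3
    size=$(wc -c < "$log" | tr -d ' ')
    off=$(cat "$state" 2>/dev/null || echo 0)
    # Missing/corrupt state, or log rotated (file shrank): start from 0.
    [ "$off" -le "$size" ] 2>/dev/null || off=0
    # head caps the read at $size so lines written meanwhile are not
    # reported twice on the next run.
    tail -c "+$((off + 1))" "$log" | head -c "$((size - off))" |
        match_breakglass "$acct"
    echo "$size" > "$state"
}
```

Run `scan_new` from a scheduled job and send any non-empty output through whatever mail or alerting path the gateway already has; the user name is compared as a whole string, so an account called `admin` does not trigger on `admin2`.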

6 Replies
the_rock
Champion
0 Kudos
flachance
Contributor

Helps with SmartConsole login but it doesn't look like it reports on logins from the web UI.

0 Kudos
G_W_Albrecht
Legend

I would ask TAC if this is possible at all - but I do not think so...

CCSE CCTE SMB Specialist
0 Kudos
flachance
Contributor

Thanks Timothy. I now can see Web UI logins in SmartConsole logs. Now I have to figure out SmartEvent to get a reaction for logins with a specific admin account.

0 Kudos
AaronCP
Collaborator
0 Kudos