Scheduled audit jobs in ServiceNow

The Unix Systems team has two scheduled audit jobs.

The scripts themselves are distributed and maintained by cf-engine, which determines the set of hosts the script(s) run on and defines the run schedule. Each script connects to ServiceNow with a service account and posts its content to the web API over HTTPS, using Perl.

There have been a series of changes to these scripts in the UnixSys spaces; as of Sept. 2015 they are enforced onto AIX systems via cf-engine policy using vm-cfgprdapp-02.

The daily audit job

This comes in with the SN subject "Review Secure Logs".

The Description field reads:

This incident contains a daily digest of root login reports that must be reviewed. Instructions:
* the on call person should self-assign this incident
* change Incident State to "In Progress"
* review the logs for any unauthorized activity
* add your findings, or "no findings", to the comments field
* reassign this incident to the group manager

There are also entries for each host whose log is reviewed; those contents are pasted in as the s_unixsys ServiceNow user. This is a special service account used solely for writing directly to the ServiceNow API from Perl.
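The following is an added example, not the UnixSys script itself, of what the daily job's posting step looks like: a Perl script that builds the "Review Secure Logs" incident text (instructions plus a per-host digest) and creates the record through the ServiceNow Table API as the service account. The instance name and credentials come from environment variables, the assignment group name, the SN_* variable names, and the sample log lines are assumptions, and the log excerpts are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example (not the UnixSys daily audit script): post a
# "Review Secure Logs" incident to the ServiceNow Table API.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use JSON::PP qw(encode_json decode_json);

# Assumed: instance and credentials are supplied through the environment
# rather than hard-coded in a script that cf-engine copies to every host.
my $instance = $ENV{SN_INSTANCE} or die "SN_INSTANCE not set\n";
my $user     = $ENV{SN_USER} // 's_unixsys';
my $pass     = $ENV{SN_PASS} or die "SN_PASS not set\n";
my $group    = $ENV{SN_ASSIGN_GROUP} // 'Unix Systems';   # assumed group name

# Constructed sample of the per-host "secure log" excerpts the job collects.
my %host_logs = (
    'aixhost01' => "Sep 14 02:11:05 aixhost01 sshd: Accepted publickey for root from 10.0.0.5\n",
    'aixhost02' => "Sep 14 03:40:12 aixhost02 su: from jdoe to root\n",
);

my $instructions = <<'EOT';
This incident contains a daily digest of root login reports that must be reviewed. Instructions:
* the on call person should self-assign this incident
* change Incident State to "In Progress"
* review the logs for any unauthorized activity
* add your findings, or "no findings", to the comments field
* reassign this incident to the group manager
EOT

# Build the JSON body for POST /api/now/table/incident.
sub build_incident {
    my ($logs) = @_;
    my $digest = '';
    for my $host (sort keys %$logs) {
        $digest .= "==== $host ====\n" . $logs->{$host} . "\n";
    }
    return {
        short_description => 'Review Secure Logs',
        description       => $instructions . "\n" . $digest,
        assignment_group  => $group,
    };
}

# Create the incident; returns the INC number on success, dies otherwise.
sub post_incident {
    my ($body) = @_;
    my $ua = LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => { verify_hostname => 1 },   # keep TLS verification on
    );
    my $req = HTTP::Request->new(
        POST => "https://$instance.service-now.com/api/now/table/incident"
    );
    $req->header('Content-Type' => 'application/json');
    $req->header('Accept'       => 'application/json');
    $req->authorization_basic($user, $pass);
    $req->content(encode_json($body));

    my $res = $ua->request($req);
    die "ServiceNow POST failed: " . $res->status_line . "\n"
        unless $res->code == 201;     # Table API returns 201 Created on insert
    my $rec = decode_json($res->decoded_content)->{result};
    return $rec->{number};
}

my $number = post_incident(build_incident(\%host_logs));
print "created $number\n";
```

The service account password never appears in the script or in the cf-engine repository; it is read from the environment at run time, and TLS verification stays enabled so the digest of root logins cannot be redirected to an impostor instance.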

The quarterly audit job

This comes in with the SN subject "Quarterly Audit Tasks".

The Description field reads:

This incident contains a quarterly digest of host reports that must be reviewed. Instructions:
* the on call person should self-assign this incident
* change Incident State to "In Progress"
* review the ROOT password change dates for the hosts. These should be changed at least once per quarter.
* review the members of Unix Systems group for each host. These should be the complete current team, with no other accounts.
* add your findings, or "no findings", to the comments field
* reassign this incident to the group manager

The actual cf-engine file is: ./trunk/unixsys/aix/pub/usr/local/bin/quarterly-credential-audit

The controls are in main.cf and classes.cf. grep -i for quarter in those files and you'll find the entries you're looking for.