You can specify the following site policies related to user activity using the cfg-utils utility:
To configure a setting for any of the following policies, run:
For more information about the cfg-utils utility and its usage, see cfg-utils.
You can configure the audit log policy to choose what user activities are logged, how often audit log backups are created, and whether the audit log is updated in real time.
You can view the complete audit log at any time by running user-utils --print-audit-log. For more information about the user-utils utility, see user-utils.
By default, Tenable Log Correlation Engine tracks the following user activities in the audit log:
- account administration, such as adding and unlocking accounts
- session-scope actions with a failure outcome, such as login failures or users logged out involuntarily
If enabled, Tenable Log Correlation Engine tracks the following additional activities:
If a directory is specified, Tenable Log Correlation Engine saves the entire audit log to a file every audit_log__backup_interval__days days.
Note: The name of the audit log file includes the timestamp of when the file was created. For example: /mnt/backups-nas/compliance/Tenable/LCE_Audit_Log__2020May27_00h31m02s.txt.
| Setting | Default | Description |
|---|---|---|
| audit_log__backup_interval__days | 7 | In days, sets how frequently Tenable Log Correlation Engine saves the audit file to the directory you specify using audit_log__backup_destination_directory. |
| audit_log__notify_updates | false | If enabled, Tenable Log Correlation Engine writes each audit log entry to the host's syslog as it is created in real time. Site administrators can use this setting to receive notifications of new audit log entries. |
You can configure the password format policy to customize user password requirements.
| Setting | Default | Description |
|---|---|---|
| web_UI__password__minimum_length | 4 | Specifies the minimum number of characters that must be used when creating user passwords. |
When enabled, user passwords must contain at least one of each of the following:
You can configure the password reuse policy to specify how long passwords can be used, how frequently the same password can be reused, and how much new passwords must differ from previously used passwords.
Specifies the number of hours a user must wait before changing their password after the last non-administrative password change.
Note: Administrators can change another user's password at any time, regardless of this setting.
| Setting | Default | Description |
|---|---|---|
| web_UI__password__max_lifetime__days | 0 | Specifies how frequently users must change their passwords. If a user has not changed their password before the specified number of days, the user account locks automatically. For more information, see Locked User Accounts. |
| web_UI__password__fewest_changes_ere_reuse | 1 | Specifies how frequently users can reuse the same password. By default, users cannot use the same password twice in a row. For example, if the value is set to 2, the user must use two other unique passwords before using the same password again. |
| web_UI__password__minimum_edit_distance | 0 | When set, requires new passwords to differ from previous passwords by at least the specified edit distance. A new password must have at least that many characters that differ from the previous password. |
You can configure the login session policy to specify when user accounts are locked due to failed login attempts, set the maximum number of concurrent sessions per user, and set user accounts to be locked or logged out following a period of inactivity.
For more information about locked user accounts, see Locked User Accounts.
| Setting | Default | Description |
|---|---|---|
| web_UI__login__max_failures_during_window | 0 | Specifies the number of times a user can attempt to log in during the window specified by web_UI__login__failure_window_size__minutes before their account is locked. |
| web_UI__login__failure_window_size__minutes | 15 | Specifies the length of the login window, in minutes, during which a user has web_UI__login__max_failures_during_window chances to log in before their account is locked. |
| web_UI__login__max_concurrent_sessions | 5 | Specifies the maximum number of concurrent login sessions per user. |
| web_UI__account__lock_if_inactive__hours | 0 | When set, Tenable Log Correlation Engine locks the account of any user who has not been active (logged in and interacting with the Tenable Log Correlation Engine web UI) in the specified number of hours. |
| webserver__idle_session_timeout__minutes | 60 | Specifies the number of minutes a user can be idle before being automatically logged out. |
If web_UI__login__max_failures_during_window is greater than 0, Tenable Log Correlation Engine automatically locks the account of any user who has attempted but failed to log in web_UI__login__max_failures_during_window times within a web_UI__login__failure_window_size__minutes-minute period (see Locked User Accounts).
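The lockout rule above, worked through as an added example (not code from Tenable or from this page): a small evaluator that replays constructed login attempts against the two settings and reports which accounts would lock and when. It assumes a sliding window measured from each failure, that a value of 0 disables the rule, and that successful logins are simply not counted; the page does not say whether a success clears earlier failures.

```python
from datetime import datetime, timedelta

# Policy values in this page's setting names (constructed sample; 0 disables lockout).
POLICY = {
    "web_UI__login__max_failures_during_window": 3,
    "web_UI__login__failure_window_size__minutes": 15,
}

# Constructed sample of login attempts: (timestamp, user, outcome), not real log data.
ATTEMPTS = [
    ("2020-05-27 00:01:00", "alice", "fail"),
    ("2020-05-27 00:10:00", "alice", "fail"),
    ("2020-05-27 00:17:00", "alice", "fail"),     # 3rd failure, but 00:01 has aged out: no lock
    ("2020-05-27 00:20:00", "alice", "fail"),     # 00:10, 00:17, 00:20 all inside 15 min: lock
    ("2020-05-27 00:30:00", "bob", "fail"),
    ("2020-05-27 00:31:00", "bob", "success"),    # successes are not counted (assumption)
]


def lock_times(attempts, policy):
    """Return {user: timestamp string of the failure that triggered the lock}."""
    max_failures = policy["web_UI__login__max_failures_during_window"]
    window = timedelta(minutes=policy["web_UI__login__failure_window_size__minutes"])
    locked = {}
    recent = {}  # user -> timestamps of failures still inside the window
    if max_failures <= 0:
        return locked  # rule disabled, nothing ever locks
    for ts_str, user, outcome in sorted(attempts):
        if outcome != "fail" or user in locked:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        # Keep only failures younger than the window (strict boundary is an assumption).
        fails = [t for t in recent.get(user, []) if ts - t < window]
        fails.append(ts)
        recent[user] = fails
        if len(fails) >= max_failures:
            locked[user] = ts_str
    return locked


if __name__ == "__main__":
    for user, when in lock_times(ATTEMPTS, POLICY).items():
        print(f"{user} locked at {when}")
```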