CMC No Logging? Really?

Anybody ever wonder why SEM has an administrative account CMC that doesn't log when it's used and you can't alert off of it?  Do you run any product, let alone a security product, that doesn't log logon or logoff events, either success or failure, on all accounts, especially administrative accounts?  After allowing all of us customers to be breached through SolarWinds Orion, hasn't SolarWinds made it a priority to fix known and requested security controls and gaps as glaring as this one?

  • I think it must log locally on the appliance in /var/log somewhere?  I think you could configure it to log to itself.  This is a workaround, mind you.  You'll also need the root password for your appliance (which you have to get from support).  I may look into this myself later this week now that you brought it up.

    Bill

  • Tech support did a workaround conf to get CMC to log.  Wasn't much for the tech to add it, though it has to be re-implemented after every upgrade.  It does point to SolarWinds' culture of unconscionable security defects in their products.  If they don't even consider logging of administrative accounts in their products as a requirement when it's that easy to correct, is it any wonder that SolarWinds Orion hacked the world?  The answer is no...

  • In your WebUI create a filter on internalInfo, it will be there.

    InternalInfo.EventInfo will be "The CMC script has been started."

    On exit: InternalInfo.EventInfo will be: "The CMC script has been terminated."

    Cheers:  Steve

  • By default SEM does not log when someone successfully logs in or fails to log in with CMC.  This is still the case.  The administrative account CMC does not log and cannot be alerted on, etc.  Continues to be a very serious vulnerability and flaw in this product.