How to Enable Assertion Attribute Logging on UNIX or Linux Operating Environments

You can record information about assertion attributes in the audit logs. Use these logs for a security audit or during an investigation. The type of event determines the information that is recorded in the log. The following events are recorded when you enable assertion‑attribute logging:

The logging of assertion attributes is disabled by default. Enable assertion‑attribute logging on your Policy Server.

[Figure: workflow for enabling assertion-attribute logging on UNIX and Linux operating environments]

Follow these steps:

  1. Open the sm.registry file with a text editor.
  2. Change the value of the line in the registry file.
  3. Restart your Policy Server with the following steps:
    1. Stop your Policy Server.
    2. Start your Policy Server.

Open the sm.registry File with a Text Editor

Change this setting on UNIX or Linux operating environments by opening the sm.registry file with a text editor. The sm.registry file is stored on your Policy Server.

Follow these steps:

  1. Navigate to the following directory:
    installation_directory/registry

    installation_directory

    Specifies the location in the file system where the Policy Server is installed.

    Default: /opt/CA/siteminder

  2. Open the following file with a text editor:
    sm.registry

    You can now change the settings.

Change the Value of the Line in the Registry File

The following entry in the sm.registry file controls assertion‑attribute logging:

Enable Enhance Tracing

Indicates whether assertion attributes are recorded in the audit logs. A value of 2 enables logging. A value of 3 enables logging and also records the authentication method of the user. A value of 4 enables logging for Enhanced Session Assurance with DeviceDNA™.

Limits: 0, 2, 3, 4

Default: 0 (logging disabled)

Follow these steps:

  1. Locate the following section of the sm.registry file:
    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Reports=
    
  2. Locate the following line in the Reports section:
    Enable Enhance Tracing=	0; REG_DWORD
    
  3. Change the zero to one of the values described above (2, 3, or 4):
  4. Verify that the line in your sm.registry file matches one of the following examples:
    Enable Enhance Tracing=	2; REG_DWORD
    
    Enable Enhance Tracing=	3; REG_DWORD
    
    Enable Enhance Tracing=	4; REG_DWORD
    
  5. Save the changes to the sm.registry file, and then close the text editor.

    The value of the line in the registry file is changed.
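The edit described in the procedure above, as an added shell example (not CA's own tooling): it validates the requested value against the documented limits, keeps a backup of sm.registry, writes through a temporary file so an interrupted edit leaves the original intact, and reads the value back for verification. It operates on a constructed sample file with the same layout as the Reports section shown above; point it at installation_directory/registry/sm.registry (an assumed path from this page) to use it on a real Policy Server.

```shell
#!/bin/sh
# Added example, not part of the CA SiteMinder documentation.
# Assumes the sm.registry layout shown on this page: a Reports section header
# followed by the line "Enable Enhance Tracing=<TAB>0; REG_DWORD".

# Constructed sample standing in for installation_directory/registry/sm.registry.
make_sample_registry() {
  printf 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Netegrity\\SiteMinder\\CurrentVersion\\Reports=\n' > "$1"
  printf 'Enable Enhance Tracing=\t0; REG_DWORD\n' >> "$1"
  printf 'Some Other Key=\t1; REG_DWORD\n' >> "$1"
}

# Print the current "Enable Enhance Tracing" value (empty output if the line is absent).
get_enhance_tracing() {
  sed -n 's/^Enable Enhance Tracing=[[:space:]]*\([0-9]*\);.*/\1/p' "$1"
}

# Set the value. Documented limits: 0 (disabled), 2 (log attributes),
# 3 (also log the authentication method), 4 (Enhanced Session Assurance with DeviceDNA).
# Refuses anything else, keeps a .bak copy, and replaces the file atomically.
set_enhance_tracing() {
  file=$1
  value=$2
  case "$value" in
    0|2|3|4) ;;
    *) echo "invalid value '$value' (allowed: 0, 2, 3, 4)" >&2; return 1 ;;
  esac
  cp -p "$file" "$file.bak" || return 1
  sed "s/^\(Enable Enhance Tracing=[[:space:]]*\)[0-9]*;/\1$value;/" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

# Stand-alone run: enable logging with the authentication method (value 3) on the sample file.
if [ -z "$SKIP_DEMO" ]; then
  demo=$(mktemp)
  make_sample_registry "$demo"
  echo "before: $(get_enhance_tracing "$demo")"
  set_enhance_tracing "$demo" 3
  echo "after:  $(get_enhance_tracing "$demo")"
  rm -f "$demo" "$demo.bak"
fi
```

Restart the Policy Server after the change, as the following sections describe, for the new value to take effect.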

Stop a UNIX Policy Server

Stopping a Policy Server has the following results:

Follow these steps:

  1. Log in to the system hosting the Policy Server with the same user account that installed the Policy Server originally.
  2. Stop all Policy Server processes, with one of the following actions:

    The Policy Server logs all UNIX executive activity in the installation_directory/log/smexec.log file. Log entries are always appended to the existing log file.

Start a UNIX Policy Server

Starting Policy Server has the following results:

Start all Policy Server processes, with one of the following actions:

The Policy Server logs all UNIX executive activity in the installation_directory/log/smexec.log file. Log entries are always appended to the existing log file.