
Signed Audit Events

Endi S. Dewata edited this page May 19, 2023 · 22 revisions

Overview

This page describes audit events that are common to all PKI subsystems. The complete list of events, the message format, and the event descriptions are stored in audit-events.properties.

Subsystem-specific audit events are described in the following pages:

Authentication Events

AUTH_SUCCESS

AUTH_FAIL

AUTH

Authorization Events

AUTHZ_SUCCESS

This event is triggered when authorization is successful.

Properties:

  • Outcome must be Success for this event

  • aclResource must be the ACL resource ID as defined in the ACL resource list

  • Op must be one of the operations as defined with the ACL statement, e.g. read for an ACL statement containing (read,write)

For example, use the CLI to authenticate as the admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTHZ.

AUTHZ_FAIL

This event is triggered when authorization has failed.

Properties:

  • Outcome must be Failure for this event

  • aclResource must be the ACL resource ID as defined in the ACL resource list

  • Op must be one of the operations as defined with the ACL statement, e.g. read for an ACL statement containing (read,write)

For example, execute the following command:

$ pki -n caadmin ca-audit-file-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTHZ.

AUTHZ

In PKI 10.5 the AUTHZ_SUCCESS and AUTHZ_FAIL events have been merged into the AUTHZ event.
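Because the event name changes in PKI 10.5, a log check that matches only AUTHZ_FAIL stops seeing failures after an upgrade. The following is an added example, not code from the PKI project: it parses lines in the format shown above, checks the Outcome/aclResource/Op properties, and counts authorization failures by Outcome under either naming. The function names are hypothetical and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown on this page (not real logs).
# The last line uses the merged AUTHZ event name from PKI 10.5.
SAMPLE = """\
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
[AuditEvent=AUTHZ][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
"""

# A field ends at the "]" that is followed by another "[Key=" field, by the
# free-text message, or by end of line, so values may contain "," and "=".
FIELD = re.compile(r"\[(\w+)=(.*?)\](?=\[\w+=|\s|$)")
# Event name -> Outcome it must carry (None: either outcome is valid).
AUTHZ_EVENTS = {"AUTHZ_SUCCESS": "Success", "AUTHZ_FAIL": "Failure", "AUTHZ": None}

def parse_line(line):
    """Return the [Key=Value] fields of one audit line as a dict."""
    return dict(FIELD.findall(line))

def authz_records(text):
    """Yield (fields, problem) for every authorization event in text."""
    for line in text.splitlines():
        f = parse_line(line)
        event = f.get("AuditEvent")
        if event not in AUTHZ_EVENTS:
            continue  # not an authorization event
        required = AUTHZ_EVENTS[event]
        problem = None
        if required and f.get("Outcome") != required:
            problem = f"{event} with Outcome={f.get('Outcome')}"
        elif not f.get("aclResource") or not f.get("Op"):
            problem = f"{event} missing aclResource or Op"
        yield f, problem

def authz_failures(text):
    """Count failed authorizations per (SubjectID, aclResource, Op)."""
    counts = Counter()
    for f, problem in authz_records(text):
        if problem is None and f.get("Outcome") == "Failure":
            counts[(f.get("SubjectID"), f["aclResource"], f["Op"])] += 1
    return counts

def malformed(text):
    """List authorization events that violate the documented properties."""
    return [p for _, p in authz_records(text) if p]
```
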

ROLE_ASSUME

Configuration Events

CONFIG_AUTH

CONFIG_ROLE

CONFIG_SIGNED_AUDIT

CONFIG_TRUSTED_PUBLIC_KEY

Access Session Events

ACCESS_SESSION_ESTABLISH_SUCCESS

ACCESS_SESSION_ESTABLISH_FAILURE

ACCESS_SESSION_ESTABLISH

ACCESS_SESSION_TERMINATED

Outbound Connection Events

OUTBOUND_CONNECTION_ESTABLISH

OUTBOUND_CONNECTION_TERMINATED

Random Number Generator Events

RANDOM_GENERATION

See Also
