Difference between revisions of "KRA Audit Events"

From Dogtag
(SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, SECURITY_DATA_EXPORT_KEY)
m (Replaced content with "This page has been moved to https://github.com/dogtagpki/pki/wiki/KRA-Audit-Events.")
 
= Overview =
 
This document describes the audit events generated by the KRA (Key Recovery Authority). The events enabled in the signed audit log are listed in the following property:
 
 
 
<pre>
log.instance.SignedAudit.events=\
AUDIT_LOG_STARTUP,\
AUDIT_LOG_SHUTDOWN,\
ROLE_ASSUME,\
CONFIG_CERT_POLICY,\
CONFIG_CERT_PROFILE,\
CONFIG_CRL_PROFILE,\
CONFIG_OCSP_PROFILE,\
CONFIG_AUTH,\
CONFIG_ROLE,\
CONFIG_ACL,\
CONFIG_SIGNED_AUDIT,\
CONFIG_ENCRYPTION,\
CONFIG_TRUSTED_PUBLIC_KEY,\
CONFIG_DRM,\
SELFTESTS_EXECUTION,\
AUDIT_LOG_DELETE,\
LOG_PATH_CHANGE,\
PRIVATE_KEY_ARCHIVE_REQUEST,\
PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,\
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,\
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,\
KEY_RECOVERY_REQUEST,\
KEY_RECOVERY_REQUEST_ASYNC,\
KEY_RECOVERY_AGENT_LOGIN,\
KEY_RECOVERY_REQUEST_PROCESSED,\
KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,\
KEY_GEN_ASYMMETRIC,\
NON_PROFILE_CERT_REQUEST,\
PROFILE_CERT_REQUEST,\
CERT_REQUEST_PROCESSED,\
CERT_STATUS_CHANGE_REQUEST,\
CERT_STATUS_CHANGE_REQUEST_PROCESSED,\
AUTHZ_SUCCESS,\
AUTHZ_FAIL,\
INTER_BOUNDARY,\
AUTH_FAIL,\
AUTH_SUCCESS,\
CERT_PROFILE_APPROVAL,\
PROOF_OF_POSSESSION,\
CRL_RETRIEVAL,\
CRL_VALIDATION,\
CMC_SIGNED_REQUEST_SIG_VERIFY,\
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,\
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,\
SERVER_SIDE_KEYGEN_REQUEST,\
COMPUTE_SESSION_KEY_REQUEST,\
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,\
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,\
DIVERSIFY_KEY_REQUEST,\
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,\
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,\
ENCRYPT_DATA_REQUEST,\
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,\
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,\
OCSP_ADD_CA_REQUEST,\
OCSP_ADD_CA_REQUEST_PROCESSED,\
OCSP_REMOVE_CA_REQUEST,\
OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,\
OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,\
COMPUTE_RANDOM_DATA_REQUEST,\
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,\
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,\
CIMC_CERT_VERIFICATION,\
CONFIG_SERIAL_NUMBER,\
SECURITY_DATA_ARCHIVAL_REQUEST,\
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,\
SECURITY_DATA_RECOVERY_REQUEST,\
SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,\
SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,\
SECURITY_DATA_RETRIEVE_KEY,\
SYMKEY_GENERATION_REQUEST,\
SYMKEY_GENERATION_REQUEST_PROCESSED,\
ASYMKEY_GENERATION_REQUEST,\
ASYMKEY_GENERATION_REQUEST_PROCESSED,\
SECURITY_DATA_RETRIEVE_KEY,\
KEY_STATUS_CHANGE,\
ACCESS_SESSION_ESTABLISH_FAILURE,\
ACCESS_SESSION_ESTABLISH_SUCCESS,\
ACCESS_SESSION_TERMINATED
</pre>
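As an added example (not part of this page or of the Dogtag project), the following Python parses the property above, honouring the backslash line continuations it uses, and reports which of the key-lifecycle events documented on this page are absent from the list and which appear more than once. The sample configuration is constructed from an excerpt of the list above; the log.instance.SignedAudit.enable key is an assumption and is not shown on this page.

```python
import re

# Constructed sample, modelled on the CS.cfg excerpt shown on this page: the
# SignedAudit event list uses backslash line continuations, and the page's own
# list carries SECURITY_DATA_RETRIEVE_KEY twice and does not carry
# SECURITY_DATA_EXPORT_KEY.  The ".enable" key is an assumption, not from the page.
SAMPLE_CFG = """\
log.instance.SignedAudit.enable=true
log.instance.SignedAudit.events=\\
AUDIT_LOG_STARTUP,\\
AUDIT_LOG_SHUTDOWN,\\
CONFIG_ROLE,CONFIG_ACL,\\
SECURITY_DATA_ARCHIVAL_REQUEST,\\
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,\\
SECURITY_DATA_RECOVERY_REQUEST,\\
SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,\\
SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,\\
SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,\\
SECURITY_DATA_RETRIEVE_KEY,\\
ACCESS_SESSION_TERMINATED
"""

# The KRA key-lifecycle events documented on this page.
REQUIRED_KRA_EVENTS = frozenset({
    "SECURITY_DATA_ARCHIVAL_REQUEST",
    "SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED",
    "SECURITY_DATA_RECOVERY_REQUEST",
    "SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE",
    "SECURITY_DATA_RECOVERY_REQUEST_PROCESSED",
    "SECURITY_DATA_EXPORT_KEY",
})


def parse_properties(text):
    """Parse key=value lines, joining lines that end in a backslash."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]       # continuation: keep accumulating
            continue
        pending += line
        stripped = pending.strip()
        if stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            props[key.strip()] = value.strip()
        pending = ""
    if pending.strip():                # unterminated continuation at EOF
        key, _, value = pending.strip().partition("=")
        props[key.strip()] = value.strip()
    return props


def enabled_events(props):
    """Return the configured event names in the order they are listed."""
    value = props.get("log.instance.SignedAudit.events", "")
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_config_report(text, required=REQUIRED_KRA_EVENTS):
    """Report whether signed audit is on, and which required events are
    missing from or duplicated in the configured list."""
    props = parse_properties(text)
    events = enabled_events(props)
    seen, duplicates = set(), set()
    for event in events:
        if event in seen:
            duplicates.add(event)
        seen.add(event)
    return {
        "audit_enabled": props.get("log.instance.SignedAudit.enable") == "true",
        "event_count": len(events),
        "missing": sorted(required - seen),
        "duplicates": sorted(duplicates),
    }


if __name__ == "__main__":
    print(audit_config_report(SAMPLE_CFG))
```

Run against the sample, the report shows SECURITY_DATA_EXPORT_KEY as missing (the list on this page names SECURITY_DATA_RETRIEVE_KEY instead, twice), which is exactly the kind of gap to confirm before relying on the export event for monitoring.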
 
 
 
= Key Archival Events =
 
 
 
== SECURITY_DATA_ARCHIVAL_REQUEST, SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED ==
 
 
 
These events are triggered when an archival request is received, either through the REST interface or from the CA. Because the two events are generated by different threads, they may appear in the log in reverse order (the PROCESSED event before the REQUEST event).
 
 
 
Properties (SECURITY_DATA_ARCHIVAL_REQUEST):
* SubjectID: UID of the agent that initiated the request
* Outcome: success or failure
* ArchivalRequestID: the request ID of the archival request that was created (could be ephemeral)
* ClientKeyID: the client key ID passed in by the client to identify the secret

Properties (SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED):
* SubjectID: UID of the agent that initiated the request
* Outcome: success or failure
* ArchivalRequestID: the request ID of the archival request (as created above)
* ClientKeyID: the client key ID passed in by the client to identify the secret
* KeyID: the key record that was created for the archival
* FailureReason: reason for failure (or None on success)
* PubKey: public key associated with the archival
 
 
 
PubKey is only relevant when archiving a private key, and is only set when the key is archived through the CA connector; for a passphrase archived through the REST interface it is null.
 
 
For example, use the PKI CLI to archive a passphrase:
 
 
 
<pre>
pki -d ./alias/ -c redhat123 -n "PKI Administrator for example.com" key-archive --clientKeyID "my_pass1" --passphrase "goodbye cruel world!"
</pre>
 
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keyrequests][Op=execute][Info=KeyRequestResource.submitRequest] authorization success
  <font color="red">[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1] security data archival request made
  [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1][KeyID=156][FailureReason=None][PubKey=null] security data archival request processed </font>
  [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1] security data archival request made
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
 
 
 
For example, archive a private key from the CA (the CA forwards the key to the KRA through its connector):
 
 
 
<pre>
pki -d ./alias/ -c redhat123 client-cert-request uid=testuser --profile caDualCert --type crmf --transport transport.pem
</pre>
 
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success] access session establish success
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][aclResource=certServer.kra.connector][Op=submit] authorization success
  [AuditEvent=ROLE_ASSUME][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][Role=Data Recovery Manager Agents, Trusted Managers] assume privileged role
  [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ReqID=35][ProfileID=kraConnector][CertSubject=UID=testuser] certificate request made with certificate profiles
  <font color="red">[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=35][ClientKeyID=null] security data archival request made
  [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=315][ClientKeyID=null][KeyID=157][FailureReason=null][PubKey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyElB1jEDpzcP7SI6JmbS/BGGwAVftpxv4pD5AByWt31Buzzj17ujzD+JXAx06On+DN4n1HTwH/vfVpSRd/0NUaQld6m1hvljRNMhOcP6PfsVPQf0SweLWbZM2aRt3GJss5oynKeS4kSsNp3kyLSE7u008vOE8fQrfBdGl/zgLIwIDAQAB] security data archival request processed </font>
  [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Failure][ReqID=35][InfoName=rejectReason][InfoValue=<null>] certificate request processed
  [AuditEvent=INTER_BOUNDARY][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ProtectionMethod=ssl][ReqType=enrollment][ReqID=35] inter-CIMC_Boundary communication (data exchange) success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
 
 
 
= Key Recovery Events =
 
 
 
== SECURITY_DATA_RECOVERY_REQUEST ==
 
 
 
This event occurs when a recovery request is created, either through the Web UI or through the CLI.
 
 
 
Properties:
* SubjectID: UID of the agent that is generating the request
* Outcome: success/failure
* RecoveryID: ID of the recovery request
* DataID: ID of the key that needs to be recovered
* PubKey: public key associated with the key to be recovered

If the recovery request is made through the UI, PubKey will be populated. If it is made through the REST API (for example from the CLI), DataID (the key ID) will be populated instead.
 
 
 
For example, this is the event created when a recovery request is made through the UI:
 
 
 
  [AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID=kraadmin][Outcome=Success][RecoveryID=316][DataID=null][PubKey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyElB1jEDpzcP7SI6JmbS/BGGwAVftpxv4pD5AByWt31Buzzj17ujzD+JXAx06On+DN4n1HTwH/vfVpSRd/0NUaQld6m1hvljRNMhOcP6PfsVPQf0SweLWbZM2aRt3GJss5oynKeS4kSsNp3kyLSE7u008vOE8fQrfBdGl/zgLIwIDAQAB] security data recovery request made
 
 
 
And this is through the CLI:
 
 
 
<pre>
pki -d ./alias/ -c redhat123 -n "PKI Administrator for example.com" key-recover --keyID 0x9c
</pre>
 
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keyrequests][Op=execute][Info=KeyRequestResource.submitRequest] authorization success
  <font color="red">[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID=kraadmin][Outcome=Success][RecoveryID=318][DataID=156][PubKey=null] security data recovery request made </font>
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
 
 
 
== SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE ==
 
This event occurs when the state of a recovery request is changed, for example when an agent approves the request, either through the UI or through the CLI.
 
 
 
Properties:
* SubjectID: the agent who is performing the action
* Outcome: success/failure
* RecoveryID: ID of the recovery request
* Operation: the operation performed (approve, cancel, etc.)
 
 
 
For example, approving a request through the CLI:

<pre>
pki -d ./alias/ -c redhat123 -n "PKI Administrator for example.com" key-request-review --action approve 0x13e
</pre>
 
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keyrequests][Op=execute][Info=KeyRequestResource.approveRequest] authorization success
  <font color="red">[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][Operation=approve] security data recovery request state change</font>
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keyrequests][Op=execute][Info=KeyRequestResource.getRequestInfo] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
 
 
 
Here are the logs created when a request is approved from the UI. Note that the UI path currently emits KEY_RECOVERY_AGENT_LOGIN rather than SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE; this needs to be consolidated:
 
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.request][Op=read] authorization success
  [AuditEvent=ROLE_ASSUME][SubjectID=kraadmin][Outcome=Success][Role=Data Recovery Manager Agents, Administrators] assume privileged role
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.key][Op=recover] authorization success
  [AuditEvent=ROLE_ASSUME][SubjectID=kraadmin][Outcome=Success][Role=Data Recovery Manager Agents, Administrators] assume privileged role
  <font color="red">[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID=kraadmin][Outcome=Success][RecoveryID=316][RecoveryAgent=kraadmin] key recovery agent login </font>
 
 
 
== SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, SECURITY_DATA_EXPORT_KEY ==
 
These events occur when an approved key recovery request is processed and the key is retrieved, wrapped appropriately and returned to the client.
 
 
 
Properties (SECURITY_DATA_RECOVERY_REQUEST_PROCESSED):
* SubjectID: UID of the agent that is recovering the key
* Outcome: success/failure
* RecoveryID: ID of the recovery request
* KeyID: ID of the key being retrieved
* FailureReason: null if successful
* RecoveryAgents: list of the agents who have approved the recovery request

Properties (SECURITY_DATA_EXPORT_KEY):
* SubjectID: UID of the agent that is retrieving the key/secret
* Outcome: success/failure
* RecoveryID: ID of the recovery request
* Info: information about the request, including the failure reason if the request fails
* PubKey: public key associated with the export

If the key is recovered from the UI, Info will not be populated (except in failure cases).
For a request through the REST API, Info such as the following may be seen:

  Info=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false
 
 
 
For example, these are the logs created when the key is retrieved as a PKCS #12 (pk12) file from the KRA UI:
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.request][Op=read] authorization success
  [AuditEvent=ROLE_ASSUME][SubjectID=kraadmin][Outcome=Success][Role=Data Recovery Manager Agents, Administrators] assume privileged role
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.key][Op=download] authorization success
  [AuditEvent=ROLE_ASSUME][SubjectID=kraadmin][Outcome=Success][Role=Data Recovery Manager Agents, Administrators] assume privileged role
  <font color="red">[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=316][KeyID=157][FailureReason=null][RecoveryAgents=kraadmin,kraadmin] security data recovery request processed
  [AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=316][KeyID=null][Info=null][PubKey=null] security data retrieval request</font>
 
 
 
These are the logs created when a secret is retrieved from the KRA CLI:
 
 
 
<pre>
pki -d ./alias/ -c redhat123 -n "PKI Administrator for example.com" key-retrieve --requestID 0x13f
</pre>
 
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.retrieveKey] authorization success
  <font color="red">[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][FailureReason=null][RecoveryAgents=kraadmin,kraadmin] security data recovery request processed
  [AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][FailureReason=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false][RecoveryAgents=kraadmin,kraadmin] security data recovery request processed
  [AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][Info=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false][PubKey=null] security data retrieval request </font>
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
 
 
 
Another example of a key being retrieved with the CLI, this time as a synchronous request, showing all of the above events in one session:
 
 
 
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.retrieveKey] authorization success
  <font color="red">[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID=kraadmin][Outcome=Success][RecoveryID=320][DataID=156][PubKey=null] security data recovery request made
  [AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=320][KeyID=156][FailureReason=null][RecoveryAgents=kraadmin] security data recovery request processed
  [AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=320][KeyID=156][FailureReason=KeyService.getKey:;keyID=156;requestID=320;synchronous=true;ephemeral=false][RecoveryAgents=kraadmin] security data recovery request processed
  [AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=320][KeyID=156][Info=KeyService.getKey:;keyID=156;requestID=320;synchronous=true;ephemeral=false][PubKey=null] security data retrieval request</font>
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
  [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
  [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
  [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
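The archival and recovery sections above all use the same line format: a run of [Key=Value] fields followed by a free-text message, with the request and its PROCESSED event tied together by ArchivalRequestID or RecoveryID. The following Python is an added example (not part of this page or of the Dogtag project) that parses that format and reconstructs each archival (pairing the two events even when, as the archival section notes, they were written in reverse order) and each recovery (request, approvals, processing result, export), then maps a recovered KeyID back to the ClientKeyID under which it was archived. The sample lines are constructed to mirror the events shown on this page; RecoveryID 999 is a constructed export with no matching request, which the code flags.

```python
import re
from collections import defaultdict

# Matches one "[Key=Value]" field; the value may itself contain '=' (a SubjectID
# DN, or the Info string) but never ']'.
FIELD_RE = re.compile(r"\[([^\]=]+)=([^\]]*)\]")

# Constructed sample lines modelled on the events shown on this page.  The
# archival pair is deliberately in reverse order, and RecoveryID 999 is a
# constructed export with no recovery request in the window.
SAMPLE_LOG = [
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1][KeyID=156][FailureReason=None][PubKey=null] security data archival request processed",
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1] security data archival request made",
    "[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][DataID=156][PubKey=null] security data recovery request made",
    "[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][Operation=approve] security data recovery request state change",
    "[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][FailureReason=null][RecoveryAgents=kraadmin,kraadmin] security data recovery request processed",
    "[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=319][KeyID=156][Info=KeyService.getKey:;keyID=156;requestID=319;synchronous=false;ephemeral=false][PubKey=null] security data retrieval request",
    "[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=999][KeyID=156][Info=null][PubKey=null] security data retrieval request",
]


def is_null(value):
    """The KRA writes 'null' or 'None' for unset properties."""
    return value is None or value in ("null", "None", "")


def parse_audit_line(line):
    """Split an audit line into its [Key=Value] fields and the trailing message."""
    fields, end = {}, 0
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2)
        end = m.end()
    return {"fields": fields, "message": line[end:].strip()}


def correlate_archival(records):
    """Pair ARCHIVAL_REQUEST with its _PROCESSED event by ArchivalRequestID,
    regardless of the order in which the two threads wrote them."""
    by_id = defaultdict(dict)
    for r in records:
        f = r["fields"]
        if f.get("AuditEvent") == "SECURITY_DATA_ARCHIVAL_REQUEST":
            by_id[f["ArchivalRequestID"]]["request"] = f
        elif f.get("AuditEvent") == "SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED":
            by_id[f["ArchivalRequestID"]]["processed"] = f
    summary = {}
    for rid, parts in by_id.items():
        req, proc = parts.get("request"), parts.get("processed")
        known = req or proc
        summary[rid] = {
            "subject": known.get("SubjectID"),
            "client_key_id": None if is_null(known.get("ClientKeyID")) else known["ClientKeyID"],
            "key_id": None if proc is None or is_null(proc.get("KeyID")) else proc["KeyID"],
            "complete": req is not None and proc is not None,
            "outcome": proc.get("Outcome") if proc else "pending",
        }
    return summary


def correlate_recovery(records):
    """Rebuild each recovery by RecoveryID: request, approvals, processing
    result and exports; flag an export that has no request in the window."""
    by_id = defaultdict(lambda: {"approvals": [], "exports": []})
    for r in records:
        f = r["fields"]
        ev, rid = f.get("AuditEvent"), f.get("RecoveryID")
        if ev == "SECURITY_DATA_RECOVERY_REQUEST":
            by_id[rid]["request"] = f
        elif ev == "SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE":
            by_id[rid]["approvals"].append((f.get("SubjectID"), f.get("Operation")))
        elif ev == "SECURITY_DATA_RECOVERY_REQUEST_PROCESSED":
            by_id[rid]["processed"] = f
        elif ev == "SECURITY_DATA_EXPORT_KEY":
            by_id[rid]["exports"].append(f)
    summary = {}
    for rid, p in by_id.items():
        req, proc = p.get("request"), p.get("processed")
        # KeyID comes from PROCESSED, else DataID from the request, else the export.
        candidates = [(proc or {}).get("KeyID"), (req or {}).get("DataID")]
        candidates += [e.get("KeyID") for e in p["exports"]]
        key_id = next((v for v in candidates if not is_null(v)), None)
        agents = "" if proc is None else proc.get("RecoveryAgents", "")
        anomalies = []
        if p["exports"] and req is None:
            anomalies.append("export without recovery request in window")
        if proc is not None and proc.get("Outcome") != "Success":
            anomalies.append("processing failed: %s" % proc.get("FailureReason"))
        summary[rid] = {
            "requested_by": req.get("SubjectID") if req else None,
            "key_id": key_id,
            "approvers": [s for s, op in p["approvals"] if op == "approve"],
            "recovery_agents": [] if is_null(agents) else agents.split(","),
            "exported": bool(p["exports"]),
            "anomalies": anomalies,
        }
    return summary


def client_key_ids_for_recoveries(archivals, recoveries):
    """Map each recovery back to the ClientKeyID under which the key was archived."""
    by_key = {a["key_id"]: a["client_key_id"] for a in archivals.values() if a["key_id"]}
    return {rid: by_key.get(r["key_id"]) for rid, r in recoveries.items()}


if __name__ == "__main__":
    recs = [parse_audit_line(line) for line in SAMPLE_LOG]
    arch, rec = correlate_archival(recs), correlate_recovery(recs)
    names = client_key_ids_for_recoveries(arch, rec)
    for rid, info in rec.items():
        print(rid, names[rid], info)
```

In a real deployment the window would be the audit file (or files) for the period under review; the "export without request" anomaly then usually just means the request fell in an earlier file, so widen the window before treating it as suspicious.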
 
 
 
= References =
 
 
 
* [[PKI Server Audit Events]]
 

Latest revision as of 21:13, 1 December 2020

This page has been moved to https://github.com/dogtagpki/pki/wiki/KRA-Audit-Events.