Difference between revisions of "KRA Audit Events"

From Dogtag

Revision as of 17:44, 22 May 2017

Overview

This document describes the audit events generated by the KRA (Key Recovery Authority, historically the Data Recovery Manager or DRM). The events enabled for signed audit logging are listed in the log.instance.SignedAudit.events property of the KRA's CS.cfg:

log.instance.SignedAudit.events=\
AUDIT_LOG_STARTUP,\
AUDIT_LOG_SHUTDOWN,\
ROLE_ASSUME,\
CONFIG_CERT_POLICY,\
CONFIG_CERT_PROFILE,\
CONFIG_CRL_PROFILE,\
CONFIG_OCSP_PROFILE,\
CONFIG_AUTH,\
CONFIG_ROLE,\
CONFIG_ACL,\
CONFIG_SIGNED_AUDIT,\
CONFIG_ENCRYPTION,\
CONFIG_TRUSTED_PUBLIC_KEY,\
CONFIG_DRM,\
SELFTESTS_EXECUTION,\
AUDIT_LOG_DELETE,\
LOG_PATH_CHANGE,\
PRIVATE_KEY_ARCHIVE_REQUEST,\
PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,\
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,\
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,\
KEY_RECOVERY_REQUEST,\
KEY_RECOVERY_REQUEST_ASYNC,\
KEY_RECOVERY_AGENT_LOGIN,\
KEY_RECOVERY_REQUEST_PROCESSED,\
KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,\
KEY_GEN_ASYMMETRIC,\
NON_PROFILE_CERT_REQUEST,\
PROFILE_CERT_REQUEST,\
CERT_REQUEST_PROCESSED,\
CERT_STATUS_CHANGE_REQUEST,\
CERT_STATUS_CHANGE_REQUEST_PROCESSED,\
AUTHZ_SUCCESS,\
AUTHZ_FAIL,\
INTER_BOUNDARY,\
AUTH_FAIL,\
AUTH_SUCCESS,\
CERT_PROFILE_APPROVAL,\
PROOF_OF_POSSESSION,\
CRL_RETRIEVAL,\
CRL_VALIDATION,\
CMC_SIGNED_REQUEST_SIG_VERIFY,\
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,\
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,\
SERVER_SIDE_KEYGEN_REQUEST,\
COMPUTE_SESSION_KEY_REQUEST,\
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,\
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,\
DIVERSIFY_KEY_REQUEST,\
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS,\
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,\
ENCRYPT_DATA_REQUEST,\
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,\
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,\
OCSP_ADD_CA_REQUEST,\
OCSP_ADD_CA_REQUEST_PROCESSED,\
OCSP_REMOVE_CA_REQUEST,\
OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,\
OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,\
COMPUTE_RANDOM_DATA_REQUEST,\
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,\
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,\
CIMC_CERT_VERIFICATION,\
CONFIG_SERIAL_NUMBER,\
SECURITY_DATA_ARCHIVAL_REQUEST,\
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,\
SECURITY_DATA_RECOVERY_REQUEST,\
SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,\
SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,\
SECURITY_DATA_RETRIEVE_KEY,\
SYMKEY_GENERATION_REQUEST,\
SYMKEY_GENERATION_REQUEST_PROCESSED,\
ASYMKEY_GENERATION_REQUEST,\
ASYMKEY_GENERATION_REQUEST_PROCESSED,\
SECURITY_DATA_RETRIEVE_KEY,\
KEY_STATUS_CHANGE,\
ACCESS_SESSION_ESTABLISH_FAILURE,\
ACCESS_SESSION_ESTABLISH_SUCCESS,\
ACCESS_SESSION_TERMINATED

Key Archival Events

SECURITY_DATA_ARCHIVAL_REQUEST, SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED

These events are triggered when an archival request is received either through the REST interface (for example from pki key-archive) or from the CA through the KRA connector during certificate enrollment. Because the two events are generated by different threads, they may be logged in reverse order, so correlation must not assume that the REQUEST line precedes the PROCESSED line.

Properties (SECURITY_DATA_ARCHIVAL_REQUEST):

  • SubjectID: UID of the agent that initiated the request (on the CA connector path this is the CA's subsystem user, not the end user)
  • Outcome: Success or Failure
  • ArchivalRequestID: The request ID of the archival request that was created (could be ephemeral)
  • ClientKeyID: The client key ID passed in by the client to identify the secret (null when the request came from the CA)

Properties (SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED):

  • SubjectID: UID of the agent that initiated the request
  • Outcome: Success or Failure
  • ArchivalRequestID: The request ID of the archival request (normally the one created above, but see the note on the CA connector path below)
  • ClientKeyID: The client key ID passed in by the client to identify the secret
  • KeyID: The key record that was created for the archival
  • FailureReason: The reason for failure (None or null on success)
  • PubKey: The public key associated with the archival

PubKey is only relevant when archiving a private key. When the key is archived through the REST interface, KeyID is populated and PubKey is normally not set (PubKey=null in the passphrase example below). When the key is archived through the CA connector, PubKey is set and KeyID may not be. Either identifier is sufficient, because each identifies the key record created for the archival. Note also that on the CA connector path the two events need not carry the same ArchivalRequestID: in the example below the REQUEST event has ArchivalRequestID=35, matching the ReqID carried by the enrollment's PROFILE_CERT_REQUEST and INTER_BOUNDARY events, while the PROCESSED event has ArchivalRequestID=315, continuing the KRA's own request sequence (314 in the passphrase example). Correlate that pair by SubjectID and KeyID or PubKey rather than by ArchivalRequestID alone.

For example, archive a passphrase with the PKI CLI (the REST path). Only the ClientKeyID reaches the audit log; the passphrase itself is never logged. Note that this invocation passes both the NSS database password and the secret on the command line, where they are visible in shell history and process listings:

pki -d ./alias/ -c redhat123 -n "PKI Administrator for example.com" key-archive --clientKeyID "my_pass1" --passphrase  "goodbye cruel world!"
 [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
 [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
 [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
 [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
 [AuditEvent=AUTHZ_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
 [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
 [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keyrequests][Op=execute][Info=KeyRequestResource.submitRequest] authorization success
 [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1] security data archival request made
 [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1][KeyID=156][FailureReason=None][PubKey=null] security data archival request processed 
 [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1] security data archival request made
 [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
 [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
 [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
 [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

For example, archive a private key from the CA (the connector path): a CRMF request for the caDualCert profile is generated with the private key wrapped for archival under the KRA transport certificate in transport.pem, and the CA forwards the wrapped key to the KRA during enrollment. Note that the CA authenticates to the KRA as its own subsystem user (SubjectID=CA-aleelaptop.example.com-8443) and assumes the Trusted Managers role, so the archival is attributed to the CA rather than to the end user, who appears only as CertSubject=UID=testuser:

pki -d ./alias/ -c redhat123 client-cert-request uid=testuser --profile caDualCert --type crmf --transport transport.pem
 [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
 [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=][Outcome=Success] access session establish success
 [AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success] access session establish success
 [AuditEvent=AUTH_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
 [AuditEvent=AUTHZ_SUCCESS][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][aclResource=certServer.kra.connector][Op=submit] authorization success
 [AuditEvent=ROLE_ASSUME][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][Role=Data Recovery Manager Agents, Trusted Managers] assume privileged role
 [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ReqID=35][ProfileID=kraConnector][CertSubject=UID=testuser] certificate request made with certificate profiles
 [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=35][ClientKeyID=null] security data archival request made
 [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=315][ClientKeyID=null][KeyID=157][FailureReason=null][PubKey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyElB1jEDpzcP7SI6JmbS/BGGwAVftpxv4pD5AByWt31Buzzj17ujzD+JXAx06On+DN4n1HTwH/vfVpSRd/0NUaQld6m1hvljRNMhOcP6PfsVPQf0SweLWbZM2aRt3GJss5oynKeS4kSsNp3kyLSE7u008vOE8fQrfBdGl/zgLIwIDAQAB] security data archival request processed 
 [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Failure][ReqID=35][InfoName=rejectReason][InfoValue=<null>] certificate request processed
 [AuditEvent=INTER_BOUNDARY][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ProtectionMethod=ssl][ReqType=enrollment][ReqID=35] inter-CIMC_Boundary communication (data exchange) success
 [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.168.0.2][ServerIP=192.168.0.2][SubjectID=CN=Subsystem Certificate,OU=pki-tomcat,O=example.com Security Domain][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
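The pairing rules described above can be checked mechanically. The following is an added example written for this page, not code from the Dogtag project: it parses the bracketed [Key=Value] format of the lines shown above, pairs each SECURITY_DATA_ARCHIVAL_REQUEST with its SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED without relying on line order, collapses the duplicated REQUEST line seen on the REST path, flags the CA connector pair whose request IDs differ (35 and 315), and fingerprints the DER SubjectPublicKeyInfo carried in PubKey so a connector archival can be tied to a certificate when KeyID is absent. The sample input is the archival lines from the two examples above plus one constructed failure line (request 316, not from the page); the anomaly labels in the output are this example's own.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Added example for this page; not part of Dogtag. Field names are those of the
# KRA audit events above; the anomaly labels in `flags` are this example's own.

FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
NULLS = {"", "null", "None", "<null>"}   # spellings of "unset" seen in the events above
REQUEST = "SECURITY_DATA_ARCHIVAL_REQUEST"
PROCESSED = "SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED"


def parse_audit_line(line):
    """Return the [Key=Value] fields of one audit line as a dict.

    Values never contain ']' (DNs with '=' and ',', Base64 and comma-separated
    role lists are all fine), so a bracket-delimited scan is safe. The free-text
    description after the last bracket is not needed for correlation.
    """
    return dict(FIELD_RE.findall(line.strip()))


def is_set(value):
    return value is not None and value not in NULLS


def spki_fingerprint(pubkey_b64):
    """SHA-256 of the DER SubjectPublicKeyInfo in PubKey, so a connector archival
    can be matched to the issued certificate even when KeyID is absent."""
    return hashlib.sha256(base64.b64decode(pubkey_b64)).hexdigest()


def _opt(ev, name):
    return ev.get(name) if is_set(ev.get(name)) else None


def correlate_archivals(lines):
    """Pair REQUEST with PROCESSED events and flag anomalies.

    Pairing is on (SubjectID, ArchivalRequestID); line order is ignored because
    the two events come from different threads. Identical REQUEST events (same
    subject, request ID and ClientKeyID) are collapsed, as the REST path logs the
    REQUEST twice. A PROCESSED event whose ArchivalRequestID matches no pending
    REQUEST from the same subject is tied to that subject's nearest pending
    REQUEST and flagged (the CA connector pair above: 35 vs 315).
    """
    pending = defaultdict(list)   # SubjectID -> [(line_no, fields)] of unmatched REQUESTs
    seen = set()
    processed = []
    for n, line in enumerate(lines):
        ev = parse_audit_line(line)
        kind = ev.get("AuditEvent")
        if kind == REQUEST:
            key = (ev.get("SubjectID"), ev.get("ArchivalRequestID"), ev.get("ClientKeyID"))
            if key not in seen:
                seen.add(key)
                pending[key[0]].append((n, ev))
        elif kind == PROCESSED:
            processed.append((n, ev))

    findings = []
    for n, ev in processed:
        subject, rid, flags = ev.get("SubjectID"), ev.get("ArchivalRequestID"), []
        candidates = pending.get(subject, [])
        match = next((c for c in candidates if c[1].get("ArchivalRequestID") == rid), None)
        if match is None and candidates:
            match = min(candidates, key=lambda c: abs(c[0] - n))
            flags.append("request-id-mismatch")
        if match is None:
            flags.append("orphan-processed")
        else:
            candidates.remove(match)
        if ev.get("Outcome") != "Success" or is_set(ev.get("FailureReason")):
            flags.append("failed")
        findings.append({
            "subject": subject, "request_id": rid,
            "matched_request_id": match[1].get("ArchivalRequestID") if match else None,
            "client_key_id": _opt(ev, "ClientKeyID"), "key_id": _opt(ev, "KeyID"),
            "pubkey_sha256": spki_fingerprint(ev["PubKey"]) if is_set(ev.get("PubKey")) else None,
            "flags": flags,
        })
    # A REQUEST with no PROCESSED counterpart is also worth a reviewer's attention.
    for subject, rest in pending.items():
        for _, ev in rest:
            findings.append({"subject": subject, "request_id": ev.get("ArchivalRequestID"),
                             "matched_request_id": None, "client_key_id": _opt(ev, "ClientKeyID"),
                             "key_id": None, "pubkey_sha256": None, "flags": ["unprocessed-request"]})
    return findings


# Sample input: the archival lines from the two examples on this page, plus one
# constructed failure line (request 316) that is not from the page.
SAMPLE_LINES = [
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1] security data archival request made",
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1][KeyID=156][FailureReason=None][PubKey=null] security data archival request processed",
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=314][ClientKeyID=my_pass1] security data archival request made",
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=35][ClientKeyID=null] security data archival request made",
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=CA-aleelaptop.example.com-8443][Outcome=Success][ArchivalRequestID=315][ClientKeyID=null][KeyID=157][FailureReason=null][PubKey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyElB1jEDpzcP7SI6JmbS/BGGwAVftpxv4pD5AByWt31Buzzj17ujzD+JXAx06On+DN4n1HTwH/vfVpSRd/0NUaQld6m1hvljRNMhOcP6PfsVPQf0SweLWbZM2aRt3GJss5oynKeS4kSsNp3kyLSE7u008vOE8fQrfBdGl/zgLIwIDAQAB] security data archival request processed",
    # constructed line, not from the page:
    "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Failure][ArchivalRequestID=316][ClientKeyID=my_pass2][KeyID=null][FailureReason=constructed failure][PubKey=null] security data archival request processed",
]

if __name__ == "__main__":
    for finding in correlate_archivals(SAMPLE_LINES):
        print(finding)
```

Running the block prints three findings: the REST pair (314, KeyID 156, no flags), the CA connector pair (315 tied to 35 and flagged request-id-mismatch, with both KeyID 157 and a PubKey fingerprint), and the constructed 316 event flagged orphan-processed and failed. Feeding a real KRA signed-audit log through correlate_archivals and alerting on any non-empty flags list is a reasonable first detection for archivals that never completed or completed without a visible request.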

References

  • PKI Server Audit Events