PKI 10.5 Audit Event Improvements

From Dogtag

Overview

PKI 10.5 introduced several improvements to audit events.

Audit Event Management Tools

Prior to PKI 10.5, the complete list of all audit events was stored in the comments of the log.instance.SignedAudit property in the CS.cfg of each subsystem:

log.instance.SignedAudit._000=##
log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=##
log.instance.SignedAudit._004=## Available Audit events:
log.instance.SignedAudit._005=## <list of all audit events>
log.instance.SignedAudit._006=##

The list was very long (around 100 events), so it was hard to read. Its accuracy was questionable since there was no automatic mechanism to update it. It was also redundant since the same list can be obtained from LogMessages.properties.

The audit events used by PKI are stored in the following properties:

log.instance.SignedAudit.events=<list of enabled audit events>
log.instance.SignedAudit.unselected.events=<list of disabled audit events>
log.instance.SignedAudit.mandatory.events=<list of mandatory audit events>

Prior to PKI 10.5 these properties had to be managed manually with a text editor (except in TPS, which provided a UI), which was difficult and error-prone.

PKI 10.5 provides tools to manage the audit events more easily via CLI for all subsystems. The list of all audit events can be viewed with the following command:

$ pki-server <subsystem>-audit-event-find

The list of enabled audit events can be viewed with the following command:

$ pki-server <subsystem>-audit-event-find --enabled True

Events can be enabled or disabled with the following command:

$ pki-server <subsystem>-audit-event-enable/disable <event>

See also PKI Server Audit CLI.

Merged Audit Events

To reduce the number of events to manage, some of the event pairs that end with _FAILURE/_FAIL and _SUCCESS have been merged into a single event, with the result recorded in the event's Outcome value instead:

Old Event                                      New Event                              Outcome
ACCESS_SESSION_ESTABLISH_FAILURE               ACCESS_SESSION_ESTABLISH               Failure
ACCESS_SESSION_ESTABLISH_SUCCESS               ACCESS_SESSION_ESTABLISH               Success
AUTH_FAIL                                      AUTH                                   Failure
AUTH_SUCCESS                                   AUTH                                   Success
AUTHZ_FAIL                                     AUTHZ                                  Failure
AUTHZ_SUCCESS                                  AUTHZ                                  Success
CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE     CMC_USER_SIGNED_REQUEST_SIG_VERIFY     Failure
CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS     CMC_USER_SIGNED_REQUEST_SIG_VERIFY     Success
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE  COMPUTE_RANDOM_DATA_REQUEST_PROCESSED  Failure
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS  COMPUTE_RANDOM_DATA_REQUEST_PROCESSED  Success
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE  COMPUTE_SESSION_KEY_REQUEST_PROCESSED  Failure
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS  COMPUTE_SESSION_KEY_REQUEST_PROCESSED  Success
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE        DIVERSIFY_KEY_REQUEST_PROCESSED        Failure
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS        DIVERSIFY_KEY_REQUEST_PROCESSED        Success
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE         ENCRYPT_DATA_REQUEST_PROCESSED         Failure
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS         ENCRYPT_DATA_REQUEST_PROCESSED         Success
OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE       OCSP_REMOVE_CA_REQUEST_PROCESSED       Failure
OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS       OCSP_REMOVE_CA_REQUEST_PROCESSED       Success
TOKEN_APPLET_UPGRADE_FAILURE                   TOKEN_APPLET_UPGRADE                   Failure
TOKEN_APPLET_UPGRADE_SUCCESS                   TOKEN_APPLET_UPGRADE                   Success
TOKEN_AUTH_FAILURE                             TOKEN_AUTH                             Failure
TOKEN_AUTH_SUCCESS                             TOKEN_AUTH                             Success
TOKEN_FORMAT_FAILURE                           TOKEN_FORMAT                           Failure
TOKEN_FORMAT_SUCCESS                           TOKEN_FORMAT                           Success
TOKEN_PIN_RESET_FAILURE                        TOKEN_PIN_RESET                        Failure
TOKEN_PIN_RESET_SUCCESS                        TOKEN_PIN_RESET                        Success
TOKEN_KEY_CHANGEOVER_FAILURE                   TOKEN_KEY_CHANGEOVER                   Failure
TOKEN_KEY_CHANGEOVER_SUCCESS                   TOKEN_KEY_CHANGEOVER                   Success

Simplified Default Audit Event List

To reduce the amount of audit log output generated by default, the default list of audit events in log.instance.SignedAudit.events has been simplified. See the Default Events section in the following pages:

New Default Audit Event Filters

PKI 10.5 introduces a default set of audit event filters in log.instance.SignedAudit.filters. See the Default Events section in the above pages.

See also PKI Server Audit Event Filter.

Upgrade

To simplify the upgrade, an upgrade script will automatically update the configuration files of existing instances. The script will replace the comments for log.instance.SignedAudit with a description of the audit event management tools, as follows:

log.instance.SignedAudit._000=##
log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=## To list available audit events:
log.instance.SignedAudit._004=## $ pki-server <subsystem>-audit-event-find
log.instance.SignedAudit._005=##
log.instance.SignedAudit._006=## To enable/disable audit event:
log.instance.SignedAudit._007=## $ pki-server <subsystem>-audit-event-enable/disable <event name>
log.instance.SignedAudit._008=##

The upgrade script will also merge the event pairs described above wherever they appear in the following properties:

  • log.instance.SignedAudit.events
  • log.instance.SignedAudit.mandatory.events
  • log.instance.SignedAudit.filters

Note:

  • The upgrade script will not add events to or remove events from the above properties; it only renames merged events in place.
  • The log.instance.SignedAudit.unselected.events property will be dropped since it is now redundant.

See also Configuration Upgrade for PKI 10.5.x.
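The following is an added example, not Dogtag's own upgrade script, showing the merge rules from the table above applied to a constructed CS.cfg fragment: only the paired events listed in the table lose their suffix (an unrelated event that happens to end in _SUCCESS is left alone), duplicates produced by a merge collapse into one entry, and unselected.events is dropped. It assumes per-event filters are stored as subkeys log.instance.SignedAudit.filters.<EVENT>; the ROLE_ASSUME, UNMERGED_SUCCESS and logSigning lines are sample values, not taken from a real instance.

```python
# Added example (not Dogtag's upgrade script): apply the PKI 10.5 merges to a CS.cfg fragment.
PREFIX = "log.instance.SignedAudit."
LIST_KEYS = {PREFIX + "events", PREFIX + "mandatory.events"}
FILTER_PREFIX = PREFIX + "filters."     # assumed per-event filter key layout
DROPPED_KEY = PREFIX + "unselected.events"
MERGED_STEMS = {   # stems of the merged pairs listed in the table above
    "ACCESS_SESSION_ESTABLISH", "AUTH", "AUTHZ", "CMC_USER_SIGNED_REQUEST_SIG_VERIFY",
    "COMPUTE_RANDOM_DATA_REQUEST_PROCESSED", "COMPUTE_SESSION_KEY_REQUEST_PROCESSED",
    "DIVERSIFY_KEY_REQUEST_PROCESSED", "ENCRYPT_DATA_REQUEST_PROCESSED",
    "OCSP_REMOVE_CA_REQUEST_PROCESSED", "TOKEN_APPLET_UPGRADE", "TOKEN_AUTH",
    "TOKEN_FORMAT", "TOKEN_PIN_RESET", "TOKEN_KEY_CHANGEOVER",
}

def merge_event_name(name):
    """Map an old paired event name to its merged name; any other name passes through."""
    for suffix in ("_FAILURE", "_FAIL", "_SUCCESS"):
        if name.endswith(suffix) and name[:-len(suffix)] in MERGED_STEMS:
            return name[:-len(suffix)]
    return name

def merge_event_list(value):
    """Rewrite a comma-separated event list, dropping duplicates created by merging."""
    events = (merge_event_name(e.strip()) for e in value.split(",") if e.strip())
    return ",".join(dict.fromkeys(events))   # AUTH_FAIL and AUTH_SUCCESS -> one AUTH

def upgrade_cs_cfg(text):
    """Rewrite the SignedAudit properties of a CS.cfg; every other line is kept as-is."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")   # split on the first '=' only
        if key == DROPPED_KEY:
            continue                            # redundant in 10.5, so removed
        if key in LIST_KEYS:
            line = key + sep + merge_event_list(value)
        elif key.startswith(FILTER_PREFIX):     # rename the event in the filter key
            event = merge_event_name(key[len(FILTER_PREFIX):])
            line = FILTER_PREFIX + event + sep + value
        out.append(line)
    return "\n".join(out)

# Constructed CS.cfg fragment (not from a real instance); UNMERGED_SUCCESS is a made-up event.
SAMPLE_CFG = """\
log.instance.SignedAudit.events=AUTH_FAIL,AUTH_SUCCESS,AUTHZ_FAIL,ROLE_ASSUME,UNMERGED_SUCCESS
log.instance.SignedAudit.unselected.events=TOKEN_AUTH_FAILURE
log.instance.SignedAudit.mandatory.events=AUTH_FAIL,AUTHZ_SUCCESS,ROLE_ASSUME
log.instance.SignedAudit.filters.TOKEN_AUTH_FAILURE=(Outcome=Failure)
log.instance.SignedAudit.logSigning=true"""
```

Running upgrade_cs_cfg(SAMPLE_CFG) yields four lines: the two event lists become AUTH,AUTHZ,ROLE_ASSUME (plus UNMERGED_SUCCESS in the first), the filter key becomes filters.TOKEN_AUTH, and the unselected.events line disappears.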
