PKI 10.5 Audit Event Improvements - dogtagpki/pki GitHub Wiki
PKI 10.5 introduced several improvements to audit events.
Prior to PKI 10.5, the complete list of all audit events was stored in the comments of the log.instance.SignedAudit property in the CS.cfg of each subsystem:
```
log.instance.SignedAudit._000=##
log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=##
log.instance.SignedAudit._004=## Available Audit events:
log.instance.SignedAudit._005=## <list of all audit events>
log.instance.SignedAudit._006=##
```
The list was very long (around 100 events), so it was hard to read. Its accuracy was questionable since there was no automatic mechanism to keep it up to date. It was also redundant, since the same list can be obtained from LogMessages.properties.
The audit events used by PKI are stored in the following properties:
```
log.instance.SignedAudit.events=<list of enabled audit events>
log.instance.SignedAudit.unselected.events=<list of disabled audit events>
log.instance.SignedAudit.mandatory.events=<list of mandatory audit events>
```
Prior to PKI 10.5 these properties had to be edited by hand in a text editor (except in TPS, which provided a UI), which was difficult and error-prone.
PKI 10.5 provides tools to manage the audit events more easily via CLI for all subsystems. The list of all audit events can be viewed with the following command:
```
$ pki-server <subsystem>-audit-event-find
```
The list of enabled audit events can be viewed with the following command:
```
$ pki-server <subsystem>-audit-event-find --enabled True
```
Events can be enabled or disabled with the following command:
```
$ pki-server <subsystem>-audit-event-enable/disable <event>
```
To reduce the number of events to manage, some of the event pairs that end with _FAILURE/_FAIL and _SUCCESS have been merged into a single event distinguished by its Outcome value:
Old Event | New Event | Outcome |
---|---|---|
ACCESS_SESSION_ESTABLISH_FAILURE | ACCESS_SESSION_ESTABLISH | Failure |
ACCESS_SESSION_ESTABLISH_SUCCESS | ACCESS_SESSION_ESTABLISH | Success |
AUTH_FAIL | AUTH | Failure |
AUTH_SUCCESS | AUTH | Success |
AUTHZ_FAIL | AUTHZ | Failure |
AUTHZ_SUCCESS | AUTHZ | Success |
CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE | CMC_USER_SIGNED_REQUEST_SIG_VERIFY | Failure |
CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS | CMC_USER_SIGNED_REQUEST_SIG_VERIFY | Success |
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE | COMPUTE_RANDOM_DATA_REQUEST_PROCESSED | Failure |
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS | COMPUTE_RANDOM_DATA_REQUEST_PROCESSED | Success |
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE | COMPUTE_SESSION_KEY_REQUEST_PROCESSED | Failure |
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS | COMPUTE_SESSION_KEY_REQUEST_PROCESSED | Success |
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE | DIVERSIFY_KEY_REQUEST_PROCESSED | Failure |
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS | DIVERSIFY_KEY_REQUEST_PROCESSED | Success |
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE | ENCRYPT_DATA_REQUEST_PROCESSED | Failure |
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS | ENCRYPT_DATA_REQUEST_PROCESSED | Success |
OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE | OCSP_REMOVE_CA_REQUEST_PROCESSED | Failure |
OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS | OCSP_REMOVE_CA_REQUEST_PROCESSED | Success |
TOKEN_APPLET_UPGRADE_FAILURE | TOKEN_APPLET_UPGRADE | Failure |
TOKEN_APPLET_UPGRADE_SUCCESS | TOKEN_APPLET_UPGRADE | Success |
TOKEN_AUTH_FAILURE | TOKEN_AUTH | Failure |
TOKEN_AUTH_SUCCESS | TOKEN_AUTH | Success |
TOKEN_FORMAT_FAILURE | TOKEN_FORMAT | Failure |
TOKEN_FORMAT_SUCCESS | TOKEN_FORMAT | Success |
TOKEN_PIN_RESET_FAILURE | TOKEN_PIN_RESET | Failure |
TOKEN_PIN_RESET_SUCCESS | TOKEN_PIN_RESET | Success |
TOKEN_KEY_CHANGEOVER_FAILURE | TOKEN_KEY_CHANGEOVER | Failure |
TOKEN_KEY_CHANGEOVER_SUCCESS | TOKEN_KEY_CHANGEOVER | Success |
To reduce the volume of audit logs generated by default, the default list of audit events in log.instance.SignedAudit.events has been simplified. See the Default Events section in the following pages:
PKI 10.5 introduces a default set of audit event filters in log.instance.SignedAudit.filters. See the Default Events section in the above pages.
See also Signed Audit Event Filters.
To simplify upgrade, an upgrade script automatically updates the configuration files of existing instances. The script replaces the comments for log.instance.SignedAudit with a description of the audit event management tools, as follows:
```
log.instance.SignedAudit._000=##
log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=## To list available audit events:
log.instance.SignedAudit._004=## $ pki-server <subsystem>-audit-event-find
log.instance.SignedAudit._005=##
log.instance.SignedAudit._006=## To enable/disable audit event:
log.instance.SignedAudit._007=## $ pki-server <subsystem>-audit-event-enable/disable <event name>
log.instance.SignedAudit._008=##
```
The upgrade script will also merge the event pairs described above wherever they appear in the following properties:

- log.instance.SignedAudit.events
- log.instance.SignedAudit.mandatory.events
- log.instance.SignedAudit.filters

Note:

- The upgrade script will not add events to or remove events from the above properties.
- The log.instance.SignedAudit.unselected.events property will be dropped, since it is now redundant.
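The following script is an added example written for this page; it is not the pki-server upgrade script or any other code from the PKI project. It applies the event-pair merge from the table above to the three properties just listed, drops the redundant unselected.events property, and adds one check a reviewer of a migrated CS.cfg would want: that every mandatory event is still present in the enabled list. It assumes (not stated on the page) that CS.cfg is a flat key=value file, that event lists are comma-separated, and that filter properties use the key form log.instance.SignedAudit.filters.<EVENT>. The sample CS.cfg fragment, including the ROLE_ASSUME event and the filter values, is constructed for the demonstration.

```python
"""Merge legacy _FAILURE/_FAIL and _SUCCESS audit event pairs in a CS.cfg.

Added example for the PKI 10.5 audit event page; NOT the pki-server
upgrade script. Assumptions: flat key=value file, comma-separated event
lists, filter keys of the form log.instance.SignedAudit.filters.<EVENT>.
"""

# Old event name -> merged event name, built from the table on this page.
MERGED_EVENTS = {}
for _base in (
    "ACCESS_SESSION_ESTABLISH", "CMC_USER_SIGNED_REQUEST_SIG_VERIFY",
    "COMPUTE_RANDOM_DATA_REQUEST_PROCESSED",
    "COMPUTE_SESSION_KEY_REQUEST_PROCESSED",
    "DIVERSIFY_KEY_REQUEST_PROCESSED", "ENCRYPT_DATA_REQUEST_PROCESSED",
    "OCSP_REMOVE_CA_REQUEST_PROCESSED", "TOKEN_APPLET_UPGRADE",
    "TOKEN_AUTH", "TOKEN_FORMAT", "TOKEN_PIN_RESET", "TOKEN_KEY_CHANGEOVER",
):
    MERGED_EVENTS[_base + "_FAILURE"] = _base
    MERGED_EVENTS[_base + "_SUCCESS"] = _base
for _base in ("AUTH", "AUTHZ"):          # these two use the shorter _FAIL suffix
    MERGED_EVENTS[_base + "_FAIL"] = _base
    MERGED_EVENTS[_base + "_SUCCESS"] = _base

EVENTS_KEY = "log.instance.SignedAudit.events"
MANDATORY_KEY = "log.instance.SignedAudit.mandatory.events"
UNSELECTED_KEY = "log.instance.SignedAudit.unselected.events"
FILTER_PREFIX = "log.instance.SignedAudit.filters."   # assumed key form


def merge_event_list(value):
    """Rename merged events in a comma-separated list; keep order and
    collapse both halves of a pair into one entry. Nothing is added/removed."""
    merged = []
    for name in (n.strip() for n in value.split(",")):
        if name:
            new_name = MERGED_EVENTS.get(name, name)
            if new_name not in merged:
                merged.append(new_name)
    return ",".join(merged)


def merge_cs_cfg(lines):
    """Return (new_lines, notes). Filters are renamed, but if both halves of a
    pair carry a filter the second is kept verbatim and reported rather than
    silently combined; unselected.events is dropped as redundant."""
    out, notes, seen_filters = [], [], set()
    for line in lines:
        key, sep, value = line.partition("=")
        if not sep or line.lstrip().startswith("#"):
            out.append(line)                      # comment, blank, or non-property
            continue
        if key == UNSELECTED_KEY:
            notes.append(f"dropped redundant property {key}")
            continue
        if key in (EVENTS_KEY, MANDATORY_KEY):
            merged = merge_event_list(value)
            if merged != value:
                notes.append(f"{key}: {value} -> {merged}")
            out.append(f"{key}={merged}")
            continue
        if key.startswith(FILTER_PREFIX):
            new_event = MERGED_EVENTS.get(key[len(FILTER_PREFIX):], key[len(FILTER_PREFIX):])
            new_key = FILTER_PREFIX + new_event
            if new_event in seen_filters:
                notes.append(f"{key}: filter for {new_event} already present; review manually")
                out.append(line)
                continue
            seen_filters.add(new_event)
            if new_key != key:
                notes.append(f"{key} -> {new_key}")
            out.append(f"{new_key}={value}")
            continue
        out.append(line)
    return out, notes


def mandatory_not_enabled(lines):
    """Mandatory events missing from the enabled list (after name merging)."""
    props = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            props[key] = value
    enabled = set(merge_event_list(props.get(EVENTS_KEY, "")).split(","))
    mandatory = merge_event_list(props.get(MANDATORY_KEY, "")).split(",")
    return [e for e in mandatory if e and e not in enabled]


# Constructed sample CS.cfg fragment (not taken from a real instance).
SAMPLE_CS_CFG = """\
# audit configuration (constructed sample)
log.instance.SignedAudit.events=AUTH_FAIL,AUTH_SUCCESS,AUTHZ_FAIL,ROLE_ASSUME
log.instance.SignedAudit.mandatory.events=AUTH_FAIL,AUTHZ_FAIL,AUTHZ_SUCCESS
log.instance.SignedAudit.unselected.events=TOKEN_AUTH_SUCCESS
log.instance.SignedAudit.filters.AUTH_FAIL=(Outcome=Failure)
log.instance.SignedAudit.filters.AUTH_SUCCESS=(Outcome=Success)
log.instance.SignedAudit.filters.ROLE_ASSUME=(Outcome=Success)
"""

if __name__ == "__main__":
    new_lines, notes = merge_cs_cfg(SAMPLE_CS_CFG.splitlines())
    print("\n".join(new_lines))
    for note in notes:
        print("#", note)
    print("# mandatory but not enabled:", mandatory_not_enabled(new_lines))
```

Running it on the constructed sample collapses AUTH_FAIL/AUTH_SUCCESS into a single AUTH entry in both lists, renames the AUTH_FAIL filter key to AUTH, flags the AUTH_SUCCESS filter for manual review because the merged event already has a filter, and drops unselected.events; the final check reports an empty list because every mandatory event is still enabled.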
See also PKI 10.5 Configuration Upgrade.