Use this task to enable and configure security auditing
in your environment with the wsadmin tool. Security auditing provides
tracking and archiving of auditable events.
Before you begin
Before enabling security auditing, enable administrative
security in your environment.
If you previously configured
security auditing and do not want to modify configuration settings,
use the enableAudit and disableAudit commands to start and stop security
auditing. After enabling or disabling security auditing, restart the
server to apply the configuration changes.
About this task
Security auditing supports the integrity of a secure computing environment. It collects and logs authentication, authorization, system management, security, and audit policy events as audit event records. You can analyze those records to identify possible security breaches, threats, and attacks, and to find weaknesses in the security configuration of your environment.
Use the
following steps to enable and configure security auditing in your
environment:
Procedure
- Launch the wsadmin scripting tool using the Jython scripting
language. See the Starting the wsadmin scripting client article for
more information.
- Verify that the security auditing subsystem is configured.
To enable security auditing, you must configure event filters, an audit emitter, and an audit event factory. Event filters specify which event types the system audits and records, and which outcomes of those events are recorded. The audit service provider (the audit emitter) writes the audit records to the backend repository that is associated with its implementation. The audit event factory generates the security events.
By default, the security auditing system includes one audit service provider and one audit event factory.
The audit command groups provide several commands to query event filters, audit emitters, event factories, and their configuration attributes. See the audit command reference for the specific query commands. The following example commands query your security auditing configuration at a high level.
- Use the getAuditFilters command to display a list of references
to all audit filters defined in your configuration, as the following
example demonstrates:
AdminTask.getAuditFilters()
- Use the listAuditEmitters command to display a list of all audit
emitters in your configuration, as the following example demonstrates:
AdminTask.listAuditEmitters()
- Use the listAuditEventFactories command to display a list of all
audit event factories in your configuration, as the following example
demonstrates:
AdminTask.listAuditEventFactories()
- Enable security auditing in your environment with the modifyAuditPolicy command.
Table 1. Command parameters. Use the following optional parameters for the modifyAuditPolicy command to customize your security auditing configuration:
Parameter | Description | Data type | Required
-auditEnabled | Specifies whether to enable security auditing. | Boolean | No
-auditPolicy | Specifies the behavior of the server process if the audit subsystem fails. Valid values are WARN, NOWARN and FATAL. WARN notifies the auditor when an error occurs in the audit subsystem and ceases auditing, but continues to run the application server process. NOWARN ceases auditing without notifying the auditor, and continues to run the application server process. FATAL notifies the auditor of the error and stops the application server process. By default, the command assigns the NOWARN setting. | String | No
-auditorId | Specifies the ID of the user to assign to the auditor role. | String | No
-auditorPwd | Specifies the password for the auditor role. | String | No
-sign | Specifies whether to sign audit records. By default, the security auditing system does not sign audit records. You must configure the signing of audit records before you can specify this parameter. | Boolean | No
-encrypt | Specifies whether to encrypt audit records. By default, the security auditing system does not encrypt audit records. You must configure encryption for audit records before you can specify this parameter. | Boolean | No
-verbose | Specifies whether to capture verbose audit data. By default, the security auditing system does not capture verbose audit data. | Boolean | No
-encryptionCert | Specifies the reference ID of the certificate to use for encryption. Specify this parameter if you set the -encrypt parameter to true. | String | No
The following example command enables security auditing,
and identifies the primary auditor by assigning a user and password.
AdminTask.modifyAuditPolicy('-auditEnabled true -auditorId securityAdmin -auditorPwd security4you')
- Save your configuration changes.
Use the following command example to save your configuration
changes:
AdminConfig.save()
- Restart the server.
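The whole procedure as one wsadmin Jython script, added here as an example; it is not from the WebSphere documentation and not IBM's code. It assumes that wsadmin injects the AdminTask and AdminConfig objects into the script namespace and that, under Jython, the list commands return their entries as a newline-separated string. The FakeAdmin class, the dry_run and run_in_wsadmin helpers, and the audit reference names in dry_run are constructed so the script can be exercised outside wsadmin; the auditor ID and password are the page's own example values. The script also applies the parameter table's rules (only the three valid -auditPolicy values, -encrypt requires -encryptionCert, -sign and -encrypt emitted only when requested) and sets -auditPolicy WARN rather than the NOWARN default, so that a failure of the audit subsystem is reported to the auditor instead of silently ending the audit trail.

```python
VALID_AUDIT_POLICIES = ("WARN", "NOWARN", "FATAL")

def split_wsadmin_list(output):
    """wsadmin (Jython) returns list results as a newline-separated
    string; normalise that, or a real list, into a clean Python list."""
    if output is None:
        return []
    if isinstance(output, (list, tuple)):
        items = list(output)
    else:
        items = str(output).splitlines()
    return [item.strip() for item in items if item.strip()]

def check_audit_subsystem(admin_task):
    """Step 2: return the names of missing components (empty = ready)."""
    missing = []
    if not split_wsadmin_list(admin_task.getAuditFilters()):
        missing.append("audit filter")
    if not split_wsadmin_list(admin_task.listAuditEmitters()):
        missing.append("audit emitter")
    if not split_wsadmin_list(admin_task.listAuditEventFactories()):
        missing.append("audit event factory")
    return missing

def build_audit_policy_args(auditor_id, auditor_pwd, audit_policy="WARN",
                            sign=0, encrypt=0, encryption_cert=None, verbose=0):
    """Step 3: build the modifyAuditPolicy parameter string. Rejects values
    the parameter table rules out and emits -sign/-encrypt/-verbose only
    when requested (signing and encryption must be configured first)."""
    if audit_policy not in VALID_AUDIT_POLICIES:
        raise ValueError("auditPolicy must be one of %s, got %r"
                         % (", ".join(VALID_AUDIT_POLICIES), audit_policy))
    if encrypt and not encryption_cert:
        raise ValueError("-encrypt true requires -encryptionCert")
    args = ["-auditEnabled true", "-auditorId %s" % auditor_id,
            "-auditorPwd %s" % auditor_pwd, "-auditPolicy %s" % audit_policy]
    if sign:
        args.append("-sign true")
    if encrypt:
        args.append("-encrypt true -encryptionCert %s" % encryption_cert)
    if verbose:
        args.append("-verbose true")
    return " ".join(args)

def enable_security_auditing(admin_task, admin_config, auditor_id, auditor_pwd,
                             **policy):
    """Steps 2 to 4: verify, apply the policy, save. Returns the applied
    parameter string; the restart (step 5) is left to the operator."""
    missing = check_audit_subsystem(admin_task)
    if missing:
        raise RuntimeError("audit subsystem not configured; missing: "
                           + ", ".join(missing))
    params = build_audit_policy_args(auditor_id, auditor_pwd, **policy)
    admin_task.modifyAuditPolicy(params)
    admin_config.save()
    return params

class FakeAdmin:
    """Constructed stand-in for AdminTask/AdminConfig, for use outside wsadmin."""
    def __init__(self, filters="", emitters="", factories=""):
        self.filters, self.emitters, self.factories = filters, emitters, factories
        self.calls = []
    def getAuditFilters(self):
        return self.filters
    def listAuditEmitters(self):
        return self.emitters
    def listAuditEventFactories(self):
        return self.factories
    def modifyAuditPolicy(self, params):
        self.calls.append(("modifyAuditPolicy", params))
    def save(self):
        self.calls.append(("save", None))

def dry_run():
    """Offline walk-through over constructed list output shaped like
    wsadmin's newline-separated references (the reference names are made up)."""
    fake = FakeAdmin(filters="AuditSpecification_1\nAuditSpecification_2",
                     emitters="AuditServiceProvider_1",
                     factories="AuditEventFactory_1")
    return enable_security_auditing(fake, fake, "securityAdmin", "security4you",
                                    audit_policy="WARN", verbose=1)

def run_in_wsadmin(namespace):
    """Entry point when wsadmin executes this file: use the injected
    AdminTask/AdminConfig if present, otherwise do nothing."""
    admin_task = namespace.get("AdminTask")
    admin_config = namespace.get("AdminConfig")
    if admin_task is None or admin_config is None:
        return None
    # WARN instead of the default NOWARN so an audit subsystem failure is
    # reported rather than silently ending the audit trail.
    return enable_security_auditing(admin_task, admin_config, "securityAdmin",
                                    "security4you", audit_policy="WARN")

_applied = run_in_wsadmin(globals())
if _applied is not None:
    print("Applied: " + _applied + "; restart the server to activate it")
```

Run it inside wsadmin with wsadmin -lang jython -f and the file name; outside wsadmin the top-level call finds no AdminTask and does nothing, and dry_run() shows the parameter string that would be passed to modifyAuditPolicy.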
Results
After you complete the steps to enable and configure security auditing, the profile records audit events for the configured auditable event types.
What to do next
After you configure the audit policy for the first time,
use the enableAudit and disableAudit commands to turn the security
auditing system on and off. The system maintains the settings that
you define with the modifyAuditPolicy command when you enable and
disable the security auditing system.
Note: You must restart the server
to apply the configuration changes.