Auditable security events

Auditable security events are security events that have audit instrumentation added to the security run time code to enable them to be recorded. Event filters are configured to specify which auditable security events are recorded to the audit log files.

The following list describes each valid auditable event that you can specify as an enabled event type when creating an event filter:
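Table 1. Event types. Valid auditable events that can be specified as enabled event types when creating an event filter:
| Event name | Description |
| --- | --- |
| SECURITY_AUTHN | Audits all authentication events |
| SECURITY_AUTHN_MAPPING | Audits events that record the mapping of credentials where two user identities are involved |
| SECURITY_AUTHN_TERMINATE | Audits authentication termination events, such as a form-based logout |
| SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
| SECURITY_RUNTIME | Audits runtime events, such as the starting and stopping of security servers. This event type is not meant for administrative operations performed by a system administrator, because such operations need to use the other SECURITY_MGMT_* event types. |
| SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem, such as starting audit, stopping audit, turning audit on or off, changing the configuration of audit filters or levels, archiving audit data, purging audit data, and so on. |
| SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses for a given web page, and all accesses to a critical database table |
| SECURITY_SIGNING | Audits events that record signing operations, such as the signing operations used to validate parts of a SOAP message for web services |
| SECURITY_ENCRYPTION | Audits events that record encryption information, such as encryption for web services |
| SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. This event type is used when the client identity is propagated or when delegation involves the use of a special identity. It is also used when switching user identities within a given session. |
| SECURITY_AUTHN_CREDS_MODIFY | Audits events that modify the credentials for a given user identity |
| SECURITY_FORM_LOGIN | Audits events of the user logging in and the remote IP address from which the login was initiated, along with the time stamp and outcome. |
| SECURITY_FORM_LOGOUT | Audits events of the user logging out and the remote IP address from which the logout was initiated, along with the time stamp and outcome. |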
For each audit event type, you must specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. Not all outcomes are applicable with all event types.
Note: Support for the SECURITY_RUNTIME auditing event type has been fully implemented for this release of WebSphere® Application Server. It audits runtime events such as the starting and the stopping of security servers.
[z/OS]
Table 2. Event Type SMF Codes. The following tables map the Security auditing event types and event outcomes to the SMF interpretations.
| Event name | SMF Code | SMF Unload Keyword |
| --- | --- | --- |
| SECURITY_AUTHN | 1 | *WASAUTN |
| SECURITY_AUTHN_MAPPING | 3 | *WASAUTM |
| SECURITY_AUTHN_TERMINATE | 2 | *WASAUTT |
| SECURITY_AUTHZ | 4 | *WASAUTZ |
| SECURITY_MGMT_CONFIG | 8 | *WASCONF |
| SECURITY_MGMT_POLICY | 5 | *WASPOLM |
| SECURITY_MGMT_PROVISIONING | 9 | *WASPROV |
| SECURITY_MGMT_RESOURCE | 10 | *WASRESM |
| SECURITY_RUNTIME | 7 | *WASRUNT |
| SECURITY_RUNTIME_KEY | 11 | *WASKEYR |
| SECURITY_MGMT_KEY | 12 | *WASKEYM |
| SECURITY_MGMT_AUDIT | 13 | *WASAUDI |
| SECURITY_MGMT_REGISTRY | 6 | *WASREGM |
| SECURITY_RESOURCE_ACCESS | 14 | *WASACCE |
| SECURITY_SIGNING | 15 | *WASSIGN |
| SECURITY_ENCRYPTION | 16 | *WASCRYP |
| SECURITY_AUTHN_DELEGATION | 17 | *WASDELE |
Table 3. Event Outcome SMF Qualifier. The following table lists the event outcome SMF Qualifier.
| Event Outcome | SMF Qualifier | SMF Unload Keyword |
| --- | --- | --- |
| SUCCESSFUL | 0 | SUCCESS |
| INFO | 1 | INFO |
| WARNING | 2 | WARNING |
| FAILURE | 3 | FAILURE |
| REDIRECT | 4 | REDIRECT |
| DENIED | 5 | DENIED |

To support compliance with federal regulations with minimal performance impact, support is added to capture Web UI logins and logouts with a minimum amount of audit data.

The following properties, supported in the audit.xml file, are introduced:
  • com.ibm.audit.terse.form.login, with a value that consists of a space-delimited list of valid outcomes.
  • com.ibm.audit.terse.form.logout, with a value that consists of a space-delimited list of valid outcomes.
  • com.ibm.audit.terse.form.login enables the SECURITY_FORM_LOGIN event with the outcomes specified in "value".
  • com.ibm.audit.terse.form.logout enables the SECURITY_FORM_LOGOUT event with the outcomes specified in "value".

The resulting audit event contains only: the time stamp, the user being logged in (or out), the remote IP address from which the login or logout is initiated, and the outcome.

The following is an example of an audit.xml file that has both properties set:

<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Audit_1173199825578">
  <auditSpecifications xmi:id="AuditSpecification_1173199825610" enabled="true" name="DefaultAuditSpecification_3">
    <event>SECURITY_AUTHN_TERMINATE</event>
    <outcome>SUCCESS</outcome>
    <outcome>REDIRECT</outcome>
    <outcome>FAILURE</outcome>
  </auditSpecifications>
  <auditPolicy xmi:id="AuditPolicy_1173199825608" auditEnabled="true" auditorId="sadie" auditorPwd="{xor}" sign="false" encrypt="false" batching="false" verbose="false">
    <auditEventFactories xmi:id="AuditEventFactory_1173199825608" name="auditEventFactoryImpl_1" className="com.ibm.ws.security.audit.AuditEventFactoryImpl" auditServiceProvider="AuditServiceProvider_1173199825608" auditSpecifications="AuditSpecification_1173199825610"/>
    <auditServiceProviders xmi:id="AuditServiceProvider_1173199825608" name="auditServiceProviderImpl_1" className="com.ibm.ws.security.audit.BinaryEmitterImpl" eventFormatterClass="" maxFileSize="10" maxLogs="100" fileLocation="$(LOG_ROOT)" auditSpecifications="AuditSpecification_1173199825610"/>
    <properties xmi:id="Property_1" name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE" description="dtcc custom property"/>
    <properties xmi:id="Property_2" name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERROR" description="dtcc custom property"/>
  </auditPolicy>
</security:Audit>

Property_1 specifies that the terse SECURITY_FORM_LOGIN event type is captured, and that an audit event is recorded only for an outcome of success or failure.
Property_2 specifies that the terse SECURITY_FORM_LOGOUT event type is captured, and that an audit event is recorded only if the outcome is success, failure, or error.
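
The following is an added example, not part of the original page or of WebSphere itself: a small Python check that reads an audit.xml and reports which terse form events are enabled, flagging property names that are not one of the two listed above and outcome values that are not in the list of valid outcomes. The function name and the sample file content are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Outcomes and property names as listed on this page.
VALID_OUTCOMES = {"SUCCESS", "FAILURE", "REDIRECT", "ERROR",
                  "DENIED", "WARNING", "INFO"}
TERSE_PROPS = {
    "com.ibm.audit.terse.form.login": "SECURITY_FORM_LOGIN",
    "com.ibm.audit.terse.form.logout": "SECURITY_FORM_LOGOUT",
}

# Constructed sample, trimmed from the audit.xml layout shown above. The
# misspelled property name and the "FAILED" outcome are deliberate mistakes.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <auditPolicy auditEnabled="true">
    <properties name="com.ibm.audit.terse.form login" value="SUCCESS FAILURE"/>
    <properties name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILED ERROR"/>
  </auditPolicy>
</security:Audit>"""


def check_terse_properties(xml_text):
    """Return (enabled, problems) for the terse form login/logout properties.

    enabled maps event type -> list of valid outcomes that were requested;
    problems is a list of human-readable findings.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    enabled, problems = {}, []
    for policy in root.iter("auditPolicy"):
        for prop in policy.findall("properties"):
            name = prop.get("name", "")
            if not name.startswith("com.ibm.audit.terse"):
                continue  # some other custom property, not checked here
            event = TERSE_PROPS.get(name)
            if event is None:
                problems.append(f"unknown property name: {name!r}")
                continue
            outcomes = prop.get("value", "").split()  # space-delimited list
            bad = [o for o in outcomes if o not in VALID_OUTCOMES]
            if bad:
                problems.append(f"{name}: invalid outcome(s) {bad}")
            if not outcomes:
                problems.append(f"{name}: no outcomes listed")
            enabled[event] = [o for o in outcomes if o in VALID_OUTCOMES]
    return enabled, problems


if __name__ == "__main__":
    print(check_terse_properties(SAMPLE))
```
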

Starting with WebSphere Application Server V9, the SECURITY_FORM_LOGIN and SECURITY_FORM_LOGOUT audit event types can be configured either through the administrative console or through wsadmin scripting. Specifying the properties is still supported, and if they are specified, there is no need to reconfigure by using the administrative console or wsadmin scripting.


Last updated: July 9, 2016 11:13
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=rsec_sa_event_types
File name: rsec_sa_event_types.html