Auditable security events
Auditable security events are security events that have audit instrumentation added to the security runtime code so that they can be recorded. Event filters are configured to specify which auditable security events are recorded to the audit log files.
Event name | Description |
---|---|
SECURITY_AUTHN | Audits all authentication events |
SECURITY_AUTHN_MAPPING | Audits events that record the mapping of credentials where two user identities are involved |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events, such as form-based logout |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
SECURITY_RUNTIME | Audits runtime events, such as starting and stopping the security server. This event type is not intended for administrative operations performed by a system administrator, because such operations require the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations on the audit subsystem, such as starting audit, stopping audit, turning audit on or off, changing the configuration of audit filters or levels, archiving audit data, purging audit data, and so on. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses for a given web page, and all accesses to a critical database table. |
SECURITY_SIGNING | Audits events that record signing operations, such as the signing used to validate parts of a web services SOAP message |
SECURITY_ENCRYPTION | Audit events that record encryption information, such as web services encryption |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. This event type is used when a client identity is propagated or when delegation involves the use of a special identity. It is also used when the user identity is switched within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events that modify the credentials for a given user identity |
SECURITY_FORM_LOGIN | Audit events for the user being logged in and the remote IP address from which the login is initiated, together with the time stamp and the outcome. |
SECURITY_FORM_LOGOUT | Audit events for the user being logged out and the remote IP address from which the logout is initiated, together with the time stamp and the outcome. |
[z/OS]

Event name | SMF Code | SMF Unload Keyword |
---|---|---|
SECURITY_AUTHN | 1 | *WASAUTN |
SECURITY_AUTHN_MAPPING | 3 | *WASAUTM |
SECURITY_AUTHN_TERMINATE | 2 | *WASAUTT |
SECURITY_AUTHZ | 4 | *WASAUTZ |
SECURITY_MGMT_CONFIG | 8 | *WASCONF |
SECURITY_MGMT_POLICY | 5 | *WASPOLM |
SECURITY_MGMT_PROVISIONING | 9 | *WASPROV |
SECURITY_MGMT_RESOURCE | 10 | *WASRESM |
SECURITY_RUNTIME | 7 | *WASRUNT |
SECURITY_RUNTIME_KEY | 11 | *WASKEYR |
SECURITY_MGMT_KEY | 12 | *WASKEYM |
SECURITY_MGMT_AUDIT | 13 | *WASAUDI |
SECURITY_MGMT_REGISTRY | 6 | *WASREGM |
SECURITY_RESOURCE_ACCESS | 14 | *WASACCE |
SECURITY_SIGNING | 15 | *WASSIGN |
SECURITY_ENCRYPTION | 16 | *WASCRYP |
SECURITY_AUTHN_DELEGATION | 17 | *WASDELE |

Event Outcome | SMF Qualifier | SMF Unload Keyword |
---|---|---|
SUCCESSFUL | 0 | SUCCESS |
INFO | 1 | INFO |
WARNING | 2 | WARNING |
FAILURE | 3 | FAILURE |
REDIRECT | 4 | REDIRECT |
DENIED | 5 | DENIED |
To support compliance with federal regulations with minimal performance overhead, support is added to capture web UI logins and logouts with a minimal amount of audit data. Two properties control this:
- com.ibm.audit.terse.form.login, with a value that consists of a space-delimited list of valid outcomes. Setting it enables the SECURITY_FORM_LOGIN event with the outcomes specified in the value.
- com.ibm.audit.terse.form.logout, with a value that consists of a space-delimited list of valid outcomes. Setting it enables the SECURITY_FORM_LOGOUT event with the outcomes specified in the value.
The resulting audit event contains only: the time stamp, the user being logged in (or out), the remote IP address from which the login or logout is initiated, and the outcome.
The following is an example of an audit.xml file that has both properties set:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Audit_1173199825578">
  <auditSpecifications xmi:id="AuditSpecification_1173199825610" enabled="true" name="DefaultAuditSpecification_3">
    <event>SECURITY_AUTHN_TERMINATE</event>
    <outcome>SUCCESS</outcome>
    <outcome>REDIRECT</outcome>
    <outcome>FAILURE</outcome>
  </auditSpecifications>
  <auditPolicy xmi:id="AuditPolicy_1173199825608" auditEnabled="true" auditorId="sadie" auditorPwd="{xor}" sign="false" encrypt="false" batching="false" verbose="false">
    <auditEventFactories xmi:id="AuditEventFactory_1173199825608" name="auditEventFactoryImpl_1" className="com.ibm.ws.security.audit.AuditEventFactoryImpl" auditServiceProvider="AuditServiceProvider_1173199825608" auditSpecifications="AuditSpecification_1173199825610"/>
    <auditServiceProviders xmi:id="AuditServiceProvider_1173199825608" name="auditServiceProviderImpl_1" className="com.ibm.ws.security.audit.BinaryEmitterImpl" eventFormatterClass="" maxFileSize="10" maxLogs="100" fileLocation="$(LOG_ROOT)" auditSpecifications="AuditSpecification_1173199825610"/>
    <properties xmi:id="Property_1" name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE" description="dtcc custom property"/>
    <properties xmi:id="Property_2" name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERROR" description="dtcc custom property"/>
  </auditPolicy>
</security:Audit>
```
Property_1 specifies that the terse SECURITY_FORM_LOGIN event type is captured, and that an audit event is written only for outcomes of SUCCESS or FAILURE.
Property_2 specifies that the terse SECURITY_FORM_LOGOUT event type is captured, and that an audit event is written only when the outcome is SUCCESS, FAILURE, or ERROR.
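As an added example (not WebSphere code), the following Python reads an audit.xml in the layout shown above using only the standard library and reports which event types and outcomes would actually be recorded, combining the enabled auditSpecifications with the terse form login and logout properties. The sample XML is constructed from the page's example with shortened xmi:id values, and coverage_gaps is a hypothetical helper for checking a configuration against the events a policy requires.

```python
import xml.etree.ElementTree as ET

# Custom property name -> terse event type it enables (from the page).
TERSE_PROPERTIES = {
    "com.ibm.audit.terse.form.login": "SECURITY_FORM_LOGIN",
    "com.ibm.audit.terse.form.logout": "SECURITY_FORM_LOGOUT",
}

def effective_filters(audit_xml: str) -> dict[str, set[str]]:
    """Map each event type to the set of outcomes the configuration records."""
    root = ET.fromstring(audit_xml)
    policy = root.find("auditPolicy")  # child tags carry no namespace prefix
    filters: dict[str, set[str]] = {}
    # auditEnabled="false" on auditPolicy switches the whole subsystem off.
    if policy is None or policy.get("auditEnabled") != "true":
        return filters
    for spec in root.findall("auditSpecifications"):
        if spec.get("enabled") != "true":
            continue
        outcomes = {o.text.strip() for o in spec.findall("outcome") if o.text}
        for ev in spec.findall("event"):
            filters.setdefault(ev.text.strip(), set()).update(outcomes)
    # Terse properties: the value is a space-delimited list of outcomes.
    for prop in policy.findall("properties"):
        event = TERSE_PROPERTIES.get(prop.get("name", ""))
        if event:
            filters.setdefault(event, set()).update((prop.get("value") or "").split())
    return filters

def coverage_gaps(filters, required):
    """Return the (event, outcome) pairs that are required but not recorded."""
    return sorted((e, o) for e, o in required if o not in filters.get(e, set()))

# Constructed from the page's audit.xml example (xmi:id values shortened).
SAMPLE_AUDIT_XML = """<security:Audit xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Audit_1">
  <auditSpecifications xmi:id="AuditSpecification_1" enabled="true" name="DefaultAuditSpecification_3">
    <event>SECURITY_AUTHN_TERMINATE</event>
    <outcome>SUCCESS</outcome>
    <outcome>REDIRECT</outcome>
    <outcome>FAILURE</outcome>
  </auditSpecifications>
  <auditPolicy xmi:id="AuditPolicy_1" auditEnabled="true" auditorId="sadie" auditorPwd="{xor}">
    <properties xmi:id="Property_1" name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE"/>
    <properties xmi:id="Property_2" name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERROR"/>
  </auditPolicy>
</security:Audit>"""
```

Running effective_filters over SAMPLE_AUDIT_XML shows that SECURITY_AUTHN failures are not recorded at all by this configuration, which coverage_gaps makes visible before the file is deployed.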
Starting with WebSphere Application Server V9, the SECURITY_FORM_LOGIN and SECURITY_FORM_LOGOUT audit event types can also be configured through the administrative console or through wsadmin scripting. Specifying the properties is still supported, and if they are specified there is no need to reconfigure by using the administrative console or wsadmin scripting.