Configuring audit event factories using scripting
Before enabling security auditing, use this task to configure audit event factories using the wsadmin tool. Security auditing provides tracking and archiving of auditable events.
Before you begin
Before configuring security auditing event factories, enable administrative security in your environment.
About this task
In order to enable security auditing in your environment, you must configure an audit event factory. The audit event factory gathers the data that is associated with security events. The security auditing configuration provides a default event factory. Use this topic to customize your security auditing subsystem by creating additional audit event factories.
Use the following steps to configure your security auditing subsystem using the wsadmin tool:
Procedure
- Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
- Configure event filters. You can use the default event filters or use this step to create additional filters to customize your security auditing configuration.
Table 1. Event filters in the audit.xml file. The application server provides the following event filters by default in the audit.xml template file:

| Event Name | Outcome of event |
| --- | --- |
| SECURITY_AUTHN | SUCCESS |
| SECURITY_AUTHN | DENIED |
| SECURITY_RESOURCE_ACCESS | SUCCESS |
| SECURITY_AUTHN | REDIRECT |

You can configure additional audit event types to track and archive various events. Use the following command to list all supported auditable events:
print AdminTask.getSupportedAuditEvents()
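Use the createAuditFilter command with the -eventType and -outcome parameters to enable one or multiple audit events and outcomes. You can specify multiple event types and multiple outcomes separated by a comma with one command invocation. The following list describes each valid auditable event that you can specify with the -eventType parameter:

Table 2. Event types. The valid auditable events can be specified as the event type to enable when creating an event filter:

| Event name | Description |
| --- | --- |
| SECURITY_AUTHN | Audits all authentication events |
| SECURITY_AUTHN_MAPPING | Audits events that record the mapping of credentials where two user identities are involved |
| SECURITY_AUTHN_TERMINATE | Audits authentication termination events, such as a form-based logout |
| SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
| SECURITY_RUNTIME | Audits runtime events, such as the starting and stopping of security servers. This event type is not meant for administrative operations performed by a system administrator, because such operations need to use the other SECURITY_MGMT_* event types. |
| SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem, such as starting audit, stopping audit, turning audit on or off, changing the configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
| SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table. |
| SECURITY_SIGNING | Audits events that record signing, such as signing operations used to validate parts of a SOAP message for web services |
| SECURITY_ENCRYPTION | Audits events that record encryption information, such as encryption for web services |
| SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. This event type is used when the client identity is propagated or when delegation involves the use of a special identity. It is also used when switching user identities within a given session. |
| SECURITY_AUTHN_CREDS_MODIFY | Audits events that modify credentials for a given user identity |
| SECURITY_FORM_LOGIN | Audits events of the user logging in and the remote IP address from which the login was initiated, along with the timestamp and outcome. |
| SECURITY_FORM_LOGOUT | Audits events of the user logging out and the remote IP address from which the logout was initiated, along with the timestamp and outcome. |

Important: The following security audit event types are not used in this release of WebSphere® Application Server:
- SECURITY_MGMT_KEY
- SECURITY_RUNTIME_KEY
- SECURITY_MGMT_PROVISIONING
- SECURITY_MGMT_REGISTRY
- SECURITY_RUNTIME
- SECURITY_AUTHN_CREDS_MODIFY

For each audit event type, you must specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. The following command example creates an audit filter to log users who receive an error when modifying credentials:
AdminTask.createAuditFilter('-name uniqueFilterName -eventType SECURITY_RESOURCE_ACCESS,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')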
- Create an audit event factory. You can use the default audit event factory or use this step to create a new audit event factory.
Use the createAuditEventFactory command to create an audit event factory in your security configuration. You can use the default implementation of the audit event factory or use a third-party implementation. To configure a third-party implementation, use the optional -customProperties parameter to specify any properties necessary to configure the audit event factory implementation.
Table 3. Required parameters. Specify the following required parameters with the createAuditEventFactory command to configure your audit event factory:

| Parameter | Description | Data type | Required |
| --- | --- | --- | --- |
| -uniqueName | Specifies a unique name that identifies the audit event factory. | String | Yes |
| -className | Specifies the class implementation of the audit event factory interface. | String | Yes |
| -auditFilters | Specifies a reference or a group of references to predefined audit filters, using the following format: "reference, reference, reference" | String | Yes |
| -provider | Specifies a reference to a predefined audit service provider implementation. | String | Yes |
| -customProperties | Specifies a comma (,) separated list of custom property pairs to add to the security object in the following format: attribute=value,attribute=value | String | No |

The following sample command creates and enables an audit event factory:
AdminTask.createAuditEventFactory('-uniqueName eventFactory1 -className com.ibm.ws.security.audit.AuditEventFactoryImpl -auditFilters "AuditSpecification_1173199825608, AuditSpecification_1173199825609, AuditSpecification_1173199825610, AuditSpecification_1173199825611" -provider newASP')
- Save your configuration changes. Use the following command example to save your configuration changes:
AdminConfig.save()
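As an added example (not IBM's code), the following Python helper builds the argument strings for the createAuditFilter and createAuditEventFactory commands from the procedure above and checks them against the event types, outcomes and unused event types listed on this page before anything is passed to AdminTask. The function names filter_args and factory_args are hypothetical, and inside wsadmin the authoritative event list is the output of AdminTask.getSupportedAuditEvents().

```python
# Added example: pre-flight checks for the wsadmin argument strings on this page.
# Event types are taken from Table 2; outcomes and unused types from the page text.
VALID_EVENTS = ("SECURITY_AUTHN", "SECURITY_AUTHN_MAPPING", "SECURITY_AUTHN_TERMINATE",
                "SECURITY_AUTHZ", "SECURITY_RUNTIME", "SECURITY_MGMT_AUDIT",
                "SECURITY_RESOURCE_ACCESS", "SECURITY_SIGNING", "SECURITY_ENCRYPTION",
                "SECURITY_AUTHN_DELEGATION", "SECURITY_AUTHN_CREDS_MODIFY",
                "SECURITY_FORM_LOGIN", "SECURITY_FORM_LOGOUT")
UNUSED_EVENTS = ("SECURITY_MGMT_KEY", "SECURITY_RUNTIME_KEY", "SECURITY_MGMT_PROVISIONING",
                 "SECURITY_MGMT_REGISTRY", "SECURITY_RUNTIME", "SECURITY_AUTHN_CREDS_MODIFY")
VALID_OUTCOMES = ("SUCCESS", "FAILURE", "REDIRECT", "ERROR", "DENIED", "WARNING", "INFO")

def _items(csv, allowed, label):
    """Split a comma-separated value, trim whitespace, reject empty or unknown entries."""
    items = [p.strip() for p in csv.split(",") if p.strip()]
    unknown = [i for i in items if i not in allowed]
    if not items or unknown:
        raise ValueError("bad %s: %s" % (label, unknown or "empty"))
    return items

def filter_args(name, event_types, outcomes):
    """Return (argument string for createAuditFilter, list of warnings)."""
    if not name or len(name.split()) != 1:
        raise ValueError("-name must be one token without spaces")
    events = _items(event_types, VALID_EVENTS + UNUSED_EVENTS, "event type")
    outs = _items(outcomes, VALID_OUTCOMES, "outcome")
    # A filter on an unused event type is accepted here but flagged for review.
    warnings = ["%s is listed as not used in this release" % e
                for e in events if e in UNUSED_EVENTS]
    args = "-name %s -eventType %s -outcome %s" % (name, ",".join(events), ",".join(outs))
    return args, warnings

def factory_args(unique_name, class_name, filter_refs, provider, custom_props=()):
    """Return the argument string for createAuditEventFactory."""
    refs = [r.strip() for r in filter_refs if r.strip()]
    if not refs:
        raise ValueError("-auditFilters needs at least one filter reference")
    for label, value in (("uniqueName", unique_name), ("className", class_name),
                         ("provider", provider)):
        if not value or len(value.split()) != 1:
            raise ValueError("-%s must be one token without spaces" % label)
    args = '-uniqueName %s -className %s -auditFilters "%s" -provider %s' % (
        unique_name, class_name, ", ".join(refs), provider)
    if custom_props:  # sequence of (attribute, value) pairs
        args += " -customProperties " + ",".join(["%s=%s" % (k, v) for k, v in custom_props])
    return args

# Inside wsadmin, where AdminTask exists, the strings are passed straight through:
#   args, warnings = filter_args("uniqueFilterName", "SECURITY_AUTHN", "DENIED")
#   AdminTask.createAuditFilter(args)
```

Run the checks before the AdminTask calls and review any warnings before AdminConfig.save(), so that a filter on an event type this release does not use is caught at configuration time.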
What to do next
Configure the audit service provider.

