Audit record attributes

Data about each audit event is captured in an event record, in comma-separated value (CSV) format. You can use this data to analyze system activity and deployment activity on your system.

Record structure overview

The first few comma-separated elements of every record are values for the common attributes that are listed in the next section. Within each record, the values for these common attributes are followed by additional data that contains attribute name-value pairs. These attribute name-value pairs vary from record to record. The content of records captured from the system differs from that of records captured from the deployer. See the Attribute name-value pairs section for the pairs that you can use in your analysis of system activity and deployment activity in the cloud.

Common attributes

Audit record attributes and their values help you discover important information about user actions that might affect system integrity, such as who performs the action, when the action takes place, from where the action originates, which resource is targeted by the action, and whether the action is successful.

Table 1 provides the attribute definitions and example values that apply to every event record. All of these attribute values appear in the same order in every record, and all of them are strings.
Table 1. Values in CSV file

Order in CSV file | Attribute | Information provided in value | Example
1 | Timestamp | When did the action occur? | 2013-10-03 23:46:59.621 Central Daylight Time
2 | Resource (Component) Type | To which type of resource or component was the action targeted? | Example values include ibm:ipas.server, KS, SH, and more.
3 | Action | What action was performed? | Possible values include PUT, POST, DELETE, or GET.
4 | Resource Identifier | To which resource was the action targeted? | /storehouse/admin/registry/2/ITM/clientRegistry.json
5 | User Identifier | Who performed the action? | Example values include userID, cbadmin (internal server identity), d-ef86e0fb-938a-4d5e-8005-6c56663ad915 (a deployment identifier), and more.
6 | Source Address | Where did the action originate? | Example values include an IPv4 address such as 172.16.254.192, Console, localhost, or an IPv6 address such as fd8c:215d:178e:17e2:200:c9ff:fec2:9317.
7 | Additional Data | What happened? Was the action successful? If not, what caused the failure? | (see the note below)
Note: To answer the 'What happened' question, the value of the Additional Data attribute consists of multiple name-value pairs that are separated by delimiters.
Example: The following example depicts a typical event record. The first line (from 2012-06-29 10:45:43.158 GMT to 172.16.15.45) consists of values for the attributes that are common to all records. The subsequent lines (from status=202# to the end of the record) are all part of additionalData and consist of attribute name-value pairs.
2012-06-29 10:45:43.158 GMT,ibm:ipas.server,PUT,075e1c01-3011-41d6-a160-dead008707aa,admin,172.16.15.45,database
status=202#|eventid=PUT#|isrecoveryprocess=false#|message_key=pure0206#|message=Router update#|
requestPath=/resources/users/075e1c01-3011-41d6-a160-dead008707aa#|requestServerName=localhost#|
userConfigRoles=[SUPER_USER, HARDWARE_ADMIN_WRITER, SECURITY_ADMIN_WRITER, HARDWARE_ADMIN_READER, SECURITY_ADMIN_READER,
AUDIT_READER, AUDIT_WRITER, APPLIANCE_ADMIN_WRITER, APPLIANCE_ADMIN_READER, CLOUD_ADMIN_WRITER, CLOUD_ADMIN_READER, CLOUD_USER,
REPORT_READER, CATALOG_CREATOR, PATTERN_CREATOR, ILMT_USER, PROFILE_CREATOR, ROLE_ADMIN, CLOUDGROUP_ADMIN_WRITER,
CLOUDGROUP_ADMIN_READER, USER_ADMIN_READER, TOOLS_ADMIN_WRITER, TOOLS_ADMIN_READER]#|
requestURI=/admin/resources/users/075e1c01-3011-41d6-a160-dead008707aa#|requestRemotePort=53313#|requestUserName=admin#|
userName=audittestup10b#|modifiedItems=roles|#|resourceType=users#|routerRenderName=audittestup10b

Attribute name-value pairs

The following table lists attributes that are common to all event records that are generated during both system activity and deployment activity in the cloud.
Table 2. System and deployment record attribute name-value pairs

Attribute name | Description | Example value
auditAction | Indicates the specific action that was attempted. | Example values include Add user to usergroup, userlogin, authenticate, user logout via UI button.
auditresults | An HTTP status code that shows whether the requested action completed successfully. | Example codes include 200 (successful), 401 (connection or authentication failure), 403 (authentication or authorization failure), 404 (specified resource not found), 500 (internal error).
event_authz_acl_check | An optional attribute that indicates that a user with an appropriate permission (read, write, or full access permission) successfully accessed the specified resource. This attribute appears in records that contain the event_outcome attribute. When a user accesses multiple resources within an audit event, the product concatenates those resource names in the attribute value. | /admin/users/u-0/userdata.json_RWF_true___/admin/plugins/webservice/1.0.0.3/parts/webservice.scripts.tgz_WF_true
event_authz_check | An optional attribute that shows the result of a REST interface access control check. This attribute appears in records that contain the event_outcome attribute. During this check, the product verifies every access request against a set of rules: the endorsement signature, the freshness of the request timestamp, the integrity of the security token, and the sufficiency of the caller and asserted security roles. | Possible values include success, failure, or reject.
event_correlator_id | A Universally Unique Identifier (UUID) of a common event that triggers other events, for example an event on the system that corresponds to the trigger of an audit record. All events triggered from a common event contain the same event_correlator_id value. | event_correlator_id=c5e2d799-0e2d-414d-b505-85854660d518
event_exception | Specifies the error condition that caused a request failure or rejection. | Example exception: CWZSE0924W: User: user1 not found
event_roles | Lists the security roles of the specified user. The list consists of security roles that have been granted to the user, as well as any additional security role that is asserted by the most recent endorsement server. Refer to the description of the event_authz_header attribute for more information about endorsement servers. | [REPORT_READER]_ [AUDIT_READER]_ [AUDIT_WRITER]_
event_subjects | Displays the security identity of the requester. | [user1]
eventid | A UUID that identifies an event. | eventid=f9fbcd36-4c35-4c7c-81c8-8dd5fed420f9
groupName | Specifies the name of the user group to be added. | group1
loginUser | The ID of the user. | user1
loginMessage | Description of an auditing record. | Example values include Principals found for user. Login succeeded and null or empty Principals for user. Possibly unknown user or incorrect password. Login failed.
resourceType | Specifies the type of resource to be changed. | users
requestURI | Specifies the fully qualified URI that represents the target resource type. | /admin/resources/users/
status | An HTTP status code that shows whether the requested action completed successfully. | Example codes include 200 (successful), 401 (connection or authentication failure), 403 (authentication or authorization failure), 404 (specified resource not found), 500 (internal error).
userConfigRoles | The roles an authenticated user belongs to. If null, the user has not been assigned any roles. | [SECURITY_ADMIN_WRITER, SECURITY_ADMIN_READER, CLOUD_USER, ROLE_ADMIN]
userName | Specifies the name of the user account to be added. | user1
Example: The following example depicts typical system event records. Each record starts with a timestamp such as 2012-07-03 18:24:25.002 GMT.
2012-07-03 18:25:09.344 GMT,ibm:ipas.server,POST,24d53890-62d5-4731-9151-62e101640d99,cbadmin,fd8c:215d:178e:17e2:5054:e2ff:fed7:ba,status=200#|
eventid=0207#|isrecoveryprocess=false#|message_key=pure0207#|message=Router create#|requestPath=/resources/users#|
requestServerName=fd8c#|requestURI=/admin/resources/users#|requestRemotePort=55215#|requestUserName=cbadmin#|auditCaller=groupHelper.onCreate#|
resourceType=user_groups_users#|userName=[[user_id:5mVpBQMjvf00RJrK0JAmMcbNCJvtzFfylP7JCufAkutYfkv7Y1dPZ2JSXQmLGvLS]]#|groupName=[[name:Everyone]]#|
auditAction=Add user to user group
2012-07-03 18:25:11.930 GMT,ibm:ipas.server,POST,/admin/resources/users/c174803b-803b-46bd-a9f6-dff396d9868a,cbadmin,
fd8c:215d:178e:17e2:5054:e2ff:fed7:ba,status=200#|eventid=POST#|isrecoveryprocess=false#|message_key=pure0207#|message=Router create#|
requestPath=/resources/users#|requestServerName=fd8c#|requestURI=/admin/resources/users#|
requestRemotePort=55215#|requestUserName=cbadmin#|userName=5mVpBQMjvf00RJrK0JAmMcbNCJvtzFfylP7JCufAkutYfkv7Y1dPZ2JSXQmLGvLS#|
routerRenderHeaders=[Location:/admin/resources/users/c174803b-803b-46bd-a9f6-dff396d9868a]#|
routerRenderName=5mVpBQMjvf00RJrK0JAmMcbNCJvtzFfylP7JCufAkutYfkv7Y1dPZ2JSXQmLGvLS
2012-07-03 18:25:14.462 GMT,ibm:ipas.server,PUT,c174803b-803b-46bd-a9f6-dff396d9868a,cbadmin,fd8c:215d:178e:17e2:5054:e2ff:fed7:ba,status=202#|
eventid=PUT#|isrecoveryprocess=false#|message_key=pure0206#|message=Router update#|
requestPath=/resources/users/c174803b-803b-46bd-a9f6-dff396d9868a#|requestServerName=fd8c#|
requestURI=/admin/resources/users/c174803b-803b-46bd-a9f6-dff396d9868a#|requestRemotePort=55224#|requestUserName=cbadmin#|
userName=5mVpBQMjvf00RJrK0JAmMcbNCJvtzFfylP7JCufAkutYfkv7Y1dPZ2JSXQmLGvLS#|modifiedItems=current_message|is_internal|
deployment_options|current_status|user_groups|name|email|roles|#|resourceType=users#|
routerRenderName=5mVpBQMjvf00RJrK0JAmMcbNCJvtzFfylP7JCufAkutYfkv7Y1dPZ2JSXQmLGvLS 

Security token format

As mentioned previously, the event_authz_header attribute displays Cloud Pak System Software security tokens as signed JSON objects. Review the following example for an understanding of the data that these security tokens contain. (Note that the security token format is subject to change in future releases of the product.)
{ "attributes":
    "{ "authorizationAttributes" : { "groups" : ["g-0"],
           "roles" : ["11","13","14","15","16","17","1","2","3","4","5","6","7","8","9","10"] },
       "ownerProcessTypeID" : "IT",
       "ownerPublicKey" : "IT",
       "AT" : "1316453354588",
       "userName" : "cbadmin",
       "userID" : "u-0",
       "type" : "user",
       "issuerProcessTypeID" : "TS",
       "expirationTime" : 86400000,
       "issuerPublicKey" : "TS"
     }",
  "signature" : "IPf***A==" }

Guidelines for analysis

Ultimately, the business value of audit data analysis is to minimize risk to your business assets, by maintaining the integrity of your IT practices and building effective security measures for your environment. The following guidelines and analysis scenarios give you insight to achieve those critical goals.
  • Detect fraudulent or risky user activity, and take action to preserve system integrity.
    Review event record attributes to track the activity of both human and non-human user entities. (Remember that a user entity might not be a human, but rather a system such as a deployed virtual machine.) For example, you might want to track the recent activity of a specific user on a specific resource. You can search event records with attributes that meet all of the following conditions:
    • A User value that matches a specific user security identity
    • Values for Resource type, Resource Name, and, optionally, Resource ID that match your resource of interest
    • Timestamp values that correspond with your time frame of interest

    If you examine the records and detect a risk, you can modify the configuration to minimize future risks.

  • Analyze security attacks to provide insight for proactive security measures.
    Examine attributes to perform detailed intrusion detection and forensic analysis if an attack occurs. The attributes event_subjects, event_authz_header, and event_authz_acl_check are particularly helpful for these purposes. The following list enumerates the ways in which you can examine the attributes:
    • Use the event_subjects attribute to see the complete path of a user's request to access a resource; use it for a quick analysis of how a malicious user might have launched his or her attack.
    • You can also use event_subjects to determine which records require detailed examination. Consider the attribute as a concise summary of the security token stack information in the event_authz_header attribute. Therefore, you can use event_subjects to pinpoint the event records to analyze, with the information in event_authz_header.
    • You can use the Resource Type and Resource Name attributes to identify records that document activity on a resource of particular concern. Then you can examine the event_authz_acl_check attribute for more detailed information about the user who accessed that resource. Consider the following sample event_authz_acl_check value:
      /admin/plugins/webservice/1.0.0.3/parts/webservice.scripts.tgz_WF_true
      This value indicates that the user who accessed the resource /admin/plugins/webservice/1.0.0.3/parts/webservice.scripts.tgz has Write and Full permissions for that resource. Thus, when the integrity of a resource is compromised, you can refine your list of suspected perpetrators to users who have Write and Full permissions for the resource in question.
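The two guidelines above, worked through in added Python that is not part of this document or of the product: a parser for the record layout of Table 1 and the #|-delimited name-value pairs of Table 2, then the two analyses the guidelines describe (one user's activity on a resource within a time window, and the users whose event_authz_acl_check value shows Write and Full permission on a resource). The sample records are constructed, the COMMON field names and helper functions are my own, and timestamps are assumed to share a single time zone.

```python
from datetime import datetime

# Order of the six common attributes that start every record (Table 1 above).
COMMON = ("timestamp", "resourceType", "action", "resourceId", "user", "sourceAddress")

# Constructed sample records, one per line (not real audit output). userConfigRoles
# deliberately contains commas: only the first six commas of a record are structural.
SAMPLE = """\
2012-06-29 10:45:43.158 GMT,ibm:ipas.server,PUT,075e1c01-3011-41d6-a160-dead008707aa,admin,172.16.15.45,status=202#|eventid=PUT#|userConfigRoles=[SUPER_USER, AUDIT_READER]#|resourceType=users#|modifiedItems=roles|#|userName=audittestup10b
2012-06-29 10:46:01.500 GMT,ibm:ipas.server,GET,/admin/plugins/webservice/1.0.0.3/parts/webservice.scripts.tgz,user1,172.16.15.45,status=200#|event_subjects=[user1]#|event_authz_acl_check=/admin/users/u-0/userdata.json_RWF_true___/admin/plugins/webservice/1.0.0.3/parts/webservice.scripts.tgz_WF_true
2012-06-29 10:47:30.000 GMT,ibm:ipas.server,GET,/admin/plugins/webservice/1.0.0.3/parts/webservice.scripts.tgz,user2,172.16.15.46,status=403#|event_subjects=[user2]#|event_authz_acl_check=/admin/plugins/webservice/1.0.0.3/parts/webservice.scripts.tgz_R_false
"""

def parse_timestamp(value):
    """'2012-06-29 10:45:43.158 GMT' -> (naive datetime, zone label as written)."""
    return datetime.strptime(value[:23], "%Y-%m-%d %H:%M:%S.%f"), value[24:].strip()

def parse_record(line):
    """Six common attributes, then additionalData: name=value pairs joined by '#|'."""
    fields = line.rstrip("\n").split(",", 6)  # a plain CSV reader would split values too
    if len(fields) != 7:
        raise ValueError("malformed audit record: %r" % line)
    rec = dict(zip(COMMON, fields))
    rec["additionalData"] = dict(p.split("=", 1) for p in fields[6].split("#|") if "=" in p)
    return rec

def decode_acl_check(value):
    """Entries joined by '___', each 'resource_PERMS_outcome'; '_WF_true' = Write+Full, passed."""
    decoded = []
    for entry in filter(None, value.split("___")):
        path, perms, outcome = entry.rsplit("_", 2)
        decoded.append((path, frozenset(perms), outcome == "true"))
    return decoded

def find_activity(records, user, resource_prefix, start, end):
    """Guideline 1: one user's actions on a resource of interest inside a time window.
    Timestamps are compared naively, so all records are assumed to share one zone."""
    return [r for r in records
            if r["user"] == user and r["resourceId"].startswith(resource_prefix)
            and start <= parse_timestamp(r["timestamp"])[0] <= end]

def write_capable_users(records, resource):
    """Guideline 2: users whose ACL check granted Write and Full permission on resource."""
    users = set()
    for r in records:
        acl = r["additionalData"].get("event_authz_acl_check", "")
        for path, perms, ok in decode_acl_check(acl):
            if path == resource and ok and {"W", "F"} <= perms:
                users.add(r["user"])
    return users
```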