Auditable security events
Auditable security events are security events with audit instrumentation that is added to the security runtime code to enable them to be recorded. Event filters are configured to specify which auditable security events are recorded to the audit log files.
Event name | Description |
---|---|
ADMIN_REPOSITORY_SAVE | An audit record is written depending on the outcome of the save. If needed, configure checkpoints. |
SECURITY_AUTHN | Audits all authentication events. |
SECURITY_AUTHN_MAPPING | Audits events that record the mapping of credentials where two user identities are involved. |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events, such as a form-based logout. |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies. |
SECURITY_RUNTIME | Audits runtime events such as the starting and stopping of security servers. This event type is not meant for administrative operations performed by a system administrator; such operations use the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations on the audit subsystem, such as starting or stopping audit, turning audit on or off, changing the configuration of audit filters or the audit level, archiving audit data, and purging audit data. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table. |
SECURITY_SIGNING | Audits events that record signing, such as the signing operations used to validate parts of a SOAP message for web services. |
SECURITY_ENCRYPTION | Audits events that record encryption information, such as encryption for web services. |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events that modify the credentials of a given user identity. |
SECURITY_FORM_LOGIN | Audits a user being logged in, recording the remote IP address from which the login is initiated along with the timestamp and the outcome. To enable this event, configure the com.ibm.audit.terse.form.login property in the audit.xml file. Currently this event is not shown in the administrative console, but the audit event is recorded in the BinaryAudit.log file. |
SECURITY_FORM_LOGOUT | Audits a user being logged out, recording the remote IP address from which the logout is initiated along with the timestamp and the outcome. To enable this event, configure the com.ibm.audit.terse.form.logout property in the audit.xml file. Currently this event is not shown in the administrative console, but the audit event is recorded in the BinaryAudit.log file. |
SECURITY_KERBEROS_LOGIN | Audits a user performing a web login with Kerberos, recording the remote IP address from which the login is initiated along with the timestamp and the outcome. To enable this event, configure the com.ibm.audit.terse.form.login property in the audit.xml file. Currently this event is not shown in the administrative console, but the audit event is recorded in the BinaryAudit.log file. |
SECURITY_KERBEROS_LOGOUT | Audits a user performing a web logout with Kerberos, recording the remote IP address from which the logout is initiated along with the timestamp and the outcome. To enable this event, configure the com.ibm.audit.terse.form.logout property in the audit.xml file. Currently this event is not shown in the administrative console, but the audit event is recorded in the BinaryAudit.log file. |
SECURITY_SPNEGO_LOGIN | Audits a user performing a web login with SPNEGO, recording the remote IP address from which the login is initiated along with the timestamp and the outcome. To enable this event, configure the com.ibm.audit.terse.form.login property in the audit.xml file. Currently this event is not shown in the administrative console, but the audit event is recorded in the BinaryAudit.log file. |
SECURITY_SPNEGO_LOGOUT | Audits a user performing a web logout with SPNEGO, recording the remote IP address from which the logout is initiated along with the timestamp and the outcome. To enable this event, configure the com.ibm.audit.terse.form.logout property in the audit.xml file. Currently this event is not shown in the administrative console, but the audit event is recorded in the BinaryAudit.log file. |
For each audit event type, you must specify an outcome. Valid outcomes are SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. Not all outcomes are applicable to all event types.
The terse audit record written for these login and logout events contains the following information:
- The timestamp
- The ID of the user who is logged in or out
- The remote IP address from which the login or logout is initiated
- The outcome of the event
Terse audit record custom properties
- com.ibm.audit.terse.form.login: The value of this property is a space-delimited list of valid outcomes. It enables the SECURITY_FORM_LOGIN event. Specify the outcomes to include in this audit event in the value parameter.
- com.ibm.audit.terse.form.logout: The value of this property is a space-delimited list of valid outcomes. It enables the SECURITY_FORM_LOGOUT audit event. Specify the outcomes to include in this audit event in the value parameter.
- com.ibm.audit.terse.progname: When this property is set to true, the name of the application that is being logged in to and out of is included in the terse audit record. Valid values are true or false. By default, the application name is not included in the terse audit record.
Examples for setting audit custom properties in the audit.xml file
The com.ibm.audit.terse.form.login and com.ibm.audit.terse.form.logout properties set:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Audit_1173199825578">
  <auditSpecifications xmi:id="AuditSpecification_1173199825610" enabled="true" name="DefaultAuditSpecification_3">
    <event>SECURITY_AUTHN_TERMINATE</event>
    <outcome>SUCCESS</outcome>
    <outcome>REDIRECT</outcome>
    <outcome>FAILURE</outcome>
  </auditSpecifications>
  <auditPolicy xmi:id="AuditPolicy_1173199825608" auditEnabled="true" auditorId="sadie" auditorPwd="{xor}" sign="false" encrypt="false" batching="false" verbose="false">
    <auditEventFactories xmi:id="AuditEventFactory_1173199825608" name="auditEventFactoryImpl_1" className="com.ibm.ws.security.audit.AuditEventFactoryImpl" auditServiceProvider="AuditServiceProvider_1173199825608" auditSpecifications="AuditSpecification_1173199825610"/>
    <auditServiceProviders xmi:id="AuditServiceProvider_1173199825608" name="auditServiceProviderImpl_1" className="com.ibm.ws.security.audit.BinaryEmitterImpl" eventFormatterClass="" maxFileSize="10" maxLogs="100" fileLocation="$(LOG_ROOT)" auditSpecifications="AuditSpecification_1173199825610"/>
    <properties xmi:id="Property_1" name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE" description="custom property"/>
    <properties xmi:id="Property_2" name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERROR" description="custom property"/>
  </auditPolicy>
</security:Audit>
```
In this example, the custom properties are specified in the auditPolicy element. The Property_1 property (com.ibm.audit.terse.form.login) specifies that the SECURITY_FORM_LOGIN audit event is captured and that it is reported only for outcomes of SUCCESS or FAILURE. The Property_2 property (com.ibm.audit.terse.form.logout) specifies that the SECURITY_FORM_LOGOUT audit event is captured and that it is reported for outcomes of SUCCESS, FAILURE, or ERROR. In version 8.5.5.21 and later, Property_1 also captures the SECURITY_KERBEROS_LOGIN and SECURITY_SPNEGO_LOGIN audit events, and Property_2 also captures the SECURITY_KERBEROS_LOGOUT and SECURITY_SPNEGO_LOGOUT audit events.
The com.ibm.audit.terse.form.login and com.ibm.audit.terse.form.logout properties set, and the com.ibm.audit.terse.progname property set to true:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Audit_1173199825578">
  <auditSpecifications xmi:id="AuditSpecification_1173199825610" enabled="true" name="DefaultAuditSpecification_3">
    <event>SECURITY_AUTHN_TERMINATE</event>
    <outcome>SUCCESS</outcome>
    <outcome>REDIRECT</outcome>
    <outcome>FAILURE</outcome>
  </auditSpecifications>
  <auditPolicy xmi:id="AuditPolicy_1173199825608" auditEnabled="true" auditorId="sadie" auditorPwd="{xor}" sign="false" encrypt="false" batching="false" verbose="false">
    <auditEventFactories xmi:id="AuditEventFactory_1173199825608" name="auditEventFactoryImpl_1" className="com.ibm.ws.security.audit.AuditEventFactoryImpl" auditServiceProvider="AuditServiceProvider_1173199825608" auditSpecifications="AuditSpecification_1173199825610"/>
    <auditServiceProviders xmi:id="AuditServiceProvider_1173199825608" name="auditServiceProviderImpl_1" className="com.ibm.ws.security.audit.BinaryEmitterImpl" eventFormatterClass="" maxFileSize="10" maxLogs="100" fileLocation="$(LOG_ROOT)" auditSpecifications="AuditSpecification_1173199825610"/>
    <properties xmi:id="Property_1" name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE" description="custom property"/>
    <properties xmi:id="Property_2" name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERROR" description="custom property"/>
    <properties xmi:id="Property_3" name="com.ibm.audit.progname" value="true" description="custom property"/>
  </auditPolicy>
</security:Audit>
```
In this example, the custom properties are specified in the auditPolicy element. The Property_1 property (com.ibm.audit.terse.form.login) specifies that the SECURITY_FORM_LOGIN, SECURITY_KERBEROS_LOGIN, and SECURITY_SPNEGO_LOGIN audit events are captured and that these audit events are reported only for outcomes of SUCCESS or FAILURE. The Property_2 property (com.ibm.audit.terse.form.logout) specifies that the SECURITY_FORM_LOGOUT, SECURITY_KERBEROS_LOGOUT, and SECURITY_SPNEGO_LOGOUT audit events are captured and that these audit events are reported for outcomes of SUCCESS, FAILURE, or ERROR. The Property_3 property (com.ibm.audit.progname) specifies that the application name is included in the terse audit records.
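As an added example (not from the IBM documentation), the following Python script checks the terse audit properties in an audit.xml document: it maps the two login and logout properties to the six events they enable, reports whether the application name is recorded, and flags outcome values outside the documented list, since a misspelled outcome silently leaves those records unwritten. The sample document is constructed for the example; the property names and outcome values are the ones on this page.

```python
import xml.etree.ElementTree as ET

# Outcomes the page lists as valid; anything else in a value is a misconfiguration.
VALID_OUTCOMES = {"SUCCESS", "FAILURE", "REDIRECT", "ERROR", "DENIED", "WARNING", "INFO"}
# Terse property -> audit events it enables (Kerberos and SPNEGO from 8.5.5.21 on).
TERSE_EVENTS = {
    "com.ibm.audit.terse.form.login": ("SECURITY_FORM_LOGIN", "SECURITY_KERBEROS_LOGIN", "SECURITY_SPNEGO_LOGIN"),
    "com.ibm.audit.terse.form.logout": ("SECURITY_FORM_LOGOUT", "SECURITY_KERBEROS_LOGOUT", "SECURITY_SPNEGO_LOGOUT"),
}
# The page spells this property both ways (property list vs. second example); accept either.
PROGNAME_PROPS = {"com.ibm.audit.terse.progname", "com.ibm.audit.progname"}

def check_terse_audit(xml_text):
    """Return (enabled_events, progname_on, problems) for one audit.xml document."""
    root = ET.fromstring(xml_text)
    enabled, problems, progname_on = {}, [], False
    # <properties> children of <auditPolicy> carry no namespace prefix.
    for prop in root.iter("properties"):
        name, value = prop.get("name", ""), prop.get("value", "")
        if name in TERSE_EVENTS:
            outcomes = value.split()  # documented format: space-delimited list
            if not outcomes:
                problems.append(f"{name}: empty value, no outcomes are recorded")
            for o in outcomes:
                if o not in VALID_OUTCOMES:
                    problems.append(f"{name}: unknown outcome {o!r}")
            kept = [o for o in outcomes if o in VALID_OUTCOMES]
            for event in TERSE_EVENTS[name]:  # one property enables all three events
                enabled[event] = kept
        elif name in PROGNAME_PROPS:
            if value not in ("true", "false"):
                problems.append(f"{name}: expected true or false, got {value!r}")
            progname_on = value == "true"
    return enabled, progname_on, problems

# Constructed sample (not from the page): the logout value carries a typo, ERORR.
SAMPLE_AUDIT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi">
  <auditPolicy auditEnabled="true">
    <properties name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE"/>
    <properties name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERORR"/>
    <properties name="com.ibm.audit.terse.progname" value="true"/>
  </auditPolicy>
</security:Audit>"""

if __name__ == "__main__":
    events, progname_on, problems = check_terse_audit(SAMPLE_AUDIT_XML)
    print(events, progname_on, problems, sep="\n")
```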