
Administrative audits


This page discusses aspects of admin audits, such as log files that contain the audit information, the admin actions that are audited, and the types of audit messages that are logged.

Administrative audits use the same logging facility as the rest of the product. The audits are available in both the activity.log file and the SystemOut.log of the server that performs the action. You do not need to enable trace to produce the audits. However, through the Repository service console page, you can control whether configuration change auditing is done. This type of audit is done by default. Operational command auditing is always enabled. Information about which user performed the change is available only when security is enabled.

You can do admin audits with or without the security audit facility. The security audit facility can record unauthorized access in audit log files. You can sign and encrypt the file-based audit logs to ensure data integrity. You can protect the audit files using directory and file permissions.

The following admin actions are audited:

Configuration change audits have ADMRxxxxI message IDs, where xxxx is the message number. Operational audits have ADMN10xxI message IDs, where 10xx is the message number.

Here are some audit examples from an ND environment.

The following audit example is from the dmgr SystemOut.log file:

[7/23/03 17:04:49:089 CDT] 39c26dad FileRepositor A ADMR0015I: Document  cells/ellingtonNetwork/security.xml was modified by user u1.
[7/23/03 17:04:49:269 CDT] 3ea0edb5 FileRepositor A ADMR0016I: Document  cells/ellingtonNetwork/nodes/ellington/app.policy was created by user u1.
...
[7/23/03 17:13:54:081 CDT] 39a572a1 AdminHelper   A ADMN1008I: Attempt  made to start the SamplesGallery application. (User ID = u1)
...

The following audit example is from the node agent SystemOut.log file:

[7/23/03 17:38:43:461 CDT]  23d1326 AdminHelper   A ADMN1000I: Attempt  made to launch server1 on node ellington. (User ID = u1)

The following audit example is from the appserver SystemOut.log file:

[7/23/03 17:39:59:360 CDT] 24865373 AdminHelper   A ADMN1020I: Attempt  made to stop the server1 server. (User ID = u1)
The message text is split for printing purposes.
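
The following parser is an added example, not part of the product or its documentation. It classifies SystemOut.log lines into the two audit families by message ID and extracts the acting user. The function names, the treatment of a missing user as unattributed, and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Header layout as seen in the samples on this page:
# [timestamp] thread-id component event-type message-id: text
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-f]+)\s+(?P<component>\S+)\s+"
    r"(?P<type>[A-Z])\s+(?P<msgid>[A-Z]{4}\d{4}[A-Z]):\s+(?P<text>.*)"
)
# The two ways the sample messages name the acting user.
USER_RE = re.compile(r"by user (\S+?)\.?$|\(User ID = ([^)]+)\)")

def classify(msgid):
    """Map a message ID to the audit families described above."""
    if re.fullmatch(r"ADMR\d{4}I", msgid):
        return "config-change"
    if re.fullmatch(r"ADMN10\d{2}I", msgid):
        return "operational"
    return None

def parse_audit_line(line):
    """Return a dict for an admin audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or classify(m["msgid"]) is None:
        return None
    rec = m.groupdict()
    rec["kind"] = classify(rec["msgid"])
    u = USER_RE.search(rec["text"])
    # No user in the text is treated as "security was not enabled" (assumption).
    rec["user"] = (u.group(1) or u.group(2)) if u else None
    return rec

def summarize(lines):
    """Group (kind, msgid) pairs by user; key None collects unattributed actions."""
    by_user = defaultdict(list)
    for rec in filter(None, map(parse_audit_line, lines)):
        by_user[rec["user"]].append((rec["kind"], rec["msgid"]))
    return dict(by_user)

SAMPLE = [  # first three lines are from this page; the last two are constructed
    "[7/23/03 17:04:49:089 CDT] 39c26dad FileRepositor A ADMR0015I: Document  cells/ellingtonNetwork/security.xml was modified by user u1.",
    "[7/23/03 17:13:54:081 CDT] 39a572a1 AdminHelper   A ADMN1008I: Attempt  made to start the SamplesGallery application. (User ID = u1)",
    "[7/23/03 17:38:43:461 CDT]  23d1326 AdminHelper   A ADMN1000I: Attempt  made to launch server1 on node ellington. (User ID = u1)",
    "[7/23/03 17:40:02:000 CDT] 24865373 AdminHelper   A ADMN1020I: Attempt  made to stop the server1 server.",
    "[7/23/03 17:40:05:000 CDT] 24865373 ExampleComp   I XXXX0000I: Constructed non-audit line.",
]

if __name__ == "__main__":
    for user, actions in summarize(SAMPLE).items():
        print(user or "<unattributed>", actions)
```

Entries collected under the unattributed key are worth reviewing first, because the user is recorded only when security is enabled.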



