Auditable security events


Auditable security events are security events that have audit instrumentation added to the security run time code to enable them to be recorded. Event filters are configured to specify which auditable security events are recorded to the audit log files.

The following list describes each valid auditable event that we can specify as an enabled event type when creating an event filter:


Table 1. Event types

Event name Description
SECURITY_AUTHN Audits all authentication events
SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHN_TERMINATE Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out
SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_CONFIG Audits events related to configuration operations for a security server
SECURITY_MGMT_POLICY Audits events related to security policies, such as the creation of access control lists
SECURITY_MGMT_PROVISIONING Audits provisioning events such as the creation of an account for a user on a specific machine or adding a user to a group on a specific machine. A given provisioning event might be related to one or more SECURITY_MGMT_REGISTRY events.
SECURITY_MGMT_RESOURCE Audits resource management events such as creation, deletion, and changes to the attributes of a resource. The resource represents an entity with operations that need to be secured. An example of a resource is the TAM protected object that might represent a file, a Web page.
SECURITY_RUNTIME Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types.
SECURITY_RUNTIME_KEY Audits events related to runtime operations for certificates such as expiration checks, and invalid certificates
SECURITY_MGMT_KEY Audits events related to management operations for certificates such as creating, updating, or exporting a certificate, reading or updating a certificate request, publishing a certificate revocation list, monitoring changes to the keystore, truststore.
SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_MGMT_REGISTRY Audits registry management events such as creating users and groups, changing passwords, and changing the properties or attributes for users and groups. This event type is used to record changes by the administrator to user attributes such as address.
SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_SIGNING Audits events that record signing such as signing operations used to validate parts of a SOAP Message for Web services
SECURITY_ENCRYPTION Audits events that record encryption information such as encryption for Web services
SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.
SECURITY_AUTHN_CREDS_MODIFY Audits events to modify credentials for a given user identity

For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. Not all outcomes are applicable with all event types.

For this version of WAS, within the Security, System Management, SIB, and Web Services runtimes we can only enable auditing for the following events:





 

Related tasks


Create security auditing event type filters