Set audit event factories using scripting
Before enabling security auditing, use this task to configure audit event factories using wsadmin. Security auditing provides tracking and archiving of auditable events.
Before configuring security auditing event factories, enable administrative security in the environment.
In order to enable security auditing in the environment, configure an audit event factory. The audit event factory gathers the data that is associated with security events. The security auditing configuration provides a default event factory. Use this topic to customize the security auditing subsystem by creating additional audit event factories.
Use the following steps to configure your security auditing subsystem using wsadmin:
- Launch the wsadmin scripting tool using the Jython scripting language.
- Set event filters. Use the default event filters or use this step to create additional filters to customize your security auditing configuration.
The appserver provides the following event filters by default in the audit.xml template file:
| Event name | Outcome of event |
|---|---|
| SECURITY_AUTHN | SUCCESS |
| SECURITY_AUTHN | DENIED |
| SECURITY_RESOURCE_ACCESS | SUCCESS |
| SECURITY_AUTHN | REDIRECT |
Configure additional audit event types to track and archive various events. Use the following command to list all supported auditable events:
print AdminTask.getSupportedAuditEvents()

Use the createAuditFilter command with the -eventType and -outcome parameters to enable one or multiple audit events and outcomes. We can specify multiple event types and multiple outcomes, separated by commas, in one command invocation.
The following list describes each valid auditable event that we can specify with the -eventType parameter:
Table 1. Event types
| Event name | Description |
|---|---|
| SECURITY_AUTHN | Audits all authentication events |
| SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
| SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, a terminated session, or a user-initiated logout |
| SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
| SECURITY_MGMT_CONFIG | Audits events related to configuration operations for a security server |
| SECURITY_MGMT_POLICY | Audits events related to security policies, such as the creation of access control lists |
| SECURITY_MGMT_PROVISIONING | Audits provisioning events such as the creation of an account for a user on a specific machine or adding a user to a group on a specific machine. A given provisioning event might be related to one or more SECURITY_MGMT_REGISTRY events. |
| SECURITY_MGMT_RESOURCE | Audits resource management events such as creation, deletion, and changes to the attributes of a resource. The resource represents an entity with operations that need to be secured. An example of a resource is the TAM protected object that might represent a file or a Web page. |
| SECURITY_RUNTIME | Audits runtime events such as the starting and stopping of security servers. This event type is not meant for administrative operations performed by a system administrator; such operations use the other SECURITY_MGMT_* event types. |
| SECURITY_RUNTIME_KEY | Audits events related to runtime operations for certificates, such as expiration checks and invalid certificates |
| SECURITY_MGMT_KEY | Audits events related to management operations for certificates, such as creating, updating, or exporting a certificate, reading or updating a certificate request, publishing a certificate revocation list, and monitoring changes to the keystore or truststore |
| SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem, such as starting audit, stopping audit, turning audit on or off, changing the configuration of audit filters or level, archiving audit data, purging audit data, and so on |
| SECURITY_MGMT_REGISTRY | Audits registry management events such as creating users and groups, changing passwords, and changing the properties or attributes of users and groups. This event type is used to record changes by the administrator to user attributes such as address. |
| SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table |
| SECURITY_SIGNING | Audits events that record signing, such as signing operations used to validate parts of a SOAP message for Web services |
| SECURITY_ENCRYPTION | Audits events that record encryption information, such as encryption for Web services |
| SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
| SECURITY_AUTHN_CREDS_MODIFY | Audits events that modify credentials for a given user identity |
The following security audit event types are not used in this release of WAS but will be considered for use in a future release:
- SECURITY_MGMT_KEY
- SECURITY_RUNTIME_KEY
- SECURITY_MGMT_PROVISIONING
- SECURITY_MGMT_REGISTRY
- SECURITY_RUNTIME
For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO.
The following command example creates an audit filter to log users who receive an error when modifying credentials:
AdminTask.createAuditFilter('-name uniqueFilterName -eventType SECURITY_AUTHN_CREDS_MODIFY,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')

- Create an audit event factory. Use the default audit event factory or use this step to create a new audit event factory.
Use the createAuditEventFactory command to create an audit event factory in the security configuration. Use the default implementation of the audit event factory or use a third-party implementation. To configure a third-party implementation, use the optional -customProperties parameter to specify any properties necessary to configure the audit event factory implementation. Specify the following parameters with the createAuditEventFactory command to configure the audit event factory:
Table 2. Required parameters
| Parameter | Description | Data type | Required |
|---|---|---|---|
| -uniqueName | Specifies a unique name that identifies the audit event factory. | String | Yes |
| -className | Class implementation of the audit event factory interface. | String | Yes |
| -auditFilters | Specifies a reference or a group of references to predefined audit filters, using the following format: "reference, reference, reference" | String | Yes |
| -provider | Specifies a reference to a predefined audit service provider implementation. | String | Yes |
| -customProperties | Comma (,) separated list of custom property pairs to add to the security object, in the following format: attribute=value,attribute=value | String | No |
The following sample command creates and enables an audit event factory:
AdminTask.createAuditEventFactory('-uniqueName eventFactory1 -className com.ibm.ws.security.audit.AuditEventFactoryImpl -auditFilters "AuditSpecification_1173199825608, AuditSpecification_1173199825609, AuditSpecification_1173199825610, AuditSpecification_1173199825611" -provider newASP')

- Save the configuration changes:
AdminConfig.save()
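As an added example (not code from the IBM documentation), the following Jython script for wsadmin assembles the createAuditFilter and createAuditEventFactory parameter strings for the steps above, checks them against the event types and outcomes listed on this page, and applies them only when it is run inside wsadmin. It assumes the filter name credsModifyErrors, the provider reference newASP, and that createAuditFilter returns the configuration ID of the new filter.

```python
# Added example, not from the WAS documentation; the value lists below are taken from this page.
EVENT_TYPES = (
    "SECURITY_AUTHN", "SECURITY_AUTHN_MAPPING", "SECURITY_AUTHN_TERMINATE", "SECURITY_AUTHZ",
    "SECURITY_MGMT_CONFIG", "SECURITY_MGMT_POLICY", "SECURITY_MGMT_PROVISIONING",
    "SECURITY_MGMT_RESOURCE", "SECURITY_RUNTIME", "SECURITY_RUNTIME_KEY", "SECURITY_MGMT_KEY",
    "SECURITY_MGMT_AUDIT", "SECURITY_MGMT_REGISTRY", "SECURITY_RESOURCE_ACCESS",
    "SECURITY_SIGNING", "SECURITY_ENCRYPTION", "SECURITY_AUTHN_DELEGATION",
    "SECURITY_AUTHN_CREDS_MODIFY")
# Accepted by createAuditFilter but not emitted in this release: a filter on them records nothing.
NOT_USED = ("SECURITY_MGMT_KEY", "SECURITY_RUNTIME_KEY", "SECURITY_MGMT_PROVISIONING",
            "SECURITY_MGMT_REGISTRY", "SECURITY_RUNTIME")
OUTCOMES = ("SUCCESS", "FAILURE", "REDIRECT", "ERROR", "DENIED", "WARNING", "INFO")
DEFAULT_FACTORY_CLASS = "com.ibm.ws.security.audit.AuditEventFactoryImpl"

def audit_filter_params(name, event_types, outcomes):
    """Parameter string for AdminTask.createAuditFilter; rejects values not listed above."""
    for event in event_types:
        if event not in EVENT_TYPES:
            raise ValueError("unknown event type: %s" % event)
        if event in NOT_USED:
            print("warning: %s is not used in this release of WAS" % event)
    for outcome in outcomes:
        if outcome not in OUTCOMES:
            raise ValueError("unknown outcome: %s" % outcome)
    return "-name %s -eventType %s -outcome %s" % (name, ",".join(event_types), ",".join(outcomes))

def event_factory_params(unique_name, filter_refs, provider,
                         class_name=DEFAULT_FACTORY_CLASS, custom_props=()):
    """Parameter string for AdminTask.createAuditEventFactory in the Table 2 format."""
    # -auditFilters is a single quoted value: "reference, reference, reference".
    params = '-uniqueName %s -className %s -auditFilters "%s" -provider %s' % (
        unique_name, class_name, ", ".join(filter_refs), provider)
    if custom_props:  # (attribute, value) pairs; only needed for a third-party implementation
        params += " -customProperties " + ",".join(["%s=%s" % kv for kv in custom_props])
    return params

def configure(admin_task, admin_config, provider):
    """Create one filter and a factory that uses it, then save; runs only inside wsadmin."""
    # Assumption: createAuditFilter returns the configuration ID of the new filter.
    ref = admin_task.createAuditFilter(audit_filter_params(
        "credsModifyErrors", ["SECURITY_AUTHN_CREDS_MODIFY", "SECURITY_AUTHN_DELEGATION"],
        ["ERROR", "REDIRECT"]))
    admin_task.createAuditEventFactory(event_factory_params("eventFactory1", [ref], provider))
    admin_config.save()
    return ref

# wsadmin defines AdminTask and AdminConfig; a plain Python run (or an import) does not.
if "AdminTask" in globals():
    configure(AdminTask, AdminConfig, "newASP")
```

The script uses only string formatting that both the wsadmin Jython interpreter and a current Python accept, so the parameter builders can be exercised outside wsadmin before the configuration is touched.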
What to do next
Set the audit service provider.