Set auditable events using scripting

Set auditable events using scripting

Before enabling security auditing, use this task to configure event filters using wsadmin. Security auditing provides tracking and archiving of auditable events.
Before configuring security auditing filters, enable administrative security in the environment.
Before configuring an audit event factory and audit service provider, configure event filters.
The audit service provider writes audit records to the back end repository associated with the provider implementation. The audit event factory generates security events. Event filters specify which event types and outcomes the system audits and records. Each event type has up to seven possible outcomes, including success, failure, denied, error, warning, info, and redirect. The security auditing configuration provides four default filters. Use this topic to customize the security auditing subsystem by creating additional audit event filters.
Use the following steps to configure your security auditing subsystem using wsadmin:

Launch the wsadmin scripting tool using the Jython scripting language.
Set event filters. Use the default event filters or use this step to create additional filters to customize your security auditing configuration. The application server provides the following event filters by default in the audit.xml template file:

Table 1. Provided event filters

Event Name Outcome of event
SECURITY_AUTHN SUCCESS
SECURITY_AUTHN DENIED
SECURITY_RESOURCE_ACCESS SUCCESS
SECURITY_AUTHN REDIRECT

Configure additional audit event types to capture various events. Use the following command to list all supported auditable events:
print AdminTask.getSupportedAuditEvents()

Use the createAuditFilter command with the -name, -eventType, and -outcome parameters to enable one or multiple audit events and outcomes. We can specify multiple event types and multiple outcomes separated by a comma with one command invocation.
The following list describes each valid auditable event that we can specify with the -eventType parameter:

Table 2. Event types

Event name Description
SECURITY_AUTHN Audits all authentication events
SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.

For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO.
The following command example creates an audit filter to log users who receive an error when modifying credentials:
AdminTask.createAuditFilter('-name myUniqueName -eventType SECURITY_AUTHN_CREDS_MODIFY,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')

Save the configuration changes...
AdminConfig.save()

What to do next

Enable security auditing in the environment.

Related tasks

Set audit service providers using scripting
Set audit event factories using scripting
Set security auditing using scripting
Enable security auditing using scripting
Encrypting security audit data using scripting
Signing security audit data using scripting
Set security audit notifications using scripting

Related

AuditKeyStoreCommands
AuditEmitterCommands for AdminTask
AuditSigningCommands
AuditEncryptionCommands
AuditEventFactoryCommands for AdminTask
AuditFilterCommands
AuditNotificationCommands
AuditPolicyCommands
AuditEventFormatterCommands

Event Name	Outcome of event
SECURITY_AUTHN	SUCCESS
SECURITY_AUTHN	DENIED
SECURITY_RESOURCE_ACCESS	SUCCESS
SECURITY_AUTHN	REDIRECT

Event name	Description
SECURITY_AUTHN	Audits all authentication events
SECURITY_AUTHN_MAPPING	Audits events that record mapping of credentials where two user identities are involved
SECURITY_AUTHZ	Audits events related to authorization checks when the system enforces access control policies
SECURITY_MGMT_AUDIT	Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
SECURITY_RESOURCE_ACCESS	Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given Web page, and all accesses to a critical database table
SECURITY_AUTHN_DELEGATION	Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.