Auditable security events
Auditable security events are security events for which audit instrumentation has been added to the security runtime code so that they can be recorded. Event filters are configured to specify which auditable security events are recorded to the audit log files.
For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. Not all outcomes are applicable to all event types.
The following list describes each valid auditable event that you can specify as an enabled event type when creating an event filter:
| Event name | Description |
|---|---|
| SECURITY_AUTHN | Audits all authentication events |
| SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
| SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a form-based logout |
| SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
| SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
| SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
| SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
| SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
| SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
| SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
| SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |

Support for the SECURITY_RUNTIME auditing event type has been fully implemented for this release of WAS. It audits runtime events such as the starting and the stopping of security servers.
(zos)
tables map the Security auditing event types and event outcomes to
| Event name | SMF Code | SMF Unload Keyword |
|---|---|---|
| SECURITY_AUTHN | 1 | *WASAUTN |
| SECURITY_AUTHN_MAPPING | 3 | *WASAUTM |
| SECURITY_AUTHN_TERMINATE | 2 | *WASAUTT |
| SECURITY_AUTHZ | 4 | *WASAUTZ |
| SECURITY_MGMT_CONFIG | 8 | *WASCONF |
| SECURITY_MGMT_POLICY | 5 | *WASPOLM |
| SECURITY_MGMT_PROVISIONING | 9 | *WASPROV |
| SECURITY_MGMT_RESOURCE | 10 | *WASRESM |
| SECURITY_RUNTIME | 7 | *WASRUNT |
| SECURITY_RUNTIME_KEY | 11 | *WASKEYR |
| SECURITY_MGMT_KEY | 12 | *WASKEYM |
| SECURITY_MGMT_AUDIT | 13 | *WASAUDI |
| SECURITY_MGMT_REGISTRY | 6 | *WASREGM |
| SECURITY_RESOURCE_ACCESS | 14 | *WASACCE |
| SECURITY_SIGNING | 15 | *WASSIGN |
| SECURITY_ENCRYPTION | 16 | *WASCRYP |
| SECURITY_AUTHN_DELEGATION | 17 | *WASDELE |

| Event Outcome | SMF Qualifier | SMF Unload Keyword |
|---|---|---|
| SUCCESSFUL | 0 | SUCCESS |
| INFO | 1 | INFO |
| WARNING | 2 | WARNING |
| FAILURE | 3 | FAILURE |
| REDIRECT | 4 | REDIRECT |
| DENIED | 5 | DENIED |
Related tasks
Create security auditing event type filters