
Audit the security infrastructure

We can use the Auditing Facility to report and track auditable events to ensure the integrity of the system.

During run time, all code other than the Java EE 5 application code is considered to be trusted. Each time a Java EE 5 application accesses a secured resource, any internal application server process with an audit point included can be recorded as an auditable event.

The auditing subsystem can capture the following auditable events:

Restriction: Audit instrumentation has not been included in the web services client run time.

These types of events can be recorded in audit log files. Each audit log can optionally be signed and encrypted. Security event audit records provide evidence for accountability and nonrepudiation, and support vulnerability analysis.

The security auditing configuration provides...

The default implementation writes to a binary text-file based log.


Set up steps

  1. Enable the security auditing subsystem

    Global security must be enabled for the security audit subsystem to function.

  2. Assign the auditor role to a user

    The auditor role is required to enable and configure the security auditing subsystem. The auditor role provides granularity, allowing for separation of the auditing role from the authority of the administrator. When Security Auditing is initially enabled, the cell administrator has auditor privileges. If the environment requires separation of privileges, then changes will need to be made to the default role assignments.

  3. Create security auditing event type filters

    We can configure filters to only record a specific subset of auditable event types.

  4. Configure the audit service provider

    The audit service provider formats audit data objects before outputting the data to a repository. A default audit service provider implementation is included. A third-party implementation can also be coded and used.

  5. Configure audit event factories for security auditing

    The audit event factory gathers the data associated with the auditable events, then creates an audit data object. The audit data object is then sent to the audit service provider to be formatted and recorded to the repository.

  6. Protect the security audit data

    We can encrypt and sign the audit data.

  7. Configure security audit subsystem failure notifications

    Notifications can be enabled to generate alerts when the security auditing subsystem experiences a failure. Notifications can be configured to record an alert in the System logs or can be configured to send an alert through email to a specified list of recipients.


Related tasks

Task overview: Securing resources
  • Configure security auditing
  • Administrative roles, including Auditor