Enable security auditing using scripting

WAS v8.5 > Script the application serving environment (wsadmin) > Scripting for security > Configure security with scripting > Configure security auditing using scripting
Enable security auditing using scripting

Use this task to enable and configure security auditing in the environment with wsadmin. Security auditing provides tracking and archiving of auditable events.

Before enabling security auditing, enable administrative security in the environment.
If we previously configured security auditing and do not want to modify configuration settings, use the enableAudit and disableAudit commands to start and stop security auditing. After enabling or disabling security auditing, restart the server to apply the configuration changes. Security auditing ensures the integrity of a security computing environment. Security auditing collects and logs authentication, authorization, system management, security, and audit policy events in audit event records. We can analyze audit event records to determine possible security breaches, threats, attacks, and potential weaknesses in the security configuration of the environment.
Use the following steps to enable and configure security auditing in the environment:

Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
Verify the security auditing subsystem is configured.
To enable security auditing, configure event filters, an audit emitter, and an audit event factory. Event filters specify which event types the system audits and records, and the outcome of the event. The audit service provider writes the audit records to the backend repository associated with the implementation. The audit event factory generates security events.
By default, the security auditing system includes one audit service provider and one audit event factory.
The audit command groups provide several commands to query for event filters, audit emitters, event factories, and their respective configuration attributes. Use the audit command reference to use specific query commands. The following example commands query your security auditing configuration at a high level.

Use the getAuditFilters command to display a list of references to all audit filters defined in your configuration, as the following example demonstrates:
AdminTask.getAuditFilters()

Use the listAuditEmitters command to display a list of all audit emitters in your configuration, as the following example demonstrates:
AdminTask.listAuditEmitters()

Use the listAuditEventFactories command to display a list of all audit event factories in your configuration, as the following example demonstrates:
AdminTask.listAuditEventFactories()

Enable security auditing in the environment. Use the modifyAuditPolicy command to enable security auditing in the environment.
Command parameters. Use the following optional parameters for the modifyAuditPolicy command to customize your security auditing configuration:

Parameter Description Data type Required
-auditEnabled Whether to enable security auditing. Boolean No
-auditPolicy Behavior of the server process if the audit subsystem fails. Valid values are: WARN, NOWARN and FATAL. The WARN setting notifies the auditor when an error occurs and ceases auditing when an error occurs in the audit sub-system, but continues to run the application server process. The NOWARN setting does not notify the auditor when an error occurs and ceases auditing, but continues to run the application server process. The FATAL setting notifies the auditor of the error and stops the application server process. By default, the command assigns the NOWARN setting. String No
-auditorId ID of the user to assign to the auditor role. String No
-auditorPwd Password for the auditor role. String No
-sign Whether to sign audit records. By default, the security auditing system does not sign audit records. You must configure the signing of audit records before we can specify this parameter. Boolean No
-encrypt Whether to encrypt audit records. By default, the security auditing system does not encrypt audit records. You must configure encryption for audit records before we can specify this parameter. Boolean No
-verbose Whether to capture verbose audit data. By default, the security auditing system does not capture verbose audit data. Boolean No
-encryptionCert Specifies the reference ID of the certificate to use for encryption. Specify this parameter if you set the -encrypt parameter to true. String No

The following example command enables security auditing, and identifies the primary auditor by assigning a user and password.
AdminTask.modifyAuditPolicy('-auditEnabled true -auditorId securityAdmin -auditorPwd security4you')

Save your configuration changes.
Use the following command example to save your configuration changes:
AdminConfig.save()

Restart the server.

Results

After completing the steps to enable and configure security auditing, the profile of interest audits your security configurations for specific auditable event types.

After you configure the audit policy for the first time, use the enableAudit and disableAudit commands to turn the security auditing system on and off. The system maintains the settings defined with the modifyAuditPolicy command when we enable and disable the security auditing system.
Restart the server to apply the configuration changes.

Related

Configure auditable events using scripting
Encrypting security audit data using scripting
Signing security audit data using scripting
Configure security audit notifications using scripting
Configure security auditing using scripting
Start the wsadmin scripting client using wsadmin.sh

Reference:

AuditKeyStoreCommands command group for AdminTask
AuditEmitterCommands for AdminTask
AuditSigningCommands command group for AdminTask
AuditEncryptionCommands command group for AdminTask
AuditEventFactoryCommands for AdminTask
AuditFilterCommands command group for AdminTask
AuditNotificationCommands command group for AdminTask
AuditPolicyCommands command group for AdminTask
AuditEventFormatterCommands command group for AdminTask

+
Search Tips | Advanced Search

Parameter	Description	Data type	Required
-auditEnabled	Whether to enable security auditing.	Boolean	No
-auditPolicy	Behavior of the server process if the audit subsystem fails. Valid values are: WARN, NOWARN and FATAL. The WARN setting notifies the auditor when an error occurs and ceases auditing when an error occurs in the audit sub-system, but continues to run the application server process. The NOWARN setting does not notify the auditor when an error occurs and ceases auditing, but continues to run the application server process. The FATAL setting notifies the auditor of the error and stops the application server process. By default, the command assigns the NOWARN setting.	String	No
-auditorId	ID of the user to assign to the auditor role.	String	No
-auditorPwd	Password for the auditor role.	String	No
-sign	Whether to sign audit records. By default, the security auditing system does not sign audit records. You must configure the signing of audit records before we can specify this parameter.	Boolean	No
-encrypt	Whether to encrypt audit records. By default, the security auditing system does not encrypt audit records. You must configure encryption for audit records before we can specify this parameter.	Boolean	No
-verbose	Whether to capture verbose audit data. By default, the security auditing system does not capture verbose audit data.	Boolean	No
-encryptionCert	Specifies the reference ID of the certificate to use for encryption. Specify this parameter if you set the -encrypt parameter to true.	String	No