+

Search Tips   |   Advanced Search

Configure audit event factories using scripting

Before enabling security auditing, use this task to configure audit event factories using the wsadmin tool. Security auditing provides tracking and archiving of auditable events.

Before configuring security auditing event factories, enable administrative security in the environment.

In order to enable security auditing in the environment, configure an audit event factory. The audit event factory gathers the data associated with security events. The security auditing configuration provides a default event factory. Use this topic to customize our security auditing subsystem by creating additional audit event factories.

Use the following steps to configure our security auditing subsystem using the wsadmin tool:


Tasks

  1. Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.

  2. Configure event filters. Use the default event filters or use this step to create additional filters to customize our security auditing configuration.

    Event Name Outcome of event
    SECURITY_AUTHN SUCCESS
    SECURITY_AUTHN DENIED
    SECURITY_RESOURCE_ACCESS SUCCESS
    SECURITY_AUTHN REDIRECT

    We can configure additional audit event types to track and archive various events. To list all supported auditable events:

    print AdminTask.getSupportedAuditEvents()
    

    Use the createAuditFilter command with the -eventType and -outcome parameters to enable one or multiple audit events and outcomes. We can specify multiple event types and multiple outcomes separated by a comma with one command invocation. The following list describes each valid auditable event that we can specify with the -eventType parameter:

    Event name Description
    SECURITY_AUTHN Audits all authentication events
    SECURITY_AUTHN_MAPPING Audits events that record mapping of credentials where two user identities are involved
    SECURITY_AUTHN_TERMINATE Audits authentication termination events such as a form-based logout
    SECURITY_AUTHZ Audits events related to authorization checks when the system enforces access control policies
    SECURITY_RUNTIME Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types.
    SECURITY_MGMT_AUDIT Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on.
    SECURITY_RESOURCE_ACCESS Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table
    SECURITY_SIGNING Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services
    SECURITY_ENCRYPTION Audits events that record encryption information such as encryption for web services
    SECURITY_AUTHN_DELEGATION Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session.
    SECURITY_AUTHN_CREDS_MODIFY Audits events to modify credentials for a given user identity
    SECURITY_FORM_LOGIN Audits events of the user being logged in and the remote IP address from which the login is initiated along with the timestamp and the outcome.
    SECURITY_FORM_LOGOUT Audits events of the user being logged out and the remote IP address from which the logout is initiated along with the timestamp and the outcome.

    Important: The following security audit event types are not used in this release of WebSphere Application Server:

    For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. The following command example creates an audit filter to log users who receive an error when modifying credentials:

    AdminTask.createAuditFilter('-name uniqueFilterName -eventType 
    SECURITY_RESOURCE_ACCESS,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')
    

  3. Create an audit event factory. Use the default audit event factory or use this step to create a new audit event factory.

    Use the createAuditEventFactory command to create an audit event factory in the security configuration. Use the default implementation of the audit event factory or use a third-party implementation. To configure a third-party implementation, use the optional -customProperties parameter to specify any properties necessary to configure the audit event factory implementation.

    Parameter Description Data type Required
    -uniqueName Unique name that identifies the audit event factory. String Yes
    -className Class implementation of the audit event factory interface. String Yes
    -auditFilters Reference or a group of references to predefined audit filters, using the following format: "reference, reference, reference" String Yes
    -provider Reference to a predefined audit service provider implementation. String Yes
    -customProperties Comma (,) separated list of custom property pairs to add to the security object in the following format: attribute=value,attribute=value String No

    The following sample command creates an enables an audit event factory:

    AdminTask.createAuditEventFactory('-uniqueName eventFactory1 -className 
    com.ibm.ws.security.audit.AuditEventFactoryImpl -auditFilters 
    "AuditSpecification_1173199825608, AuditSpecification_1173199825609, AuditSpecification_1173199825610, 
    AuditSpecification_1173199825611" -provider newASP')
    

  4. Save the configuration changes.
    AdminConfig.save()
    


What to do next

Configure the audit service provider.

  • Configure auditable events using scripting
  • Configure audit service providers using scripting
  • Configure security auditing using scripting
  • Enable security auditing using scripting
  • Encrypting security audit data using scripting
  • Signing security audit data using scripting
  • Configure security audit notifications using scripting
  • Start the wsadmin scripting client
  • AuditKeyStoreCommands
  • AuditEmitterCommands for the AdminTask object
  • AuditSigningCommands
  • AuditEncryptionCommands
  • AuditEventFactoryCommands for the AdminTask object
  • AuditFilterCommands
  • AuditNotificationCommands
  • AuditPolicyCommands
  • AuditEventFormatterCommands