Configure auditable events using scripting
Before enabling security auditing, use this task to configure event filters using the wsadmin tool. Security auditing provides tracking and archiving of auditable events.
Before configuring security auditing filters, enable administrative security in the environment.
Before configuring an audit event factory and audit service provider, configure event filters. The audit service provider writes audit records to the back end repository associated with the provider implementation. The audit event factory generates security events. Event filters specify which event types and outcomes the system audits and records. Each event type has up to seven possible outcomes, including success, failure, denied, error, warning, info, and redirect. The security auditing configuration provides four default filters. Use this topic to customize our security auditing subsystem by creating additional audit event filters.
Use the following steps to configure our security auditing subsystem using the wsadmin tool:
Tasks
- Launch the wsadmin scripting tool using the Jython scripting language. See the Starting the wsadmin scripting client article for more information.
- Configure event filters. Use the default event filters or use this step to create additional filters to customize our security auditing configuration.
Event Name Outcome of event SECURITY_AUTHN SUCCESS SECURITY_AUTHN DENIED SECURITY_RESOURCE_ACCESS SUCCESS SECURITY_AUTHN REDIRECT We can configure additional audit event types to capture various events. To list all supported auditable events:
print AdminTask.getSupportedAuditEvents()
Use the createAuditFilter command with the -name, -eventType, and -outcome parameters to enable one or multiple audit events and outcomes. We can specify multiple event types and multiple outcomes separated by a comma with one command invocation.
Event name Description SECURITY_AUTHN Audit authentication events SECURITY_AUTHN_MAPPING Audit events that record mapping of credentials where two user identities are involved SECURITY_AUTHZ Audit events related to authorization checks when the system enforces access control policies SECURITY_MGMT_AUDIT Audit events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. SECURITY_RESOURCE_ACCESS Audit events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table SECURITY_AUTHN_DELEGATION Audit events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. For each audit event type, specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO.
Example: Create an audit filter to log users who receive an error when modifying credentials:
AdminTask.createAuditFilter('-name myUniqueName -eventType SECURITY_RESOURCE_ACCESS,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')
- Save the configuration changes.
AdminConfig.save()
What to do next
Enable security auditing in the environment.
Configure audit service providers using scripting Configure audit event factories using scripting Configure security auditing using scripting Enable security auditing using scripting Encrypting security audit data using scripting Signing security audit data using scripting Configure security audit notifications using scripting Start the wsadmin scripting client AuditKeyStoreCommands AuditEmitterCommands for the AdminTask object AuditSigningCommands AuditEncryptionCommands AuditEventFactoryCommands for the AdminTask object AuditFilterCommands AuditNotificationCommands AuditPolicyCommands AuditEventFormatterCommands