Auditable security events
Auditable security events are security events with audit instrumentation that is added to the security runtime code to enable them to be recorded. Event filters are configured to specify which auditable security events are recorded to the audit log files.
The following list describes each valid auditable event that you can specify as an enabled event
type when you create an event filter:
| Event name | Description |
|---|---|
| ADMIN_REPOSITORY_SAVE | Depending on the outcome of the save, an audit record results. If needed, configure checkpoints. |
| SECURITY_AUTHN | Audits all authentication events |
| SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
| SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a form-based logout |
| SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
| SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
| SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
| SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
| SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
| SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
| SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
| SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |
| SECURITY_FORM_LOGIN | Audits events of the user being logged in and the remote IP address from which
the login is initiated along with the timestamp and the outcome. To enable this event, the
com.ibm.audit.terse.form.login property needs to be configured in the
audit.xml file. Currently this event is not shown in the administrative
console, but the audit event is activated in the BinaryAudit.log file. |
| SECURITY_FORM_LOGOUT | Audits events of the user being logged out and the remote IP address from
which the logout is initiated along with the timestamp and the outcome. To enable this event, the
com.ibm.audit.terse.form.logout property needs to be configured in the
audit.xml file. Currently this event is not shown in the administrative
console, but the audit event is activated in the BinaryAudit.log file. |
|
|
Audits events of the user performing a web login into Kerberos and the remote
IP address from which the login is initiated along with the timestamp and the outcome. To enable
this event, the com.ibm.audit.terse.form.login property needs to be configured in
the audit.xml file. Currently this event is not shown in the administrative
console, but the audit event is activated in the BinaryAudit.log file. |
|
|
Audits events of the user performing a web logout into Kerberos and the remote
IP address from which the logout is initiated along with the timestamp and the outcome. To enable
this event, the com.ibm.audit.terse.form.logout property needs to be configured in
the audit.xml file. Currently this event is not shown in the administrative
console, but the audit event is activated in the BinaryAudit.log file. |
|
|
Audits events of the user performing a web login into Spnego and the remote IP
address from which the login is initiated along with the timestamp and the outcome. To enable this
event, the com.ibm.audit.terse.form.login property needs to be configured in the
audit.xml file. Currently this event is not shown in the administrative
console, but the audit event is activated in the BinaryAudit.log file. |
|
|
Audits events of the user performing a web logout into Spnego and the remote
IP address from which the logout is initiated along with the timestamp and the outcome. To enable
this event, the com.ibm.audit.terse.form.logout property needs to be configured in
the audit.xml file. Currently this event is not shown in the administrative
console, but the audit event is activated in the BinaryAudit.log file. . |
For each audit event type, you must specify an outcome. Valid outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING, and INFO. Not all outcomes are applicable with all event types.
The resulting audit event contains only the following details.
- The timestamp
- The ID of the user who is being logged in or out
- The remote IP address from which the login or logout is initiated.
- The outcome of the event
Terse audit record custom properties
The following properties support federal regulation compliance with minimal performance usage by
allowing for the capture of web UI logins and logouts with a minimum amount of audit data. These
properties must be manually specified in an audit.xml file and are not
configurable through the administrative console or scripting.
- com.ibm.audit.terse.form.login
- The value for this property consists of a space-delimited list of valid outcomes. It enables the
SECURITY_FORM_LOGINevent. Specify the outcomes to be included in this audit event in the value parameter. ![[8.5.5.21 or later]](../images/ng_v85521.svg)
In version 8.5.5.21 and later, the
com.ibm.audit.terse.form.loginproperty enables theSECURITY_FORM_LOGIN,SECURITY_KERBEROS_LOGIN, andSECURITY_SPNEGO_LOGINaudit events. Specify the outcomes to be included in these audit events in the value parameter. When this property is added in the audit.xml file, web logins to environments where Kerberos or SPNEGO are configured produce a minimum amount of audit data.- com.ibm.audit.terse.form.logout
- The value for this property consists of a space-delimited list of valid outcomes. It enables the
SECURITY_FORM_LOGOUTaudit event. Specify the outcomes to be included in this audit event in the value parameter. - In version 8.5.5.21 and later, the
com.ibm.audit.terse.form.logoutproperty enables theSECURITY_FORM_LOGOUT,SECURITY_KERBEROS_LOGOUT, andSECURITY_SPNEGO_LOGOUTaudit events. Specify the outcomes to be included in these audit events in the value parameter. When this property is added in the audit.xml file, web logouts from environments where Kerberos or SPNEGO are configured produce a minimum amount of audit data. - com.ibm.audit.terse.progname
- When this property is set to
true, the name of the application that is being logged in to and out of is included in the terse audit record. Valid values aretrueorfalse. By default, the application name is not included in the terse audit record.
Examples for setting audit custom properties in the audit.xml file
The following example shows an audit.xml file with both the
com.ibm.audit.terse.form.login and com.ibm.audit.terse.form.logout
properties set.<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Audit_1173199825578">
<auditSpecifications xmi:id="AuditSpecification_1173199825610" enabled="true" name="DefaultAuditSpecification_3">
<event>SECURITY_AUTHN_TERMINATE</event>
<outcome>SUCCESS</outcome>
<outcome>REDIRECT</outcome>
<outcome>FAILURE</outcome>
</auditSpecifications>
<auditPolicy xmi:id="AuditPolicy_1173199825608" auditEnabled="true" auditorId="sadie" auditorPwd="{xor}" sign="false" encrypt="false" batching="false" verbose="false">
<auditEventFactories xmi:id="AuditEventFactory_1173199825608" name="auditEventFactoryImpl_1" className="com.ibm.ws.security.audit.AuditEventFactoryImpl" auditServiceProvider="AuditServiceProvider_1173199825608" auditSpecifications="AuditSpecification_1173199825610"/>
<auditServiceProviders xmi:id="AuditServiceProvider_1173199825608" name="auditServiceProviderImpl_1" className="com.ibm.ws.security.audit.BinaryEmitterImpl" eventFormatterClass="" maxFileSize="10" maxLogs="100" fileLocation="$(LOG_ROOT)" auditSpecifications="AuditSpecification_1173199825610"/>
<properties xmi:id="Property_1" name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE" description="custom property"/>
<properties xmi:id="Property_2" name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERROR" description=" custom property"/>
</auditPolicy>
</security:Audit> auditPolicy element. The Property_1 property
(com.ibm.audit.terse.form.login) specifies that the
SECURITY_FORM_LOGIN audit event is captured and that it is reported only for
outcomes of either SUCCESS or FAILURE. The Property_2 property
(com.ibm.audit.terse.form.logout) specifies that the
SECURITY_FORM_LOGOUT audit event is captured and that it is reported for outcomes
of SUCCESS, FAILURE, or ERROR.In version 8.5.5.21 and later, Property_1 also captures
the SECURITY_KERBEROS_LOGIN and SECURITY_SPNEGO_LOGIN audit
events. Property_2 also captures the SECURITY_KERBEROS_LOGOUT and
SECURITY_SPNEGO_LOGOUT audit events.
The following example shows an audit.xml file with
both the com.ibm.audit.terse.form.login and
com.ibm.audit.terse.form.logout properties set and the
com.ibm.audit.terse.progname property set to
true.<?xml version="1.0" encoding="UTF-8"?>
<security:Audit xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi" xmi:id="Audit_1173199825578">
<auditSpecifications xmi:id="AuditSpecification_1173199825610" enabled="true" name="DefaultAuditSpecification_3">
<event>SECURITY_AUTHN_TERMINATE</event>
<outcome>SUCCESS</outcome>
<outcome>REDIRECT</outcome>
<outcome>FAILURE</outcome>
</auditSpecifications>
<auditPolicy xmi:id="AuditPolicy_1173199825608" auditEnabled="true" auditorId="sadie" auditorPwd="{xor}" sign="false" encrypt="false" batching="false" verbose="false">
<auditEventFactories xmi:id="AuditEventFactory_1173199825608" name="auditEventFactoryImpl_1" className="com.ibm.ws.security.audit.AuditEventFactoryImpl" auditServiceProvider="AuditServiceProvider_1173199825608" auditSpecifications="AuditSpecification_1173199825610"/>
<auditServiceProviders xmi:id="AuditServiceProvider_1173199825608" name="auditServiceProviderImpl_1" className="com.ibm.ws.security.audit.BinaryEmitterImpl" eventFormatterClass="" maxFileSize="10" maxLogs="100" fileLocation="$(LOG_ROOT)" auditSpecifications="AuditSpecification_1173199825610"/>
<properties xmi:id="Property_1" name="com.ibm.audit.terse.form.login" value="SUCCESS FAILURE" description="custom property"/>
<properties xmi:id="Property_2" name="com.ibm.audit.terse.form.logout" value="SUCCESS FAILURE ERROR" description="custom property"/>
<properties xmi:id="Property_3" name="com.ibm.audit.progname" value="true" description="custom property"/>
</auditPolicy>
</security:Audit>
In this example the custom properties are specified in the auditPolicy element.
The Property_1 property (com.ibm.audit.terse.form.login) specifies
that the SECURITY_FORM_LOGIN, SECURITY_KERBEROS_LOGIN, and
SECURITY_SPNEGO_LOGIN audit events are captured and that these audit events are
reported only for outcomes of either SUCCESS or FAILURE. The Property_2 property
(com.ibm.audit.terse.form.logout) specifies that the
SECURITY_FORM_LOGOUT, SECURITY_KERBEROS_LOGOUT, and
SECURITY_SPNEGO_LOGOUT audit events are captured and that these audit event are
reported for outcomes of SUCCESS, FAILURE, or ERROR. The Property_3 property
(com.ibm.audit.progname) specifies that the application name is included in the
terse audit records.