Security Auditing in Dashboard Application Services Hub

Edit online

You can enable and disable security auditing in the Dashboard Application Services Hub console to capture and store supported security events.

The following security elements can be audited in the console:

  • Authentication events
  • Authorization events

When auditing is enabled these types of events are recorded in audit log files. Each audit log can to be signed and encrypted to ensure data integrity. The audit logs can be analyzed to discover breaches in the existing security mechanisms and highlight potential weaknesses in the current security infrastructure.

Use the configureConsoleAudit.sh|bat console_admin_user_ID console_admin_user_password [true|false] to enable or disable security auditing in the console.

Note:

You can experience slower performance from the console when you enable security auditing. In that case, make a backup copy of following file and manually enable the features that you need and disable the features that you do not need. Restart the console server after you make your changes to the audit.xml file:

  • JazzSM_WAS_Profile/config/cells/JazzSMNode01Cell/audit.xml

Enabling and disabling auditing

Edit online

Procedure

  1. Change directory to JazzSM_HOME/ui/bin.
  2. To enable auditing run the following command:
    • Operating systems such as UNIXLinux operating system./configureConsoleAudit.sh console_admin_user_ID console_admin_user_password true
    • Windows operating systemsconfigureConsoleAudit.bat console_admin_user_ID console_admin_user_password true

    where console_admin_user_ID is a console administrator user ID and console_admin_user_password is the associated password.

  3. To disable auditing run the following command:
    • Operating systems such as UNIXLinux operating system./configureConsoleAudit.sh console_admin_user_ID console_admin_user_password false
    • Windows operating systemsconfigureConsoleAudit.bat console_admin_user_ID console_admin_user_password false

    where console_admin_user_ID is a console administrator user ID and console_admin_user_password is the associated password.

  4. After enabling or disabling security auditing, you must restart the Jazz® for Service Management application server, see Restarting Jazz for Service Management application servers

Audit file location

Edit online

When you enable security auditing, a binary audit log file is generated, which contains the audit records for various actions that are performed in Dashboard Application Services Hub.

The log file is created in the following directory:

  • JazzSM_WAS_Profile/logs/server1

The log file is named as BinaryAudit_JazzSMNode01Cell_JazzSMNode01_server1.log.

Note: The binary audit log file can be signed and encrypted to protect the audit data. For more information, see https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_sa_audit_data_protection.html

Security event examples

Edit online

User login example

When auditing is enabled and a user logs in, a SECURITY_AUTHN event type is recorded in audit log files:

Seq = 12751 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | OutcomeReason = SUCCESS | OutcomeReasonCode = 5 | SessionId = 2EEYlMJY_5faSiMYNkTtlNJ | RemoteHost = LOCHIBA-009011111111.booktown.xyz.com | RemoteAddr = 1.23.456.789 | RemotePort = 1171 | ProgName = /kts.do | Action = webAuth | AppUserName = admin_user | ResourceName = POST | RegistryUserName = defaultWIMFileBasedRealm/admin_user | AccessDecision = authnSuccess | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Thu Jul 07 08:35:27 EDT 2015 | GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | Provider = WebSphere | ProviderStatus = providerSuccess

User logout example

When auditing is enabled and a user logs out, a SECURITY_AUTHN_TERMINATE event type is recorded in audit log files:

Seq = 18516 | Event Type = SECURITY_AUTHN_TERMINATE | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 9 | SessionId = cdkX1qziTdc2NcCIEfuNhKr | RemoteHost = localhost.localdomain | RemoteAddr = 0:0:0:0:0:0:0:1 | RemotePort = 32825 | ProgName = isclite | Action = logout | AppUserName = admin_user | ResourceName = GET | RegistryUserName = null | AccessDecision = logoutSuccess | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 08 09:20:39 EDT 2015 | GlobalInstanceId = 0 | EventTrailId = -20674659 | FirstCaller = admin_user | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | TerminateReason = logout | Provider = TIPLogout | ProviderStatus = providerSuccess | LogoutAction:29bhE1--dc9Cjm0vsA2gr-g = Logout SuccessFully

Authorization event example

For authorization events, for example, when a console administrator modifies roles, pages, or widgets, a SECURITY_MGMT_REGISTRY event types are recorded in audit log files:

Seq = 22469 | Event Type = SECURITY_MGMT_REGISTRY | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 7 | SessionId = null | RemoteHost = null | RemoteAddr = null | RemotePort = null | ProgName = isclite | Action = acl | AppUserName = admin_user | ResourceName = null | RegistryUserName = null | AccessDecision = RolesGranted | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 15 08:26:52 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = 1614842881 | FirstCaller = admin_user | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | MgmtType = null | MgmtCommand = null | Removed subject (user) 'admin_user' from the roleAssignment object = SUCCESS

Seq = 22465 | Event Type = SECURITY_MGMT_REGISTRY | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 7 | SessionId = null | RemoteHost = null | RemoteAddr = null | RemotePort = null | ProgName = isclite | Action = acl | AppUserName = admin_user | ResourceName = null | RegistryUserName = null | AccessDecision = RolesGranted | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 15 08:26:52 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = 1614842881 | FirstCaller = admin_user | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | MgmtType = null | MgmtCommand = null | Update Argus Store = Role mapping update in Argus Store