Secure socket connection auditing

Socket connections that are protected by a security protocol that is known to the system are audited with the audit level *NETSECURE. The security protocols that are known to the system are System TLS and VPN.

System TLS

Audit records are generated for System TLS successful and failed secure socket connections when the audit level contains *NETSECURE.

Successful System TLS connections produce SK-S records that contain the secure properties that are used for the connection. The SK-S audit records for successful TLS connections contain the following information:
  • Address family (IPv4 or IPv6)
  • Local IP address
  • Local port
  • Remote IP address
  • Remote port
  • Secure version field that contains the protocol that was used (for example, TLSv1.2)
  • Secure properties field that contains the connection properties (including cipher, signature algorithm, and named curve, if applicable)
Failed System TLS connections produce SK-X audit records for a failed secure handshake. The SK-X audit records for failed TLS connections contain the following information:
  • Address family (IPv4 or IPv6)
  • Local IP address
  • Local port
  • Remote IP address
  • Remote port
  • Secure version field that contains the protocol, if applicable (for example, TLSv1.2)
  • Secure properties field that contains the return value
  • Secure information field that contains the detailed error message that was returned from the failed connection

Virtual Private Networking (VPN)

When audit level *NETSECURE is enabled for system level auditing, Internet Key Exchange (IKE) negotiations are audited when a VPN connection is successfully established.

The SK-S audit records for IKE contain the following information:
  • Address family (IPv4 or IPv6)
  • Local IP address
  • Local port
  • Remote IP address
  • Remote port
  • Secure version field that contains the IKE version used (IKEv1 or IKEv2)
  • Secure properties field that contains the IKE policy (phase 1) security association algorithms and data policy (phase 2) security association algorithms
  • Secure information field that contains the VPN connection name

When audit level *NETSECURE is enabled for system or user level auditing, TCP connections and UDP traffic are audited if they are transferred with IPsec over the established VPN connection.

The SK-S audit records for IPsec contain the following information:
  • Address family (IPv4 or IPv6)
  • Local IP address
  • Local port
  • Remote IP address
  • Remote port
  • Secure version field that contains the data transfer protocol used (IPsec TCP or IPsec UDP)
  • Secure properties field that contains the data policy (phase 2) security association algorithms
  • Secure information field that contains the VPN connection name
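The SK-S and SK-X fields listed for System TLS above and for IKE and IPsec in this section share one layout (address family, the local and remote address and port, and the secure version, secure properties and secure information fields). The following Python is an added example, not IBM i code, of how a reviewer might triage a batch of such records once they have been pulled from the audit journal: it flags successful TLS connections that negotiated a legacy protocol version, counts failed handshakes per remote address, and groups IKE and IPsec records by VPN connection name. The dictionary keys, the `SAMPLE_RECORDS` values and the `LEGACY_TLS_VERSIONS` set are all assumptions made for the example; the real journal entries have to be mapped onto these keys by whatever tool extracts them.

```python
"""Triage helpers for *NETSECURE audit records (SK-S and SK-X).

Added example, not IBM i code. The dict layout is an assumption: its keys
mirror the field names the page lists for SK-S and SK-X records, and a real
deployment would fill them from the audit journal. All values are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample records; the keys are assumed names for the page's fields.
SAMPLE_RECORDS = [
    # Successful TLS 1.2 connection.
    {"type": "SK-S", "family": "IPv4", "local_ip": "10.0.0.5", "local_port": 443,
     "remote_ip": "192.0.2.10", "remote_port": 51234, "version": "TLSv1.2",
     "properties": "cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 sig=RSA curve=secp256r1",
     "info": ""},
    # Successful, but a legacy protocol version was negotiated.
    {"type": "SK-S", "family": "IPv4", "local_ip": "10.0.0.5", "local_port": 443,
     "remote_ip": "192.0.2.11", "remote_port": 51235, "version": "TLSv1.0",
     "properties": "cipher=TLS_RSA_WITH_AES_128_CBC_SHA sig=RSA", "info": ""},
    # Failed handshakes: version may be absent, properties carry the return value,
    # info carries the error message (constructed text, not a real message).
    {"type": "SK-X", "family": "IPv6", "local_ip": "2001:db8::5", "local_port": 443,
     "remote_ip": "2001:db8::99", "remote_port": 40001, "version": "",
     "properties": "-1", "info": "No shared cipher suite"},
    {"type": "SK-X", "family": "IPv4", "local_ip": "10.0.0.5", "local_port": 443,
     "remote_ip": "198.51.100.7", "remote_port": 40002, "version": "TLSv1.2",
     "properties": "-1", "info": "Certificate not trusted"},
    {"type": "SK-X", "family": "IPv4", "local_ip": "10.0.0.5", "local_port": 443,
     "remote_ip": "198.51.100.7", "remote_port": 40003, "version": "TLSv1.2",
     "properties": "-1", "info": "Certificate not trusted"},
    # VPN: the IKE negotiation and later IPsec data transfer for one connection.
    {"type": "SK-S", "family": "IPv4", "local_ip": "10.0.0.5", "local_port": 500,
     "remote_ip": "203.0.113.1", "remote_port": 500, "version": "IKEv2",
     "properties": "phase1=AES256-SHA256-DH14 phase2=ESP-AES128-SHA256",
     "info": "VPN_SITE_A"},
    {"type": "SK-S", "family": "IPv4", "local_ip": "10.0.0.5", "local_port": 8443,
     "remote_ip": "203.0.113.50", "remote_port": 60000, "version": "IPsec TCP",
     "properties": "phase2=ESP-AES128-SHA256", "info": "VPN_SITE_A"},
]

# Assumed policy: versions a reviewer wants to see retired.
LEGACY_TLS_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def classify(record):
    """Return 'tls', 'ike', 'ipsec' or 'unknown' based on the secure version field.

    SK-X records are only produced for System TLS, so a failed record with an
    empty version field is still classified as TLS.
    """
    v = record["version"]
    if v.startswith("IKE"):
        return "ike"
    if v.startswith("IPsec"):
        return "ipsec"
    if v.startswith(("TLS", "SSL")) or record["type"] == "SK-X":
        return "tls"
    return "unknown"


def legacy_tls_connections(records):
    """Successful TLS connections (SK-S) that negotiated a legacy protocol version."""
    return [r for r in records
            if r["type"] == "SK-S" and classify(r) == "tls"
            and r["version"] in LEGACY_TLS_VERSIONS]


def failed_handshakes_by_remote(records):
    """Count SK-X (failed handshake) records per remote IP address."""
    return Counter(r["remote_ip"] for r in records if r["type"] == "SK-X")


def vpn_activity(records):
    """Group IKE and IPsec SK-S records by VPN connection name (secure information field)."""
    out = defaultdict(lambda: {"ike_version": None, "ipsec_protocols": set(), "peers": set()})
    for r in records:
        kind = classify(r)
        if kind not in ("ike", "ipsec"):
            continue
        entry = out[r["info"]]
        entry["peers"].add(r["remote_ip"])
        if kind == "ike":
            entry["ike_version"] = r["version"]
        else:
            entry["ipsec_protocols"].add(r["version"])
    return dict(out)


def triage(records, failure_threshold=2):
    """Summary a reviewer can act on: legacy versions, noisy peers, failure reasons, VPNs."""
    failures = failed_handshakes_by_remote(records)
    return {
        "legacy_tls_remotes": sorted(r["remote_ip"] for r in legacy_tls_connections(records)),
        "noisy_remotes": sorted(ip for ip, n in failures.items() if n >= failure_threshold),
        "failure_reasons": Counter(r["info"] for r in records if r["type"] == "SK-X"),
        "vpn": vpn_activity(records),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_RECORDS))
```

The `failure_threshold` is deliberately low for the constructed data; in practice the count of SK-X records per remote over a reporting window is what separates a misconfigured client from a scanner, and the secure information field tells you which of the two you are looking at.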

The audit interval, the period over which multiple audit records are created for the same secure UDP packet four-tuple, is configurable through the System Service Tools (SST) Advanced Analysis command IPCONFIG option udpAuditInterval. The audit interval is enforced for secure UDP traffic when the audit level contains *NETSECURE. For more information about how to set this option, see UDP Traffic.

You can restrict auditing to secure TCP traffic only by disabling secure UDP auditing. The System Service Tools (SST) Advanced Analysis command TLSCONFIG option netsecureUDP defaults to enabled and is only applicable when the audit level contains *NETSECURE. TLSCONFIG option -h displays the help panel that describes how to set the secure UDP auditing option.

To disable auditing for secure UDP traffic, use this command:
TLSCONFIG -netsecureUDP:disabled

Secure Telnet server

Secure Telnet server connections are audited only when both audit levels *NETTELSVR and *NETSECURE are enabled. Secure Telnet connections create SK-A, SK-S, and SK-X records in the same manner as other System TLS applications.

Secure Telnet server auditing can be enabled independently from Telnet server connection auditing by using TLSCONFIG option netsecureTelnetServer. A user can enable auditing for the secure Telnet server without enabling audit level *NETTELSVR. This option is enforced only when the audit level contains *NETSECURE and is disabled by default. TLSCONFIG option -h displays the help panel that describes how to set the secure Telnet server auditing option.

To enable auditing for secure Telnet connections, use this command:
TLSCONFIG -netsecureTelnetServer:enabled