Security Auditing in Dashboard Application Services Hub
You can enable and disable security auditing in the Dashboard Application Services Hub console to capture and store supported security events.
The following security elements can be audited in the console:
- Authentication events
- Authorization events
When auditing is enabled, these types of events are recorded in audit log files. Each audit log can be signed and encrypted to ensure data integrity. The audit logs can be analyzed to discover breaches in the existing security mechanisms and highlight potential weaknesses in the current security infrastructure.
Use the configureConsoleAudit.sh|bat console_admin_user_ID console_admin_user_password [true|false] command to enable or disable security auditing in the console.
You can experience slower performance from the console when you enable security auditing. In that case, make a backup copy of the following file, then manually enable the features that you need and disable the features that you do not need. Restart the console server after you make your changes to the audit.xml file:
- JazzSM_WAS_Profile/config/cells/JazzSMNode01Cell/audit.xml
Enabling and disabling auditing
Procedure
Audit file location
When you enable security auditing, a binary audit log file is generated, which contains the audit records for various actions that are performed in Dashboard Application Services Hub.
The log file is created in the following directory:
- JazzSM_WAS_Profile/logs/server1
The log file is named BinaryAudit_JazzSMNode01Cell_JazzSMNode01_server1.log.
Security event examples
User login example
When auditing is enabled and a user logs in, a SECURITY_AUTHN event type is recorded in audit log files:
Seq = 12751 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | OutcomeReason = SUCCESS | OutcomeReasonCode = 5 | SessionId = 2EEYlMJY_5faSiMYNkTtlNJ | RemoteHost = LOCHIBA-009011111111.booktown.xyz.com | RemoteAddr = 1.23.456.789 | RemotePort = 1171 | ProgName = /kts.do | Action = webAuth | AppUserName = admin_user | ResourceName = POST | RegistryUserName = defaultWIMFileBasedRealm/admin_user | AccessDecision = authnSuccess | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Thu Jul 07 08:35:27 EDT 2015 | GlobalInstanceId = 0 | EventTrailId = null | FirstCaller = /UNAUTHENTICATED | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | Provider = WebSphere | ProviderStatus = providerSuccess
User logout example
When auditing is enabled and a user logs out, a SECURITY_AUTHN_TERMINATE event type is recorded in audit log files:
Seq = 18516 | Event Type = SECURITY_AUTHN_TERMINATE | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 9 | SessionId = cdkX1qziTdc2NcCIEfuNhKr | RemoteHost = localhost.localdomain | RemoteAddr = 0:0:0:0:0:0:0:1 | RemotePort = 32825 | ProgName = isclite | Action = logout | AppUserName = admin_user | ResourceName = GET | RegistryUserName = null | AccessDecision = logoutSuccess | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 08 09:20:39 EDT 2015 | GlobalInstanceId = 0 | EventTrailId = -20674659 | FirstCaller = admin_user | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | AuthnType = challengeResponse | TerminateReason = logout | Provider = TIPLogout | ProviderStatus = providerSuccess | LogoutAction:29bhE1--dc9Cjm0vsA2gr-g = Logout SuccessFully
Authorization event example
For authorization events, for example, when a console administrator modifies roles, pages, or widgets, SECURITY_MGMT_REGISTRY event types are recorded in audit log files:
Seq = 22469 | Event Type = SECURITY_MGMT_REGISTRY | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 7 | SessionId = null | RemoteHost = null | RemoteAddr = null | RemotePort = null | ProgName = isclite | Action = acl | AppUserName = admin_user | ResourceName = null | RegistryUserName = null | AccessDecision = RolesGranted | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 15 08:26:52 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = 1614842881 | FirstCaller = admin_user | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | MgmtType = null | MgmtCommand = null | Removed subject (user) 'admin_user' from the roleAssignment object = SUCCESS
Seq = 22465 | Event Type = SECURITY_MGMT_REGISTRY | Outcome = SUCCESS | OutcomeReason = SUCCESS | OutcomeReasonCode = 7 | SessionId = null | RemoteHost = null | RemoteAddr = null | RemotePort = null | ProgName = isclite | Action = acl | AppUserName = admin_user | ResourceName = null | RegistryUserName = null | AccessDecision = RolesGranted | ResourceType = web | ResourceUniqueId = 0 | PermissionsChecked = null | PermissionsGranted = null | RolesChecked = null | RolesGranted = null | CreationTime = Fri Jul 15 08:26:52 EDT 2014 | GlobalInstanceId = 0 | EventTrailId = 1614842881 | FirstCaller = admin_user | Realm = defaultWIMFileBasedRealm | RegistryType = WIMUserRegistry | MgmtType = null | MgmtCommand = null | Update Argus Store = Role mapping update in Argus Store
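The record layout shown in the examples above can be parsed for analysis with a short script. The following is an added example, not part of the product or its documentation; it assumes the records are available as text lines in the layout printed on this page, and the names parse_record, summarize and review_queue, as well as the rule that every role change is queued for review, are hypothetical choices of this example.

```python
# Added example: parse the " | "-separated "key = value" audit records shown above.
# Assumption: records are available as text lines in the layout this page prints.

# Sample records abridged from the page's three examples (fields dropped for brevity).
SAMPLE = [
    "Seq = 12751 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | "
    "RemoteAddr = 1.23.456.789 | Action = webAuth | AppUserName = admin_user | "
    "AccessDecision = authnSuccess | ProviderStatus = providerSuccess",
    "Seq = 18516 | Event Type = SECURITY_AUTHN_TERMINATE | Outcome = SUCCESS | "
    "RemoteAddr = 0:0:0:0:0:0:0:1 | Action = logout | AppUserName = admin_user | "
    "LogoutAction:29bhE1--dc9Cjm0vsA2gr-g = Logout SuccessFully",
    "Seq = 22469 | Event Type = SECURITY_MGMT_REGISTRY | Outcome = SUCCESS | "
    "SessionId = null | RemoteAddr = null | Action = acl | AppUserName = admin_user | "
    "Removed subject (user) 'admin_user' from the roleAssignment object = SUCCESS",
]

OK_OUTCOMES = {"SUCCESS", "SUCCESSFUL"}  # the two success spellings seen on this page


def parse_record(line):
    """Split one record into a dict, keeping field order; 'null' becomes None."""
    record = {}
    for field in line.strip().split(" | "):
        key, sep, value = field.partition(" = ")  # split on the first " = " only
        if not sep:
            continue  # not a "key = value" field; skip it
        value = value.strip()
        record[key.strip()] = None if value == "null" else value
    return record


def summarize(record):
    """Return (event type, user, detail, needs_review) for one parsed record."""
    etype = record.get("Event Type")
    user = record.get("AppUserName")
    if etype == "SECURITY_MGMT_REGISTRY":
        # The last field is free text describing the change, e.g. a role removal.
        last_key = list(record)[-1]
        return etype, user, f"{last_key} = {record[last_key]}", True
    detail = f"{record.get('Action')} from {record.get('RemoteAddr')}"
    # Any outcome other than the success values above is queued for review.
    return etype, user, detail, record.get("Outcome") not in OK_OUTCOMES


def review_queue(lines):
    """Summaries of the records an analyst should look at."""
    summaries = (summarize(parse_record(line)) for line in lines)
    return [s for s in summaries if s[3]]
```

Because the final field of a SECURITY_MGMT_REGISTRY record uses the change description as its key, the parser keeps field order and reads the last key rather than looking the field up by name.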