
TPS Audit Events

Endi S. Dewata edited this page Jan 14, 2022 · 16 revisions

Overview

TPS audit events can be configured in the log.instance.SignedAudit.events property.

Notes:

  • Each operation is preceded by a separate AUTHZ_* event

  • The authentication event only happens once, at login

  • Some operations with specific changes to fields within an object (e.g. profiles, authenticators) might produce a larger quantity of data. The examples below are selected ones that produce less data.

  • Service (or OP) can in general be any of the services provided by the REST interface

Event properties:

  • SubjectID: the subject user that triggers the audit event

  • Outcome: Success or Failure of the action that triggers the audit event

  • Service: in general, the name of the operation method where the audit event occurs

  • ParamNameValPairs: name/value pairs where

    • <name> and <value> are separated by the delimiter ;;

    • Multiple <name>;;<value> pairs are separated by +

    • Secret component (password) MUST NOT be logged

  • Info: in general used for capturing error info for failed cases; in case of success, it is usually left as null.

Default Events

TPS Configuration Events

CONFIG_TOKEN_GENERAL

This event is triggered when the general TPS configuration is updated.

[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID=tpsadmin][Outcome=Success][Service=ConfigService.updateConfig][ParamNameValPairs=+applet._000;;#########################################+applet._001;;# applet information+applet._002;;# SAF Key:+applet._003;;# applet.aid.cardmgr_instance=A0000001510000+applet._004;;# Stock RSA,KeyRecover applet : 1.4.54de790f.ijc+applet._005;;# Beta RSA/KeyRecovery/GP211/SCP02 applet : 1.5.558cdcff.ijc+applet._006;;# Use GP211 applet only with SCP02 card+applet._007;;#########################################+applet.aid.cardmgr_instance;;A0000000030000+applet.aid.netkey_file;;627601FF0000+applet.aid.netkey_instance;;627601FF000000+applet.aid.netkey_old_file;;A000000001+applet.aid.netkey_old_instance;;A00000000101+applet.delete_old;;true+applet.so_pin;;000000000000+channel._000;;#########################################+channel._001;;# channel.encryption:+channel._002;;#+channel._003;;#   - enable encryption for all operation commands to token+channel._004;;#   - default is true+channel._005;;#  channel.blocksize=224+channel._006;;#  channel.defKeyVersion=0+channel._007;;#  channel.defKeyIndex=0+channel._008;;#+channel._009;;#  Config the size of memory managed memory in the applet+channel._010;;#  Default is 5000, try not go get close to the instanceSize+channel._011;;#  which defaults to 18000:+channel._012;;#+channel._013;;#  * channel.instanceSize=18000+channel._014;;#  * channel.appletMemorySize=5000+channel._015;;#########################################+channel.blocksize;;224+channel.defKeyIndex;;0+channel.defKeyVersion;;0+channel.encryption;;true+failover.pod.enable;;false+general.applet_ext;;ijc+general.pwlength.min;;12+general.search.sizelimit.default;;100+general.search.sizelimit.max;;2000+general.search.timelimit.default;;10+general.search.timelimit.max;;10+general.verifyProof;;1][Info=null] TPS token configuration parameter(s) change

CONFIG_TOKEN_PROFILE

This event is triggered when a token profile configuration is updated.

[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID=tpsadmin][Outcome=Success][Service=ProfileService.updateProfile][ProfileID=cfuTestProfile5][ParamNameValPairs=+op.enroll.cfuTestProfile5.entry0;;value0+op.enroll.cfuTestProfile5.entry1;;value1][Info=null] token profile configuration parameter(s) change

CONFIG_TOKEN_MAPPING_RESOLVER

This event is triggered when a token mapping resolver configuration is updated.

[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID=tpsadmin][Outcome=Success][Service=ProfileMappingService.removeProfileMapping][MappingResolverID=cfu4mappingResolver][ParamNameValPairs=][Info=null] token mapping resolver configuration parameter(s) change

CONFIG_TOKEN_AUTHENTICATOR

This event is triggered when a token authenticator configuration is updated.

[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID=tpsadmin][Outcome=Success][OP=AuthenticatorService.changeStatus][Authenticator=ldap2][ParamNameValPairs=+Status;;Disabled+Action;;disable+authenticatorID;;ldap2][Info=null] token authenticator configuration parameter(s) change

CONFIG_TOKEN_CONNECTOR

This event is triggered when a token connector configuration is updated.

[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID=tpsadmin][Outcome=Success][OP=ConnectorService.changeStatus][Connector=tks1][ParamNameValPairs=+Status;;Enabled+Action;;enable][Info=null] token connector configuration parameter(s) change

CONFIG_TOKEN_RECORD

This event is triggered when a token record is updated.

[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID=tpsadmin][Outcome=Success][OP=TokenService.removeToken][TokenID=33333333333333333333][ParamNameValPairs=][Info=null] token record configuration parameter(s) change

Token Events

TOKEN_OP_REQUEST

This event is triggered when a token processor op request is made.

  • OP can be format, enroll, or pinReset

[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made

TOKEN_FORMAT_SUCCESS

This event is triggered when a token format op succeeded.

[AuditEvent=TOKEN_FORMAT_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format success

TOKEN_FORMAT_FAILURE

This event is triggered when a token format op failed.

[AuditEvent=TOKEN_FORMAT_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format failure

TOKEN_APPLET_UPGRADE_SUCCESS

This event is triggered when a token applet upgrade succeeded.

[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success

TOKEN_APPLET_UPGRADE_FAILURE

This event is triggered when a token applet upgrade failed.

[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure

TOKEN_STATE_CHANGE

This event is triggered when a token state has been changed.

[AuditEvent=TOKEN_STATE_CHANGE][SubjectID=tpsadmin][Outcome=Success][oldState=uninitialized][oldReason=null][newState=lost][newReason=onHold][ParamNameValPairs=+tokenStatus;;TEMP_LOST+tokenID;;77777777777777777777+UserID;;itsme][Info=null] token state changed

TPS Certificate Events

Properties:

  • CUID: card unique ID

  • MSN: manufacturer serial number

  • TokenType: TPS profile name

  • Serial: serial number in decimal

  • CA_ID: CA id as defined in TPS CS.cfg

  • KRA_ID: KRA id as defined in TPS CS.cfg

TOKEN_CERT_ENROLLMENT

This event is triggered when a token certificate enrollment request is made.

[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made

TOKEN_CERT_RENEWAL

This event is triggered when a token certificate renewal request is made.

[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made

TOKEN_CERT_RETRIEVAL

This event is triggered when a token certificate retrieval request is made.

[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made

TOKEN_CERT_STATUS_CHANGE_REQUEST

This event is triggered when a token certificate status change request (e.g. revocation) is made.

  • CUID must be the last token that the certificate was associated with

  • CertSerialNum must be the serial number (in decimal) of the certificate to be revoked

  • RequestType must be one of revoke, on-hold, or off-hold

[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made

Token PIN Events

TOKEN_PIN_RESET_SUCCESS

This event is triggered when a token PIN reset request succeeded.

[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset success

TOKEN_PIN_RESET_FAILURE

This event is triggered when a token PIN reset request failed.

[AuditEvent=TOKEN_PIN_RESET_FAILURE][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset failure

Token Key Events

TOKEN_KEY_RECOVERY

This event is triggered when a token certificate key recovery request is made.

[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made

TOKEN_KEY_CHANGEOVER_REQUIRED

This event is triggered when a token key changeover is required.

[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required

TOKEN_KEY_CHANGEOVER_SUCCESS

This event is triggered when a token key changeover succeeded.

[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success

TOKEN_KEY_CHANGEOVER_FAILURE

This event is triggered when a token key changeover failed.

[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure

Token Authentication Events

TOKEN_AUTH_FAILURE

This event is triggered when authentication failed.

  • Outcome should always be failure in this event

  • On authentication failure, AttemptedID is logged instead of SubjectID, since the attempted identity was never authenticated

  • AuthMgr must be the authentication manager instance name that did this authentication

[AuditEvent=TOKEN_AUTH_FAILURE][IP={0}][AttemptedID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication failure

TOKEN_AUTH_SUCCESS

This event is triggered when authentication succeeded.

  • Outcome should always be success in this event

  • AuthMgr must be the authentication manager instance name that did this authentication

[AuditEvent=TOKEN_AUTH_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication success

Examples

Token Format

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_FORMAT_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][KeyVersion=0101][Info=null] token op format success

Token Enrollment

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][tokenType=userKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=success][tokenType=userKey][KeyVersion=0101][Serial=131][CA_ID=ca1][Info=null] token certificate enrollment request made

Token Find

Execute the following command to search tokens:

$ pki -n caadmin tps-token-find

The command will generate the following logs:

[AuditEvent=AUTH_SUCCESS][SubjectID=tpsadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.tokens][Op=read][Info=TokenResource.findTokens] authorization success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=logout][Info=AccountResource.logout] authorization success

Modifying Profile Mapping

[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.profile-mappings][Op=modify][Info=ProfileMappingResource.updateProfileMapping] authorization success

Pin Reset

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=pinReset][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=pinReset][tokenType=userKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=success][AppletVersion=userKey][KeyVersion=0101] token op pin reset success

ExternalReg

Example audit messages for an externalReg enrollment request whose user entry has tokenType: delegateISEtoken and certstoadd: 63,ca1,9,kra1 (that is, two cert enrollments and one "recovery"):

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][tokenType=null][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=128][CA_ID=ca1][Info=null] token certificate enrollment request made
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=129][CA_ID=ca1][Info=null] token certificate enrollment request made
[AuditEvent=TOKEN_KEY_RECOVERY][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=63][CA_ID=ca1][KRA_ID=kra1][Info=null] token certificate/key recovery request made
0.http-bio-8080-exec-2 - [15/Feb/2016:16:03:39 PST] [14] [6] [AuditEvent=TOKEN_CERT_RETRIEVAL][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=63][CA_ID=ca1][Info=null] token certificate retrieval request made

Formatting an active token that causes revocation

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_FORMAT_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][KeyVersion=0101][Info=null] token op format success
[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=0][tokenType=tokenKey][CertSerialNum=131][RequestType=revoke][RevokeReasonNum=0][CA_ID=ca1][Info=null] token certificate revocation/unrevocation request made
[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=0][tokenType=tokenKey][CertSerialNum=132][RequestType=revoke][RevokeReasonNum=0][CA_ID=ca1][Info=null] token certificate revocation/unrevocation request made

Format with invalid symkey required version

For example, the following requiredVersion does not exist in TKS:

op.format.tokenKey.update.symmetricKeys.requiredVersion=2

The format then logs:

[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=na][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][oldKeyVersion=0101][newKeyVersion=02%01%][Info=null] token key changeover required
[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=failure][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][oldKeyVersion=null][newKeyVersion=02%01%][Info=TPSEngine.computeSessionKey: invalid returned status: 1] token key changeover failure
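As an added example (not part of this page or of Dogtag PKI itself), a small Python parser for the bracketed [Name=Value] event format and the ParamNameValPairs encoding described under Event properties, run over constructed lines shaped like the examples above: it groups token events by CUID as in the sequences shown, counts TOKEN_AUTH_FAILURE events per AttemptedID, and flags any ParamNameValPairs name containing "password", which the page says must never be logged. The TOKEN_AUTH_FAILURE sample line is hypothetical, built from the template in this page.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format documented on this page (not captured
# from a real TPS instance); the TOKEN_AUTH_FAILURE line is hypothetical.
SAMPLE_LOG = """\
[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_FAILURE][IP=a.b.c.d][AttemptedID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=failure][OP=format][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication failure
[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID=tpsadmin][Outcome=Success][Service=ProfileService.updateProfile][ProfileID=cfuTestProfile5][ParamNameValPairs=+op.enroll.cfuTestProfile5.entry0;;value0+op.enroll.cfuTestProfile5.entry1;;value1][Info=null] token profile configuration parameter(s) change
"""

# One bracketed [Name=Value] field; values in the page's examples never contain ']'.
FIELD_RE = re.compile(r"\[([^=\]]+)=([^\]]*)\]")

def parse_event(line):
    """Split one audit line into its bracketed fields plus the trailing message."""
    fields = dict(FIELD_RE.findall(line))
    fields["Message"] = line[line.rfind("]") + 1:].strip()
    return fields

def parse_pairs(encoded):
    """Decode ParamNameValPairs: pairs joined by '+', name and value by ';;'.
    The format has no escaping, so a '+' inside a value would be mis-split."""
    pairs = {}
    for item in encoded.split("+"):
        if not item:  # the encoded string starts with a leading '+'
            continue
        name, sep, value = item.partition(";;")
        if sep:
            pairs[name] = value
    return pairs

def summarize(log_text):
    """Return (events per CUID, TOKEN_AUTH_FAILURE count per AttemptedID,
    config changes as (SubjectID, Service or OP, pairs, suspect_names))."""
    by_cuid = defaultdict(list)
    auth_failures = defaultdict(int)
    config_changes = []
    for line in log_text.splitlines():
        if not line.startswith("[AuditEvent="):
            continue
        ev = parse_event(line)
        name = ev["AuditEvent"]
        if "CUID" in ev:
            by_cuid[ev["CUID"]].append(name)
        if name == "TOKEN_AUTH_FAILURE":
            # Failed authentications carry AttemptedID rather than SubjectID.
            auth_failures[ev.get("AttemptedID", "?")] += 1
        if name.startswith("CONFIG_"):
            pairs = parse_pairs(ev.get("ParamNameValPairs", ""))
            # The page says the password secret component must never be logged.
            suspect = [n for n in pairs if "password" in n.lower()]
            config_changes.append(
                (ev.get("SubjectID"), ev.get("Service") or ev.get("OP"), pairs, suspect))
    return dict(by_cuid), dict(auth_failures), config_changes
```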
