TPS Audit Events
TPS audit events can be configured in the `log.instance.SignedAudit.events` property.
Notes:

- Each operation is preceded by a separate `AUTHZ_*` event.
- The authentication event only happens once, initially at login.
- Some operations with specific changes to fields within an object (e.g. profiles, authenticators) might produce a larger quantity of data. The examples below are selected ones that produce less data.
- `Service` or `OP` in general can be any of the services provided by the REST interface.
Event properties:

- `SubjectID`: the subject user that triggers the audit event
- `Outcome`: Success or Failure of the action that triggers the audit event
- `Service`: in general, the name of the operation method where the audit event occurs
- `ParamNameValPairs`: name/value pairs where
  - `<name>` and `<value>` are separated by the delimiter `;;`
  - if there is more than one `<name>;;<value>` pair, the pairs are separated by `+`
  - secret components (passwords) MUST NOT be logged
- `Info`: in general used for capturing error info for failed cases; in case of success, it is usually left as null.
This event is triggered when a token authenticator configuration is updated.

```
[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID=tpsadmin][Outcome=Success][OP=AuthenticatorService.changeStatus][Authenticator=ldap2][ParamNameValPairs=+Status;;Disabled+Action;;disable+authenticatorID;;ldap2][Info=null] token authenticator configuration parameter(s) change
```

This event is triggered when a token connector configuration is updated.

```
[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID=tpsadmin][Outcome=Success][OP=ConnectorService.changeStatus][Connector=tks1][ParamNameValPairs=+Status;;Enabled+Action;;enable][Info=null] token connector configuration parameter(s) change
```

This event is triggered when a token record is updated.

```
[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID=tpsadmin][Outcome=Success][OP=TokenService.removeToken][TokenID=33333333333333333333][ParamNameValPairs=][Info=null] token record configuration parameter(s) change
```
This event is triggered when a token processor op request is made.

- `OP` can be `format`, `enroll`, or `pinReset`

```
[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
```
This event is triggered when a token format op succeeded.

```
[AuditEvent=TOKEN_FORMAT_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format success
```

This event is triggered when a token format op failed.

```
[AuditEvent=TOKEN_FORMAT_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format failure
```

This event is triggered when a token applet upgrade succeeded.

```
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success
```

This event is triggered when a token applet upgrade failed.

```
[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure
```

This event is triggered when a token state has been changed.

```
[AuditEvent=TOKEN_STATE_CHANGE][SubjectID=tpsadmin][Outcome=Success][oldState=uninitialized][oldReason=null][newState=lost][newReason=onHold][ParamNameValPairs=+tokenStatus;;TEMP_LOST+tokenID;;77777777777777777777+UserID;;itsme][Info=null] token state changed
```
Properties:

- `CUID`: card unique ID
- `MSN`: manufacturer serial number
- `TokenType`: TPS profile name
- `Serial`: serial number in decimal
- `CA_ID`: CA id as defined in TPS CS.cfg
- `KRA_ID`: KRA id as defined in TPS CS.cfg
This event is triggered when a token certificate enrollment request is made.

```
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
```

This event is used for TPS when a token certificate renewal request is made.

```
[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
```

This event is used for TPS when a token certificate retrieval request is made.

```
[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
```

This event is used when a token certificate status change request (e.g. revocation) is made.

- `CUID` must be the last token that the certificate was associated with
- `CertSerialNum` must be the serial number (in decimal) of the certificate to be revoked
- `RequestType` must be `revoke`, `on-hold`, or `off-hold`

```
[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
```
This event is used when a token pin reset request succeeded.

```
[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset success
```

This event is used when a token pin reset request failed.

```
[AuditEvent=TOKEN_PIN_RESET_FAILURE][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset failure
```

This event is triggered when a token certificate key recovery request is made.

```
[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
```

This event is triggered when a token key changeover is required.

```
[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
```

This event is triggered when a token key changeover succeeded.

```
[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success
```

This event is triggered when a token key changeover failed.

```
[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure
```
This event is triggered when authentication failed.

- `Outcome` should always be `failure` in this event
- When authentication failed, `AttemptedID` is logged instead of `SubjectID`, as in the `TOKEN_AUTH_FAILURE` event
- `AuthMgr` must be the authentication manager instance name that did this authentication

```
[AuditEvent=TOKEN_AUTH_FAILURE][IP={0}][AttemptedID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication failure
```

This event is triggered when authentication succeeded.

- `Outcome` should always be `success` in this event
- `AuthMgr` must be the authentication manager instance name that did this authentication

```
[AuditEvent=TOKEN_AUTH_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication success
```
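The field layout and the rules above (`[name=value]` fields, `ParamNameValPairs` split by `+` and `;;`, `AttemptedID` rather than `SubjectID` on `TOKEN_AUTH_FAILURE`, no secrets in parameter pairs) are easy to turn into a small log review tool. The following is an added example, not code from the Dogtag PKI project. Its sample lines are constructed from the templates on this page; the user `user9z`, the `bindPassword` pair on the last line, and the `SECRET_NAMES` heuristic are assumptions made for the demonstration.

```python
"""Parse TPS signed-audit lines and check the invariants this page states.

Added example, not part of the Dogtag PKI project.  The sample lines are
constructed from this page's templates; user9z, the bindPassword pair and
the SECRET_NAMES heuristic are assumptions for the demonstration.
"""
import re
from collections import Counter

# One [name=value] field; a value (e.g. Info) may contain ':' and spaces but never ']'.
FIELD_RE = re.compile(r"\[([A-Za-z_]+)=([^\]]*)\]")

# Parameter names that should never appear in ParamNameValPairs (assumed heuristic;
# the page only says that secret components such as passwords must not be logged).
SECRET_NAMES = ("password", "passwd", "secret")

# Constructed sample log.  Line 5 keeps the thread/timestamp prefix seen in the
# page's examples; line 6 deliberately violates the no-secrets rule.
SAMPLE_LOG = """\
[AuditEvent=AUTH_SUCCESS][SubjectID=tpsadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.tokens][Op=read][Info=TokenResource.findTokens] authorization success
[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID=tpsadmin][Outcome=Success][OP=AuthenticatorService.changeStatus][Authenticator=ldap2][ParamNameValPairs=+Status;;Disabled+Action;;disable+authenticatorID;;ldap2][Info=null] token authenticator configuration parameter(s) change
[AuditEvent=TOKEN_AUTH_FAILURE][IP=a.b.c.d][AttemptedID=user9z][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=failure][OP=enroll][tokenType=userKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication failure
0.http-bio-8080-exec-2 - [15/Feb/2016:16:03:39 PST] [14] [6] [AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=failure][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][oldKeyVersion=null][newKeyVersion=02%01%][Info=TPSEngine.computeSessionKey: invalid returned status: 1] token key changeover failure
[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID=tpsadmin][Outcome=Success][OP=ConnectorService.changeStatus][Connector=tks1][ParamNameValPairs=+Status;;Enabled+Action;;enable+bindPassword;;hunter2][Info=null] token connector configuration parameter(s) change
"""


def parse_event(line):
    """Return the [name=value] fields of one audit line as a dict, or None for non-audit lines."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "AuditEvent" in fields else None


def parse_param_pairs(raw):
    """Split a ParamNameValPairs value: pairs are joined by '+', name and value by ';;'."""
    pairs = {}
    for chunk in raw.split("+"):
        if chunk:
            name, sep, value = chunk.partition(";;")
            pairs[name] = value if sep else None
    return pairs


def check_event(ev):
    """Apply the page's stated rules to one parsed event; return a list of findings."""
    findings = []
    kind = ev["AuditEvent"]
    outcome = ev.get("Outcome", "").lower()
    if kind == "TOKEN_AUTH_FAILURE":
        if outcome != "failure":
            findings.append("TOKEN_AUTH_FAILURE must have Outcome=failure")
        if "AttemptedID" not in ev or "SubjectID" in ev:
            findings.append("TOKEN_AUTH_FAILURE must log AttemptedID, not SubjectID")
        if not ev.get("AuthMgr"):
            findings.append("TOKEN_AUTH_FAILURE must name the AuthMgr instance")
    elif kind == "TOKEN_AUTH_SUCCESS" and outcome != "success":
        findings.append("TOKEN_AUTH_SUCCESS must have Outcome=success")
    for name in parse_param_pairs(ev.get("ParamNameValPairs", "")):
        if any(s in name.lower() for s in SECRET_NAMES):
            findings.append(f"secret-looking parameter {name!r} logged in ParamNameValPairs")
    return findings


def analyze(log_text):
    """Walk a log; return (event counts, failed-outcome events, findings keyed by line number)."""
    counts = Counter()
    failures = []
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_event(line)
        if ev is None:
            continue
        counts[ev["AuditEvent"]] += 1
        if ev.get("Outcome", "").lower() == "failure":
            # A failed authentication carries AttemptedID rather than SubjectID
            who = ev.get("AttemptedID") or ev.get("SubjectID")
            failures.append((lineno, ev["AuditEvent"], who, ev.get("Info")))
        problems = check_event(ev)
        if problems:
            findings[lineno] = problems
    return counts, failures, findings


if __name__ == "__main__":
    counts, failures, findings = analyze(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{n:3d} {kind}")
    for lineno, kind, who, info in failures:
        print(f"line {lineno}: {kind} for {who}: {info}")
    for lineno, problems in findings.items():
        print(f"line {lineno}: " + "; ".join(problems))
```

Run against a real signed-audit file by passing its contents to `analyze()`. The bracket regex ignores the per-line prefix (thread name, timestamp, level) because those brackets carry no `=`, so lines with and without the prefix parse the same way; `Outcome` is compared case-insensitively because the page's examples use both `Success` and `success`.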
```
[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_FORMAT_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][KeyVersion=0101][Info=null] token op format success
```

```
[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][tokenType=userKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=success][tokenType=userKey][KeyVersion=0101][Serial=131][CA_ID=ca1][Info=null] token certificate enrollment request made
```
Execute the following command to search tokens:

```
$ pki -n caadmin tps-token-find
```

The command will generate the following logs:

```
[AuditEvent=AUTH_SUCCESS][SubjectID=tpsadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.tokens][Op=read][Info=TokenResource.findTokens] authorization success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=logout][Info=AccountResource.logout] authorization success
```

```
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.profile-mappings][Op=modify][Info=ProfileMappingResource.updateProfileMapping] authorization success
```

```
[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=pinReset][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=pinReset][tokenType=userKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=success][AppletVersion=userKey][KeyVersion=0101] token op pin reset success
```
Example audit messages for an externalReg enrollment request with user entries `tokenType: delegateISEtoken` and `certstoadd: 63,ca1,9,kra1` (that is, two cert enrollments and one "recovery"):

```
[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][tokenType=null][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=128][CA_ID=ca1][Info=null] token certificate enrollment request made
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=129][CA_ID=ca1][Info=null] token certificate enrollment request made
[AuditEvent=TOKEN_KEY_RECOVERY][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=63][CA_ID=ca1][KRA_ID=kra1][Info=null] token certificate/key recovery request made
0.http-bio-8080-exec-2 - [15/Feb/2016:16:03:39 PST] [14] [6] [AuditEvent=TOKEN_CERT_RETRIEVAL][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=63][CA_ID=ca1][Info=null] token certificate retrieval request made
```

```
[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_FORMAT_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][KeyVersion=0101][Info=null] token op format success
[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=0][tokenType=tokenKey][CertSerialNum=131][RequestType=revoke][RevokeReasonNum=0][CA_ID=ca1][Info=null] token certificate revocation/unrevocation request made
[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=0][tokenType=tokenKey][CertSerialNum=132][RequestType=revoke][RevokeReasonNum=0][CA_ID=ca1][Info=null] token certificate revocation/unrevocation request made
```
For example, when the following `requiredVersion` does not exist in TKS:

```
op.format.tokenKey.update.symmetricKeys.requiredVersion=2
```

```
[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=na][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][oldKeyVersion=0101][newKeyVersion=02%01%][Info=null] token key changeover required
[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=failure][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][oldKeyVersion=null][newKeyVersion=02%01%][Info=TPSEngine.computeSessionKey: invalid returned status: 1] token key changeover failure
```