Auditing

Auditing is similar to logging, except that it is designed to explicitly monitor security decisions and the security subsystem. It allows retrospective analysis of security-relevant events. Such events are:

  • security context creation and deletion;
  • security context switch;
  • access rights check attempted as {resource type, resource instance name, requested access};
  • access rights check results.

Auditing is implemented as a simple log of formatted records of several types. Because the volume of records can be high, a filtering mechanism exists that logs only records matching the following criteria:

  • events caused by a subject;
  • events related to a specific resource:
    • as {resource type};
    • as {resource type, instance name};
    • as {resource type, requested access};
    • as {resource type, instance name, requested access};
  • granted accesses or rejected accesses.

A special instance of the system resource, named context, is introduced so that security context related events can be selectively audited like any other resource.

Multiple filters of the same type are always combined with a logical OR, as in {subject1, subject2} or {resource type1, {resource type2, instance name2}}, creating log records for all listed events.

Multiple filter types may be combined with either an OR or an AND operation. Sometimes it is useful to log only records for subject1 about all rejected accesses (AND). Other times it is desirable to log accesses to a specific resource instance and, at the same time, all rejected accesses to any resource (OR). To avoid performance degradation due to auditing, regular expressions are not allowed in resource instance names.

The audit log files are defined in the FWD directory by these attributes:

  • pattern for the path and names of the log files: /security/audit/logfile
  • size of each log file: /security/audit/logsize
  • number of log files which form a ring: /security/audit/logcount
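The interaction of the three attributes is easiest to see by running it. The following Python is an added example written for this page, not FWD code: it expands a logfile pattern of the kind shown in the Example section (the %s server-name token plus the %t, %h, %g, %u and %% tokens listed in the Reference section) and keeps a ring of logcount files of at most logsize kilobytes each. The rotation order, where generation 0 is the file being written and older generations shift up until the oldest is discarded, is an assumption modelled on java.util.logging.FileHandler; the record contents are constructed, and files are created under a fresh temporary directory so the script runs offline.

```python
"""Audit logfile pattern expansion and a logcount-file ring of logsize KB each.
Added example, not FWD code; the rotation order is an assumption (see lead-in)."""
import os
import tempfile

def expand_pattern(pattern, server, generation=0, unique=0, tmpdir=None, home=None):
    """Expand the tokens listed in the Reference section: %s server name, %g generation,
    %u unique number, %t temp dir, %h user.home, %% literal percent, / local separator."""
    tmpdir = tempfile.gettempdir() if tmpdir is None else tmpdir
    home = os.path.expanduser("~") if home is None else home
    tokens = {"s": server, "g": str(generation), "u": str(unique), "t": tmpdir, "h": home, "%": "%"}
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "%" and i + 1 < len(pattern) and pattern[i + 1] in tokens:
            out.append(tokens[pattern[i + 1]])
            i += 2
        else:
            out.append(os.sep if c == "/" else c)
            i += 1
    return "".join(out)

class AuditLogRing:
    """Append records to generation 0; when it would exceed logsize KB, shift every
    generation up by one and drop generation logcount-1 (assumed rotation order)."""
    def __init__(self, directory, pattern, server, logsize_kb, logcount):
        self.directory, self.pattern, self.server = directory, pattern, server
        self.limit, self.logcount = logsize_kb * 1024, logcount

    def path(self, generation):
        return os.path.join(self.directory, expand_pattern(self.pattern, self.server, generation))

    def write(self, record):
        line = (record.rstrip("\n") + "\n").encode("utf-8")
        current = self.path(0)
        size = os.path.getsize(current) if os.path.exists(current) else 0
        if size + len(line) > self.limit:   # logsize is a limit in kilobytes per file
            self._rotate()
        with open(current, "ab") as f:
            f.write(line)

    def _rotate(self):
        oldest = self.path(self.logcount - 1)
        if os.path.exists(oldest):
            os.remove(oldest)               # the ring keeps at most logcount files
        for g in range(self.logcount - 2, -1, -1):
            if os.path.exists(self.path(g)):
                os.replace(self.path(g), self.path(g + 1))

    def files(self):
        return sorted(os.listdir(self.directory))

def demo(records=40, record_bytes=99):
    """Constructed run: write `records` lines of record_bytes+1 bytes into a
    1 KB x 3 ring in a fresh temp dir and return the files left behind."""
    ring = AuditLogRing(tempfile.mkdtemp(), "audit_%s_%g.log", "srv1", logsize_kb=1, logcount=3)
    for n in range(records):
        ring.write(f"{n:04d} " + "x" * (record_bytes - 5))   # 99 chars + newline = 100 bytes
    return ring.files()
```

With a 1 KB limit, ten 100-byte records fill generation 0; the eleventh triggers a rotation, and after forty records exactly three files remain (generations 0, 1 and 2), the earlier ten records having been discarded. Size the ring so that the retention window covers at least your incident-response lookback, since rotated-out audit records are gone.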

The entire audit subsystem is off by default. To enable auditing, the /security/audit/enabled value should be set to true.

All directory configurations related to auditing are cached in memory for quick access.

The following table shows the predefined directory object classes related to auditing:

Category: Security Audit Classes

Class name: auditDecision
   This class contains two class attributes of boolean type, success and failure. Each specifies whether granted and, respectively, denied accesses are recorded.

Class name: auditResource
   This class contains three class attributes: type, instances and requests. The type class attribute identifies the plug-in providing the resource, the instances class attribute is a list of resource instance names and the requests class attribute specifies the requested rights.

These are the class attributes for the auditDecision class:

Name Type Mandatory Multiple
success boolean false false
failure boolean false false

These are the class attributes for the auditResource class:

Name Type Mandatory Multiple
type string true false
instances string false true
requests integer false true

Search Algorithm

There is no search algorithm used for reading the audit directory section. All configurations are global for the directory and can be found under the /security/audit/ absolute path.

Example

The following is an example of the most common auditing settings.

<node class="container" name="security">
   <node class="container" name="audit">
      <node class="integer" name="logcount">
         <node-attribute name="value" value="3"/>
      </node>
      <node class="boolean" name="enabled">
         <node-attribute name="value" value="TRUE"/>
      </node>
      <node class="auditDecision" name="decisions">
         <node-attribute name="failure" value="TRUE"/>
      </node>
      <node class="integer" name="logsize">
         <node-attribute name="value" value="4096"/>
      </node>
      <node class="boolean" name="filtermode">
         <node-attribute name="value" value="FALSE"/>
      </node>
      <node class="string" name="logfile">
         <node-attribute name="value" value="audit_%s_%g.log"/>
      </node>
   </node>
</node>

Reference

The following options can be specified:

Option ID: enabled
   Data type: boolean. Default: false. Required: No.
   Enables or disables auditing.

Option ID: logfile
   Data type: string. Default: n/a. Required: yes, if auditing is enabled.
   The name of the log file or a filename template. The template can include the server name by inserting the %s token, which makes it convenient to share a single directory file between multiple servers. The other supported tokens follow the pattern syntax of java.util.logging.FileHandler:
     "/" the local pathname separator
     "%t" the system temporary directory
     "%h" the value of the "user.home" system property
     "%g" the generation number to distinguish rotated logs
     "%u" a unique number to resolve conflicts
     "%%" translates to a single percent sign "%"

Option ID: logsize
   Data type: integer. Default: 8096. Required: No.
   The limit, in kilobytes, of each log file's size.

Option ID: logcount
   Data type: integer. Default: 3. Required: No.
   The number of files in the rotation ring.

Option ID: filterMode
   Data type: boolean. Default: false. Required: No.
   Controls how the filtering of audit targets is done. Three conditions are checked before an audit log record is created:
     • the result of the request matches either the success or the failure value of the auditDecision option, that is, the success node attribute is true and the access was granted, or the failure node attribute is true and the access was denied;
     • the account ID of the current request matches one of those listed in /security/audit/subjects;
     • the resource instance and access mode constitute a valid audit target, matching a node under the /security/audit/resources path.
   If filterMode is true, an audit record is created only if all of the above conditions are true. If filterMode is false, a record is created if any of them is true.

Option ID: decisions
   Data type: auditDecision. Default: success false, failure false. Required: No.
   Controls which types of accesses are audited. Both granted and denied accesses can be audited by setting the success and failure node attributes to true.

Option ID: subjects
   Data type: strings. Default: empty set. Required: No.
   Lists the subject IDs to be audited. An empty (omitted) set means no auditing by subject.

Option ID: resources
   Data type: container. Default: empty set. Required: No.
   Specifies the resources to be audited. All child nodes of this node must be of the auditResource class. This filters accesses to be audited by resource type, then optionally by one or more instance names, and then optionally by one or more access rights.
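The filter combination rules above (OR within a filter type, filterMode choosing AND or OR across the decision, subject and resource conditions) are worth checking against concrete requests. The following Python is an added example written for this page, not FWD code: it reads an audit node in the XML form used in the examples on this page and decides whether a given access check would produce a record. The two XML samples are constructed; treating a listed requests mask as matching when it shares at least one bit with the requested access is an assumption, as is accepting plain integers alongside the 'NNNN'B bit-string form shown in example 5.

```python
"""Audit-target filtering from /security/audit, simulated. Added example, not FWD code."""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

@dataclass
class AuditResource:
    type: str
    instances: list = field(default_factory=list)  # empty = any instance
    requests: list = field(default_factory=list)   # empty = any access

@dataclass
class AuditConfig:
    enabled: bool = False
    filter_mode: bool = False  # False: OR the three conditions; True: AND them
    success: bool = False      # auditDecision.success
    failure: bool = False      # auditDecision.failure
    subjects: set = field(default_factory=set)
    resources: list = field(default_factory=list)

def parse_bits(text):
    """'0101'B -> 5 (the bit-string form of example 5); plain integers also accepted (assumption)."""
    t = text.strip()
    if len(t) > 3 and t[0] == "'" and t[-2:].upper() == "'B":
        return int(t[1:-2], 2)
    return int(t, 0)

def _child(node, name):  # direct child <node name="..."> or None
    return next((n for n in node.findall("node") if n.get("name") == name), None)

def _attrs(node, name):  # every <node-attribute name="..."> value (multi-valued attributes)
    if node is None:
        return []
    return [a.get("value") for a in node.findall("node-attribute") if a.get("name") == name]

def _bool(node, name="value"):
    vals = _attrs(node, name)
    return bool(vals) and vals[0].upper() == "TRUE"

def load_audit_config(xml_text):
    """Build an AuditConfig from a <node name="audit"> subtree in the directory's XML form."""
    root = ET.fromstring(xml_text)
    audit = root if root.get("name") == "audit" else _child(root, "audit")
    cfg = AuditConfig(enabled=_bool(_child(audit, "enabled")))
    mode = _child(audit, "filterMode")
    if mode is None:  # the page's Example section spells the node 'filtermode'
        mode = _child(audit, "filtermode")
    cfg.filter_mode = _bool(mode)
    dec = _child(audit, "decisions")
    cfg.success, cfg.failure = _bool(dec, "success"), _bool(dec, "failure")
    cfg.subjects = set(_attrs(_child(audit, "subjects"), "values"))
    res = _child(audit, "resources")
    for r in ([] if res is None else res.findall("node")):
        if r.get("class") == "auditResource":
            cfg.resources.append(AuditResource(
                type=_attrs(r, "type")[0],
                instances=_attrs(r, "instances"),
                requests=[parse_bits(v) for v in _attrs(r, "requests")]))
    return cfg

def resource_matches(cfg, rtype, instance, requested):
    for r in cfg.resources:  # nodes of the same filter type are OR-ed: first hit wins
        if r.type != rtype:
            continue
        if r.instances and instance not in r.instances:
            continue
        # Assumption: a listed mask matches when it shares at least one bit with the request.
        if r.requests and not any(requested & m for m in r.requests):
            continue
        return True
    return False

def should_audit(cfg, subject, rtype, instance, requested, granted):
    if not cfg.enabled:
        return False
    conds = (
        cfg.success if granted else cfg.failure,           # auditDecision
        subject in cfg.subjects,                            # subjects (empty set matches nobody)
        resource_matches(cfg, rtype, instance, requested),  # resources
    )
    return all(conds) if cfg.filter_mode else any(conds)

# Constructed sample mirroring the page's own example (failure only, filtermode FALSE).
OR_CONFIG = """<node class="container" name="audit">
  <node class="boolean" name="enabled"><node-attribute name="value" value="TRUE"/></node>
  <node class="auditDecision" name="decisions"><node-attribute name="failure" value="TRUE"/></node>
  <node class="boolean" name="filtermode"><node-attribute name="value" value="FALSE"/></node>
</node>"""
# Constructed AND sample: only denied accesses by 'admins' to system resource 'context' for bit 0 or 2.
AND_CONFIG = """<node class="container" name="audit">
  <node class="boolean" name="enabled"><node-attribute name="value" value="TRUE"/></node>
  <node class="auditDecision" name="decisions"><node-attribute name="failure" value="TRUE"/></node>
  <node class="boolean" name="filterMode"><node-attribute name="value" value="TRUE"/></node>
  <node class="strings" name="subjects"><node-attribute name="values" value="admins"/></node>
  <node class="container" name="resources"><node class="auditResource" name="10">
    <node-attribute name="type" value="system"/><node-attribute name="instances" value="context"/>
    <node-attribute name="requests" value="'0101'B"/></node></node>
</node>"""
```

Two consequences of the documented rules stand out when run this way. With filterMode false and only failure set, as in the page's own example, every denied access is recorded regardless of subject or resource, because that one condition suffices. With filterMode true, every condition must hold, so a configuration that sets decisions and resources but omits subjects records nothing at all, since an empty subjects set matches no subject; in AND mode all three filters need to be populated.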

Options Examples

Example 1. Enable the audit:

<node class="container" name="security">
   <node class="container" name="audit">
      ...
      <node class="boolean" name="enabled">
         <node-attribute name="value" value="TRUE"/>
      </node>
      ...
   </node>
</node>

Example 2. Disable the audit:

<node class="container" name="security">
   <node class="container" name="audit">
      ...
      <node class="boolean" name="enabled">
         <node-attribute name="value" value="FALSE"/>
      </node>
      ...
   </node>
</node>

Example 3. Enable the audit for both granted and denied accesses:

<node class="container" name="security">
   <node class="container" name="audit">
      ...
      <node class="auditDecision" name="decisions">
         <node-attribute name="success" value="TRUE"/>
         <node-attribute name="failure" value="TRUE"/>
      </node>
      ...
   </node>
</node>

Example 4. Specify subjects to be audited:

<node class="container" name="security">
   <node class="container" name="audit">
      ...
      <node class="strings" name="subjects">
         <node-attribute name="values" value="admins"/>
         <node-attribute name="values" value="sysmaint"/>
         <node-attribute name="values" value="group2"/>
      </node>
      ...
   </node>
</node>

Example 5. Specify resources to be audited:

<node class="container" name="security">
   <node class="container" name="audit">
      ...
      <node class="container" name="resources">
         <node class="auditResource" name="10">
            <node-attribute name="type" value="system"/>
            <node-attribute name="instances" value="context"/>
            <node-attribute name="requests" value="'0101'B"/>
         </node>
         <node class="auditResource" name="20">
            ...
         </node>
      </node>
      ...
   </node>
</node>

© 2004-2017 Golden Code Development Corporation. ALL RIGHTS RESERVED.