Before enabling security auditing, use this task to configure audit event factories using the wsadmin tool. Security auditing provides tracking and archiving of auditable events.
Before configuring security auditing event factories, enable administrative security in your environment.
In order to enable security auditing in your environment, you must configure an audit event factory. The audit event factory gathers the data that is associated with security events. The security auditing configuration provides a default event factory. Use this topic to customize your security auditing subsystem by creating additional audit event factories.
Use the following steps to configure your security auditing subsystem using the wsadmin tool:
Event Name | Outcome of event |
---|---|
SECURITY_AUTHN | SUCCESS |
SECURITY_AUTHN | DENIED |
SECURITY_RESOURCE_ACCESS | SUCCESS |
SECURITY_AUTHN | REDIRECT |
print AdminTask.getSupportedAuditEvents()
Event name | Description |
---|---|
SECURITY_AUTHN | Audits all authentication events |
SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
SECURITY_AUTHN_TERMINATE | Audits authentication termination events such as a timeout, terminated session, or user-initiated logging out |
SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
SECURITY_RUNTIME | Audits runtime events such as the starting and the stopping of security servers. This event type is not meant for administrative operations performed by a system administrator as such operations need to use the other SECURITY_MGMT_* event types. |
SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
SECURITY_SIGNING | Audits events that record signing such as signing operations used to validate parts of a SOAP Message for web services |
SECURITY_ENCRYPTION | Audits events that record encryption information such as encryption for web services |
SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |
SECURITY_AUTHN_CREDS_MODIFY | Audits events to modify credentials for a given user identity |
AdminTask.createAuditFilter('-name uniqueFilterName -eventType SECURITY_RESOURCE_ACCESS,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')
Use the createAuditEventFactory command to create an audit event factory in your security configuration. You can use the default implementation of the audit event factory or use a third-party implementation. To configure a third-party implementation, use the optional -customProperties parameter to specify any properties necessary to configure the audit event factory implementation.
Parameter | Description | Data type | Required |
---|---|---|---|
-uniqueName | Specifies a unique name that identifies the audit event factory. | String | Yes |
-className | Specifies the class implementation of the audit event factory interface. | String | Yes |
-auditFilters | Specifies a reference or a group of references to predefined audit filters, using the following format: "reference, reference, reference" | String | Yes |
-provider | Specifies a reference to a predefined audit service provider implementation. | String | Yes |
-customProperties | Specifies a comma (,) separated list of custom property pairs to add to the security object in the following format: attribute=value,attribute=value | String | No |
AdminTask.createAuditEventFactory('-uniqueName eventFactory1 -className com.ibm.ws.security.audit.AuditEventFactoryImpl -auditFilters "AuditSpecification_1173199825608, AuditSpecification_1173199825609, AuditSpecification_1173199825610, AuditSpecification_1173199825611" -provider newASP')
AdminConfig.save()
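The following is an added example, not part of the product documentation: a plain-Python pre-flight check that builds the argument strings for createAuditFilter and createAuditEventFactory, rejecting event types that are not in the table above and calls that omit a required parameter. The helper names are hypothetical, and the outcome list is an assumption limited to the outcomes that appear on this page.

```python
# Added example: validate and build wsadmin argument strings before they
# reach AdminTask. Runs in plain Python; no wsadmin session is needed.

# Event types from the table on this page (what getSupportedAuditEvents lists).
SUPPORTED_EVENTS = [
    "SECURITY_AUTHN", "SECURITY_AUTHN_MAPPING", "SECURITY_AUTHN_TERMINATE",
    "SECURITY_AUTHZ", "SECURITY_RUNTIME", "SECURITY_MGMT_AUDIT",
    "SECURITY_RESOURCE_ACCESS", "SECURITY_SIGNING", "SECURITY_ENCRYPTION",
    "SECURITY_AUTHN_DELEGATION", "SECURITY_AUTHN_CREDS_MODIFY",
]
# Assumption: only the outcomes that appear on this page; extend as needed.
KNOWN_OUTCOMES = ["SUCCESS", "DENIED", "REDIRECT", "ERROR"]


def _check(values, allowed, label):
    """Return values joined by commas, or raise if empty or not allowed."""
    bad = [v for v in values if v not in allowed]
    if not values or bad:
        raise ValueError("%s: empty or unsupported %r" % (label, bad))
    return ",".join(values)


def filter_args(name, event_types, outcomes):
    """Argument string for AdminTask.createAuditFilter."""
    if not name or " " in name:
        raise ValueError("filter name must be a single token")
    return "-name %s -eventType %s -outcome %s" % (
        name, _check(event_types, SUPPORTED_EVENTS, "eventType"),
        _check(outcomes, KNOWN_OUTCOMES, "outcome"))


def factory_args(unique_name, class_name, filter_refs, provider, custom=None):
    """Argument string for AdminTask.createAuditEventFactory."""
    required = {"uniqueName": unique_name, "className": class_name,
                "auditFilters": filter_refs, "provider": provider}
    missing = [k for k in sorted(required) if not required[k]]
    if missing:
        raise ValueError("missing required parameter(s): %s" % ", ".join(missing))
    # -auditFilters takes a quoted "reference, reference, reference" list.
    args = '-uniqueName %s -className %s -auditFilters "%s" -provider %s' % (
        unique_name, class_name, ", ".join(filter_refs), provider)
    if custom:  # optional, formatted as attribute=value,attribute=value
        args += " -customProperties %s" % ",".join(
            ["%s=%s" % (k, custom[k]) for k in sorted(custom)])
    return args
```

Inside a wsadmin session, pass the returned strings to AdminTask.createAuditFilter and AdminTask.createAuditEventFactory, then call AdminConfig.save().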
Configure the audit service provider.