pki.git/base/kra/shared/conf, branch master Unnamed repository; edit this file 'description' to name the repository. Encapsulate server side keygen audit events 2017-05-25T14:40:47+00:00 Ade Lee alee@redhat.com 2017-05-25T03:42:41+00:00 2a947446b81d21758ffadbae905a49e8c4e900ef This encapsulates key gen events for the token servlets. Consolidated the success and failure cases. Note that this event can likely later be replaced with security_data_keygen events. Leaving separate for now. Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf 
This encapsulates key gen events for the token servlets.
Consolidated the success and failure cases.  Note that this
event can likely later be replaced with security_data_keygen
events.  Leaving separate for now.

Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
Fix failing audit log 2017-05-24T15:24:17+00:00 Ade Lee alee@redhat.com 2017-05-23T15:12:06+00:00 b9f906eb1f26cf3d82262bc9894785742f451cd9 As currently written, the audit log for completing the cert processing on the KRA will always fail because the cert is not yet issued. The cert is only issued after the key is archived. Basically, though, this particular log is only suppposed to be written to the CA audit log. Rather than adding a subsystem check, the simplest solution is to not expose this event on the KRA. Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643 
As currently written, the audit log for completing the cert
processing on the KRA will always fail because the cert is not
yet issued.  The cert is only issued after the key is archived.

Basically, though, this particular log is only suppposed to be
written to the CA audit log.  Rather than adding a subsystem check,
the simplest solution is to not expose this event on the KRA.

Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643
Fix auditing in retrieveKey 2017-05-23T19:24:51+00:00 Ade Lee alee@redhat.com 2017-05-18T20:05:07+00:00 3027b565320c96857b7f7fdffed9a5fbec084bab The auditing in retrieveKey is all messed up. * Added new audit event to track accesses to KeyInfo queries. They may produce a lot of events, especially if events are generated for every listing of data. By default, this event may be turned off. * Added audit events for generation and processing of key recovery requests. Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182 
The auditing in retrieveKey is all messed up.
* Added new audit event to track accesses to KeyInfo queries.
  They may produce a lot of events, especially if events are
  generated for every listing of data.  By default, this event
  may be turned off.
* Added audit events for generation and processing of key
  recovery requests.

Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
Encapsulate key retrieval audit events 2017-05-23T18:46:23+00:00 Ade Lee alee@redhat.com 2017-05-18T05:27:12+00:00 0df4ba1372e0a5942806fda3b56f0b9ea70c6e05 Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c 
Key retrieval is when the key/secret is extracted and returned
to the client (once the recovery request is approved).  We combine
SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events.

Note: an analysis of the key retrieval rest flow (and the auditing
there will be done in a subsequent patch).

Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
Eliminate async recovery audit events 2017-05-23T18:33:34+00:00 Ade Lee alee@redhat.com 2017-05-17T20:17:30+00:00 f52f5be832e37cc45e665708d3b59d2a3aa04370 There are now many ways to recover keys. From an auditing point of view, its not helpful to distinguish between sync or async requests. So we just use SECURITY_DATA ... Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089 
There are now many ways to recover keys.  From an
auditing point of view, its not helpful to distinguish
between sync or async requests.  So we just use
SECURITY_DATA ...

Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
Encapsulate recovery processed audit events 2017-05-23T18:32:48+00:00 Ade Lee alee@redhat.com 2017-05-17T18:10:37+00:00 58927bc0573769480dd35b564b9791eb086b267e This creates audit events for KEY_RECOVERY_PROCESSED and SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by reducing the logs to the SECURITY_DATA ones. Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb 
This creates audit events for KEY_RECOVERY_PROCESSED and
SECURITY_DATA_RECOVERY_PROCESSED audit logs.  We simplify by
reducing the logs to the SECURITY_DATA ones.

Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
Encapsulate key recovery audit events 2017-05-23T18:32:34+00:00 Ade Lee alee@redhat.com 2017-05-17T03:11:34+00:00 90f6d8ece46d70a3566b97b549efb1053895f407 Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and KEY_RECOVERY_REQUEST audit events as audit event objects. We have collapse to a single audit event type. Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac 
Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and
KEY_RECOVERY_REQUEST audit events as audit event objects.
We have collapse to a single audit event type.

Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
Encapsulate archival processed audit logs 2017-05-23T18:32:11+00:00 Ade Lee alee@redhat.com 2017-05-17T02:16:30+00:00 3a35eceffed65862e66806c20cff3a3b64d75ae8 Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the two audit events. Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7 
Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED.  We have merged the
two audit events.

Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
Encapsulate the archival audit log 2017-05-23T18:31:54+00:00 Ade Lee alee@redhat.com 2017-05-16T21:29:45+00:00 1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is alreadty logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2 
This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and
PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.

The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the
SECURITY_DATA ones to simplify the whole structure.  They
used to provide an archivalID parameter which was pretty much
meaningless as it was at best just the same as the request id
which is alreadty logged.  So this is now dropped.

Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
Added CLIs to access audit log files. 2017-04-04T20:07:54+00:00 Endi S. Dewata edewata@redhat.com 2017-03-28T19:02:22+00:00 88cd07655268831e14e7cd4f6f6a65e331f86583 New pki audit commands have been added to list and retrieve audit log files. Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5 
New pki audit commands have been added to list and retrieve audit
log files.

Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5