author | Ade Lee <alee@redhat.com> | 2013-10-03 12:58:34 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2013-10-07 22:17:04 -0400 |
commit | 99def3060c7c59ea5727a5555adb7b4af3fc4887 (patch) | |
tree | 2c239f6e56451bb174f9cdbccfec7439eb9183a3 /base/common/src | |
parent | f2a85c09689cb09e6a0996125c112552599c717c (diff) | |
Add audit logging for new security data operations in kra
Ticket 97
Diffstat (limited to 'base/common/src')
3 files changed, 135 insertions, 13 deletions
diff --git a/base/common/src/LogMessages.properties b/base/common/src/LogMessages.properties index 67ca36957..aacd7fc61 100644 --- a/base/common/src/LogMessages.properties +++ b/base/common/src/LogMessages.properties @@ -2013,6 +2013,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=<type=SERVER # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made # +# # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC # - used when asynchronous key recovery request is made # RequestID must be the recovery request ID @@ -2030,6 +2031,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=<type=KEY_RECOVERY_REQUEST_ASY # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login # +# # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED # - used when key recovery request is processed # RecoveryID must be the recovery request ID 
@@ -2383,7 +2385,54 @@ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[Aud # separated by + (if more than one name;;value pair) of config params changed # LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update - +# +# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED +# - used when user security data archive request is processed +# this is when DRM receives and processed the request +# Client ID must be the user supplied client ID associated with +# the security data to be archived +# +LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientID={3}][KeyID={4}][FailureReason={5}] security data archival request processed +# +# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST +# - used when security data recovery request is made +# RecoveryID must be the recovery request ID +# CientID is the ID of the security data to be archived +# +LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientID={3}] security data archival request made +# +# +# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED +# - used when security data recovery request is processed +# RecoveryID must be the recovery request ID +# KeyID is the ID of the security data being requested to be recovered +# +LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}] security data recovery request processed +# +# +# 
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST +# - used when security data recovery request is made +# RecoveryID must be the recovery request ID +# DataID is the ID of the security data to be recovered +# +LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}] security data recovery request made +# +# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE +# - used when DRM agents login as recovery agents to change +# the state of key recovery requests +# RecoveryID must be the recovery request ID +# Operation is the operation performed (approve, reject, cancel etc.) +# +LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change +# +# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY +# - used when user attempts to retrieve key after the recovery request +# has been approved. +# +# RecoveryID must be the recovery request ID +# Operation is the operation performed (approve, reject, cancel etc.) +# +LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5=<type=SECURITY_DATA_RETRIEVE_KEY>:[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}] security data retrieval request ########################### #Unselectable signedAudit Events diff --git a/base/common/src/com/netscape/cms/servlet/key/KeyService.java b/base/common/src/com/netscape/cms/servlet/key/KeyService.java index 2aba7ab40..f642417e2 100644 --- a/base/common/src/com/netscape/cms/servlet/key/KeyService.java +++ b/base/common/src/com/netscape/cms/servlet/key/KeyService.java 
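Review bot: Several of the new comment blocks do not describe the message that follows them, which matters because these comments are the only field documentation an audit reviewer has. The block for `LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST` says `used when security data recovery request is made` and documents `RecoveryID`, while the template emits `ArchivalRequestID` and `ClientID` (also spelled `CientID` in the comment). The block above `LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4` is headed `LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE`. The `SECURITY_DATA_RETRIEVE_KEY` block documents an `Operation` field where the template has `KeyID` and `FailureReason`. I would correct each header and field list to match its template, e.g. `# - used when security data archival request is made` and `# ArchivalRequestID must be the archival request ID`.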
@@ -48,6 +48,7 @@ import com.netscape.certsrv.key.KeyRecoveryRequest; import com.netscape.certsrv.key.KeyRequestInfo; import com.netscape.certsrv.key.KeyResource; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.request.RequestId; @@ -73,13 +74,16 @@ public class KeyService extends PKIService implements KeyResource { @Context private HttpServletRequest servletRequest; - public static final int DEFAULT_MAXRESULTS = 100; - public static final int DEFAULT_MAXTIME = 10; - private IKeyRepository repo; private IKeyRecoveryAuthority kra; private IRequestQueue queue; + private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; + + public static final int DEFAULT_MAXRESULTS = 100; + public static final int DEFAULT_MAXTIME = 10; + public KeyService() { kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); repo = kra.getKeyRepository(); @@ -94,17 +98,21 @@ public class KeyService extends PKIService implements KeyResource { public KeyData retrieveKey(KeyRecoveryRequest data) { // auth and authz KeyId keyId = validateRequest(data); + RequestId requestID = data.getRequestId(); KeyData keyData; try { keyData = getKey(keyId, data); } catch (EBaseException e) { e.printStackTrace(); + auditRetrieveKey(ILogger.FAILURE, requestID, keyId, e.getMessage()); throw new PKIException(e.getMessage()); } if (keyData == null) { // no key record + auditRetrieveKey(ILogger.FAILURE, requestID, keyId, "No key record"); throw new HTTPGoneException("No key record."); } + auditRetrieveKey(ILogger.SUCCESS, requestID, keyId, "None"); return keyData; } 
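Review bot: The `catch (EBaseException e)` branch in retrieveKey records a FAILURE event for every exception coming out of getKey, but the hunks at @@ -138 and @@ -160 already call auditRetrieveKey immediately before throwing EBaseException (the first message names getKey; the second appears to be in the same method), so one failed retrieval would produce two audit records with different reasons. Keeping the audit call in one place, for instance dropping the two calls before those throws and relying on the catch, gives one event per attempt. The catch also passes `e.getMessage()` straight into the FailureReason field; if that text can contain `[` or `]` a log parser could read it as extra fields, so a fixed reason string or a sanitised message is safer. Whether CMS.getLogMessage escapes its arguments is not visible here.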
@@ -138,6 +146,7 @@ public class KeyService extends PKIService implements KeyResource { request.getRequestId()); if(requestParams == null) { + auditRetrieveKey(ILogger.FAILURE, rId, keyId, "cannot obtain volatile requestParams"); throw new EBaseException("Can't obtain Volatile requestParams in getKey!"); } @@ -160,9 +169,10 @@ public class KeyService extends PKIService implements KeyResource { nonceData = data.getNonceData(); if (transWrappedSessionKey == null) { - //There must be at least a transWrappedSessionKey input provided. - //The command AND the request have provided insufficient data, end of the line. - throw new EBaseException("Can't retrieve key, insufficient input data!"); + //There must be at least a transWrappedSessionKey input provided. + //The command AND the request have provided insufficient data, end of the line. + auditRetrieveKey(ILogger.FAILURE, rId, keyId, "insufficient input data"); + throw new EBaseException("Can't retrieve key, insufficient input data!"); } if (sessionWrappedPassphrase != null) { @@ -217,6 +227,7 @@ public class KeyService extends PKIService implements KeyResource { // confirm request exists RequestId reqId = data.getRequestId(); if (reqId == null) { + auditRetrieveKey(ILogger.FAILURE, null, null, "Request id not found"); // log error throw new BadRequestException("Request id not found."); } @@ -224,6 +235,7 @@ public class KeyService extends PKIService implements KeyResource { // confirm that at least one wrapping method exists // There must be at least the wrapped session key method. if ((data.getTransWrappedSessionKey() == null)) { + auditRetrieveKey(ILogger.FAILURE, reqId, null, "No wrapping method found"); // log error throw new BadRequestException("No wrapping method found."); } 
@@ -233,11 +245,13 @@ public class KeyService extends PKIService implements KeyResource { try { reqInfo = reqDAO.getRequest(reqId, uriInfo); } catch (EBaseException e1) { + auditRetrieveKey(ILogger.FAILURE, reqId, null, "failed to get request"); // failed to get request e1.printStackTrace(); throw new PKIException(e1.getMessage()); } if (reqInfo == null) { + auditRetrieveKey(ILogger.FAILURE, reqId, null, "no request info available"); // request not found throw new HTTPGoneException("No request information available."); } @@ -245,6 +259,7 @@ public class KeyService extends PKIService implements KeyResource { //confirm request is of the right type String type = reqInfo.getRequestType(); if (!type.equals(IRequest.SECURITY_DATA_RECOVERY_REQUEST)) { + auditRetrieveKey(ILogger.FAILURE, reqId, null, "invalid request type"); // log error throw new BadRequestException("Invalid request type"); } @@ -255,8 +270,9 @@ public class KeyService extends PKIService implements KeyResource { // confirm request is in approved state RequestStatus status = reqInfo.getRequestStatus(); if (!status.equals(RequestStatus.APPROVED)) { + auditRetrieveKey(ILogger.FAILURE, reqId, null, "recovery request not approved"); // log error - throw new UnauthorizedException("Unauthorized request."); + throw new UnauthorizedException("Unauthorized request. Recovery request not approved."); } return reqInfo.getKeyId(); @@ -342,4 +358,15 @@ public class KeyService extends PKIService implements KeyResource { return filter; } + + public void auditRetrieveKey(String status, RequestId requestID, KeyId keyID, String reason) { + String msg = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY, + servletRequest.getUserPrincipal().getName(), + status, + requestID != null ? requestID.toString(): "null", + keyID != null ? keyID.toString(): "null", + reason); + auditor.log(msg); + } } 
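Review bot: The failure events in validateRequest always pass `null` for the key ID, including the `invalid request type` branch in the @@ -245 hunk and the `recovery request not approved` branch in the @@ -255 hunk, where `reqInfo` has already been checked for null and the method later returns `reqInfo.getKeyId()`. Recording the key in those two records, e.g. `auditRetrieveKey(ILogger.FAILURE, reqId, reqInfo.getKeyId(), "recovery request not approved");`, lets an auditor see which stored secret a rejected retrieval was aimed at. validateRequest begins before these hunks, so its earlier branches are only partly visible.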
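Review bot: `servletRequest.getUserPrincipal().getName()` in auditRetrieveKey throws a NullPointerException when the request carries no authenticated principal, and because the helper is called right before each `throw`, that would replace the intended BadRequestException or PKIException and leave no audit record at all. Whether an unauthenticated request can reach this resource is not visible in the diff, but a guard is cheap: `java.security.Principal p = servletRequest.getUserPrincipal();` followed by `String subjectID = (p != null) ? p.getName() : ILogger.UNIDENTIFIED;`. The same expression appears in the three helpers added to KeyRequestService. The helper is also declared `public` on the resource class, where `private` would match how it is used.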
diff --git a/base/common/src/com/netscape/cms/servlet/request/KeyRequestService.java b/base/common/src/com/netscape/cms/servlet/request/KeyRequestService.java index fce3e879e..8db16b51f 100644 --- a/base/common/src/com/netscape/cms/servlet/request/KeyRequestService.java +++ b/base/common/src/com/netscape/cms/servlet/request/KeyRequestService.java @@ -29,11 +29,13 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.BadRequestException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.PKIException; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.key.KeyArchivalRequest; import com.netscape.certsrv.key.KeyRecoveryRequest; import com.netscape.certsrv.key.KeyRequestInfo; import com.netscape.certsrv.key.KeyRequestInfos; import com.netscape.certsrv.key.KeyRequestResource; +import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestNotFoundException; import com.netscape.cms.servlet.base.PKIService; @@ -58,6 +60,15 @@ public class KeyRequestService extends PKIService implements KeyRequestResource @Context private HttpServletRequest servletRequest; + private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; + + private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4"; + + private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; + public static final int DEFAULT_START = 0; public static final int DEFAULT_PAGESIZE = 20; public static final int DEFAULT_MAXRESULTS = 100; 
@@ -104,9 +115,10 @@ public class KeyRequestService extends PKIService implements KeyRequestResource KeyRequestInfo info; try { info = dao.submitRequest(data, uriInfo); + auditArchivalRequestMade(info.getRequestId(), ILogger.SUCCESS, data.getClientId()); } catch (EBaseException e) { - // TODO Auto-generated catch block e.printStackTrace(); + auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientId()); throw new PKIException(e.toString()); } return info; @@ -137,9 +149,10 @@ public class KeyRequestService extends PKIService implements KeyRequestResource KeyRequestInfo info; try { info = dao.submitRequest(data, uriInfo); + auditRecoveryRequestMade(info.getRequestId(), ILogger.SUCCESS, data.getKeyId()); } catch (EBaseException e) { - // TODO Auto-generated catch block e.printStackTrace(); + auditRecoveryRequestMade(null, ILogger.FAILURE, data.getKeyId()); throw new PKIException(e.toString()); } return info; @@ -153,9 +166,10 @@ public class KeyRequestService extends PKIService implements KeyRequestResource KeyRequestDAO dao = new KeyRequestDAO(); try { dao.approveRequest(id); + auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve"); } catch (EBaseException e) { - // TODO Auto-generated catch block e.printStackTrace(); + auditRecoveryRequestChange(id, ILogger.FAILURE, "approve"); throw new PKIException(e.toString()); } } @@ -168,9 +182,10 @@ public class KeyRequestService extends PKIService implements KeyRequestResource KeyRequestDAO dao = new KeyRequestDAO(); try { dao.rejectRequest(id); + auditRecoveryRequestChange(id, ILogger.SUCCESS, "reject"); } catch (EBaseException e) { - // TODO Auto-generated catch block e.printStackTrace(); + auditRecoveryRequestChange(id, ILogger.FAILURE, "reject"); throw new PKIException(e.toString()); } } 
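Review bot: Only the `EBaseException` path writes a FAILURE event, so an unchecked exception out of `dao.submitRequest(data, uriInfo)` would end the operation with no audit record; the same holds for `approveRequest`, `rejectRequest` and `cancelRequest` in the @@ -153, @@ -168 and @@ -183 hunks. The SUCCESS call also sits inside the `try`, so an unchecked exception raised while building the audit message surfaces as an error to the client after the request has already been stored. Moving the success call below the `try`/`catch`, and adding a handler that audits FAILURE and rethrows for unchecked exceptions, would close both gaps. The same shape is repeated in the @@ -137 hunk.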
@@ -183,9 +198,10 @@ public class KeyRequestService extends PKIService implements KeyRequestResource KeyRequestDAO dao = new KeyRequestDAO(); try { dao.cancelRequest(id); + auditRecoveryRequestChange(id, ILogger.SUCCESS, "cancel"); } catch (EBaseException e) { - // TODO Auto-generated catch block e.printStackTrace(); + auditRecoveryRequestChange(id, ILogger.FAILURE, "cancel"); throw new PKIException(e.toString()); } } @@ -248,4 +264,34 @@ public class KeyRequestService extends PKIService implements KeyRequestResource return filter; } + + public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) { + String msg = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE, + servletRequest.getUserPrincipal().getName(), + status, + requestId.toString(), + operation); + auditor.log(msg); + } + + public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { + String msg = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST, + servletRequest.getUserPrincipal().getName(), + status, + requestId != null? requestId.toString(): "null", + dataId.toString()); + auditor.log(msg); + } + + public void auditArchivalRequestMade(RequestId requestId, String status, String clientId) { + String msg = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST, + servletRequest.getUserPrincipal().getName(), + status, + requestId != null? requestId.toString(): "null", + clientId); + auditor.log(msg); + } } |
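Review bot: auditRecoveryRequestChange calls `requestId.toString()` and auditRecoveryRequestMade calls `dataId.toString()` without the null check that the neighbouring arguments get. `dataId` comes from `data.getKeyId()` on the submitted request, so if a client omits it (not verifiable from this diff) the NullPointerException is raised inside the `catch` block of the @@ -137 hunk and hides the original error without logging the failure. Using the pattern already applied to the other arguments, `dataId != null ? dataId.toString() : "null"` and `requestId != null ? requestId.toString() : "null"`, keeps the audit path from failing. `clientId` in auditArchivalRequestMade is described in LogMessages.properties as user supplied and is written into the record unmodified, so it is worth confirming that bracket characters in it cannot be mistaken for additional fields.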