authorChristina Fu <cfu@redhat.com>2016-01-21 11:58:03 -0800
committerChristina Fu <cfu@redhat.com>2016-02-15 15:56:26 -0800
commit4e948d6ab69f19f5ee705ca168e7813c14d36f10 (patch)
tree708e500dd0aba7f5620443ae64d04f451d8774c0 /base/server/cmsbundle/src
parentae975289fcd669e122589cfd1a7c82e0b28f733e (diff)
Ticket #1007 TPS audit events
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS, TOKEN_APPLET_UPGRADE_FAILURE, TOKEN_CERT_ENROLLMENT, TOKEN_CERT_RENEWAL, TOKEN_CERT_RETRIEVAL, TOKEN_KEY_RECOVERY, TOKEN_CERT_STATUS_CHANGE_REQUEST, TOKEN_OP_REQUEST, TOKEN_FORMAT_SUCCESS, TOKEN_FORMAT_FAILURE, TOKEN_KEY_CHANGEOVER, TOKEN_KEY_CHANGEOVER_FAILURE, TOKEN_PIN_RESET_SUCCESS, TOKEN_PIN_RESET_FAILURE, TOKEN_STATE_CHANGE, TOKEN_AUTH_SUCCESS, TOKEN_AUTH_FAILURE. Administrative auditing (via the REST interface) will be covered in a separate ticket.
Diffstat (limited to 'base/server/cmsbundle/src')
-rw-r--r--base/server/cmsbundle/src/LogMessages.properties88
1 files changed, 74 insertions, 14 deletions
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index e0e926ccb..9dcfa1a9a 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2541,13 +2541,26 @@ LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6=<type=ASYMKEY_GENERATION_RE
#
# LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT
# - used for TPS when token certificate enrollment request is made
+# - Info is normally used to store more info in case of failure
#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[[AuditEvent=TOKEN_CERT_ENROLLMENT][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}][Serial={7}][CA_ID={8}] token certificate enrollment request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
#
# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL
# - used for TPS when token certificate renewal request is made
+# - Info is normally used to store more info in case of failure
#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent=TOKEN_CERT_RENEWAL][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}][Serial={7}][CA_ID={8}] token certificate renewal request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL
+# - used for TPS when token certificate retrieval request is made;
+# usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+#
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+# - used for TPS when token certificate key recovery request is made
+#
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
#
# LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST
# - used when a token certificate status change request (e.g. revocation)
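Review bot: All four formats in this hunk open with `[[AuditEvent=` and never close the extra bracket; the new TOKEN_CERT_RETRIEVAL and TOKEN_KEY_RECOVERY lines copy it from the existing enrollment and renewal entries, while the TOKEN_* formats in the next hunk use a single `[`. Anything that splits the signed audit log into bracketed fields has to special-case these events, so I would start each value as `<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}]` and likewise for the other three. Separately, TOKEN_CERT_ENROLLMENT_9 and TOKEN_CERT_RENEWAL_9 keep their key names and argument count while `{0}` to `{8}` change meaning (IP is now `{0}`, MSN and AppletVersion are dropped, Info is `{8}`). A call site that was missed would still format without error and record SubjectID under IP, and since the callers are outside this path-limited diff they should be checked against the new order.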
@@ -2556,23 +2569,70 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent
# CertSerialNum must be the serial number (in hex) of the certificate to be revoked
# RequestType must be "revoke", "on-hold", "off-hold"
#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_7=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][SubjectID={0}][Outcome={1}][tokenType={2}][CUID={3}][CertSerialNum={4}][RequestType={5}][CA_ID={6}] token certificate revocation/unrevocation request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
#
-# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_REQUEST
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS
# - used when token pin reset request is made
-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_REQUEST_7=<type=TOKEN_PIN_RESET_REQUEST>:[AuditEvent=TOKEN_PIN_RESET_REQUEST][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}] token pin reset request made
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6=<type=TOKEN_PIN_RESET_SUCCESS>:[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE
+# - used when token pin reset request failed
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6=<type=TOKEN_PIN_RESET_FAILURE>:[AuditEvent=TOKEN_PIN_RESET_FAILURE][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST
+# - used when token op request made
+# - OP can be "format", "enroll", or "pinReset"
+LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token op request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS
+# - used when token format op succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9=<type=TOKEN_FORMAT_SUCCESS>:[AuditEvent=TOKEN_FORMAT_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE
+# - used when token format op failed
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9=<type=TOKEN_FORMAT_FAILURE>:[AuditEvent=TOKEN_FORMAT_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format failure
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
+# - used when token apple upgrade succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9=<type=TOKEN_APPLET_UPGRADE_SUCCESS>:[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE
+# - used when token apple upgrade failed
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9=<type=TOKEN_APPLET_UPGRADE_FAILURE>:[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure
#
-# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_REQUEST
-# - used when token format request is made
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_REQUEST_7=<type=TOKEN_FORMAT_REQUEST>:[AuditEvent=TOKEN_FORMAT_REQUEST][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}] token format request made
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
+# - used when token key changeover is required
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
#
-# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE
-# - used when token apple upgrade occurs
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_8=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}] token applet upgrade
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS
+# - used when token key changeover succeeded
+# - Info usually is unused for success
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10=<type=TOKEN_KEY_CHANGEOVER_SUCCESS>:[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE
+# - used when token key changeover failed
+# - Info is used for storing more info in case of failure
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10=<type=TOKEN_KEY_CHANGEOVER_FAILURE>:[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
+# - used when authentication failed
+# Outcome should always be "failure" in this event
+# (obviously, if authentication failed, you won't have a valid SubjectID, so
+# in this case, AttemptedID is recorded)
+# AuthMgr must be the authentication manager instance name that did
+# this authentication
+#
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9=<type=TOKEN_AUTH_FAILURE>:[AuditEvent=TOKEN_AUTH_FAILURE][IP={0}][AttemptedID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS
+# - used when authentication succeeded
+# Outcome should always be "success" in this event
+# AuthMgr must be the authentication manager instance name that did
+# this authentication
#
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER
-# - used when token applet upgrade occurs
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_8=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][oldKeyVersion={6}][newKeyVersion={7}] token key changeover
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9=<type=TOKEN_AUTH_SUCCESS>:[AuditEvent=TOKEN_AUTH_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication success
#
# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL
# - used when configuring general TPS
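Review bot: TOKEN_AUTH_FAILURE writes `[AttemptedID={1}]`, an identifier that has not been authenticated, and most of the new events add a free-text `[Info={n}]`, into a record whose fields are delimited only by `[`, `]` and the line end. The format strings cannot enforce anything, so unless the call sites (not visible in this diff) neutralise those characters, such a value could add or split fields in the signed audit log. I would state the requirement next to the events, e.g. `# AttemptedID and Info values must have '[', ']', CR and LF escaped by the caller`. Two comments also need correcting: TOKEN_PIN_RESET_SUCCESS still says `used when token pin reset request is made` and should read `# - used when token pin reset succeeded`, and `token apple upgrade` should be `token applet upgrade` in both APPLET_UPGRADE comments.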