diff options
Diffstat (limited to 'pki/base/tps/src/include/engine')
-rw-r--r-- | pki/base/tps/src/include/engine/RA.h | 34 | ||||
-rw-r--r-- | pki/base/tps/src/include/engine/audit.h | 52 |
2 files changed, 80 insertions, 6 deletions
diff --git a/pki/base/tps/src/include/engine/RA.h b/pki/base/tps/src/include/engine/RA.h index c18acace0..cd75e3d0f 100644 --- a/pki/base/tps/src/include/engine/RA.h +++ b/pki/base/tps/src/include/engine/RA.h @@ -44,6 +44,7 @@ #include "main/Buffer.h" #include "main/PublishEntry.h" #include "main/AuthenticationEntry.h" +#include "main/LogFile.h" #include "authentication/Authentication.h" #include "apdu/APDU.h" #include "main/RA_Context.h" @@ -144,6 +145,14 @@ class RA TPS_PUBLIC static void Error(RA_Log_Level level, const char *func_name, const char *fmt, ...); TPS_PUBLIC static void Debug(RA_Log_Level level, const char *func_name, const char *fmt, ...); static void DebugBuffer(RA_Log_Level level, const char *func_name, const char *prefix, Buffer *buf); + TPS_PUBLIC static void FlushAuditLogBuffer(); + TPS_PUBLIC static void SignAuditLog(NSSUTF8 *msg); + TPS_PUBLIC static char *GetAuditSigningMessage(NSSUTF8 *msg); + TPS_PUBLIC static void SetFlushInterval(int interval); + TPS_PUBLIC static void SetBufferSize(int size); + static void RunFlushThread(void *arg); + TPS_PUBLIC static int setup_audit_log(bool enable_signing, bool signing_changed); + TPS_PUBLIC static void enable_audit_logging(bool enable); private: static void AuditThis(RA_Log_Level level, const char *func_name, const char *fmt, va_list ap); static void ErrorThis(RA_Log_Level level, const char *func_name, const char *fmt, va_list ap); @@ -206,6 +215,7 @@ class RA static HttpConnection *GetDRMConn(const char *id); static void ReturnDRMConn(HttpConnection *conn); static int GetCurrentIndex(HttpConnection *conn); + static LogFile* GetLogFile(const char *log_type); public: @@ -216,8 +226,8 @@ class RA TPS_PUBLIC static PRLock *GetAuthLock(); TPS_PUBLIC static void IncrementAuthCurrentIndex(int len); TPS_PUBLIC static void update_signed_audit_selected_events(char *new_selected); - TPS_PUBLIC static void update_signed_audit_enable(char *enable); - TPS_PUBLIC static void update_signed_audit_logging_enable(char *enable); + TPS_PUBLIC static void update_signed_audit_enable(const char *enable); + TPS_PUBLIC static void update_signed_audit_log_signing(const char *enable); static void SetGlobalSecurityLevel(SecurityLevel sl); static SecurityLevel GetGlobalSecurityLevel(); @@ -253,6 +263,15 @@ class RA static const char *CFG_ERROR_FILENAME; static const char *CFG_CHANNEL_SEC_LEVEL; static const char *CFG_CHANNEL_ENCRYPTION; + static const char *CFG_AUDIT_BUFFER_SIZE; + static const char *CFG_AUDIT_FLUSH_INTERVAL; + static const char *CFG_AUDIT_FILE_TYPE; + static const char *CFG_DEBUG_FILE_TYPE; + static const char *CFG_ERROR_FILE_TYPE; + static const char *CFG_AUDIT_PREFIX; + static const char *CFG_DEBUG_PREFIX; + static const char *CFG_ERROR_PREFIX; + static const char *CFG_AUTHS_ENABLE; static const char *CFG_AUTHS_CURRENTIMPL; @@ -284,7 +303,7 @@ class RA static PRLock *m_pod_lock; static PRLock *m_auth_lock; static PRLock *m_error_log_lock; - static PRLock *m_audit_log_lock; + static PRMonitor *m_audit_log_monitor; static PRLock *m_debug_log_lock; static int m_audit_log_level; static int m_debug_log_level; @@ -297,6 +316,12 @@ class RA TPS_PUBLIC static char *m_signedAuditSelectedEvents; TPS_PUBLIC static char *m_signedAuditSelectableEvents; TPS_PUBLIC static char *m_signedAuditNonSelectableEvents; + static char *m_audit_log_buffer; + static PRThread *m_flush_thread; + static size_t m_bytes_unflushed; + static size_t m_buffer_size; + static int m_flush_interval; + static HttpConnection* m_caConnection[]; static HttpConnection* m_tksConnection[]; static int m_caConns_len; @@ -308,6 +333,7 @@ class RA static PublisherEntry *publisher_list; static int m_num_publishers; + static RA_Context *m_ctx; static PublisherEntry *getPublisherById(const char *publisher_id); @@ -315,7 +341,7 @@ class RA static int InitializeHttpConnections(const char *id, int *len, HttpConnection **conn, RA_Context *ctx); static void CleanupPublishers(); static int Failover(HttpConnection *&conn, int len); - + }; #endif /* RA_H */ diff --git a/pki/base/tps/src/include/engine/audit.h b/pki/base/tps/src/include/engine/audit.h index 20b5efcb7..647c14e85 100644 --- a/pki/base/tps/src/include/engine/audit.h +++ b/pki/base/tps/src/include/engine/audit.h @@ -24,6 +24,40 @@ #define AUDIT_SIG_MSG_FORMAT "[%s] %x [AuditEvent=%s][SubjectID=%s][Outcome=%s] signature of audit buffer just flushed: sig: %s" #define AUDIT_MSG_FORMAT "[SubjectID=%s][Outcome=%s] %s" + +// for EV_ROLE_ASSUME +#define AUDIT_MSG_ROLE "[SubjectID=%s][Role=%s][Outcome=%s] %s" + +// for EV_CONFIG, EV_CONFIG_ROLE, EV_CONFIG_TOKEN, EV_CONFIG_PROFILE, EV_CONFIG_AUDIT +/* + ParamNameValPairs must be a name;;value pair + (where name and value are separated by the delimiter ;;) + separated by + (if more than one name;;value pair) of config params changed + Object which identifies the object being modified has the same format name;;value eg. tokenid;;12345 +*/ +#define AUDIT_MSG_CONFIG "[SubjectID=%s][Role=%s][Outcome=%s][Object=%s][ParamNameValPairs=%s] %s" + +// for EV_APPLET_UPGRADE; note: "op" is operation such as "format," "enrollment" +#define AUDIT_MSG_APPLET_UPGRADE "[SubjectID=%s][CUID=%s][MSN=%s][Outcome=%s][op=%s][KeyVersion=%s][OldAppletVersion=%s][NewAppletVersion=%s] %s" + +// for EV_KEY_CHANGEOVER; note: "op" is operation such as "format," "enrollment," "pinReset," "renewal" +#define AUDIT_MSG_KEY_CHANGEOVER "[SubjectID=%s][CUID=%s][MSN=%s][Outcome=%s][op=%s][AppletVersion=%s][OldKeyVersion=%s][NewKeyVersion=%s] %s" + +// for EV_AUTH_SUCCESS and EV_AUTH_FAIL +#define AUDIT_MSG_AUTH "[SubjectID=%s][AuthID=%s][Outcome=%s] %s" + +// for EV_AUTHZ_SUCCESS and EV_AUTHZ_FAIL +#define AUDIT_MSG_AUTHZ "[SubjectID=%s][op=%s][Outcome=%s] %s" + +// for op's EV_FORMAT, EV_ENROLLMENT, EV_PIN_RESET, EV_RENEWAL +#define AUDIT_MSG_PROC "[SubjectID=%s][CUID=%s][MSN=%s][Outcome=%s][op=%s][AppletVersion=%s][KeyVersion=%s] %s" + +// for op's EV_ENROLLMENT and EV_RENEWAL. +#define AUDIT_MSG_PROC_CERT_REQ "[SubjectID=%s][CUID=%s][MSN=%s][Outcome=%s][op=%s][AppletVersion=%s][KeyVersion=%s][Serial=%s][CA_ID=%s] %s" + +// op is either "revoke" or "unrevoke" +#define AUDIT_MSG_CERT_STATUS_CHANGE "[SubjectID=%s][Outcome=%s][op=%s][Serial=%s][CA_ID=%s] %s" + /* * Audit events definitions */ @@ -33,9 +67,23 @@ #define EV_ENROLLMENT "ENROLLMENT" #define EV_PIN_RESET "PIN_RESET" #define EV_FORMAT "FORMAT" -#define EV_UPGRADE "UPGRADE" #define EV_AUTHZ_FAIL "AUTHZ_FAIL" #define EV_AUTHZ_SUCCESS "AUTHZ_SUCCESS" -// ... to be continued ... + +// config operations from the TUS interface +#define EV_CONFIG "CONFIG" // for config operations not specifically defined below +#define EV_CONFIG_ROLE "CONFIG_ROLE" +#define EV_CONFIG_TOKEN "CONFIG_TOKEN" +#define EV_CONFIG_PROFILE "CONFIG_PROFILE" +#define EV_CONFIG_AUDIT "CONFIG_AUDIT" + +#define EV_APPLET_UPGRADE "APPLET_UPGRADE" +#define EV_KEY_CHANGEOVER "KEY_CHANGEOVER" + +#define EV_RENEWAL "RENEWAL" + +// authentication for both user login for token ops and role user login (this is different from EV_AUTHZ which is for role authorization) +#define EV_AUTH_SUCCESS "AUTH_SUCCESS" +#define EV_AUTH_FAIL "AUTH_FAIL" #endif //AUDIT_H |