Before enabling security auditing, use this task to configure
event filters using the wsadmin tool. Security auditing provides tracking
and archiving of auditable events.
Before you begin
Before configuring security auditing filters, enable administrative
security in your environment.
About this task
Before configuring an audit event factory and audit service
provider, configure event filters. The audit service provider writes
audit records to the back end repository associated with the provider
implementation. The audit event factory generates security events.
Event filters specify which event types and outcomes the system audits
and records. Each event type has up to seven possible outcomes, including
success, failure, denied, error, warning, info, and redirect. The
security auditing configuration provides four default filters. Use
this topic to customize your security auditing subsystem by creating
additional audit event filters.
Use the following steps to configure
your security auditing subsystem using the wsadmin tool:
Procedure
- Launch the wsadmin scripting tool using the Jython scripting
language. See the Starting the wsadmin scripting client article for
more information.
- Configure event filters. You can use the default event
filters or use this step to create additional filters to customize
your security auditing configuration.
Table 1. Provided event filters. The application
server provides the following event filters by default in the audit.xml template
file:

| Event Name | Outcome of event |
|---|---|
| SECURITY_AUTHN | SUCCESS |
| SECURITY_AUTHN | DENIED |
| SECURITY_RESOURCE_ACCESS | SUCCESS |
| SECURITY_AUTHN | REDIRECT |

You can configure additional audit event types to capture
various events. Use the following command to list all supported auditable
events:
print AdminTask.getSupportedAuditEvents()
Use the createAuditFilter command with the -name, -eventType, and -outcome
parameters to enable one or multiple audit events and outcomes. You
can specify multiple event types and multiple outcomes separated by
a comma with one command invocation.
Table 2. Event types. The following list describes each
valid auditable event that you can specify with the -eventType parameter:

| Event name | Description |
|---|---|
| SECURITY_AUTHN | Audits all authentication events |
| SECURITY_AUTHN_MAPPING | Audits events that record mapping of credentials where two user identities are involved |
| SECURITY_AUTHZ | Audits events related to authorization checks when the system enforces access control policies |
| SECURITY_MGMT_AUDIT | Audits events that record operations related to the audit subsystem such as starting audit, stopping audit, turning audit on or off, changing configuration of audit filters or level, archiving audit data, purging audit data, and so on. |
| SECURITY_RESOURCE_ACCESS | Audits events that record all accesses to a resource. Examples are all accesses to a file, all HTTP requests and responses to a given web page, and all accesses to a critical database table |
| SECURITY_AUTHN_DELEGATION | Audits events that record delegation, including identity assertion, RunAs, and low assertion. Used when the client identity is propagated or when delegation involves the use of a special identity. This event type is also used when switching user identities within a given session. |

For each audit event type, you must specify an outcome. Valid
outcomes include SUCCESS, FAILURE, REDIRECT, ERROR, DENIED, WARNING,
and INFO. The following command example creates an audit filter to
log users who receive an error when modifying credentials:
AdminTask.createAuditFilter('-name myUniqueName -eventType SECURITY_RESOURCE_ACCESS,SECURITY_AUTHN_DELEGATION -outcome ERROR,REDIRECT')
- Save your configuration changes.
Use the following command example to save your configuration
changes:
AdminConfig.save()
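
The procedure above can be scripted so that a mistyped event type or outcome is caught before createAuditFilter is invoked. The following is an added example, not code from the original topic or from the product: the helper names (build_filter_args, new_pairs, create_filter) are hypothetical, and new_pairs assumes that a filter audits every listed event type with every listed outcome, which this topic does not state.

```python
# Added example: works in wsadmin (Jython) and in plain Python for dry runs.
# Event types from Table 2 and outcomes as listed in this topic.
EVENT_TYPES = ("SECURITY_AUTHN", "SECURITY_AUTHN_MAPPING", "SECURITY_AUTHZ",
               "SECURITY_MGMT_AUDIT", "SECURITY_RESOURCE_ACCESS",
               "SECURITY_AUTHN_DELEGATION")
OUTCOMES = ("SUCCESS", "FAILURE", "REDIRECT", "ERROR", "DENIED", "WARNING", "INFO")
# Default filters from Table 1 (audit.xml template).
DEFAULT_FILTERS = (("SECURITY_AUTHN", "SUCCESS"), ("SECURITY_AUTHN", "DENIED"),
                   ("SECURITY_RESOURCE_ACCESS", "SUCCESS"),
                   ("SECURITY_AUTHN", "REDIRECT"))

def _clean(values, allowed, kind):
    """Upper-case, de-duplicate (order kept) and validate a list of names."""
    seen = []
    for v in values:
        v = v.strip().upper()
        if v not in allowed:
            raise ValueError("unknown %s: %r" % (kind, v))
        if v not in seen:
            seen.append(v)
    if not seen:
        raise ValueError("at least one %s is required" % kind)
    return seen

def build_filter_args(name, event_types, outcomes, supported=EVENT_TYPES):
    """Return the argument string for AdminTask.createAuditFilter.
    Pass a wider 'supported' list if getSupportedAuditEvents reports more."""
    if not name or [c for c in name if c.isspace() or c in "'\""]:
        raise ValueError("filter name must be non-empty, without spaces or quotes")
    events = _clean(event_types, supported, "event type")
    outs = _clean(outcomes, OUTCOMES, "outcome")
    return "-name %s -eventType %s -outcome %s" % (
        name, ",".join(events), ",".join(outs))

def new_pairs(event_types, outcomes):
    """(event, outcome) pairs not already in Table 1. Assumption: a filter
    audits every listed event type with every listed outcome."""
    return [(e, o) for e in _clean(event_types, EVENT_TYPES, "event type")
            for o in _clean(outcomes, OUTCOMES, "outcome")
            if (e, o) not in DEFAULT_FILTERS]

def create_filter(name, event_types, outcomes):
    """Create and save the filter. Call only inside wsadmin, where the
    AdminTask and AdminConfig objects exist."""
    result = AdminTask.createAuditFilter(
        build_filter_args(name, event_types, outcomes))
    AdminConfig.save()
    return result
```

Outside wsadmin, build_filter_args and new_pairs can be used to review a planned filter set; create_filter raises NameError there because AdminTask is not defined.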
What to do next
Enable security auditing in your environment.