
IBM Security Access Manager Version 9.0.6 November 2018: Auditing topics

Contents

Figures
Tables

Chapter 1. Auditing overview

Chapter 2. Overview of Security Access Manager event logging
  Native auditing
  Statistics gathering
  Logging process
  Audit data in UTF-8 format

Chapter 3. Configuring auditing on the appliance

Chapter 4. Native Security Access Manager auditing
  Audit event logging
  Log agents
  Configuring audit events
  Defining logcfg entries
  Disabling resource access events
  Process flow for logcfg logging
  Auditing using logaudit
  WebSEAL HTTP logging
  HTTP log files
  Enabling HTTP logging
  Customizing the HTTP request log
  Process flow for [logging] and logcfg logging
  Sample request.log file
  Sample agent.log file
  Sample referer.log
  Working with statistics
  Using stats commands for statistics
  Using stanza entries for statistics
  Security Access Manager components and activity types
  WebSEAL components and activity types

Chapter 5. Audit events
  XML output of native audit events
  DTD intermediate format
  Data blocks and output elements
  XML output elements
  Action codes for management commands
  Authentication failures
  Elements by event types
  Elements for AUDIT_AUTHN events
  Elements for AUDIT_AUTHN_CREDS_MODIFY events
  Elements for AUDIT_AUTHN_MAPPING events
  Elements for AUDIT_AUTHN_TERMINATE events
  Elements for AUDIT_AUTHZ events
  Elements for AUDIT_COMPLIANCE events
  Elements for AUDIT_DATA_SYNC events
  Elements for AUDIT_MGMT_CONFIG events
  Elements for AUDIT_MGMT_POLICY events
  Elements for AUDIT_MGMT_PROVISIONING events
  Elements for AUDIT_MGMT_REGISTRY events
  Elements for AUDIT_MGMT_RESOURCE events
  Elements for AUDIT_PASSWORD_CHANGE events
  Elements for AUDIT_RESOURCE_ACCESS events
  Elements for AUDIT_RUNTIME events
  Elements for AUDIT_RUNTIME_KEY events
  Elements for AUDIT_WORKFLOW events
  Reference information about elements and element types
  accessDecision element
  accessDecisionReason element
  action element
  appName element
  attributePermissionInfo element
  attributePermissionInfo.attributeNames element
  attributePermissionInfo.checked element
  attributePermissionInfo element
  attributePermissionInfo.granted element
  attributes element
  attributes.name element
  attributes.source
  attributes.value
  auditMsg
  auditMsgElement
  auditTrailId
  authenProvider
  authnType
  authnTypeVersion
  complianceStatus
  endTime
  extensionName
  fixDescription
  fixId
  globalInstanceId
  httpURLInfo element
  HTTPURLInfo.method
  HTTPURLInfo.requestHeaders
  HTTPURLInfo.responseCode
  HTTPURLInfo.responseHeaders
  HTTPURLInfo.url element
  keyLabel
  lifetime
  location
  locationType
  loginTime
  mappedRealm
  mappedSecurityDomain
  mappedUserName
  membershipInfo
  memberships.id element
  memberships.name element
  memberships.type element
  message
  mgmtInfo
  mgmtInfo.command
  mgmtInfo.targetInfo
  originalRealm
  originalSecurityRealm
  originalUserName
  outcome
  outcome.failureReason
  outcome.majorStatus
  outcome.minorStatus
  outcome.result
  partner
  perfInfo
  perfInfo.aggregate
  perfInfo.description
  perfInfo.name element
  perfInfo.maxValue
  perfInfo.minValue
  perfInfo.numDataPoints
  perfInfo.unit element
  perfInfo.value
  permissionInfo
  permissionInfo.checked
  permissionInfo.denied
  permissionInfo.granted
  permissionInfo.J2EERolesChecked
  permissionInfo.J2EERolesGranted
  policyDescription
  policyInfo
  policyInfo.attributes
  policyInfo.branch
  policyInfo.description
  policyInfo.name element
  policyInfo.type element
  policyName
  progName
  provisioningInfo
  provisioningInfo.accountId
  provisioningInfo.resourceId
  provisioningInfo.resourceType
  provisioningTargetInfo
  recommendation
  registryInfo
  registryInfo.serverLocation
  registryInfo.serverLocationType
  registryInfo.serverPort
  registryInfo.type element
  registryObjectInfo
  registryObjectInfo.attributes
  registryObjectInfo.description
  registryObjectInfo.name element
  registryObjectInfo.registryName
  registryObjectInfo.type element
  reporterComponentId
  resourceInfo
  resourceInfo.attributes
  resourceInfo.nameInApp
  resourceInfo.nameInPolicy
  resourceInfo.type element
  sequenceNumber
  severity
  sourceComponentId
  sourceComponentId/@application
  sourceComponentId/@component
  sourceComponentId/@componentIdType
  sourceComponentId/@componentType
  sourceComponentId/@executionEnvironment
  sourceComponentId/@instanceId
  sourceComponentId/@location
  sourceComponentId/@locationType
  sourceComponentId/@processId
  sourceComponentId/@subComponent
  sourceComponentId/@threadId
  startTime
  suppressed
  targetAccount
  targetInfoType
  targetInfo.attributes
  targetInfo.targetNames
  targetResource
  targetUser
  targetUserInfo (1)
  targetUserInfo (2)
  targetUserRegistryInfo
  terminateReason
  timestamp
  type
  userInfo
  userInfo.appUserName
  userInfo.attributes
  userInfo.callerList
  userInfo.domain
  userInfo.location
  userInfo.locationType
  userInfo.realm
  userInfo.registryUserName
  userInfo.sessionId
  userInfo.uniqueId
  userInputs
  violationClassification
  violationDescription
  violationName
  workItemInfo
  workItemInfoType.id element
  workItemInfoType.type element

Chapter 6. Routing files
  Locations of routing files
  Routing file entries

Chapter 7. Configuration stanzas
  Guidelines for changing configuration files
  General guidelines
  Default values
  Strings
  Defined strings
  File names
  Integers
  Boolean values
  Configuration file reference
  Location of configuration files
  Contents of configuration files
  Configuration file stanza reference
  [aznapi-configuration] stanza
  [logging] stanza
  [pdaudit-filter] stanza

Chapter 8. Commands and utilities
  Reading syntax statements
  Commands
  login
  server list
  server task stats

Index

Figures
  1. Event pool hierarchy
  2. Application-specific probe points

Tables
  1. Categories and description of native audit events
  2. Syslog server remote machine configuration values.
  3. Audit tuning values
  16. Elements used in AUDIT_COMPLIANCE events
  17. Elements used in AUDIT_DATA_SYNC events
  18. Elements used in AUDIT_MGMT_CONFIG events
  4. Available parameters for the logcfg