The signed audit log creates a log recording system events; the events that are recorded are selected from a list of potential events. This feature, when enabled, records all selected system events and produces a verbose set of messages about the activity. Be careful to provide enough space in the filesystem for this log when using signed audit logs. The signed audit log feature is disabled by default.
The audit logs for a TPS subsystem cannot be signed.
A log is set to a signed audit log by setting the logSigning parameter to enable and providing the nickname of the certificate used to sign the log.
When a log is set as a signed audit log, only a user with auditor privileges can access and view the log. Auditors can use the AuditVerify tool to verify that signed audit logs have not been tampered with.
If there is not a dedicated certificate to sign audit logs, the subsystem signing certificate can be used to sign logs. To do this for a Certificate Manager, specify caSigningCert cert-CA_instance name as the value in the signedAuditCertNickname parameter. For other systems, specify the appropriate signing certificate.
Which events are recorded in the log are configured by adding or deleting the event type from the value of the events parameter. Table 4.10, “Signed Audit Log Events” lists the loggable events. To add an event, add the logging event to the list; to delete an event, remove it from the list. Log events are separated by commas with no spaces.
| Logging Event | Type of Log Messages Generated |
|---|---|
| AUDIT_LOG_STARTUP | The start of the subsystem, and thus the start of the audit function. |
| AUDIT_LOG_SHUTDOWN | The shutdown of the subsystem, and thus the shutdown of the audit function. |
| ROLE_ASSUME | A user assuming a role. A user assumes a role after passing through authentication and authorization systems. Only the default roles of administrator, auditor, and agent are tracked. Custom roles are not tracked. |
| CONFIG_CERT_PROFILE | A change is made to the configuration settings for the certificate profile framework. |
| CONFIG_CRL_PROFILE | A change is made to the configuration settings for the CRL framework, such as to the extensions, frequency, and CRL format. |
| CONFIG_OCSP_PROFILE | A change is made to the configuration settings for the OCSP. |
| CONFIG_AUTH | A change is made to the configuration settings for the authentication framework. |
| CONFIG_ROLE | A change is made to the configuration settings for roles, including changes made to users or groups. |
| CONFIG_ACL | A change is made to the configuration settings for the ACL framework. |
| CONFIG_SIGNED_AUDIT | A change is made to the configuration settings for the signed audit feature. |
| CONFIG_ENCRYPTION | A change is made to the encryption settings, including certificate settings and SSL cipher preferences. |
| CONFIG_TRUSTED_PUBLIC_KEY | The Certificate Setup Wizard is used to import certificates into the certificate database or any activity in Manage Certificates. |
| CONFIG_DRM | The configuration associated with a DRM changes. |
| SELFTESTS_EXECUTION | The self-tests are executed. |
| AUDIT_LOG_DELETE | The signed audit log expires or is deleted. Note: the authorization system should not allow a signed audit log to be deleted. |
| LOG_PATH_CHANGE | The path or name for the signed audit, system, transaction, or any customized log is changed. Note: the authorization system should not allow such a change. |
| PRIVATE_KEY_ARCHIVE | Shows when an encryption private key is requested during enrollment. |
| PRIVATE_KEY_ARCHIVE_PROCESSED | Shows when a private encryption key is archived in the DRM. |
| KEY_RECOVERY_REQUEST | Shows when a request is made to recover a private encryption key stored in the DRM. |
| KEY_RECOVERY_AGENT_LOGIN | Shows when DRM agents log in as recovery agents to approve key recovery requests. |
| KEY_RECOVERY_PROCESSED | Shows when a key recovery has been processed. |
| KEY_GEN_ASYMMETRIC | Shows when asymmetric keys are generated. |
| NON_PROFILE_CERT_REQUEST | Shows when a certificate request is made outside the certificate profile framework. |
| PROFILE_CERT_REQUEST | Shows when a certificate request is made through the certificate profile framework. |
| CERT_REQUEST_PROCESSED | Shows when a certificate request is being processed. |
| CERT_STATUS_CHANGE_REQUEST | Shows when the request is made to change the status of a certificate. |
| CERT_STATUS_CHANGE_REQUEST_PROCESSED | Shows when a certificate status change is processed. |
| AUTHZ_SUCCESS | Shows when a user is successfully processed by the authorization servlets. |
| AUTHZ_FAIL | Shows when a user is not successfully processed by the authorization servlets. |
| INTER_BOUNDARY | Records data transfer between different subsystems. |
| AUTH_FAIL | Shows when a user does not successfully authenticate. |
| AUTH_SUCCESS | Shows when a user successfully authenticates. |
| CERT_PROFILE_APPROVAL | Shows when a certificate profile sent by an administrator is approved by an agent. |
| PROOF_OF_POSSESSION | Shows when proof of possession is checked during certificate enrollment. |
| CRL_RETRIEVAL | Shows when a CRL is retrieved by the OCSP. |
| CRL_VALIDATION | Shows when a CRL is retrieved and the validation process occurs. |
| CMC_SIGNED_REQUEST_SIG_VERIFY | Used when CMC (agent pre-signed) certificate requests or revocation requests are submitted and the signature is verified. |
| AUDIT_LOG_SIGNING | Shows when the audit buffer is signed and flushed to disk. |
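The settings above (logSigning, signedAuditCertNickname, and the comma-separated events list with no spaces) are easy to get subtly wrong, so here is an added checker that is not part of the original documentation or the product itself. It assumes the parameters are stored as key=value lines under the prefix `log.instance.SignedAudit.` (the page only names the bare parameter names), and it flags missing events that protect the audit function itself.

```python
# Added example, not from the page or the product: a linter for the signed
# audit settings. ASSUMPTION: settings are key=value lines under the prefix
# "log.instance.SignedAudit." (the page names only the bare parameters).
PREFIX = "log.instance.SignedAudit."

# Loggable event types, taken from the table above.
KNOWN_EVENTS = {
    "AUDIT_LOG_STARTUP", "AUDIT_LOG_SHUTDOWN", "ROLE_ASSUME", "CONFIG_CERT_PROFILE", "CONFIG_CRL_PROFILE",
    "CONFIG_OCSP_PROFILE", "CONFIG_AUTH", "CONFIG_ROLE", "CONFIG_ACL", "CONFIG_SIGNED_AUDIT", "CONFIG_ENCRYPTION",
    "CONFIG_TRUSTED_PUBLIC_KEY", "CONFIG_DRM", "SELFTESTS_EXECUTION", "AUDIT_LOG_DELETE", "LOG_PATH_CHANGE",
    "PRIVATE_KEY_ARCHIVE", "PRIVATE_KEY_ARCHIVE_PROCESSED", "KEY_RECOVERY_REQUEST", "KEY_RECOVERY_AGENT_LOGIN",
    "KEY_RECOVERY_PROCESSED", "KEY_GEN_ASYMMETRIC", "NON_PROFILE_CERT_REQUEST", "PROFILE_CERT_REQUEST",
    "CERT_REQUEST_PROCESSED", "CERT_STATUS_CHANGE_REQUEST", "CERT_STATUS_CHANGE_REQUEST_PROCESSED", "AUTHZ_SUCCESS",
    "AUTHZ_FAIL", "INTER_BOUNDARY", "AUTH_FAIL", "AUTH_SUCCESS", "CERT_PROFILE_APPROVAL", "PROOF_OF_POSSESSION",
    "CRL_RETRIEVAL", "CRL_VALIDATION", "CMC_SIGNED_REQUEST_SIG_VERIFY", "AUDIT_LOG_SIGNING",
}
# Events whose absence would hide tampering with the audit function itself.
REQUIRED_EVENTS = {"AUDIT_LOG_STARTUP", "AUDIT_LOG_SHUTDOWN", "AUDIT_LOG_DELETE",
                   "LOG_PATH_CHANGE", "CONFIG_SIGNED_AUDIT", "AUDIT_LOG_SIGNING"}

def parse_config(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def check_signed_audit(cfg):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    if cfg.get(PREFIX + "logSigning") != "enable":
        findings.append("logSigning is not set to enable")
    if not cfg.get(PREFIX + "signedAuditCertNickname"):
        findings.append("signedAuditCertNickname is empty: nothing can sign the log")
    raw = cfg.get(PREFIX + "events", "")
    if " " in raw:
        findings.append("events contains spaces: entries must be comma-separated with no spaces")
    events = {e for e in raw.replace(" ", "").split(",") if e}
    findings += [f"unknown event type: {e}" for e in sorted(events - KNOWN_EVENTS)]
    findings += [f"required event not logged: {e}" for e in sorted(REQUIRED_EVENTS - events)]
    return findings

# Constructed sample with deliberate problems (not a real configuration file).
SAMPLE_CFG = """
log.instance.SignedAudit.logSigning=enable
log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-EXAMPLE
log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN, ROLE_ASSUME,CONFIG_SIGNED_AUDIT,AUDIT_LOG_SIGNING,FOO_EVENT
"""
```

Running `check_signed_audit(parse_config(SAMPLE_CFG))` reports the stray space, the unknown FOO_EVENT, and the two missing tamper-related events.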