附录 E. 审计事件
本附录提供单独的审计事件及其参数描述和格式。日志中的每个审计事件都由以下信息组成:
- 线程的 Java 标识符。例如:
0.localhost-startStop-1
- 事件发生的时间戳。例如:
[21/Jan/2019:17:53:00 IST]
- 日志源(14 为 SIGNED_AUDIT):
[14]
- 当前的日志级别(6)与安全相关的事件。请参阅 Red Hat Certificate System 规划、安装和部署指南中的 日志级别(Message Categories) 部分。例如:
[6]
- 有关日志事件(这是特定日志事件)的信息;有关特定日志事件中的每个字段的信息,请参阅 第 E.1 节 “审计事件描述”。例如:
[AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
E.1. 审计事件描述
以下列表列出了证书系统中提供的审计事件:
####################### SIGNED AUDIT EVENTS ############################# # Common fields: # - Outcome: "Success" or "Failure" # - SubjectID: The UID of the user responsible for the operation # "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing). # ######################################################################### # Required Audit Events # # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure] # Description: This event is used when access session failed to establish. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - ClientIP: Client IP address. # - ServerIP: Server IP address. # - SubjectID: Client certificate subject DN. # - Outcome: Failure # - Info: Failure reason. # LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\ <type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure # # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success] # Description: This event is used when access session was established successfully. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - ClientIP: Client IP address. # - ServerIP: Server IP address. # - SubjectID: Client certificate subject DN. # - Outcome: Success # LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ <type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success # # Event: ACCESS_SESSION_TERMINATED # Description: This event is used when access session was terminated. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - ClientIP: Client IP address. # - ServerIP: Server IP address. # - SubjectID: Client certificate subject DN. # - Info: The TLS Alert received from NSS # - Outcome: Success # - Info: The TLS Alert received from NSS # LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ <type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated # # Event: AUDIT_LOG_SIGNING # Description: This event is used when a signature on the audit log is generated (same as "flush" time). # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: Predefined to be "$System$" because this operation # associates with no user. # - Outcome: Success # - sig: The base-64 encoded signature of the buffer just flushed. # LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2} # # Event: AUDIT_LOG_STARTUP # Description: This event is used at audit function startup. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: $System$ # - Outcome: # LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup # # Event: AUTH with [Outcome=Failure] # Description: This event is used when authentication fails. # In case of TLS-client auth, only webserver env can pick up the TLS violation. # CS authMgr can pick up certificate mismatch, so this event is used. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: # - Outcome: Failure # (obviously, if authentication failed, you won't have a valid SubjectID, so # in this case, SubjectID should be $Unidentified$) # - AuthMgr: The authentication manager instance name that did # this authentication. # - AttemptedCred: The credential attempted and failed. # LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication failure # # Event: AUTH with [Outcome=Success] # Description: This event is used when authentication succeeded. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: id of user who has been authenticated # - Outcome: Success # - AuthMgr: The authentication manager instance name that did # this authentication. # LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authentication success # # Event: AUTHZ with [Outcome=Failure] # Description: This event is used when authorization has failed. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: id of user who has failed to be authorized for an action # - Outcome: Failure # - aclResource: The ACL resource ID as defined in ACL resource list. # - Op: One of the operations as defined with the ACL statement # e.g. "read" for an ACL statement containing "(read,write)". # - Info: # LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization failure # # Event: AUTHZ with [Outcome=Success] # Description: This event is used when authorization is successful. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: id of user who has been authorized for an action # - Outcome: Success # - aclResource: The ACL resource ID as defined in ACL resource list. # - Op: One of the operations as defined with the ACL statement # e.g. "read" for an ACL statement containing "(read,write)". # LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization success # # Event: CERT_PROFILE_APPROVAL # Description: This event is used when an agent approves/disapproves a certificate profile set by the # administrator for automatic approval. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: id of the CA agent who approved the certificate enrollment profile # - Outcome: # - ProfileID: One of the profiles defined by the administrator # and to be approved by an agent. # - Op: "approve" or "disapprove". # LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval # # Event: CERT_REQUEST_PROCESSED # Description: This event is used when certificate request has just been through the approval process. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: The UID of the agent who approves, rejects, or cancels # the certificate request. # - Outcome: # - ReqID: The request ID. # - InfoName: "certificate" (in case of approval), "rejectReason" # (in case of reject), or "cancelReason" (in case of cancel) # - InfoValue: The certificate (in case of success), a reject reason in # text, or a cancel reason in text. # - CertSerialNum: # LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed # # Event: CERT_SIGNING_INFO # Description: This event indicates which key is used to sign certificates. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: $System$ # - Outcome: Success # - SKI: Subject Key Identifier of the certificate signing certificate # - AuthorityID: (applicable only to lightweight CA) # LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info # # Event: CERT_STATUS_CHANGE_REQUEST # Description: This event is used when a certificate status change request (e.g. revocation) # is made (before approval process). # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: id of uer who performed the action # - Outcome: # - ReqID: The request ID. # - CertSerialNum: The serial number (in hex) of the certificate to be revoked. # - RequestType: "revoke", "on-hold", "off-hold" # LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made # # Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED # Description: This event is used when certificate status is changed (revoked, expired, on-hold, # off-hold). # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: The UID of the agent that processed the request. # - Outcome: # - ReqID: The request ID. # - RequestType: "revoke", "on-hold", "off-hold" # - Approval: "complete", "rejected", or "canceled" # (note that "complete" means "approved") # - CertSerialNum: The serial number (in hex). # - RevokeReasonNum: One of the following number: # reason number reason # -------------------------------------- # 0 Unspecified # 1 Key compromised # 2 CA key compromised (should not be used) # 3 Affiliation changed # 4 Certificate superceded # 5 Cessation of operation # 6 Certificate is on-hold # - Info: # LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHANGE_REQUEST_PROCESSED>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed # # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure] # Description: This event is when access session failed to establish when Certificate System acts as client. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - ClientHost: Client hostname. # - ServerHost: Server hostname. # - ServerPort: Server port. # - SubjectID: SYSTEM # - Outcome: Failure # - Info: # LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client # # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success] # Description: This event is used when access session was established successfully when # Certificate System acts as client. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - ClientHost: Client hostname. # - ServerHost: Server hostname. # - ServerPort: Server port. # - SubjectID: SYSTEM # - Outcome: Success # LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client # # Event: CLIENT_ACCESS_SESSION_TERMINATED # Description: This event is used when access session was terminated when Certificate System acts as client. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - ClientHost: Client hostname. # - ServerHost: Server hostname. # - ServerPort: Server port. # - SubjectID: SYSTEM # - Outcome: Success # - Info: The TLS Alert received from NSS # LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ <type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client # # Event: CMC_REQUEST_RECEIVED # Description: This event is used when a CMC request is received. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: The UID of user that triggered this event. # If CMC requests is signed by an agent, SubjectID should # be that of the agent. # In case of an unsigned request, it would bear $Unidentified$. # - Outcome: # - CMCRequest: Base64 encoding of the CMC request received # LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received # # Event: CMC_RESPONSE_SENT # Description: This event is used when a CMC response is sent. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: The UID of user that triggered this event. # - Outcome: # - CMCResponse: Base64 encoding of the CMC response sent # LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent # # Event: CMC_SIGNED_REQUEST_SIG_VERIFY # Description: This event is used when agent signed CMC certificate requests or revocation requests # are submitted and signature is verified. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: the user who signed the CMC request (success case) # - Outcome: # - ReqType: The request type (enrollment, or revocation). # - CertSubject: The certificate subject name of the certificate request. # - SignerInfo: A unique String representation for the signer. # LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification # # Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY # Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests # are submitted and signature is verified. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: the user who signed the CMC request (success case) # - Outcome: # - ReqType: The request type (enrollment, or revocation). # - CertSubject: The certificate subject name of the certificate request. # - CMCSignerInfo: A unique String representation for the CMC request signer. # - info: # LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success # # Event: CONFIG_ACL # Description: This event is used when configuring ACL information. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change # # Event: CONFIG_AUTH # Description: This event is used when configuring authentication. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # --- Password MUST NOT be logged --- # LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change # # Event: CONFIG_CERT_PROFILE # Description: This event is used when configuring certificate profile # (general settings and certificate profile). # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change # # Event: CONFIG_CRL_PROFILE # Description: This event is used when configuring CRL profile # (extensions, frequency, CRL format). # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change # # Event: CONFIG_DRM # Description: This event is used when configuring KRA. # This includes key recovery scheme, change of any secret component. # Applicable subsystems: KRA # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # --- secret component (password) MUST NOT be logged --- # LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change # # Event: CONFIG_OCSP_PROFILE # Description: This event is used when configuring OCSP profile # (everything under Online Certificate Status Manager). # Applicable subsystems: OCSP # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change # # Event: CONFIG_ROLE # Description: This event is used when configuring role information. # This includes anything under users/groups, add/remove/edit a role, etc. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change # # Event: CONFIG_SERIAL_NUMBER # Description: This event is used when configuring serial number ranges # (when requesting a serial number range when cloning, for example). # Applicable subsystems: CA, KRA # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update # # Event: CONFIG_SIGNED_AUDIT # Description: This event is used when configuring signedAudit. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: id of administrator who performed the action # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change # # Event: CONFIG_TRUSTED_PUBLIC_KEY # Description: This event is used when: # 1. "Manage Certificate" is used to edit the trustness of certificates # and deletion of certificates # 2. "Certificate Setup Wizard" is used to import CA certificates into the # certificate database (Although CrossCertificatePairs are stored # within internaldb, audit them as well) # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: ID of administrator who performed this configuration # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration # # Event: CRL_SIGNING_INFO # Description: This event indicates which key is used to sign CRLs. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: $System$ # - Outcome: # - SKI: Subject Key Identifier of the CRL signing certificate # LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info # # Event: DELTA_CRL_GENERATION # Description: This event is used when delta CRL generation is complete. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: $Unidentified$ # - Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise. # - CRLnum: The CRL number that identifies the CRL # - Info: # - FailureReason: # LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation # # Event: FULL_CRL_GENERATION # Description: This event is used when full CRL generation is complete. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: $System$ # - Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise. # - CRLnum: The CRL number that identifies the CRL # - Info: # - FailureReason: # LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation # # Event: PROFILE_CERT_REQUEST # Description: This event is used when a profile certificate request is made (before approval process). # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: The UID of user that triggered this event. # If CMC enrollment requests signed by an agent, SubjectID should # be that of the agent. # - Outcome: # - CertSubject: The certificate subject name of the certificate request. # - ReqID: The certificate request ID. # - ProfileID: One of the certificate profiles defined by the # administrator. # LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles # # Event: PROOF_OF_POSSESSION # Description: This event is used for proof of possession during certificate enrollment processing. # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: id that represents the authenticated user # - Outcome: # - Info: some information on when/how it occurred # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession # # Event: OCSP_ADD_CA_REQUEST_PROCESSED # Description: This event is used when an add CA request to the OCSP Responder is processed. # Applicable subsystems: OCSP # Enabled by default: Yes # Fields: # - SubjectID: OCSP administrator user id # - Outcome: "Success" when CA is added successfully, "Failure" otherwise. # - CASubjectDN: The subject DN of the leaf CA cert in the chain. # LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder # # Event: OCSP_GENERATION # Description: This event is used when an OCSP response generated is complete. # Applicable subsystems: CA, OCSP # Enabled by default: Yes # Fields: # - SubjectID: $NonRoleUser$ # - Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise. # - FailureReason: # LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation # # Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure] # Description: This event is used when a remove CA request to the OCSP Responder is processed and failed. # Applicable subsystems: OCSP # Enabled by default: Yes # Fields: # - SubjectID: OCSP administrator user id # - Outcome: Failure # - CASubjectDN: The subject DN of the leaf CA certificate in the chain. # LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed # # Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success] # Description: This event is used when a remove CA request to the OCSP Responder is processed successfully. # Applicable subsystems: OCSP # Enabled by default: Yes # Fields: # - SubjectID: OCSP administrator user id # - Outcome: "Success" when CA is removed successfully, "Failure" otherwise. # - CASubjectDN: The subject DN of the leaf CA certificate in the chain. # LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful # # Event: OCSP_SIGNING_INFO # Description: This event indicates which key is used to sign OCSP responses. # Applicable subsystems: CA, OCSP # Enabled by default: Yes # Fields: # - SubjectID: $System$ # - Outcome: # - SKI: Subject Key Identifier of the OCSP signing certificate # - AuthorityID: (applicable only to lightweight CA) # LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info # # Event: ROLE_ASSUME # Description: This event is used when a user assumes a role. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: # - Outcome: # - Role: One of the valid roles: # "Administrators", "Certificate Manager Agents", or "Auditors". # Note that customized role names can be used once configured. # LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0} assume privileged role # # Event: SECURITY_DOMAIN_UPDATE # Description: This event is used when updating contents of security domain # (add/remove a subsystem). # Applicable subsystems: CA # Enabled by default: Yes # Fields: # - SubjectID: CA administrator user ID # - Outcome: # - ParamNameValPairs: A name-value pair # (where name and value are separated by the delimiter ;;) # separated by + (if more than one name-value pair) of config params changed. # LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update # # Event: SELFTESTS_EXECUTION # Description: This event is used when self tests are run. # Applicable subsystems: CA, KRA, OCSP, TKS, TPS # Enabled by default: Yes # Fields: # - SubjectID: $System$ # - Outcome: # LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)