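E.2. Audit event descriptions
This section provides descriptions of the audit events.
For the required audit events and their examples, see Section E.1, “Required audit events and their examples”.
E.2.1. TOE environment audit events
This section provides a format description of the TOE (Target of Evaluation) audit events.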
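The templates listed in this section render to records made of bracketed `[Name=value]` attributes followed by a message. The following is an added example, not part of the Certificate System documentation or code: it parses such records, splits `ParamNameValPairs` on the `+` and `;;` delimiters described in the event comments, and flags records an auditor would review. The function names, the line prefix, all sample values, and the convention that a masked secret is empty or all asterisks are assumptions.

```python
import re

# [Name=value]; a value ends at a "]" that is followed by the next "[Name="
# opener, whitespace, or end of line. Values containing "] " are not handled.
FIELD = re.compile(r"\[([A-Za-z][A-Za-z0-9]*)=(.*?)\](?=\[[A-Za-z][A-Za-z0-9]*=|\s|$)")
SECRET_NAME = re.compile(r"passw(or)?d|secret", re.IGNORECASE)
MASKED = re.compile(r"^\**$")  # assumption: empty or all-asterisk means masked

# Events where Outcome=Failure is worth a look.
FAILURE_EVENTS = {"AUTH", "AUTHZ", "ACCESS_SESSION_ESTABLISH"}
# Events reviewed regardless of outcome.
ALWAYS_REVIEW = {
    "LOG_PATH_CHANGE": "log path change attempted (the ACL should not allow it)",
    "CONFIG_SIGNED_AUDIT": "signed audit configuration changed",
}


def parse_record(line):
    """Return the attributes of one audit record as a dict, or None."""
    pos = line.find("[AuditEvent=")  # ignore any prefix before the attributes
    if pos < 0:
        return None
    fields = {}
    while True:
        m = FIELD.match(line, pos)
        if not m:
            break
        # Some events list a field twice (e.g. Info); keep the first value.
        fields.setdefault(m.group(1), m.group(2))
        pos = m.end()
    if "AuditEvent" not in fields:
        return None
    fields["_message"] = line[pos:].strip()
    return fields


def split_pairs(value):
    """Split ParamNameValPairs: pairs joined by '+', name and value by ';;'."""
    pairs = []
    for item in value.split("+"):
        name, sep, val = item.partition(";;")
        if sep:
            pairs.append((name, val))
    return pairs


def review(lines):
    """Return (event, subject, reason) tuples for records needing review."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        event = rec["AuditEvent"]
        subject = rec.get("SubjectID", "")
        if event in FAILURE_EVENTS and rec.get("Outcome") == "Failure":
            findings.append((event, subject, event + " failure"))
        if event in ALWAYS_REVIEW:
            findings.append((event, subject, ALWAYS_REVIEW[event]))
        # "Password MUST NOT be logged": report the name, never the value.
        for name, val in split_pairs(rec.get("ParamNameValPairs", "")):
            if SECRET_NAME.search(name) and not MASKED.match(val):
                findings.append((event, subject, "unmasked secret logged for " + name))
    return findings


# Constructed sample records; prefix and values are illustrative only.
PREFIX = "0.example-thread - [21/Mar/2024:10:15:02 UTC] [14] [6] "
SAMPLE_LINES = [
    PREFIX + "[AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup",
    PREFIX + "[AuditEvent=AUTH][SubjectID=$Unidentified$][Outcome=Failure]"
             "[AuthMgr=exampleAuthMgr][AttemptedCred=jdoe] authentication failure",
    PREFIX + "[AuditEvent=AUTHZ][SubjectID=jdoe][Outcome=Failure]"
             "[aclResource=example.resource][Op=modify][Info=example] authorization failure",
    PREFIX + "[AuditEvent=LOG_PATH_CHANGE][SubjectID=caadmin][Outcome=Failure]"
             "[LogType=SignedAudit][toLogFile=/tmp/audit] log path change attempt",
    PREFIX + "[AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Success]"
             "[ParamNameValPairs=Scope;;instance+ldap.basedn;;dc=example,dc=com"
             "+ldap.password;;Secret123] authentication configuration parameter(s) change",
    PREFIX + "[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success]"
             "[ParamNameValPairs=Scope;;users+Resource;;jdoe+password;;********]"
             " role configuration parameter(s) change",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LINES):
        print(finding)
```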
####################### SIGNED AUDIT EVENTS #############################
# Common fields:
# - Outcome: "Success" or "Failure"
# - SubjectID: The UID of the user responsible for the operation
#       "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing).
#
#########################################################################
# Required Audit Events
#
# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
# Description: This event is used when access session failed to establish.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Outcome: Failure
# - Info: Failure reason.
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure
#
# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
# Description: This event is used when access session was established successfully.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Outcome: Success
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success
#
# Event: ACCESS_SESSION_TERMINATED
# Description: This event is used when access session was terminated.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Info: The TLS Alert received from NSS
# - Outcome: Success
# - Info: The TLS Alert received from NSS
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated
#
# Event: AUDIT_LOG_SIGNING
# Description: This event is used when a signature on the audit log is generated (same as "flush" time).
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: Predefined to be "$System$" because this operation
#       associates with no user.
# - Outcome: Success
# - sig: The base-64 encoded signature of the buffer just flushed.
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
#
# Event: AUDIT_LOG_STARTUP
# Description: This event is used at audit function startup.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
#
# Event: AUTH with [Outcome=Failure]
# Description: This event is used when authentication fails.
#       In case of SSL-client auth, only webserver env can pick up the SSL violation.
#       CS authMgr can pick up certificate mismatch, so this event is used.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome: Failure
#       (obviously, if authentication failed, you won't have a valid SubjectID, so
#       in this case, SubjectID should be $Unidentified$)
# - AuthMgr: The authentication manager instance name that did
#       this authentication.
# - AttemptedCred: The credential attempted and failed.
#
LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication failure
#
# Event: AUTH with [Outcome=Success]
# Description: This event is used when authentication succeeded.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has been authenticated
# - Outcome: Success
# - AuthMgr: The authentication manager instance name that did
#       this authentication.
#
LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authentication success
#
# Event: AUTHZ with [Outcome=Failure]
# Description: This event is used when authorization has failed.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has failed to be authorized for an action
# - Outcome: Failure
# - aclResource: The ACL resource ID as defined in ACL resource list.
# - Op: One of the operations as defined with the ACL statement
#       e.g. "read" for an ACL statement containing "(read,write)".
# - Info:
#
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization failure
#
# Event: AUTHZ with [Outcome=Success]
# Description: This event is used when authorization is successful.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has been authorized for an action
# - Outcome: Success
# - aclResource: The ACL resource ID as defined in ACL resource list.
# - Op: One of the operations as defined with the ACL statement
#       e.g. "read" for an ACL statement containing "(read,write)".
#
LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization success
#
# Event: CERT_PROFILE_APPROVAL
# Description: This event is used when an agent approves/disapproves a certificate profile set by the
#       administrator for automatic approval.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of the CA agent who approved the certificate enrollment profile
# - Outcome:
# - ProfileID: One of the profiles defined by the administrator
#       and to be approved by an agent.
# - Op: "approve" or "disapprove".
#
LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
#
# Event: CERT_REQUEST_PROCESSED
# Description: This event is used when certificate request has just been through the approval process.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of the agent who approves, rejects, or cancels
#       the certificate request.
# - Outcome:
# - ReqID: The request ID.
# - InfoName: "certificate" (in case of approval), "rejectReason"
#       (in case of reject), or "cancelReason" (in case of cancel)
# - InfoValue: The certificate (in case of success), a reject reason in
#       text, or a cancel reason in text.
# - CertSerialNum:
#
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed
#
# Event: CERT_SIGNING_INFO
# Description: This event indicates which key is used to sign certificates.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome: Success
# - SKI: Subject Key Identifier of the certificate signing certificate
# - AuthorityID: (applicable only to lightweight CA)
#
LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
#
# Event: CERT_STATUS_CHANGE_REQUEST
# Description: This event is used when a certificate status change request (e.g. revocation)
#       is made (before approval process).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who performed the action
# - Outcome:
# - ReqID: The request ID.
# - CertSerialNum: The serial number (in hex) of the certificate to be revoked.
# - RequestType: "revoke", "on-hold", "off-hold"
#
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made
#
# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
# Description: This event is used when certificate status is changed (revoked, expired, on-hold,
#       off-hold).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of the agent that processed the request.
# - Outcome:
# - ReqID: The request ID.
# - RequestType: "revoke", "on-hold", "off-hold"
# - Approval: "complete", "rejected", or "canceled"
#       (note that "complete" means "approved")
# - CertSerialNum: The serial number (in hex).
# - RevokeReasonNum: One of the following number:
#       reason number    reason
#       --------------------------------------
#       0                Unspecified
#       1                Key compromised
#       2                CA key compromised (should not be used)
#       3                Affiliation changed
#       4                Certificate superseded
#       5                Cessation of operation
#       6                Certificate is on-hold
# - Info:
#
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHANGE_REQUEST_PROCESSED>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed
#
# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
# Description: This event is when access session failed to establish when Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Failure
# - Info:
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
#
# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
# Description: This event is used when access session was established successfully when
#       Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Success
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
#
# Event: CLIENT_ACCESS_SESSION_TERMINATED
# Description: This event is used when access session was terminated when Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Success
# - Info: The TLS Alert received from NSS
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
<type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
#
# Event: CMC_REQUEST_RECEIVED
# Description: This event is used when a CMC request is received.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
#       If CMC requests is signed by an agent, SubjectID should
#       be that of the agent.
#       In case of an unsigned request, it would bear $Unidentified$.
# - Outcome:
# - CMCRequest: Base64 encoding of the CMC request received
#
LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
#
# Event: CMC_RESPONSE_SENT
# Description: This event is used when a CMC response is sent.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
# - Outcome:
# - CMCResponse: Base64 encoding of the CMC response sent
#
LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
#
# Event: CMC_SIGNED_REQUEST_SIG_VERIFY
# Description: This event is used when agent signed CMC certificate requests or revocation requests
#       are submitted and signature is verified.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: the user who signed the CMC request (success case)
# - Outcome:
# - ReqType: The request type (enrollment, or revocation).
# - CertSubject: The certificate subject name of the certificate request.
# - SignerInfo: A unique String representation for the signer.
#
LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
#
# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY
# Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests
#       are submitted and signature is verified.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: the user who signed the CMC request (success case)
# - Outcome:
# - ReqType: The request type (enrollment, or revocation).
# - CertSubject: The certificate subject name of the certificate request.
# - CMCSignerInfo: A unique String representation for the CMC request signer.
# - info:
#
LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
#
# Event: CONFIG_ACL
# Description: This event is used when configuring ACL information.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
#
# Event: CONFIG_AUTH
# Description: This event is used when configuring authentication.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#       --- Password MUST NOT be logged ---
#
LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
#
# Event: CONFIG_CERT_PROFILE
# Description: This event is used when configuring certificate profile
#       (general settings and certificate profile).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
#
# Event: CONFIG_CRL_PROFILE
# Description: This event is used when configuring CRL profile
#       (extensions, frequency, CRL format).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
#
# Event: CONFIG_DRM
# Description: This event is used when configuring KRA.
#       This includes key recovery scheme, change of any secret component.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#       --- secret component (password) MUST NOT be logged ---
#
LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
#
# Event: CONFIG_OCSP_PROFILE
# Description: This event is used when configuring OCSP profile
#       (everything under Online Certificate Status Manager).
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
#
# Event: CONFIG_ROLE
# Description: This event is used when configuring role information.
#       This includes anything under users/groups, add/remove/edit a role, etc.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change
#
# Event: CONFIG_SERIAL_NUMBER
# Description: This event is used when configuring serial number ranges
#       (when requesting a serial number range when cloning, for example).
# Applicable subsystems: CA, KRA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
#
# Event: CONFIG_SIGNED_AUDIT
# Description: This event is used when configuring signedAudit.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change
#
# Event: CONFIG_TRUSTED_PUBLIC_KEY
# Description: This event is used when:
#       1. "Manage Certificate" is used to edit the trustness of certificates
#          and deletion of certificates
#       2. "Certificate Setup Wizard" is used to import CA certificates into the
#          certificate database (Although CrossCertificatePairs are stored
#          within internaldb, audit them as well)
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: ID of administrator who performed this configuration
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration
#
# Event: CRL_SIGNING_INFO
# Description: This event indicates which key is used to sign CRLs.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
# - SKI: Subject Key Identifier of the CRL signing certificate
#
LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
#
# Event: DELTA_CRL_GENERATION
# Description: This event is used when delta CRL generation is complete.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $Unidentified$
# - Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL
# - Info:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
#
# Event: FULL_CRL_GENERATION
# Description: This event is used when full CRL generation is complete.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL
# - Info:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
#
# Event: PROFILE_CERT_REQUEST
# Description: This event is used when a profile certificate request is made (before approval process).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
#       If CMC enrollment requests signed by an agent, SubjectID should
#       be that of the agent.
# - Outcome:
# - CertSubject: The certificate subject name of the certificate request.
# - ReqID: The certificate request ID.
# - ProfileID: One of the certificate profiles defined by the
#       administrator.
#
LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles
#
# Event: PROOF_OF_POSSESSION
# Description: This event is used for proof of possession during certificate enrollment processing.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id that represents the authenticated user
# - Outcome:
# - Info: some information on when/how it occurred
#
LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
#
# Event: OCSP_ADD_CA_REQUEST_PROCESSED
# Description: This event is used when an add CA request to the OCSP Responder is processed.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: "Success" when CA is added successfully, "Failure" otherwise.
# - CASubjectDN: The subject DN of the leaf CA cert in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
#
# Event: OCSP_GENERATION
# Description: This event is used when an OCSP response generated is complete.
# Applicable subsystems: CA, OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: $NonRoleUser$
# - Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
#
# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when a remove CA request to the OCSP Responder is processed and failed.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: Failure
# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
#
# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when a remove CA request to the OCSP Responder is processed successfully.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: "Success" when CA is removed successfully, "Failure" otherwise.
# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
#
# Event: OCSP_SIGNING_INFO
# Description: This event indicates which key is used to sign OCSP responses.
# Applicable subsystems: CA, OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
# - SKI: Subject Key Identifier of the OCSP signing certificate
# - AuthorityID: (applicable only to lightweight CA)
#
LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
#
# Event: ROLE_ASSUME
# Description: This event is used when a user assumes a role.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - Role: One of the valid roles:
#       "Administrators", "Certificate Manager Agents", or "Auditors".
#       Note that customized role names can be used once configured.
#
LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0} assume privileged role
#
# Event: SECURITY_DOMAIN_UPDATE
# Description: This event is used when updating contents of security domain
#       (add/remove a subsystem).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: CA administrator user ID
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
#
# Event: SELFTESTS_EXECUTION
# Description: This event is used when self tests are run.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
#
LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
#########################################################################
# Available Audit Events - Enabled by default: Yes
#########################################################################
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST
# Description: This event is used when Server-Side Keygen enrollment keygen request is made.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST]{0} Server-Side Keygen enrollment keygen request made
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED
# Description: This event is used when a request to do Server-Side Keygen enrollment keygen has been processed
#       is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED]{0} Server-Side Keygen enrollment keygen request processed
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST
# Description: This event is used when Server-Side Keygen enrollment key retrieval request is made.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST=<type=SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST]{0} Server-Side Keygen enrollment retrieval request made
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED
# Description: This event is used when a request to do Server-Side Keygen enrollment retrieval has been processed
#       is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_RETRIEVAL_REQUEST_PROCESSED]{0} Server-Side Keygen enrollment retrieval request processed
#
# Event: ASYMKEY_GENERATION_REQUEST
# Description: This event is used when asymmetric key generation request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID:
#
LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
#
# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
# Description: This event is used when a request to generate asymmetric keys received by the KRA
#       is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID:
# - KeyID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
#
# Event: AUTHORITY_CONFIG
# Description: This event is used when configuring lightweight authorities.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change
#
# Event: CONFIG_ENCRYPTION
# Description: This event is used when configuring encryption (cert settings and SSL cipher preferences).
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change
#
# Event: CONFIG_TOKEN_AUTHENTICATOR
# Description: This event is used when configuring token authenticators.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - OP:
# - Authenticator:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#       --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICATOR>:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
#
# Event: CONFIG_TOKEN_CONNECTOR
# Description: This event is used when configuring token connectors.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - Service: can be any of the methods offered
# - Connector:
# - ParamNameValPairs: A name-value pair
#       (where name and value are separated by the delimiter ;;)
#       separated by + (if more than one name-value pair) of config params changed.
#       --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
#
# Event: CONFIG_TOKEN_MAPPING_RESOLVER
# Description: This event is used when configuring token mapping resolver.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: TPS administrator id
# - Outcome:
# - Service:
# - MappingResolverID:
# - ParamNameValPairs: A name-value pair
#   (where name and value are separated by the delimiter ;;)
#   separated by + (if more than one name-value pair) of config params changed.
#   --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_RESOLVER>:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
#
# Event: CONFIG_TOKEN_RECORD
# Description: This event is used when information in token record changed.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: TPS administrator id
# - Outcome:
# - OP: operation to add or delete token
# - TokenID: smart card unique id
# - ParamNameValPairs: A name-value pair
#   (where name and value are separated by the delimiter ;;)
#   separated by + (if more than one name-value pair) of config params changed.
#   --- secret component (password) MUST NOT be logged ---
# - Info: in general is used for capturing error info for failed cases
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
#
# Event: KEY_GEN_ASYMMETRIC
# Description: This event is used when asymmetric keys are generated
#   such as when CA certificate requests are generated,
#   e.g. CA certificate change over, renewal with new key.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - PubKey: The base-64 encoded public key material.
#
LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
#
# Event: LOG_PATH_CHANGE
# Description: This event is used when log file name (including any path changes) for any of
#   audit, system, transaction, or other customized log file change is attempted.
#   The ACL should not allow this operation, but make sure it's written after the attempt.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: administrator user id
# - Outcome:
# - LogType: "System", "Transaction", or "SignedAudit"
# - toLogFile: The name (including any path changes) that the user is
#   attempting to change to.
#
LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
#
# Event: RANDOM_GENERATION
# Description: This event is used when a random number generation is complete.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome: "Success" when a random number is generated successfully, "Failure" otherwise.
# - Info:
# - Caller: PKI code that calls the random number generator.
# - Size: Size of random number in bytes.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
#
# Event: SCHEDULE_CRL_GENERATION
# Description: This event is used when CRL generation is scheduled.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome: "Success" when CRL generation is scheduled successfully, "Failure" otherwise.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
#
# Event: SECURITY_DATA_ARCHIVAL_REQUEST
# Description: This event is used when security data recovery request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ArchivalRequestID: The requestID provided by the CA through the connector.
#   It is used to track the request through from CA to KRA.
# - RequestId: The KRA archival request ID.
# - ClientKeyID: The user supplied client ID associated with
#   the security data to be archived.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
#
# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
# Description: This event is used when user security data archive request is processed.
#   This is when KRA receives and processes the request.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ArchivalRequestID: The requestID provided by the CA through the connector.
#   It is used to track the request through from CA to KRA.
# - RequestId: The KRA archival request ID.
# - ClientKeyID: The user supplied client ID associated with
#   the security data to be archived.
# - KeyID:
# - PubKey:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
#
# Event: SECURITY_DATA_RECOVERY_REQUEST
# Description: This event is used when security data recovery request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - DataID: The ID of the security data being requested to be recovered.
# - PubKey:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
#
# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
# Description: This event is used when security data recovery request is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - KeyID: The ID of the security data being requested to be recovered.
# - RecoveryAgents: The UIDs of the recovery agents approving this request.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
#
# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
# Description: This event is used when KRA agents login as recovery agents to change
#   the state of key recovery requests.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - Operation: The operation performed (approve, reject, cancel etc.).
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
#
# Event: SERVER_SIDE_KEYGEN_REQUEST
# Description: This event is used when server-side key generation request is made.
#   This is for token keys.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - EntityID: The representation of the subject that will be on the certificate when issued.
# - RequestID:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
#
# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
# Description: This event is used when server-side key generation request has been processed.
#   This is for token keys.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - EntityID: The representation of the subject that will be on the certificate when issued.
# - RequestID:
# - PubKey: The base-64 encoded public key associated with
#   the private key to be archived.
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed
#
# Event: SYMKEY_GENERATION_REQUEST
# Description: This event is used when symmetric key generation request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID: The ID of the symmetric key to be generated and archived.
#
LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
#
# Event: SYMKEY_GENERATION_REQUEST_PROCESSED
# Description: This event is used when symmetric key generation request is processed.
#   This is when KRA receives and processes the request.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID: The user supplied client ID associated with
#   the symmetric key to be generated and archived.
# - KeyID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
#
# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
# Description: This event is used when token applet upgrade failed.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - KeyVersion:
# - oldAppletVersion:
# - newAppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
#
# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
# Description: This event is used when token applet upgrade succeeded.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - KeyVersion:
# - oldAppletVersion:
# - newAppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
#
# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
# Description: This event is used when token key changeover failed.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - oldKeyVersion:
# - newKeyVersion:
# - Info: Info in case of failure.
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
#
# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
# Description: This event is used when token key changeover succeeded.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - oldKeyVersion:
# - newKeyVersion:
# - Info: Usually is unused for success.
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
#
# Event: TOKEN_KEY_CHANGEOVER_REQUIRED
# Description: This event is used when token key changeover is required.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - oldKeyVersion:
# - newKeyVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
#
# Event: LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_SUCCESS
# Description: used for the CS.cfg properties: enableBoundedGPKeyVersion, cuidMustMatchKDD, and validateCardKeyInfoAgainstTokenDB
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - KDD:
# - TokenKeyVersion:
# - NewKeyVersion:
# - TokenDBKeyVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_SUCCESS_9=<type=TOKEN_KEY_SANITY_CHECK>:[AuditEvent=TOKEN_KEY_SANITY_CHECK][IP={0}][SubjectID={1}][CUID={2}][KDD={3}][Outcome={4}][TokenKeyVersion={5}][NewKeyVersion={6}][TokenDBKeyVersion={7}][Info={8}] token key sanity check success
#
# Event: LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_FAILURE
# Description: used for the CS.cfg properties: enableBoundedGPKeyVersion, cuidMustMatchKDD, and validateCardKeyInfoAgainstTokenDB
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - KDD:
# - TokenKeyVersion:
# - NewKeyVersion:
# - TokenDBKeyVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_FAILURE_9=<type=TOKEN_KEY_SANITY_CHECK>:[AuditEvent=TOKEN_KEY_SANITY_CHECK][IP={0}][SubjectID={1}][CUID={2}][KDD={3}][Outcome={4}][TokenKeyVersion={5}][NewKeyVersion={6}][TokenDBKeyVersion={7}][Info={8}] token key sanity check failure
#
#########################################################################
# Available Audit Events - Enabled by default: No
#########################################################################
#
# Event: AUDIT_LOG_DELETE
# Description: This event is used AFTER audit log gets expired.
#   The ACL should not allow this operation, but it is provided in case ACL gets compromised.
#   Make sure it is written AFTER the log expiration happens.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - LogFile: The complete name (including the path) of the
#   signedAudit log that is attempted to be deleted.
#
LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
#
# Event: AUDIT_LOG_SHUTDOWN
# Description: This event is used at audit function shutdown.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
#
# Event: CIMC_CERT_VERIFICATION
# Description: This event is used for verifying CS system certificates.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - CertNickName: The certificate nickname.
#
LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CS certificate verification
#
# Event: CMC_ID_POP_LINK_WITNESS
# Description: This event is used for identification and POP linking verification during CMC request processing.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - Info:
#
LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
#
# Event: CMC_PROOF_OF_IDENTIFICATION
# Description: This event is used for proof of identification during CMC request processing.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
#   In case of success, "SubjectID" is the actual identified identification.
#   In case of failure, "SubjectID" is the attempted identification.
# - Outcome:
# - Info:
#
LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
#
# Event: COMPUTE_RANDOM_DATA_REQUEST
# Description: This event is used when the request for TPS to TKS to get random challenge data is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome:
# - AgentID: The trusted agent ID used to make the request.
#
LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
#
# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when the request for TPS to TKS to get random challenge data is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome: Success or Failure.
# - Status: 0 for no error.
# - Error: The error message.
# - AgentID: The trusted agent ID used to make the request.
#
LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
#
# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request for TPS to TKS to get random challenge data is processed successfully.
# Applicable subsystems: TKS, TPS
# Fields:
# - Outcome: Success or Failure.
# - Status: 0 for no error.
# - AgentID: The trusted agent ID used to make the request.
#
LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
#
# Event: COMPUTE_SESSION_KEY_REQUEST
# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome:
# - AgentID: The trusted agent ID used to make the request.
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
## CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that
## encoded parameters are being logged.
# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
#
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
#
# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome: Failure
# - status: Error code or 0 for no error.
# - AgentID: The trusted agent ID used to make the request.
# - IsCryptoValidate: tells if the card cryptogram is to be validated
# - IsServerSideKeygen: tells if the keys are to be generated on server
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The numeric keyset, e.g. #01#01.
# - Error: The error message.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
#
# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed successfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Success
# - status: 0 for no error.
# - IsCryptoValidate: tells if the card cryptogram is to be validated
# - IsServerSideKeygen: tells if the keys are to be generated on server
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The number keyset, e.g. #01#01.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
## CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact
## that decoded parameters are now logged.
## Also added TKSKeyset, KeyInfo_KeyVersion,
## NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
#
# Event: CONFIG_CERT_POLICY
# Description: This event is used when configuring certificate policy constraints and extensions.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#   (where name and value are separated by the delimiter ;;)
#   separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change
#
# Event: CONFIG_TOKEN_GENERAL
# Description: This event is used when doing general TPS configuration.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#   (where name and value are separated by the delimiter ;;)
#   separated by + (if more than one name-value pair) of config params changed.
#   --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
#
# Event: CONFIG_TOKEN_PROFILE
# Description: This event is used when configuring token profile.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - Service: can be any of the methods offered
# - ProfileID:
# - ParamNameValPairs: A name-value pair
#   (where name and value are separated by the delimiter ;;)
#   separated by + (if more than one name-value pair) of config params changed.
#   --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
#
# Event: CRL_RETRIEVAL
# Description: This event is used when CRLs are retrieved by the OCSP Responder.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: "Success" when CRL is retrieved successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL.
#
LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval
#
# Event: CRL_VALIDATION
# Description: This event is used when CRL is retrieved and validation process occurs.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
#
LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
#
# Event: DELTA_CRL_PUBLISHING
# Description: This event is used when delta CRL publishing is complete.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: "Success" when delta CRL is published successfully, "Failure" otherwise.
# - CRLnum:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
#
# Event: DIVERSIFY_KEY_REQUEST
# Description: This event is used when the request for TPS to TKS to do key changeover is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome:
# - AgentID: The trusted agent ID used to make the request.
# - oldMasterKeyName: The old master key name.
# - newMasterKeyName: The new master key name.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
#
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
#
# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when the request for TPS to TKS to do key changeover is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Failure
# - status: 0 for success, non-zero for various errors.
# - oldMasterKeyName: The old master key name.
# - newMasterKeyName: The new master key name.
# - Error: The error message.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - OldKeyInfo_KeyVersion: The old key version number in hex.
# - NewKeyInfo_KeyVersion: The new key version number in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
#
# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request for TPS to TKS to do key changeover is processed successfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Success
# - status: 0 for success, non-zero for various errors.
# - oldMasterKeyName: The old master key name.
# - newMasterKeyName: The new master key name.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - OldKeyInfo_KeyVersion: The old key version number in hex.
# - NewKeyInfo_KeyVersion: The new key version number in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
#
# Event: ENCRYPT_DATA_REQUEST
# Description: This event is used when the request from TPS to TKS to encrypt data
#   (or generate random data and encrypt) is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID: The CUID of the token requesting encrypt data.
# - AgentID: The trusted agent ID used to make the request.
# - status: 0 for success, non-zero for various errors.
# - isRandom: tells if the data is randomly generated on TKS
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
#
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
#
# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when the request from TPS to TKS to encrypt data
#   (or generate random data and encrypt) is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Failure
# - status: 0 for success, non-zero for various errors.
# - isRandom: tells if the data is randomly generated on TKS
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The numeric keyset, e.g. #01#01.
# - Error: The error message.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
#
# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request from TPS to TKS to encrypt data
#   (or generate random data and encrypt) is processed successfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Success
# - status: 0 for success, non-zero for various errors.
# - isRandom: tells if the data is randomly generated on TKS
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The numeric keyset, e.g. #01#01.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
#
# Event: FULL_CRL_PUBLISHING
# Description: This event is used when full CRL publishing is complete.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: "Success" when full CRL is publishing successfully, "Failure" otherwise.
# - CRLnum:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
#
# Event: INTER_BOUNDARY
# Description: This event is used when inter-CS boundary data transfer is successful.
#   This is used when data does not need to be captured.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - ProtectionMethod: "SSL" or "unknown".
# - ReqType: The request type.
# - ReqID: The request ID.
#
LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CS boundary communication (data exchange) success
#
# Event: KEY_RECOVERY_AGENT_LOGIN
# Description: This event is used when KRA agents login as recovery agents to approve
#   key recovery requests.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - RecoveryAgent: The recovery agent the KRA agent is
#   logging in with.
#
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
#
# Event: KEY_RECOVERY_REQUEST
# Description: This event is used when key recovery request is made.
# Applicable subsystems: CA, OCSP, TKS, TPS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - PubKey: The base-64 encoded public key associated with
#   the private key to be recovered.
#
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
#
# Event: KEY_STATUS_CHANGE
# Description: This event is used when modify key status is executed.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - KeyID: An existing key ID in the database.
# - OldStatus: The old status to change from.
# - NewStatus: The new status to change to.
# - Info:
#
LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
#
# Event: LOG_EXPIRATION_CHANGE (disabled)
# Description: This event is used when log expiration time change is attempted.
#   The ACL should not allow this operation, but make sure it's written after the attempt.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - LogType: "System", "Transaction", or "SignedAudit".
# - ExpirationTime: The amount of time (in seconds) that is
#   attempted to be changed to.
#
#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
#
# Event: NON_PROFILE_CERT_REQUEST
# Description: This event is used when a non-profile certificate request is made (before approval process).
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID: The UID of user that triggered this event.
#   If CMC enrollment requests signed by an agent, SubjectID should
#   be that of the agent.
# - Outcome:
# - CertSubject: The certificate subject name of the certificate request.
# - ReqID: The certificate request ID.
# - ServiceID: The identity of the servlet that submitted the original
#   request.
#
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
#
# Event: OCSP_ADD_CA_REQUEST
# Description: This event is used when a CA is attempted to be added to the OCSP Responder.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - CA: The base-64 encoded PKCS7 certificate (or chain).
#
LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=<type=OCSP_ADD_CA_REQUEST>:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
#
# Event: OCSP_REMOVE_CA_REQUEST
# Description: This event is used when a CA is attempted to be removed from the OCSP Responder.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - CASubjectDN: The DN ID of the CA.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
#
# Event: SECURITY_DATA_EXPORT_KEY
# Description: This event is used when user attempts to retrieve key after the recovery request
#   has been approved.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - KeyID: The key being retrieved.
# - Info: The failure reason if the export fails.
# - PubKey: The public key for the private key being retrieved.
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request
#
# Event: SECURITY_DATA_INFO
# Description: This event is used when user attempts to get metadata information about a key.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - KeyID: The key being retrieved.
# - ClientKeyId:
# - Info: The failure reason if the export fails.
# - PubKey: The public key for the private key being retrieved.
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request
#
# Event: TOKEN_AUTH with [Outcome=Failure]
# Description: This event is used when authentication failed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: Failure
#   (obviously, if authentication failed, you won't have a valid SubjectID, so
#   in this case, AttemptedID is recorded)
# - IP:
# - CUID:
# - MSN:
# - OP:
# - tokenType:
# - AppletVersion:
# - AuthMgr: The authentication manager instance name that did
#   this authentication.
#
LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
#
# Event: TOKEN_AUTH with [Outcome=Success]
# Description: This event is used when authentication succeeded.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: Success
# - IP:
# - CUID:
# - MSN:
# - OP:
# - tokenType:
# - AppletVersion:
# - AuthMgr: The authentication manager instance name that did
#   this authentication.
#
LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication success
#
# Event: TOKEN_CERT_ENROLLMENT
# Description: This event is used for TPS when token certificate enrollment request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - Info: Info in case of failure.
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
#
# Event: TOKEN_CERT_RENEWAL
# Description: This event is used for TPS when token certificate renewal request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - Info: Info in case of failure.
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
#
# Event: TOKEN_CERT_RETRIEVAL
# Description: This event is used for TPS when token certificate retrieval request is made;
#   usually used during recovery, along with TOKEN_KEY_RECOVERY.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
#
# Event: TOKEN_CERT_STATUS_CHANGE_REQUEST
# Description: This event is used when a token certificate status change request (e.g. revocation) is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID: The last token that the certificate was associated with.
# - tokenType:
# - CertSerialNum: The serial number (in decimal) of the certificate to be revoked.
# - RequestType: "revoke", "on-hold", "off-hold".
# - RevokeReasonNum:
# - CA_ID:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
#
# Event: TOKEN_FORMAT with [Outcome=Failure]
# Description: This event is used when token format operation failed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
#
# Event: TOKEN_FORMAT with [Outcome=Success]
# Description: This event is used when token format operation succeeded.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - KeyVersion:
#
LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
#
# Event: TOKEN_KEY_RECOVERY
# Description: This event is used for TPS when token certificate key recovery request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - KRA_ID:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
#
# Event: TOKEN_OP_REQUEST
# Description: This event is used when token processor operation request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - IP:
# - CUID:
# - MSN:
# - Outcome:
# - OP: "format", "enroll", or "pinReset"
# - AppletVersion:
#
LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
#
# Event: TOKEN_PIN_RESET with [Outcome=Failure]
# Description: This event is used when token pin reset request failed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - IP:
# - SubjectID:
# - CUID:
# - Outcome:
# - tokenType:
# - AppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
#
# Event: TOKEN_PIN_RESET with [Outcome=Success]
# Description: This event is used when token pin reset request succeeded.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - IP:
# - SubjectID:
# - CUID:
# - Outcome:
# - tokenType:
# - AppletVersion:
# - KeyVersion:
#
LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
#
# Event: TOKEN_STATE_CHANGE
# Description: This event is used when token state changed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - oldState:
# - oldReason:
# - newState:
# - newReason:
# - ParamNameValPairs: A name-value pair
#   (where name and value are separated by the delimiter ;;)
#   separated by + (if more than one name-value pair) of config params changed.
#   --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed
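The following is an added example, not part of the Certificate System documentation or code, showing how records in the format above can be reviewed: it parses the `[Name=Value]` fields, decodes `ParamNameValPairs` using the `;;` and `+` delimiters described for TOKEN_STATE_CHANGE, flags secret-looking parameters that were logged with a value, and counts TOKEN_AUTH failures per client IP. The sample records, the `SECRET_HINTS` list, the threshold and all function names are assumptions, as is the expansion of `{0}` into `[Name=Value]` fields.

```python
import re
from collections import Counter

# One [Name=Value] field, as laid out in the message templates above.
# Limitation: a value that itself contains ']' is cut at that character.
FIELD_RE = re.compile(r"\[([A-Za-z_]\w*)=([^\]]*)\]")

# Assumption: substrings that mark a parameter name as secret-bearing.
SECRET_HINTS = ("password", "passwd", "pwd", "secret")

# Constructed sample records (not from a real system). Assumes {0} expands
# to [Name=Value] fields; any log-line prefix before them is ignored.
SAMPLE = [
    "[AuditEvent=TOKEN_AUTH][IP=192.0.2.10][SubjectID=jdoe]"
    "[CUID=EXAMPLE-CUID-%d][Outcome=Failure][OP=enroll][AuthMgr=ldap1]"
    " token authentication failure" % n
    for n in range(3)
] + [
    "[AuditEvent=TOKEN_AUTH][IP=192.0.2.20][SubjectID=alice]"
    "[CUID=EXAMPLE-CUID-9][Outcome=Success][OP=enroll][AuthMgr=ldap1]"
    " token authentication success",
    "[AuditEvent=TOKEN_STATE_CHANGE][SubjectID=tpsadmin][Outcome=Success]"
    "[oldState=0][oldReason=-1][newState=4][newReason=-1]"
    "[ParamNameValPairs=tokenID;;EXAMPLE-CUID-9+bindPassword;;hunter2]"
    "[Info=] token state changed",
]

def parse_event(line):
    """Return the [Name=Value] fields of one audit record as a dict."""
    return dict(FIELD_RE.findall(line))

def parse_param_pairs(raw):
    """Split ParamNameValPairs: pairs joined by '+', name;;value inside."""
    pairs = {}
    for item in filter(None, raw.split("+")):
        name, sep, value = item.partition(";;")
        pairs[name] = value if sep else None
    return pairs

def leaked_secret_params(event):
    """Names of secret-looking params logged with a non-empty value."""
    params = parse_param_pairs(event.get("ParamNameValPairs", ""))
    return [n for n, v in params.items()
            if v and any(h in n.lower() for h in SECRET_HINTS)]

def failed_token_auth_by_ip(lines, threshold=3):
    """Client IPs with at least `threshold` TOKEN_AUTH failures."""
    counts = Counter()
    for ev in map(parse_event, lines):
        if ev.get("AuditEvent") == "TOKEN_AUTH" and ev.get("Outcome") == "Failure":
            counts[ev.get("IP", "unknown")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(failed_token_auth_by_ip(SAMPLE))
    print(leaked_secret_params(parse_event(SAMPLE[-1])))
```

A parameter value that itself contains `+` or `;;` cannot be split unambiguously with these delimiters, so treat a flagged or oddly shaped pair as a prompt to inspect the raw record.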
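E.2.2. Operating environment audit events
For a description of the operating environment audit event format, see https://access.redhat.com/articles/4409591. In addition, for events related to RHCS, see "Enabling OS-level audit logs" in the Installation Guide.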