Audit logs are security-relevant records (or sets of records, together with their source and destination) that provide documentary evidence of the sequence of activities that affected a specific operation, procedure, or event at any given time.
WebSphere provides the Auditing Service, which logs a set of events into a separate audit log file. The primary responsibility of security auditing is to prevent unauthorized access to and usage of resources.
The security auditing subsystem has the ability to capture the following types of auditable events:
- Principal/Credential Mapping
- Audit policy management
PS: all sample files were created while user "wpsadmin" logged in and logged out. After that, user "hacker" tried to log in but failed.
1. WAS-side settings + log
1a. Administrative auditing:
This is the one that is implemented right now.
- All configuration changes, such as WebModule, Application role, etc., that are created, modified, or deleted
- Users/groups created, modified, or deleted
Problem: no login/logout information is collected.
Sample file: PortalAudit_WebSphere_Portal.log
1b. Security auditing:
This one is specific to security auditing.
It gathers information on Authentication, Authorization, Principal/Credential Mapping, Audit policy management, and Delegation.
It logs all login/logout events with complete information, writing each event as a sequence.
Sample file: BinaryAudit_85-cf10-templateCell_porta_WebSphere_Portal_test.log
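As an added illustration (not part of these notes and not IBM's code), the following Python snippet parses audit records laid out as "key = value | key = value" and tallies login outcomes per user, which is the check we would want to run over the security audit log. The three sample records and the field names (Seq, Event Type, Outcome, UserName, RemoteHost) are constructed to match the scenario above and are assumptions; verify them against the real BinaryAudit sample file before relying on them.

```python
from collections import Counter, defaultdict

# Constructed sample records in an assumed "key = value | key = value" layout
# (field names are assumptions; check them against the real BinaryAudit_*.log).
# Scenario from the notes: wpsadmin logs in and out, then "hacker" fails to log in.
SAMPLE_AUDIT = """\
Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = SUCCESS | UserName = wpsadmin | RemoteHost = 10.0.0.5
Seq = 1 | Event Type = SECURITY_AUTHN_TERMINATE | Outcome = SUCCESS | UserName = wpsadmin | RemoteHost = 10.0.0.5
Seq = 2 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | UserName = hacker | RemoteHost = 10.0.0.9
"""

def parse_record(line):
    """Split one 'k = v | k = v' audit line into a dict; returns {} for blank lines."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def parse_audit(text):
    """Parse every non-empty line of an audit log into a list of record dicts."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]

def login_outcomes(records):
    """Count SUCCESS/FAILURE outcomes of login (SECURITY_AUTHN) events per user."""
    counts = defaultdict(Counter)
    for r in records:
        if r.get("Event Type") == "SECURITY_AUTHN":
            counts[r.get("UserName", "?")][r.get("Outcome", "?")] += 1
    return counts

def failed_logins(records, threshold=1):
    """Users whose login failures reach the threshold (candidates for alerting)."""
    return {u: c["FAILURE"] for u, c in login_outcomes(records).items()
            if c["FAILURE"] >= threshold}

def sequence_gaps(records):
    """Missing Seq numbers; a gap means events were lost or removed from the log."""
    seqs = sorted(int(r["Seq"]) for r in records if r.get("Seq", "").isdigit())
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present] if seqs else []

if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print({u: dict(c) for u, c in login_outcomes(recs).items()})
    print("failed logins:", failed_logins(recs))
    print("sequence gaps:", sequence_gaps(recs))
```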
2. Portal-side trace settings
2a. Trace levels suggested in the "Collecting Data: Login for WebSphere Portal" technote: http://www-01.ibm.com/support/docview.wss?uid=swg21592791
Trace level: *=info:com.ibm.wps.engine.Servlet=all:com.ibm.wps.services.puma.*=all:
Sample file: trace_1.log
2b. Trace levels suggested by Sascha Schefenacker from the WebSphere Security Team (Dilip contacted her to get this info)
Trace level: *=info: com.ibm.wps.auth.impl.LogoutDefaultFilter=all:
Sample file: trace_2.log
We have to decide on the best way to get the maximum information without loading the system. As Lorenzo suggested in scrum yesterday, it may be a combination of step 1b (WAS Security Auditing) and the Portal trace settings. We also have to decide which trace level is appropriate for our requirement.