Audit logs are security-relevant records, sets of records, and/or destinations and sources of records that provide documentary evidence of the sequence of activities that have affected, at any time, a specific operation, procedure, or event.
WebSphere provides the Auditing Service, which logs a set of events into a separate audit log file. The primary responsibility of security auditing is to prevent unauthorized access and usage of resources.
The security auditing subsystem has the ability to capture the following types of auditable events:
- Principal/Credential Mapping
- Audit policy management
PS: All sample files were created while user "wpsadmin" logged in and logged out. After that, user "hacker" tried to log in but failed.
WAS side settings + log
Administrative auditing :
Link to steps : https://www.ibm.com/support/knowledgecenter/SSHRKX_8.0.0/admin/srvcfgref_audit.dita
•All configuration changes, such as a WebModule, Application role, etc., that are created, modified, or deleted.
•User/group created, modified or deleted
Problem : No login/logout information is collected
Sample file : PortalAudit_WebSphere_Portal.log
Security auditing :
Link to Steps : http://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_sa_secauditing.html?cp=SSAW57_8.5.5%2F1-8-2-33-5&lang=en
It gathers information such as Authentication, Authorization, Principal/Credential Mapping, Audit policy management, and Delegation.
This logs all login/logout events with complete information, writing each event as a sequence.
Sample file : BinaryAudit_85-cf10-templateCell_porta_WebSphere_Portal_test.log
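The Python below is an added example, not taken from this page or from IBM. It reads security audit records in text form, counts failed logins per user and remote address, and lists missing sequence numbers. The record layout, field names and outcome values are assumptions, and the sample records are constructed to mirror the "wpsadmin"/"hacker" scenario described above.

```python
from collections import Counter

# Constructed records, not taken from the page's sample files. The
# "Key = Value | Key = Value" layout and the field names are assumptions.
SAMPLE = """\
Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = SUCCESSFUL | RemoteAddr = 192.0.2.10 | RegistryUserName = wpsadmin
Seq = 1 | Event Type = SECURITY_AUTHN_TERMINATE | Outcome = SUCCESSFUL | RemoteAddr = 192.0.2.10 | RegistryUserName = wpsadmin
Seq = 2 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | RemoteAddr = 198.51.100.7 | RegistryUserName = hacker
Seq = 4 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | RemoteAddr = 198.51.100.7 | RegistryUserName = hacker
this line is not an audit record
"""


def parse_records(text):
    """Yield one dict per audit record; skip lines without a numeric Seq."""
    for line in text.splitlines():
        fields = {}
        for part in line.split("|"):
            key, sep, value = part.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Seq", "").isdigit():
            yield fields


def failed_logins(text):
    """Count non-successful SECURITY_AUTHN events per (user, remote address)."""
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("Event Type") != "SECURITY_AUTHN":
            continue
        if not rec.get("Outcome", "").upper().startswith("SUCCESS"):
            counts[(rec.get("RegistryUserName", "?"), rec.get("RemoteAddr", "?"))] += 1
    return dict(counts)


def sequence_gaps(text):
    """Return Seq numbers missing between the first and last record seen
    (assumes Seq increases by one per record within a file)."""
    seen = sorted(int(rec["Seq"]) for rec in parse_records(text))
    return sorted(set(range(seen[0], seen[-1] + 1)) - set(seen)) if seen else []


if __name__ == "__main__":
    for (user, addr), n in failed_logins(SAMPLE).items():
        print(f"{n} failed login(s) for {user!r} from {addr}")
    print("missing Seq numbers:", sequence_gaps(SAMPLE))
```

A gap in the sequence numbers is worth checking against log rotation before treating it as a sign of removed records.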
Portal Side Trace settings
1st set Trace
This is suggested in the "Collecting Data: Login for WebSphere Portal" link.
Steps to configure - http://www-01.ibm.com/support/docview.wss?uid=swg21592791
Trace level : *=info:com.ibm.wps.engine.Servlet=all:com.ibm.wps.services.puma.*=all:
Sample file : trace_1.log
2nd set Trace
Steps to configure : Follow the link given in the first set to configure the trace, and use the trace string below in this case.
Trace level : *=info:com.ibm.wps.auth.impl.LogoutDefaultFilter=all:
Sample file : trace_2.log
Each one provides a different kind of information in the log when a security threat happens. One can stick with only one type, or combine the WAS audit log with Portal trace to get more information about that instant in time.