Bug 1461217
Summary: | CC: Auditing: ReqID usage inconsistency for CertStatusChangeRequestProcessedEvent and cert requests | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Christina Fu <cfu> |
Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
Priority: | urgent | ||
Version: | 7.4 | CC: | alee, arubin, bbhavsar, edewata, mharmsen, msauton |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | pki-core-10.5.1-1.el7 | Doc Type: | Bug Fix |
Doc Text: |
Updated attributes in `CERT_STATUS_CHANGE_REQUEST_PROCESSED` audit log event
Previously, the `CERT_STATUS_CHANGE_REQUEST_PROCESSED` audit event in log files contained the following attributes:
* `ReqID` - The requester ID
* `SubjectID` - The subject ID of the certificate
For consistency with other audit events, the attributes have been modified and now contain the following information:
* `ReqID` - The request ID
* `SubjectID` - The requester ID
|
Last Closed: | 2018-04-10 16:58:29 UTC | Type: | Bug |
Description
Christina Fu
2017-06-14 00:04:14 UTC
Looking into LogMessages.properties, I see

# SubjectID must be the UID of the agent that processed the request
# ReqID must be the request ID

I think the "SubjectID" should be requester then. To avoid massive changes, I think we should stick to that.

And it looks like some events already use "CertSubject" to record the subject of the cert in request

"CertSubject must be the certificate subject name of the certificate request

So my suggestion is to use "CertSubject" and "SubjectID" appropriately.

Per IRC discussion, the following fields in CERT_STATUS_CHANGE_REQUEST_PROCESSED event should be changed as follows:
* ReqID should contain the request ID (e.g. 12)
* SubjectID should contain the requester ID (e.g. caadmin)

Per CS/DS Meeting 09/25/2017: 10.5 blocker

edewata fixed in master:
* https://github.com/dogtagpki/pki/commit/28d4187122f358d3203fe0bca26960f179649eb9
* https://github.com/dogtagpki/pki/commit/76eca860d5d87b78156d1478306e8efab0c2c9e1

Verified on Build 10.5.1-5

```
[root@bkr-hv01-guest02 ~]# yum list pki-*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
pki-base.noarch 10.5.1-5.el7 @RHEL75
pki-base-java.noarch 10.5.1-5.el7 @RHEL75
pki-ca.noarch 10.5.1-5.el7 @RHEL75
pki-console.noarch 10.5.1-3.el7pki @RHCS93
pki-kra.noarch 10.5.1-5.el7 @RHEL75
pki-ocsp.noarch 10.5.1-5.el7pki @RHCS93
pki-server.noarch 10.5.1-5.el7 @RHEL75
pki-symkey.x86_64 10.5.1-5.el7 @RHEL75
pki-tks.noarch 10.5.1-5.el7pki @RHCS93
pki-tools.x86_64 10.5.1-5.el7 @RHEL75
pki-tps.x86_64 10.5.1-5.el7pki @RHCS93
```

As per Endi's comment https://bugzilla.redhat.com/show_bug.cgi?id=1461217#c4 PROFILE_CERT_REQUEST or CERT_REQUEST_PROCESSED events should contain as below
* ReqID should contain the request ID (e.g. 12)
* SubjectID should contain the requester ID (e.g. caadmin)

```
[root@bkr-hv01-guest02 ~]# cat /var/lib/pki/topology-02-CA/logs/ca/signedAudit/ca_audit.20171227124631 | grep PROFILE_CERT_REQUEST
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=7][ProfileID=caInternalAuthOCSPCert][CertSubject=CN=OCSP Signing Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-20 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=8][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-24 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=9][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-4 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=10][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=OCSP Audit Signing Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-10 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=11][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=ocspadmin,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-10 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=12][ProfileID=caInternalAuthTransportCert][CertSubject=CN=DRM Transport Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-5 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=13][ProfileID=caInternalAuthDRMstorageCert][CertSubject=CN=DRM Storage Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-8 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=14][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-23 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=15][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-4 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=16][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=KRA Audit Signing Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-24 - [27/Dec/2017:06:47:02 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=17][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=kraadmin,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-21 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=18][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-20 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=19][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-14 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=20][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=TKS Audit Signing Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-23 - [27/Dec/2017:06:48:50 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=21][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=tksadmin,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-19 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=22][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-6 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=23][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-3 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=24][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=TPS Audit Signing Certificate,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-15 - [27/Dec/2017:06:51:06 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=25][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=tpsadmin,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
```

```
[root@bkr-hv01-guest02 ~]# cat /var/lib/pki/topology-02-CA/logs/ca/signedAudit/ca_audit.20171227124631 | grep CERT_REQUEST_PROCESSED
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=7][CertSerialNum=7] certificate request processed
0.http-bio-20443-exec-20 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=8][CertSerialNum=8] certificate request processed
0.http-bio-20443-exec-24 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=9][CertSerialNum=9] certificate request processed
0.http-bio-20443-exec-4 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=10][CertSerialNum=10] certificate request processed
0.http-bio-20443-exec-10 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=11][CertSerialNum=11] certificate request processed
0.http-bio-20443-exec-10 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=12][CertSerialNum=12] certificate request processed
0.http-bio-20443-exec-5 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=13][CertSerialNum=13] certificate request processed
0.http-bio-20443-exec-8 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=14][CertSerialNum=14] certificate request processed
0.http-bio-20443-exec-23 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=15][CertSerialNum=15] certificate request processed
0.http-bio-20443-exec-4 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=16][CertSerialNum=16] certificate request processed
0.http-bio-20443-exec-24 - [27/Dec/2017:06:47:02 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=17][CertSerialNum=17] certificate request processed
0.http-bio-20443-exec-21 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=18][CertSerialNum=18] certificate request processed
0.http-bio-20443-exec-20 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=19][CertSerialNum=19] certificate request processed
0.http-bio-20443-exec-14 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=20][CertSerialNum=20] certificate request processed
0.http-bio-20443-exec-23 - [27/Dec/2017:06:48:50 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=21][CertSerialNum=21] certificate request processed
0.http-bio-20443-exec-19 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=22][CertSerialNum=22] certificate request processed
0.http-bio-20443-exec-6 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=23][CertSerialNum=23] certificate request processed
0.http-bio-20443-exec-3 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=24][CertSerialNum=24] certificate request processed
0.http-bio-20443-exec-15 - [27/Dec/2017:06:51:06 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=25][CertSerialNum=25] certificate request processed
```

As per the above audit events ReqID and SubjectID contains ID and requestor ID as per expectation hence marking this as verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925
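Added example, not part of the bug report or of the Dogtag code base: a Python check that parses the `[Key=Value]` attributes of signed-audit lines, flags any of the three events discussed here whose `ReqID` is not a request ID, and flags `CERT_REQUEST_PROCESSED` events with no earlier `PROFILE_CERT_REQUEST` for the same `ReqID`. It assumes decimal request IDs as in the samples above; the function names are hypothetical, and the `CERT_STATUS_CHANGE_REQUEST_PROCESSED` lines and the `ReqID=99` line are constructed, abbreviated to the attributes this page names.

```python
import re

# One [Key=Value] attribute. The timestamp and the bare [14] [6] fields
# do not start with a letter followed by "=", so they are skipped.
FIELD = re.compile(r"\[([A-Za-z]\w*)=([^\]]*)\]")
WATCHED = {"PROFILE_CERT_REQUEST", "CERT_REQUEST_PROCESSED",
           "CERT_STATUS_CHANGE_REQUEST_PROCESSED"}

def parse_event(line):
    """Return the attributes of one audit line as a dict."""
    return dict(FIELD.findall(line))

def check_reqid_usage(lines):
    """Return (line_no, event, problem) tuples for inconsistent ReqID use."""
    findings, requested = [], {}   # requested: ReqID -> requester (SubjectID)
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        name = ev.get("AuditEvent")
        if name not in WATCHED:
            continue
        req_id = ev.get("ReqID", "")
        if not req_id.isdigit():   # assumption: request IDs are decimal
            findings.append((n, name, f"ReqID {req_id!r} is not a request ID"))
        elif name == "PROFILE_CERT_REQUEST":
            requested[req_id] = ev.get("SubjectID")
        elif name == "CERT_REQUEST_PROCESSED" and req_id not in requested:
            findings.append((n, name, f"no PROFILE_CERT_REQUEST for ReqID {req_id}"))
    return findings

PREFIX = "0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] "
SAMPLE = [
    # Lines 1-2: taken from the verification output on this page.
    PREFIX + "[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success]"
             "[ReqID=7][ProfileID=caInternalAuthOCSPCert][CertSubject=CN=OCSP Signing "
             "Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] "
             "certificate request made with certificate profiles",
    PREFIX + "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success]"
             "[ReqID=7][CertSerialNum=7] certificate request processed",
    # Line 3: constructed, attribute usage after the fix.
    PREFIX + "[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin]"
             "[Outcome=Success][ReqID=12]",
    # Line 4: constructed, attribute usage before the fix (requester in ReqID).
    PREFIX + "[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]"
             "[SubjectID=CN=pki1.example.com][Outcome=Success][ReqID=caadmin]",
    # Line 5: constructed, processed event with no matching request in this input.
    PREFIX + "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success]"
             "[ReqID=99][CertSerialNum=99] certificate request processed",
]

if __name__ == "__main__":
    for finding in check_reqid_usage(SAMPLE):
        print(finding)
```

When run over a single rotated audit file, an unmatched `CERT_REQUEST_PROCESSED` can simply mean the request was logged in an earlier file, so feed the files in chronological order before treating it as a gap.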