Bug 1461217 - CC: Auditing: ReqID usage inconsistency for CertStatusChangeRequestProcessedEvent and cert requests
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-14 00:04 UTC by Christina Fu
Modified: 2020-10-04 21:32 UTC (History)

Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Bug Fix
Doc Text:
Updated attributes in `CERT_STATUS_CHANGE_REQUEST_PROCESSED` audit log event

Previously, the `CERT_STATUS_CHANGE_REQUEST_PROCESSED` audit event in log files contained the following attributes:
* `ReqID` - The requester ID
* `SubjectID` - The subject ID of the certificate

For consistency with other audit events, the attributes have been modified and now contain the following information:
* `ReqID` - The request ID
* `SubjectID` - The requester ID
Clone Of:
Environment:
Last Closed: 2018-04-10 16:58:29 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2858 0 None None None 2020-10-04 21:32:33 UTC
Red Hat Product Errata RHBA-2018:0925 0 None None None 2018-04-10 16:59:35 UTC

Description Christina Fu 2017-06-14 00:04:14 UTC
I found the following in my audit log:
[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=Lady Christina Fu][Outcome=Success][ReqID=caadmin][CertSerialNum=33][RequestType=revoke][RevokeReasonNum=Unspecified][Approval=complete] certificate status change request processed

If you search for PROFILE_CERT_REQUEST or CERT_REQUEST_PROCESSED events in the audit log, you will see that ReqID is supposed to be the actual request id processed.

While I agree the RequestID should be included in the CERT_STATUS_CHANGE_REQUEST_PROCESSED event as well, recall what I said about "consistent tags" for audit searching; this should be fixed.

We can discuss whether we should add an additional field of "RequesterID".

Comment 2 Christina Fu 2017-06-14 16:24:26 UTC
Looking into LogMessages.properties, I see 
# SubjectID must be the UID of the agent that processed the request
# ReqID must be the request ID

I think the "SubjectID" should be requester then.  To avoid massive changes, I think we should stick to that.

Comment 3 Christina Fu 2017-06-14 16:37:28 UTC
And it looks like some events already use "CertSubject" to record the subject of the cert in request:
"CertSubject must be the certificate subject name of the certificate request"

So my suggestion is to use "CertSubject" and "SubjectID" appropriately.

Comment 4 Endi Sukma Dewata 2017-06-14 17:41:52 UTC
Per IRC discussion, the following fields in CERT_STATUS_CHANGE_REQUEST_PROCESSED event should be changed as follows:
* ReqID should contain the request ID (e.g. 12)
* SubjectID should contain the requester ID (e.g. caadmin)
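
The field convention agreed in this comment can be checked mechanically over signed-audit lines. The following is an added example, not code from pki-core or from the bug thread; the function names and the `requester_uids` parameter are hypothetical, and it assumes request IDs are decimal as in the samples on this page.

```python
import re

# One [Key=Value] audit field. The timestamp and the bare [14] [6] prefix
# fields carry no "=", so they never match. Assumes values contain no "]".
FIELD = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")

# Events that the bug discussion expects to share one ReqID/SubjectID meaning.
REQUEST_EVENTS = {"PROFILE_CERT_REQUEST", "CERT_REQUEST_PROCESSED",
                  "CERT_STATUS_CHANGE_REQUEST_PROCESSED"}

def audit_fields(line):
    """Return the [Key=Value] fields of one signed-audit line as a dict."""
    return dict(FIELD.findall(line))

def check_event(line, requester_uids=frozenset()):
    """Return findings for one audit line; an empty list means consistent."""
    fields = audit_fields(line)
    if fields.get("AuditEvent") not in REQUEST_EVENTS:
        return []
    findings = []
    req_id, subject = fields.get("ReqID"), fields.get("SubjectID")
    if req_id is None:
        findings.append("ReqID missing")
    elif req_id in requester_uids:
        findings.append(f"ReqID={req_id} is a requester UID (pre-fix layout)")
    elif not req_id.isdigit():
        # Assumption: request IDs are decimal, as in the page's samples.
        findings.append(f"ReqID={req_id} is not a request ID")
    if subject is None:
        findings.append("SubjectID missing")
    elif requester_uids and subject not in requester_uids:
        findings.append(f"SubjectID={subject} is not a known requester UID")
    return findings

# PRE_FIX is the event quoted in the bug description. POST_FIX is constructed
# here by rearranging the same fields as comment 4 describes.
PRE_FIX = ("[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]"
           "[SubjectID=Lady Christina Fu][Outcome=Success][ReqID=caadmin]"
           "[CertSerialNum=33][RequestType=revoke]"
           "[RevokeReasonNum=Unspecified][Approval=complete] "
           "certificate status change request processed")
POST_FIX = (PRE_FIX.replace("SubjectID=Lady Christina Fu", "SubjectID=caadmin")
            .replace("ReqID=caadmin", "ReqID=12"))

if __name__ == "__main__":
    for sample in (PRE_FIX, POST_FIX):
        print(check_event(sample, {"caadmin"}) or "consistent")
```

Passing the set of known agent UIDs catches both halves of the old layout; without it, only the non-numeric ReqID is reported.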

Comment 6 Matthew Harmsen 2017-09-25 23:47:30 UTC
Per CS/DS Meeting 09/25/2017: 10.5 blocker

Comment 9 bhavik 2017-12-27 18:21:24 UTC
Verified on Build 10.5.1-5

[root@bkr-hv01-guest02 ~]# yum list pki-*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
pki-base.noarch                                                                                          10.5.1-5.el7                                                             @RHEL75     
pki-base-java.noarch                                                                                     10.5.1-5.el7                                                             @RHEL75     
pki-ca.noarch                                                                                            10.5.1-5.el7                                                             @RHEL75     
pki-console.noarch                                                                                       10.5.1-3.el7pki                                                          @RHCS93     
pki-kra.noarch                                                                                           10.5.1-5.el7                                                             @RHEL75     
pki-ocsp.noarch                                                                                          10.5.1-5.el7pki                                                          @RHCS93     
pki-server.noarch                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-symkey.x86_64                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-tks.noarch                                                                                           10.5.1-5.el7pki                                                          @RHCS93     
pki-tools.x86_64                                                                                         10.5.1-5.el7                                                             @RHEL75     
pki-tps.x86_64                                                                                           10.5.1-5.el7pki                                                          @RHCS93     

As per Endi's comment https://bugzilla.redhat.com/show_bug.cgi?id=1461217#c4

PROFILE_CERT_REQUEST or CERT_REQUEST_PROCESSED events should contain as below

* ReqID should contain the request ID (e.g. 12)
* SubjectID should contain the requester ID (e.g. caadmin)

[root@bkr-hv01-guest02 ~]# cat /var/lib/pki/topology-02-CA/logs/ca/signedAudit/ca_audit.20171227124631  | grep PROFILE_CERT_REQUEST
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=7][ProfileID=caInternalAuthOCSPCert][CertSubject=CN=OCSP Signing Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-20 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=8][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-24 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=9][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-4 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=10][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=OCSP Audit Signing Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-10 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=11][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=ocspadmin,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-10 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=12][ProfileID=caInternalAuthTransportCert][CertSubject=CN=DRM Transport Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-5 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=13][ProfileID=caInternalAuthDRMstorageCert][CertSubject=CN=DRM Storage Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-8 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=14][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-23 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=15][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-4 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=16][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=KRA Audit Signing Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-24 - [27/Dec/2017:06:47:02 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=17][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=kraadmin,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-21 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=18][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-20 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=19][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-14 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=20][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=TKS Audit Signing Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-23 - [27/Dec/2017:06:48:50 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=21][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=tksadmin,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-19 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=22][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-6 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=23][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-3 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=24][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=TPS Audit Signing Certificate,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-15 - [27/Dec/2017:06:51:06 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=25][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=tpsadmin,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles


[root@bkr-hv01-guest02 ~]# cat /var/lib/pki/topology-02-CA/logs/ca/signedAudit/ca_audit.20171227124631  | grep CERT_REQUEST_PROCESSED
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=7][CertSerialNum=7] certificate request processed
0.http-bio-20443-exec-20 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=8][CertSerialNum=8] certificate request processed
0.http-bio-20443-exec-24 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=9][CertSerialNum=9] certificate request processed
0.http-bio-20443-exec-4 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=10][CertSerialNum=10] certificate request processed
0.http-bio-20443-exec-10 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=11][CertSerialNum=11] certificate request processed
0.http-bio-20443-exec-10 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=12][CertSerialNum=12] certificate request processed
0.http-bio-20443-exec-5 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=13][CertSerialNum=13] certificate request processed
0.http-bio-20443-exec-8 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=14][CertSerialNum=14] certificate request processed
0.http-bio-20443-exec-23 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=15][CertSerialNum=15] certificate request processed
0.http-bio-20443-exec-4 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=16][CertSerialNum=16] certificate request processed
0.http-bio-20443-exec-24 - [27/Dec/2017:06:47:02 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=17][CertSerialNum=17] certificate request processed
0.http-bio-20443-exec-21 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=18][CertSerialNum=18] certificate request processed
0.http-bio-20443-exec-20 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=19][CertSerialNum=19] certificate request processed
0.http-bio-20443-exec-14 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=20][CertSerialNum=20] certificate request processed
0.http-bio-20443-exec-23 - [27/Dec/2017:06:48:50 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=21][CertSerialNum=21] certificate request processed
0.http-bio-20443-exec-19 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=22][CertSerialNum=22] certificate request processed
0.http-bio-20443-exec-6 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=23][CertSerialNum=23] certificate request processed
0.http-bio-20443-exec-3 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=24][CertSerialNum=24] certificate request processed
0.http-bio-20443-exec-15 - [27/Dec/2017:06:51:06 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=25][CertSerialNum=25] certificate request processed


As per the above audit events, ReqID and SubjectID contain ID and requestor ID as per expectation, hence marking this as verified.

Comment 16 errata-xmlrpc 2018-04-10 16:58:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

