Bug 1461217 - CC: Auditing: ReqID usage inconsistency for CertStatusChangeRequestProcessedEvent and cert requests
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
7.4
All Linux
urgent Severity urgent
: rc
Assigned To: Endi Sukma Dewata
Asha Akkiangady
Marc Muehlfeld
Reported: 2017-06-13 20:04 EDT by Christina Fu
Modified: 2018-01-11 11:09 EST
Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Bug Fix
Doc Text:
Updated attributes in *CERT_STATUS_CHANGE_REQUEST_PROCESSED* audit log event

Previously, the *CERT_STATUS_CHANGE_REQUEST_PROCESSED* audit event in log files contained the following attributes:
* "ReqID": The requester ID
* "SubjectID": The subject ID of the certificate

For consistency with other audit events, the attributes have been modified and now contain the following information:
* "ReqID": The request ID
* "SubjectID": The requester ID


Description Christina Fu 2017-06-13 20:04:14 EDT
I found the following in my audit log:
[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=Lady Christina Fu][Outcome=Success][ReqID=caadmin][CertSerialNum=33][RequestType=revoke][RevokeReasonNum=Unspecified][Approval=complete] certificate status change request processed

If you search for PROFILE_CERT_REQUEST or CERT_REQUEST_PROCESSED events in the audit log, you will see that ReqID is supposed to be the actual request id processed.

While I agree the RequestID should be included in the CERT_STATUS_CHANGE_REQUEST_PROCESSED event as well, recall what I said about "consistent tags" for audit searching; this should be fixed.

We can discuss whether we should add an additional field of "RequesterID".
Comment 2 Christina Fu 2017-06-14 12:24:26 EDT
Looking into LogMessages.properties, I see 
# SubjectID must be the UID of the agent that processed the request
# ReqID must be the request ID

I think the "SubjectID" should be requester then.  To avoid massive changes, I think we should stick to that.
Comment 3 Christina Fu 2017-06-14 12:37:28 EDT
And it looks like some events already use "CertSubject" to record the subject of the cert in request:
"CertSubject must be the certificate subject name of the certificate request"

So my suggestion is to use "CertSubject" and "SubjectID" appropriately.
Comment 4 Endi Sukma Dewata 2017-06-14 13:41:52 EDT
Per IRC discussion, the following fields in CERT_STATUS_CHANGE_REQUEST_PROCESSED event should be changed as follows:
* ReqID should contain the request ID (e.g. 12)
* SubjectID should contain the requester ID (e.g. caadmin)
Comment 6 Matthew Harmsen 2017-09-25 19:47:30 EDT
Per CS/DS Meeting 09/25/2017: 10.5 blocker
Comment 9 bhavik 2017-12-27 13:21:24 EST
Verified on Build 10.5.1-5

[root@bkr-hv01-guest02 ~]# yum list pki-*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
pki-base.noarch                                                                                          10.5.1-5.el7                                                             @RHEL75     
pki-base-java.noarch                                                                                     10.5.1-5.el7                                                             @RHEL75     
pki-ca.noarch                                                                                            10.5.1-5.el7                                                             @RHEL75     
pki-console.noarch                                                                                       10.5.1-3.el7pki                                                          @RHCS93     
pki-kra.noarch                                                                                           10.5.1-5.el7                                                             @RHEL75     
pki-ocsp.noarch                                                                                          10.5.1-5.el7pki                                                          @RHCS93     
pki-server.noarch                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-symkey.x86_64                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-tks.noarch                                                                                           10.5.1-5.el7pki                                                          @RHCS93     
pki-tools.x86_64                                                                                         10.5.1-5.el7                                                             @RHEL75     
pki-tps.x86_64                                                                                           10.5.1-5.el7pki                                                          @RHCS93     

As per Endi's comment https://bugzilla.redhat.com/show_bug.cgi?id=1461217#c4

PROFILE_CERT_REQUEST or CERT_REQUEST_PROCESSED events should contain as below

* ReqID should contain the request ID (e.g. 12)
* SubjectID should contain the requester ID (e.g. caadmin)

[root@bkr-hv01-guest02 ~]# cat /var/lib/pki/topology-02-CA/logs/ca/signedAudit/ca_audit.20171227124631  | grep PROFILE_CERT_REQUEST
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=7][ProfileID=caInternalAuthOCSPCert][CertSubject=CN=OCSP Signing Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-20 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=8][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-24 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=9][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-4 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=10][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=OCSP Audit Signing Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-10 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=11][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=ocspadmin@example.com,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-10 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=12][ProfileID=caInternalAuthTransportCert][CertSubject=CN=DRM Transport Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-5 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=13][ProfileID=caInternalAuthDRMstorageCert][CertSubject=CN=DRM Storage Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-8 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=14][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-23 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=15][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-4 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=16][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=KRA Audit Signing Certificate,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-24 - [27/Dec/2017:06:47:02 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=17][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=kraadmin@example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-21 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=18][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-20 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=19][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-14 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=20][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=TKS Audit Signing Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-23 - [27/Dec/2017:06:48:50 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=21][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=tksadmin@example.com,OU=topology-02-TKS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-19 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=22][ProfileID=caInternalAuthServerCert][CertSubject=CN=pki1.example.com,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-6 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=23][ProfileID=caInternalAuthSubsystemCert][CertSubject=CN=Subsystem Certificate,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-3 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=24][ProfileID=caInternalAuthAuditSigningCert][CertSubject=CN=TPS Audit Signing Certificate,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-15 - [27/Dec/2017:06:51:06 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=25][ProfileID=caAdminCert][CertSubject=CN=PKI Administrator,E=tpsadmin@example.com,OU=topology-02-TPS,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles


[root@bkr-hv01-guest02 ~]# cat /var/lib/pki/topology-02-CA/logs/ca/signedAudit/ca_audit.20171227124631  | grep CERT_REQUEST_PROCESSED
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=7][CertSerialNum=7] certificate request processed
0.http-bio-20443-exec-20 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=8][CertSerialNum=8] certificate request processed
0.http-bio-20443-exec-24 - [27/Dec/2017:06:45:18 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=9][CertSerialNum=9] certificate request processed
0.http-bio-20443-exec-4 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=10][CertSerialNum=10] certificate request processed
0.http-bio-20443-exec-10 - [27/Dec/2017:06:45:19 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=11][CertSerialNum=11] certificate request processed
0.http-bio-20443-exec-10 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=12][CertSerialNum=12] certificate request processed
0.http-bio-20443-exec-5 - [27/Dec/2017:06:47:00 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=13][CertSerialNum=13] certificate request processed
0.http-bio-20443-exec-8 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=14][CertSerialNum=14] certificate request processed
0.http-bio-20443-exec-23 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=15][CertSerialNum=15] certificate request processed
0.http-bio-20443-exec-4 - [27/Dec/2017:06:47:01 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=16][CertSerialNum=16] certificate request processed
0.http-bio-20443-exec-24 - [27/Dec/2017:06:47:02 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=17][CertSerialNum=17] certificate request processed
0.http-bio-20443-exec-21 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=18][CertSerialNum=18] certificate request processed
0.http-bio-20443-exec-20 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=19][CertSerialNum=19] certificate request processed
0.http-bio-20443-exec-14 - [27/Dec/2017:06:48:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=20][CertSerialNum=20] certificate request processed
0.http-bio-20443-exec-23 - [27/Dec/2017:06:48:50 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=21][CertSerialNum=21] certificate request processed
0.http-bio-20443-exec-19 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=22][CertSerialNum=22] certificate request processed
0.http-bio-20443-exec-6 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=23][CertSerialNum=23] certificate request processed
0.http-bio-20443-exec-3 - [27/Dec/2017:06:51:05 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=24][CertSerialNum=24] certificate request processed
0.http-bio-20443-exec-15 - [27/Dec/2017:06:51:06 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=25][CertSerialNum=25] certificate request processed


As per the above audit events, ReqID and SubjectID contain ID and requestor ID as per expectation, hence marking this as verified.
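
The field convention agreed in this bug can be checked mechanically. The following is an added example, not part of the original thread and not pki-core code: it parses the `[Key=Value]` attributes of signed-audit lines, flags events whose ReqID is not a numeric request ID, and groups events by ReqID to show why the pre-fix value breaks correlation. The function names, the decimal-request-ID assumption and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# One [Key=Value] attribute. Values may hold '=' and ',' (CertSubject DNs) but never ']'.
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")
# Events that this bug report says carry the request ID in ReqID.
REQID_EVENTS = {"PROFILE_CERT_REQUEST", "CERT_REQUEST_PROCESSED",
                "CERT_STATUS_CHANGE_REQUEST_PROCESSED"}

# Sample input: line 1 is the pre-fix event from the description, lines 2-3 are
# taken from the verification output, line 4 is constructed (post-fix revoke).
SAMPLE = """\
[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=Lady Christina Fu][Outcome=Success][ReqID=caadmin][CertSerialNum=33][RequestType=revoke][RevokeReasonNum=Unspecified][Approval=complete] certificate status change request processed
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=7][ProfileID=caInternalAuthOCSPCert][CertSubject=CN=OCSP Signing Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org] certificate request made with certificate profiles
0.http-bio-20443-exec-16 - [27/Dec/2017:06:45:17 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=7][CertSerialNum=7] certificate request processed
[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=26][CertSerialNum=7][RequestType=revoke][RevokeReasonNum=Unspecified][Approval=complete] certificate status change request processed
""".splitlines()

def parse_event(line):
    """Return the attributes of one signed-audit line, or None for non-audit lines."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "AuditEvent" in fields else None

def inconsistent_reqids(lines):
    """Return (line_no, event, ReqID) for events whose ReqID is not a request ID."""
    findings = []
    for no, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev and ev["AuditEvent"] in REQID_EVENTS:
            req = ev.get("ReqID", "")
            if not req.isdigit():  # assumption: request IDs are decimal, as in the samples
                findings.append((no, ev["AuditEvent"], req))
    return findings

def timeline_by_reqid(lines):
    """Group (event, SubjectID) pairs under the ReqID each line reports."""
    index = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and "ReqID" in ev:
            index[ev["ReqID"]].append((ev["AuditEvent"], ev.get("SubjectID")))
    return dict(index)

if __name__ == "__main__":
    for finding in inconsistent_reqids(SAMPLE):
        print("ReqID is not a request ID:", finding)
    for req, events in timeline_by_reqid(SAMPLE).items():
        print(req, events)
```

Run against the sample, the pre-fix revoke event is filed under the key `caadmin` rather than a request number, so a search by request ID never finds it.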
