Hide Forgot
Gossamer reports that agent operation for profile enabling and disabling are missing by default. Investigation shows that CERT_PROFILE_APPROVAL should be the event. Here is Gossamer's explanation for expecting such events to be enabled by default: "... FAU_GEN.1 indicated that there is a requirement for auditing of administrative actions. That is a very broad feature and covers a lot of things. ..." As a result, we want to make sure all audit events concerning role actions (mostly config) are enabled by default.
https://review.gerrithub.io/c/dogtagpki/pki/+/421669
commit 07a82189eda713073cced649bfe402ce0cf10a05 (HEAD -> master, origin/master, origin/HEAD, ticket-3041-audit-config-events-master) Author: Christina Fu <cfu@redhat.com> Date: Wed Aug 8 18:41:52 2018 -0700 Ticket #3041 Enable all config audit events This patch enables the audit events concerning role actions (mostly config) by default. Two additional minor issues are also addressed: 1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert (bugzilla #1610718) 2. removing unrecommended signing algorithms fixes: https://pagure.io/dogtagpki/issue/3041 Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d
Build used for verification: root@csqa4-guest01 hsm_setup # pki --version PKI Command-Line Interface 10.5.9-6.el7 Verification procedure as mention in: https://bugzilla.redhat.com/show_bug.cgi?id=1614839#c4 disable profile pki -d /tmp/nssdb/ -c SECret.123 -n CA_AgentV ca-profile-disable caUserCert ----------------------------- Disabled profile "caUserCert" ----------------------------- CA audit log 0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success 0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTH][SubjectID=CA_AgentV][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success 0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success 0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated 0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success 0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.profile][Op=approve][Info=ProfileResource.modifyProfileState] authorization success 0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=CA_AgentV][Outcome=Success][ProfileID=caUserCert][Op=disapprove] certificate profile approval 0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated 0.http-bio-8443-exec-5 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success 0.http-bio-8443-exec-5 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success 0.http-bio-8443-exec-5 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated enable profile pki -d /tmp/nssdb/ -c SECret.123 -n CA_AgentV ca-profile-enable caUserCert ---------------------------- Enabled profile "caUserCert" ---------------------------- CA audit log 0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success 0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTH][SubjectID=CA_AgentV][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success 0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success 0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated 0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success 0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.profile][Op=approve][Info=ProfileResource.modifyProfileState] authorization success 0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=CA_AgentV][Outcome=Success][ProfileID=caUserCert][Op=approve] certificate profile approval 0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated 0.http-bio-8443-exec-12 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success 0.http-bio-8443-exec-12 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success 0.http-bio-8443-exec-12 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated pki console does not show MD2 or MD5 algorithms in Revocation List Signing Algorithm drop-down list
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3195