Bug 1601569 - CC: Enable all config audit events
Summary: CC: Enable all config audit events
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks: 1614839
 
Reported: 2018-07-16 17:36 UTC by Christina Fu
Modified: 2018-10-30 11:07 UTC

Fixed In Version: pki-core-10.5.9-6.el7
Doc Type: No Doc Update
Doc Text:
See Doc Text field in BZ#1614839.
Clone Of:
Clones: 1614839
Environment:
Last Closed: 2018-10-30 11:07:14 UTC
Target Upstream Version:


Links
Red Hat Product Errata RHBA-2018:3195 (last updated 2018-10-30 11:07:43 UTC)

Description Christina Fu 2018-07-16 17:36:10 UTC
Gossamer reports that the agent operations for profile enabling and disabling are missing by default.
Investigation shows that CERT_PROFILE_APPROVAL should be the event.

Here is Gossamer's explanation for expecting such events to be enabled by default:
"...
FAU_GEN.1 indicated that there is a requirement for auditing of administrative actions.  That is a very broad feature and covers a lot of things. 
..."

As a result, we want to make sure all audit events concerning role actions (mostly config) are enabled by default.

Comment 4 Christina Fu 2018-08-10 00:59:14 UTC
commit 07a82189eda713073cced649bfe402ce0cf10a05 (HEAD -> master, origin/master, origin/HEAD, ticket-3041-audit-config-events-master)
Author: Christina Fu <cfu@redhat.com>
Date:   Wed Aug 8 18:41:52 2018 -0700

    Ticket #3041 Enable all config audit events
    
    This patch enables the audit events concerning role actions (mostly config)
    by default.
    
    Two additional minor issues are also addressed:
    1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
       (bugzilla #1610718)
    2. removing unrecommended signing algorithms
    
    fixes: https://pagure.io/dogtagpki/issue/3041
    Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d

Comment 9 Sumedh Sidhaye 2018-08-29 08:47:15 UTC
Build used for verification:

root@csqa4-guest01 hsm_setup # pki --version
PKI Command-Line Interface 10.5.9-6.el7


Verification procedure as mentioned in:
https://bugzilla.redhat.com/show_bug.cgi?id=1614839#c4


disable profile

pki -d /tmp/nssdb/ -c SECret.123 -n CA_AgentV ca-profile-disable caUserCert
-----------------------------
Disabled profile "caUserCert"
-----------------------------

CA audit log

0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success
0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTH][SubjectID=CA_AgentV][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
0.http-bio-8443-exec-1 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success
0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.profile][Op=approve][Info=ProfileResource.modifyProfileState] authorization success
0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=CA_AgentV][Outcome=Success][ProfileID=caUserCert][Op=disapprove] certificate profile approval
0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0.http-bio-8443-exec-5 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success
0.http-bio-8443-exec-5 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
0.http-bio-8443-exec-5 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated



enable profile

pki -d /tmp/nssdb/ -c SECret.123 -n CA_AgentV ca-profile-enable caUserCert
----------------------------
Enabled profile "caUserCert"
----------------------------
CA audit log

0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success
0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTH][SubjectID=CA_AgentV][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
0.http-bio-8443-exec-7 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success
0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.profile][Op=approve][Info=ProfileResource.modifyProfileState] authorization success
0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=CA_AgentV][Outcome=Success][ProfileID=caUserCert][Op=approve] certificate profile approval
0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0.http-bio-8443-exec-12 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success] access session establish success
0.http-bio-8443-exec-12 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
0.http-bio-8443-exec-12 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated


pki console does not show MD2 or MD5 algorithms in Revocation List Signing Algorithm drop-down list
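
The check performed by hand in Comment 9 (disable or enable a profile, then confirm a CERT_PROFILE_APPROVAL event lands in the CA audit log) can be scripted. The following is an added example, not part of this bug report or of the pki-core project: it parses Dogtag CA audit log lines in the format quoted above into key/value fields, lists every CERT_PROFILE_APPROVAL event, and flags any thread on which an agent was authorized for `ProfileResource.modifyProfileState` without a matching CERT_PROFILE_APPROVAL event, which is the symptom this bug describes for a build where the event was not enabled by default. The sample input is five lines copied from the comment above plus one constructed AUTHZ line (thread `exec-20`, made-up timestamp) that has no approval event after it.

```python
import re

# Sample input for this example: five lines taken from the audit log quoted in
# Comment 9 of this bug, plus one constructed AUTHZ line (thread exec-20, a
# made-up timestamp) that is not followed by a CERT_PROFILE_APPROVAL event.
# That last line simulates what the log of a build without this fix looked
# like: the agent is authorized to change the profile state, but no config
# audit event records the change.
SAMPLE_LOG = """\
0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.profile][Op=approve][Info=ProfileResource.modifyProfileState] authorization success
0.http-bio-8443-exec-3 - [28/Aug/2018:23:59:12 EDT] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=CA_AgentV][Outcome=Success][ProfileID=caUserCert][Op=disapprove] certificate profile approval
0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.profile][Op=approve][Info=ProfileResource.modifyProfileState] authorization success
0.http-bio-8443-exec-10 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=CA_AgentV][Outcome=Success][ProfileID=caUserCert][Op=approve] certificate profile approval
0.http-bio-8443-exec-12 - [29/Aug/2018:01:58:21 EDT] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=IP][ServerIP=IP][SubjectID=UID=CA_AgentV,E=CA_AgentV@example.org,CN=CA Agent User,O=Example Org][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
0.http-bio-8443-exec-20 - [29/Aug/2018:02:10:00 EDT] [14] [6] [AuditEvent=AUTHZ][SubjectID=CA_AgentV][Outcome=Success][aclResource=certServer.ca.profile][Op=approve][Info=ProfileResource.modifyProfileState] authorization success
"""

# Line layout as seen in the comment: "<thread> - [<timestamp>] [<n>] [<n>]
# [Key=Value][Key=Value]... <free-text message>". Values may themselves
# contain '=' and ',' (the SubjectID DN), so a field is split at its first '='.
LINE_RE = re.compile(
    r'^(?P<thread>\S+) - \[(?P<time>[^\]]+)\] \[(?P<level>\d+)\] \[(?P<source>\d+)\] '
    r'(?P<fields>(?:\[[^\]]*\])+) ?(?P<message>.*)$'
)
FIELD_RE = re.compile(r'\[([A-Za-z]+)=([^\]]*)\]')


def parse_audit_line(line):
    """Parse one audit log line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        'thread': m.group('thread'),
        'time': m.group('time'),
        'message': m.group('message').strip(),
    }
    event.update(FIELD_RE.findall(m.group('fields')))
    return event


def profile_state_changes(lines):
    """Every CERT_PROFILE_APPROVAL event as (subject, profile, op, outcome)."""
    changes = []
    for ev in map(parse_audit_line, lines):
        if ev and ev.get('AuditEvent') == 'CERT_PROFILE_APPROVAL':
            changes.append((ev['SubjectID'], ev['ProfileID'], ev['Op'], ev['Outcome']))
    return changes


def unaudited_profile_state_changes(lines):
    """(thread, time, subject) for each authorized modifyProfileState request
    that has no CERT_PROFILE_APPROVAL event on the same thread and timestamp.

    On the fixed build this list is empty; on a build where the config events
    are disabled, every profile enable/disable shows up here. Tomcat reuses
    thread names, so the key includes the timestamp as well."""
    authorized = {}
    recorded = set()
    for ev in map(parse_audit_line, lines):
        if not ev:
            continue
        key = (ev['thread'], ev['time'])
        if (ev.get('AuditEvent') == 'AUTHZ'
                and ev.get('aclResource') == 'certServer.ca.profile'
                and ev.get('Info') == 'ProfileResource.modifyProfileState'):
            authorized[key] = ev['SubjectID']
        elif ev.get('AuditEvent') == 'CERT_PROFILE_APPROVAL':
            recorded.add(key)
    return [(t, ts, subj) for (t, ts), subj in authorized.items()
            if (t, ts) not in recorded]


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for subject, profile, op, outcome in profile_state_changes(lines):
        print(f'{subject} {op} profile {profile}: {outcome}')
    for thread, ts, subject in unaudited_profile_state_changes(lines):
        print(f'MISSING config audit event: {subject} changed a profile state '
              f'on {thread} at {ts} with no CERT_PROFILE_APPROVAL')
```

Run against a real CA audit log (for example piped from the CA's signed audit log file) the second function is the one to watch: a non-empty result means an agent changed a profile's state without the corresponding config audit event, which is exactly the gap FAU_GEN.1 is concerned with.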

Comment 11 errata-xmlrpc 2018-10-30 11:07:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195
