
6.2. Audit

JBoss Enterprise Application Platform can generate audit records for access control events. Attempts to access web resources, invocation of EJB methods, unauthorized message destinations, and regular Web Service-related access control can all be logged. As the administrator, you can select the level of events to audit.
The JBoss Application Server (JBoss AS) generates log events at start-up time and when it is shut down:

Example 6.1. Start up log events

15:36:39,026 INFO  [ServerImpl] Starting JBoss (Microcontainer)...
15:36:39,027 INFO  [ServerImpl] Release ID: JBoss [EAP] 5.1.0 (build: SVNTag=JBPAPP_5_1_0 date=201009150028)
15:36:39,027 INFO  [ServerImpl] Bootstrap URL: null
15:36:39,027 INFO  [ServerImpl] Home Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as
15:36:39,027 INFO  [ServerImpl] Home URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/
15:36:39,027 INFO  [ServerImpl] Library URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/lib/
15:36:39,028 INFO  [ServerImpl] Patch URL: null
15:36:39,028 INFO  [ServerImpl] Common Base URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/common/
15:36:39,028 INFO  [ServerImpl] Common Library URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/common/lib/
15:36:39,028 INFO  [ServerImpl] Server Name: production
15:36:39,028 INFO  [ServerImpl] Server Base Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server
15:36:39,028 INFO  [ServerImpl] Server Base URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/
15:36:39,028 INFO  [ServerImpl] Server Config URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/conf/
15:36:39,028 INFO  [ServerImpl] Server Home Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production
15:36:39,029 INFO  [ServerImpl] Server Home URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/
15:36:39,029 INFO  [ServerImpl] Server Data Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/data
15:36:39,029 INFO  [ServerImpl] Server Library URL: file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/lib/
15:36:39,029 INFO  [ServerImpl] Server Log Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/log
15:36:39,029 INFO  [ServerImpl] Server Native Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/tmp/native
15:36:39,029 INFO  [ServerImpl] Server Temp Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/tmp
15:36:39,029 INFO  [ServerImpl] Server Temp Deploy Dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/tmp/deploy
15:36:39,587 INFO  [ServerImpl] Starting Microcontainer, bootstrapURL=file:/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/conf/bootstrap.xml
15:36:40,024 INFO  [VFSCacheFactory] Initializing VFSCache [org.jboss.virtual.plugins.cache.CombinedVFSCache]
15:36:40,026 INFO  [VFSCacheFactory] Using VFSCache [CombinedVFSCache[real-cache: null]]
15:36:40,259 INFO  [CopyMechanism] VFS temp dir: /opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/server/production/tmp
15:36:40,260 INFO  [ZipEntryContext] VFS force nested jars copy-mode is enabled.
15:36:41,278 INFO  [ServerInfo] Java version: 1.6.0_18,Sun Microsystems Inc.
15:36:41,278 INFO  [ServerInfo] Java Runtime: OpenJDK Runtime Environment (build 1.6.0_18-b18)
15:36:41,278 INFO  [ServerInfo] Java VM: OpenJDK Server VM 14.0-b16,Sun Microsystems Inc.
15:36:41,278 INFO  [ServerInfo] OS-System: Linux 2.6.34.7-61.fc13.i686.PAE,i386
15:36:41,279 INFO  [ServerInfo] VM arguments: -Dprogram.name=run.sh -Xms1303m -Xmx1303m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dsun.lang.ClassLoader.allowArraySyntax=true -Djava.net.preferIPv4Stack=true -Djava.endorsed.dirs=/opt/JBoss/EnterprisePlatform-5.1.0/jboss-eap-5.1/jboss-as/lib/endorsed 
15:36:41,302 INFO  [JMXKernel] Legacy JMX core initialized

Example 6.2. Shutdown log events

2010-11-19 15:59:54,304 INFO  [org.jboss.bootstrap.microcontainer.ServerImpl] (JBoss Shutdown Hook) Runtime shutdown hook called, forceHalt: true
2010-11-19 15:59:54,305 INFO  [org.apache.coyote.http11.Http11Protocol] (JBoss Shutdown Hook) Pausing Coyote HTTP/1.1 on http-127.0.0.1-8080
2010-11-19 15:59:54,322 INFO  [org.apache.coyote.http11.Http11Protocol] (JBoss Shutdown Hook) Stopping Coyote HTTP/1.1 on http-127.0.0.1-8080
2010-11-19 15:59:54,326 INFO  [org.apache.coyote.ajp.AjpProtocol] (JBoss Shutdown Hook) Pausing Coyote AJP/1.3 on ajp-127.0.0.1-8009
2010-11-19 15:59:54,332 INFO  [org.apache.coyote.ajp.AjpProtocol] (JBoss Shutdown Hook) Stopping Coyote AJP/1.3 on ajp-127.0.0.1-8009
2010-11-19 15:59:54,396 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (JBoss Shutdown Hook) undeploy, ctxPath=/jmx-console
2010-11-19 15:59:54,417 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (JBoss Shutdown Hook) undeploy, ctxPath=/
2010-11-19 15:59:54,424 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (JBoss Shutdown Hook) undeploy, ctxPath=/admin-console
2010-11-19 15:59:54,462 INFO  [org.jboss.resource.connectionmanager.ConnectionFactoryBindingService] (JBoss Shutdown Hook) Unbound ConnectionManager 'jboss.jca:service=ConnectionFactoryBinding,name=JmsXA' from JNDI name 'java:JmsXA'
2010-11-19 15:59:54,512 INFO  [org.jboss.jms.server.connectionfactory.ConnectionFactory] (JBoss Shutdown Hook) org.jboss.jms.server.connectionfactory.ConnectionFactory@8301 undeployed
2010-11-19 15:59:54,513 INFO  [org.jboss.jms.server.connectionfactory.ConnectionFactory] (JBoss Shutdown Hook) org.jboss.jms.server.connectionfactory.ConnectionFactory@b24e3f undeployed
2010-11-19 15:59:54,514 INFO  [org.jboss.jms.server.connectionfactory.ConnectionFactory] (JBoss Shutdown Hook) org.jboss.jms.server.connectionfactory.ConnectionFactory@355f75 undeployed
2010-11-19 15:59:54,514 INFO  [org.jboss.jms.server.destination.QueueService] (JBoss Shutdown Hook) Queue[/queue/DLQ] stopped
2010-11-19 15:59:54,515 INFO  [org.jboss.jms.server.destination.QueueService] (JBoss Shutdown Hook) Queue[/queue/ExpiryQueue] stopped

...

2010-11-19 15:59:59,358 INFO  [org.jboss.bootstrap.microcontainer.ServerImpl] (JBoss Shutdown Hook) Shutdown complete

The audit facility is based on the integrated log4j mechanism. log4j has three main components: loggers, appenders, and layouts. These three types of components work together to enable developers to log messages according to message type and level, and to control at run time how these messages are formatted and where they are reported.
The audit information is recorded in text files, which can be reviewed using tools from the underlying operating system, such as pagers or editors.
User information (principal name) appears only in the first log entry that records the authentication request, and also in the ERROR log entry generated if the authentication is unsuccessful. Subsequent log events do not explicitly record the user executing the methods.
User information can be obtained by using the container and thread IDs, which are recorded in each audit log entry and remain the same during the life of the user session.
In Example 6.3, “Log output”, the first log entry shows that authentication for container 753, thread ID 826541 has been requested by principal name “scott”. The second entry records the execution of a method and, although the principal name does not appear, it can be inferred by looking at all log entries with the same container and thread ID.

Example 6.3. Log output

2008-12-12 16:04:33,753 826541 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] (WorkerThread#0[127.0.0.1:33182]:) Authenticated  principal=scott
2008-12-12 16:04:33,753 826541 TRACE [org.jboss.ejb.plugins.SecurityInterceptor] (WorkerThread#0[127.0.0.1:33182]:) method=public abstract org.jboss.test.jca.securedejb.CallerIdentity org.jboss.test.jca.securedejb.CallerIdentityHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException, interface=HOME, requiredRoles=[CallerIdentityUser]
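
The correlation described above, as an added example that is not part of the original guide: it parses records in the Example 6.3 layout and attributes each method invocation to the principal from the most recent authentication record with the same container and thread ID. The field names follow the page's reading of Example 6.3; the regular expressions, the `attribute_calls` function, its `key` argument, and the sample records marked as constructed are assumptions of this sketch.

```python
import re

# Field names follow the page's reading of Example 6.3: the digits after the
# comma are the container id, the next number is the thread id.
RECORD = re.compile(
    r"^\S+ [\d:]+,(?P<container>\d+) (?P<thread>\d+) +(?P<level>[A-Z]+) +"
    r"\[(?P<category>[^\]]+)\] \((?P<worker>[^)]*)\) (?P<message>.*)$"
)
AUTH = re.compile(r"^Authenticated\s+principal=(\S+)")
CALL = re.compile(r"\bmethod=(.*?), interface=")

def attribute_calls(lines, key=("container", "thread")):
    """Pair each method call with the principal last authenticated under the same key."""
    session_user = {}  # correlation key -> principal of the latest authentication
    calls = []
    for line in lines:
        rec = RECORD.match(line.strip())
        if rec is None:
            continue  # not a record in this layout, e.g. a wrapped line
        k = tuple(rec[field] for field in key)
        auth = AUTH.match(rec["message"])
        call = CALL.search(rec["message"])
        if auth:
            session_user[k] = auth.group(1)
        elif call:
            calls.append((session_user.get(k), call.group(1)))  # None: no login seen
    return calls

CAT = "[org.jboss.ejb.plugins.SecurityInterceptor]"
SAMPLE = [
    # The two records of Example 6.3.
    f"2008-12-12 16:04:33,753 826541 TRACE {CAT} (WorkerThread#0[127.0.0.1:33182]:) "
    "Authenticated  principal=scott",
    f"2008-12-12 16:04:33,753 826541 TRACE {CAT} (WorkerThread#0[127.0.0.1:33182]:) "
    "method=public abstract org.jboss.test.jca.securedejb.CallerIdentity "
    "org.jboss.test.jca.securedejb.CallerIdentityHome.create() throws javax.ejb.CreateException,"
    "java.rmi.RemoteException, interface=HOME, requiredRoles=[CallerIdentityUser]",
    # Constructed records: a second session, then a call with no prior login.
    f"2008-12-12 16:04:35,760 828548 TRACE {CAT} (WorkerThread#1[127.0.0.1:33190]:) "
    "Authenticated  principal=alice",
    f"2008-12-12 16:04:35,760 828548 TRACE {CAT} (WorkerThread#1[127.0.0.1:33190]:) "
    "method=public abstract void example.Ledger.post(), interface=REMOTE, requiredRoles=[Clerk]",
    f"2008-12-12 16:04:36,771 829559 TRACE {CAT} (WorkerThread#2[127.0.0.1:33201]:) "
    "method=public abstract void example.Ledger.audit(), interface=REMOTE, requiredRoles=[Auditor]",
]

if __name__ == "__main__":
    for principal, method in attribute_calls(SAMPLE):
        print(principal or "<unattributed>", "->", method)
```

Pass `key=("worker",)` to correlate on the thread name shown in parentheses instead, if that is the field that stays constant in the configured layout. Invocations returned with a principal of `None` have no preceding authentication record under the chosen key and are worth reviewing by hand.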

6.2.1. Enabling Additional Logging

Additional logging for EJB application requests was configured during the setup process of this guide, when audit logging was configured. For more information about audit logging configuration, refer to Section 2.5.2, “Setup Configuration”.