Appendix E. Audit Events

The following lists the audit events in Certificate System:
ACCESS_SESSION_ESTABLISH
This event is triggered when the PKI client establishes or fails to establish a secure connection to the PKI server.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
ACCESS_SESSION_TERMINATED
This event is triggered when the secure connection between PKI client and PKI server is terminated.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
ASYMKEY_GEN_REQUEST_PROCESSED
This event is triggered when a request to generate asymmetric keys is received by the KRA.
This event is enabled by default in the following subsystem: KRA
ASYMKEY_GENERATION_REQUEST
This event is triggered when an asymmetric key generation request is made.
This event is enabled by default in the following subsystem: KRA
AUDIT_LOG_DELETE[2]
The signed audit log expires or is deleted.
This event is not enabled by default in any subsystem.
AUDIT_LOG_SHUTDOWN
The shutdown of the subsystem, and thus the shutdown of the audit function.
This event is not enabled by default in any subsystem.
AUDIT_LOG_STARTUP
The start of the subsystem, and thus the start of the audit function.
This event is not enabled by default in any subsystem.
AUTH
Shows when a user successfully authenticates or fails to authenticate.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
AUTHZ
Shows when a user is or is not successfully processed by the authorization servlets.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CERT_PROFILE_APPROVAL
Shows when a certificate profile sent by an administrator is approved by an agent.
This event is not enabled by default in any subsystem.
CERT_REQUEST_PROCESSED
Shows when a certificate request is being processed.
This event is enabled by default in the following subsystem: CA
CERT_SIGNING_INFO
Shows which key is used to sign certificates.
This event is enabled by default in the following subsystem: CA
CERT_STATUS_CHANGE_REQUEST
Shows when the request is made to change the status of a certificate.
This event is not enabled by default in any subsystem.
CERT_STATUS_CHANGE_REQUEST_PROCESSED
Shows when a certificate status change is processed.
This event is not enabled by default in any subsystem.
CIMC_CERT_VERIFICATION
Shows when a router (Cisco Integrated Management Controller) certificate verification request has been processed.
This event is not enabled by default in any subsystem.
CMC_SIGNED_REQUEST_SIG_VERIFY
Used when CMC (agent pre-signed) certificate requests or revocation requests are submitted and the signature is verified.
This event is enabled by default in the following subsystem: CA
CMC_USER_SIGNED_REQUEST_SIG_VERIFY
This event is triggered when CMC (user-signed or self-signed) certificate requests or revocation requests are submitted and the signature is verified.
This event is enabled by default in the following subsystem: CA
COMPUTE_RANDOM_DATA_REQUEST
Shows when a request has been made to generate or derive a random data set.
This event is not enabled by default in any subsystem.
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
Shows when a request to generate a random data set failed to process.
This event is not enabled by default in any subsystem.
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
Shows when a request to generate a random data set has been successfully processed.
This event is not enabled by default in any subsystem.
COMPUTE_SESSION_KEY_REQUEST
Shows when a request to compute a session key has been received by the TKS.
This event is not enabled by default in any subsystem.
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
Shows when a request to compute a session key has been processed by the TKS and failed.
This event is not enabled by default in any subsystem.
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
Shows when a request to compute a session key has been successfully processed by the TKS.
This event is not enabled by default in any subsystem.
CONFIG
Shows general configuration changes not specifically defined below.
This event is not enabled by default in any subsystem.
CONFIG_ACL
A change is made to the configuration settings for the ACL framework.
This event is not enabled by default in any subsystem.
CONFIG_AUDIT
Shows that a change has been made to the audit log configuration.
This event is not enabled by default in any subsystem.
CONFIG_AUTH
A change is made to the configuration settings for the authentication framework.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CONFIG_CERT_POLICY
Shows when a change has been made to a certificate's policy configuration.
This event is not enabled by default in any subsystem.
CONFIG_CERT_PROFILE
A change is made to the configuration settings for the certificate profile framework.
This event is enabled by default in the following subsystem: CA
CONFIG_CRL_PROFILE
A change is made to the configuration settings for the CRL framework, such as to the extensions, frequency, and CRL format.
This event is not enabled by default in any subsystem.
CONFIG_DRM
This event is triggered when configuring KRA.
This event is enabled by default in the following subsystem: KRA
CONFIG_ENCRYPTION
A change is made to the encryption settings, including certificate settings and SSL cipher preferences.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, and TKS
CONFIG_OCSP_PROFILE
A change is made to the configuration settings for the OCSP.
This event is not enabled by default in any subsystem.
CONFIG_ROLE
Shows that a change has been made to the configuration settings for roles, including changes made to users or groups.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CONFIG_SERIAL_NUMBER
A change is made to the serial number range assigned for certificates and keys. This is recorded by CA and KRA subsystems.
This event is enabled by default in the following subsystems: CA and KRA
CONFIG_SIGNED_AUDIT
A change is made to the configuration settings for the signed audit feature.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CONFIG_TOKEN_AUTHENTICATOR
Shows when a token authenticator configuration is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TOKEN_CONNECTOR
Shows when a token connector configuration is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TOKEN_GENERAL
Shows when the general TPS configuration is updated.
This event is not enabled by default in any subsystem.
CONFIG_TOKEN_MAPPING_RESOLVER
Shows when a token mapping resolver configuration is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TOKEN_PROFILE
Shows when a token profile configuration is updated.
This event is not enabled by default in any subsystem.
CONFIG_TOKEN_RECORD
Shows when a token record is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TRUSTED_PUBLIC_KEY
The Certificate Setup Wizard is used to import certificates into the certificate database, or any activity is performed in Manage Certificates.
This event is enabled by default in the following subsystems: CA, KRA, and OCSP
CRL_RETRIEVAL
Shows when a CRL is retrieved by the OCSP.
This event is not enabled by default in any subsystem.
CRL_SIGNING_INFO
Shows which key is used to sign CRLs.
This event is not enabled by default in any subsystem.
CRL_VALIDATION
Shows when a CRL is retrieved and the validation process occurs.
This event is enabled by default in the following subsystem: CA
DELTA_CRL_GENERATION
Shows when the delta CRL generation is complete.
This event is enabled by default in the following subsystem: CA
DELTA_CRL_PUBLISHING
Shows when the delta CRL publishing is complete.
This event is not enabled by default in any subsystem.
DIVERSIFY_KEY_REQUEST
Shows when a request has been made for a key changeover.
This event is not enabled by default in any subsystem.
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
Shows when a request for key changeover has failed to process correctly.
This event is not enabled by default in any subsystem.
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
Shows when a request for key changeover has been successfully processed by the TKS.
This event is not enabled by default in any subsystem.
ENCRYPT_DATA_REQUEST
Shows when a request has been made to encrypt data.
This event is not enabled by default in any subsystem.
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
Shows when a request for encrypted data failed to process.
This event is not enabled by default in any subsystem.
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
Shows when a request for encrypted data has been successfully processed.
This event is not enabled by default in any subsystem.
FULL_CRL_GENERATION
Shows when the full CRL generation is complete.
This event is enabled by default in the following subsystem: CA
FULL_CRL_PUBLISHING
Shows when the full CRL publishing is complete.
This event is not enabled by default in any subsystem.
INTER_BOUNDARY
Records state transfer between different subsystems.
This event is not enabled by default in any subsystem.
KEY_GEN_ASYMMETRIC
Shows when asymmetric keys are generated.
This event is enabled by default in the following subsystem: KRA
KEY_RECOVERY_AGENT_LOGIN
Shows when KRA agents log in as recovery agents to approve key recovery requests.
This event is enabled by default in the following subsystem: KRA
KEY_RECOVERY_REQUEST
Shows when a request is made to recover a private encryption key stored in the KRA.
This event is not enabled by default in any subsystem.
KEY_RECOVERY_REQUEST_ASYNC
Shows when an asynchronous key recovery request has been made.
This event is not enabled by default in any subsystem.
KEY_RECOVERY_REQUEST_PROCESSED
Shows when a key recovery request has been processed.
This event is not enabled by default in any subsystem.
KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
Shows when an asynchronous key recovery request has been processed.
This event is not enabled by default in any subsystem.
LOG_EXPIRATION_CHANGE
Shows when the log expiration time has been changed.
This event is not enabled by default in any subsystem.
LOG_PATH_CHANGE[3]
The path or name for the signed audit, system, transaction or any customized log is changed.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
LOGGING_SIGNED_AUDIT_SIGNING
Shows changes in whether the audit log is signed.
This event is not enabled by default in any subsystem.
NON_PROFILE_CERT_REQUEST
Shows when a certificate request is made outside the certificate profile framework.
This event is not enabled by default in any subsystem.
OCSP_ADD_CA_REQUEST
Shows when a request has been made to add a new certificate authority to the OCSP Manager's configuration.
This event is not enabled by default in any subsystem.
OCSP_ADD_CA_REQUEST_PROCESSED
Shows when a request to add a certificate authority to the OCSP Manager's configuration has been completed.
This event is enabled by default in the following subsystem: OCSP
OCSP_GENERATION
This event is generated for each OCSP response produced by the PKI CA internal OCSP responder.
This event is enabled by default in the following subsystem: CA
OCSP_REMOVE_CA_REQUEST
Shows when a request to remove a certificate authority from the OCSP Manager's configuration has been submitted.
This event is not enabled by default in any subsystem.
OCSP_REMOVE_CA_REQUEST_PROCESSED
Shows when a request to remove a certificate authority from the OCSP Manager's configuration has been successfully completed or failed.
This event is enabled by default in the following subsystem: OCSP
OCSP_SIGNING_INFO
Shows which key is used to sign OCSP responses.
This event is enabled by default in the following subsystems: CA and OCSP
PRIVATE_KEY_ARCHIVE_REQUEST
Shows when an encryption private key is requested during enrollment.
This event is not enabled by default in any subsystem.
PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
Shows when a private encryption key is archived in the KRA.
This event is not enabled by default in any subsystem.
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
Shows when a private key export request has been processed and returned a failed status.
This event is not enabled by default in any subsystem.
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
Shows when a private key export request has been successfully processed.
This event is not enabled by default in any subsystem.
PROFILE_CERT_REQUEST
Shows when a certificate request is made through the certificate profile framework.
This event is enabled by default in the following subsystems: CA and KRA
PROOF_OF_POSSESSION
Shows when proof of possession is checked during certificate enrollment.
This event is enabled by default in the following subsystem: CA
RANDOM_GENERATION
Shows when a random number was generated, including for random certificate serial numbers.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
ROLE_ASSUME
A user assuming a role. A user assumes a role after passing through authentication and authorization systems. Only the default roles of administrator, auditor, and agent are tracked. Custom roles are not tracked.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
SCHEDULE_CRL_GENERATION
Shows when the CRL generation is scheduled manually.
This event is not enabled by default in any subsystem.
SECURITY_DATA_ARCHIVAL_REQUEST
Shows when an archival request is created, either through the Web UI or through the CLI.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
Shows when an archival request was processed.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_RECOVERY_REQUEST
Shows when a recovery request is created, either through the Web UI or through the CLI.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
This event occurs when an approved key recovery request is processed and the key is retrieved, wrapped appropriately, and returned to the client.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
This event occurs when the state of a recovery request is changed, for example by having an agent approve the request either through the UI or through the CLI.
This event is enabled by default in the following subsystem: KRA
SECURITY_DOMAIN_UPDATE
The security domain is changed by adding or removing subsystem instances.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
SELFTESTS_EXECUTION
The self-tests are executed.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
SERVER_SIDE_KEYGEN_REQUEST
Shows when a server-side key generation request has been processed.
This event is enabled by default in the following subsystem: KRA
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
Shows when a server-side key generation request has been processed.
This event is enabled by default in the following subsystem: KRA
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
Shows when a server-side key generation request has been processed but returned a failed status.
This event is not enabled by default in any subsystem.
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS
Shows when a server-side key generation request has been successfully processed.
This event is not enabled by default in any subsystem.
SYMKEY_GEN_REQUEST_PROCESSED
This event is logged when a symmetric key request was processed.
This event is enabled by default in the following subsystem: KRA
SYMKEY_GENERATION_REQUEST
This event is logged when a symmetric key is requested to be generated from the CLI.
This event is enabled by default in the following subsystem: KRA
TOKEN_APPLET_UPGRADE
Shows when a token applet upgrade succeeded or failed.
This event is enabled by default in the following subsystem: TPS
TOKEN_AUTH_FAILURE
This event is triggered when token authentication fails.
This event is not enabled by default in any subsystem.
TOKEN_AUTH_SUCCESS
Shows when token authentication succeeds.
This event is not enabled by default in any subsystem.
TOKEN_CERT_ENROLLMENT
Shows when a token certificate enrollment request is made.
This event is not enabled by default in any subsystem.
TOKEN_CERT_RENEWAL
This event is used by the TPS when a token certificate renewal request is made.
This event is not enabled by default in any subsystem.
TOKEN_CERT_RETRIEVAL
This event is used by the TPS when a token certificate retrieval request is made.
This event is not enabled by default in any subsystem.
TOKEN_CERT_STATUS_CHANGE_REQUEST
This event is used when a token certificate status change request, such as revocation, is made.
This event is not enabled by default in any subsystem.
TOKEN_FORMAT_FAILURE
Shows when a token format operation failed.
This event is not enabled by default in any subsystem.
TOKEN_FORMAT_SUCCESS
Shows when a token format operation succeeded.
This event is not enabled by default in any subsystem.
TOKEN_KEY_CHANGEOVER
Shows when token key changeover failed.
This event is enabled by default in the following subsystem: TPS
TOKEN_KEY_CHANGEOVER_FAILURE
Shows when token key changeover failed.
This event is not enabled by default in any subsystem.
TOKEN_KEY_CHANGEOVER_REQUIRED
Shows when token key changeover is required.
This event is enabled by default in the following subsystem: TPS
TOKEN_KEY_CHANGEOVER_REQUIRED
Shows when token key changeover is required.
This event is not enabled by default in any subsystem.
TOKEN_KEY_CHANGEOVER_SUCCESS
Shows when token key changeover succeeded.
This event is not enabled by default in any subsystem.
TOKEN_KEY_RECOVERY
Shows when a token certificate key recovery request is made.
This event is not enabled by default in any subsystem.
TOKEN_OP_REQUEST
Shows when a token processor operation request is made.
This event is not enabled by default in any subsystem.
TOKEN_PIN_RESET_FAILURE
Shows when a token PIN reset request failed.
This event is not enabled by default in any subsystem.
TOKEN_PIN_RESET_SUCCESS
Shows when a token PIN reset request succeeded.
This event is not enabled by default in any subsystem.
TOKEN_STATE_CHANGE
Shows when a token state has been changed.
This event is not enabled by default in any subsystem.


[2] The authorization system should not allow a signed audit log to be deleted.
[3] The authorization system should not allow the log path or name to be changed.