Appendix E. Audit Events

This appendix contains two parts. The first part, Section E.1, “Required Audit Events and Their Examples”, contains a list of required audit events grouped by the requirement ID from the CA Protection Profile V2.1, where each audit event is accompanied by one or more examples. The second part, Section E.2, “Audit Event Descriptions”, describes each audit event together with its parameters and format. Every audit event in the log is accompanied by the following information:
  • The Java identifier of the thread. For example:
    0.localhost-startStop-1
  • The time stamp the event occurred at. For example:
    [21/Jan/2019:17:53:00 IST]
  • The log source (14 is SIGNED_AUDIT):
    [14]
  • The current log level (6 is security-related events; see the Log Levels (Message Categories) section in the Red Hat Certificate System Planning, Installation, and Deployment Guide (Common Criteria Edition)). For example:
    [6]
  • The information about the log event (which is log event specific; see Section E.2, “Audit Event Descriptions” for information about each field in a particular log event). For example:
    [AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
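
The line layout listed above can be parsed mechanically. The following is an added example, not code from Certificate System or from this guide: the function names `parse_line` and `parse_pairs` are hypothetical, the first three sample lines are copied from Section E.1, and the fourth is constructed. It assumes that a `+` inside a `ParamNameValPairs` value (for example in base64 data) is not escaped, so it splits only at a `+` that is followed by `name;;`.

```python
import re
from datetime import datetime

# Layout from the list above: <thread> - [<time stamp>] [<source>] [<level>] <event info>
HEADER = re.compile(
    r"^(?P<thread>.+?) - \[(?P<stamp>[^\]]+)\] \[(?P<source>\d+)\] "
    r"\[(?P<level>\d+)\] (?P<event>.*)$"
)
# One [Name=Value] group. Heuristic: a value ends at a "]" that is followed by
# the next "[Name=", by a space (start of the free-text message) or by end of line.
FIELD = re.compile(r"\[(\w+)=(.*?)\](?=\[\w+=| |$)")
# ParamNameValPairs separator: a "+" counts only when a "name;;" follows it.
# Assumption: a "+" inside a value is not escaped by the logger.
PAIR_SEP = re.compile(r"\+(?=[^+;]+;;)")


def _null(value):
    """Map the literal <null> used in the log to None."""
    return None if value == "<null>" else value


def parse_pairs(raw):
    """Split 'name;;value+name;;value' into a dict."""
    pairs = {}
    for item in PAIR_SEP.split(raw):
        name, sep, value = item.partition(";;")
        if not sep:
            raise ValueError(f"pair without ';;': {item!r}")
        pairs[name] = _null(value)
    return pairs


def parse_line(line):
    """Parse one audit log line into a dict; raise ValueError if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit log line")
    date_part, _, zone = m["stamp"].rpartition(" ")
    record = {
        "thread": m["thread"],
        # Zone abbreviations such as IST are ambiguous, so the zone stays text.
        "time": datetime.strptime(date_part, "%d/%b/%Y:%H:%M:%S"),
        "zone": zone,
        "source": int(m["source"]),   # 14 is SIGNED_AUDIT
        "level": int(m["level"]),     # 6 is security-related events
        "fields": {},
    }
    event, pos = m["event"], 0
    while (f := FIELD.match(event, pos)):
        name, value = f.group(1), f.group(2)
        record["fields"][name] = (
            parse_pairs(value) if name == "ParamNameValPairs" else _null(value)
        )
        pos = f.end()
    record["message"] = event[pos:].strip()
    if "AuditEvent" not in record["fields"]:
        raise ValueError("no AuditEvent field")
    return record


SAMPLES = [
    # Copied from Section E.1 of this appendix.
    "0.localhost-startStop-1 - [21/Jan/2019:17:53:00 IST] [14] [6] "
    "[AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] "
    "audit function startup",
    "0.http-bio-22443-exec-11 - [30/Jan/2019:06:18:02 EST] [14] [6] "
    "[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID=ocspadmin][Outcome=Success]"
    "[ParamNameValPairs=Scope;;ocspStoresRules+Operation;;OP_MODIFY+"
    "Resource;;ldapStore+includeNextUpdate;;false+byName;;true+"
    "implName;;com.netscape.cms.ocsp.LDAPStore+numConns;;0+"
    "caCertAttr;;cACertificate;binary+notFoundAsGood;;true+"
    "crlAttr;;certificateRevocationList;binary] "
    "OCSP profile configuration parameter(s) change",
    "0.http-bio-20443-exec-13 - [05/Feb/2019:05:58:55 EST] [14] [6] "
    "[AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=caadmin][Outcome=Failure]"
    "[ReqID=<null>][CertSerialNum=0x67][RequestType=on-hold] "
    "certificate revocation/unrevocation request made",
    # Constructed line: the cert value is made-up base64 containing "+" and "=".
    "0.http-bio-20443-exec-50 - [18/Jan/2019:04:08:45 EST] [14] [6] "
    "[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success]"
    "[ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;CA_AdminV+"
    "cert;;QUJD+REVG/w==] role configuration parameter(s) change",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_line(sample)
        print(rec["time"], rec["zone"], rec["fields"]["AuditEvent"],
              rec["fields"]["Outcome"], "|", rec["message"])
```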

E.1. Required Audit Events and Their Examples

This section contains all required audit events per Common Criteria CA Protection Profile v.2.1.
For audit event descriptions, see Section E.2, “Audit Event Descriptions”.

FAU_GEN.1

  • Start-up of the TSF audit functions
    • AUDIT_LOG_STARTUP
      0.localhost-startStop-1 - [21/Jan/2019:17:53:00 IST] [14] [6] [AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
  • All administrative actions invoked through the TSF interface
    • CONFIG_CERT_PROFILE
      0.http-bio-20443-exec-35 - [02/Jan/2019:05:05:09 EST] [14] [6] [AuditEvent=CONFIG_CERT_PROFILE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;rules+Operation;;OP_ADD+Resource;;caAgentExample+class_id;;caEnrollImpl+name;;caAgentExample Enrollment Profile+description;;This certificate profile is for enrolling user certificates+visible;;true] certificate profile configuration parameter(s) change
    • CERT_PROFILE_APPROVAL
      0.http-bio-8443-exec-8 - [15/Nov/2018:15:37:19 PST] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=cfuEC-0830-agent-2][Outcome=Success][ProfileID=caTPSCert][Op=disapprove] certificate profile approval
    • CONFIG_OCSP_PROFILE
      0.http-bio-22443-exec-11 - [30/Jan/2019:06:18:02 EST] [14] [6] [AuditEvent=CONFIG_OCSP_PROFILE][SubjectID=ocspadmin][Outcome=Success][ParamNameValPairs=Scope;;ocspStoresRules+Operation;;OP_MODIFY+Resource;;ldapStore+includeNextUpdate;;false+byName;;true+implName;;com.netscape.cms.ocsp.LDAPStore+numConns;;0+caCertAttr;;cACertificate;binary+notFoundAsGood;;true+crlAttr;;certificateRevocationList;binary] OCSP profile configuration parameter(s) change
    • CONFIG_CRL_PROFILE
      0.http-bio-20443-exec-48 - [29/Jan/2019:04:29:29 EST] [14] [6] [AuditEvent=CONFIG_CRL_PROFILE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;crl+Operation;;OP_MODIFY+Resource;;MasterCRL+enableCRLUpdates;;true+updateSchema;;1+extendedNextUpdate;;true+alwaysUpdate;;false+enableDailyUpdates;;true+dailyUpdates;;4:30+enableUpdateInterval;;true+autoUpdateInterval;;240+nextUpdateGracePeriod;;0+nextAsThisUpdateExtension;;0] CRL profile configuration parameter(s) change
    • CONFIG_AUTH
      0.http-bio-20443-exec-11 - [15/Jan/2019:08:36:39 EST] [14] [6] [AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;instance+Operation;;OP_ADD+Resource;;plug502+implName;;UidPwdDirAuth+ldap.ldapconn.host;;server.example.com+dnpattern;;uid=test,ou=people,o=topology-02-CA+ldapStringAttributes;;mail+ldap.ldapconn.version;;3+ldap.ldapconn.port;;3389+ldap.maxConns;;10+ldap.basedn;;dc=example,dc=com+ldap.minConns;;3+ldap.ldapconn.secureConn;;false+ldapByteAttributes;;uid+ldap.password;;(sensitive)+ldap.ldapauth.authtype;;BasicAuth+ldap.ldapauth.bindDN;;cn=direcory manager] authentication configuration parameter(s) change
      0.http-bio-20080-exec-25 - [29/Jan/2019:04:54:14 EST] [14] [6] [AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;instance+Operation;;OP_ADD+Resource;;plug7487+implName;;AgentCertAuth] authentication configuration parameter(s) change
    • CONFIG_ROLE (Success)
      0.http-bio-20443-exec-50 - [18/Jan/2019:04:08:45 EST] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;CA_AdminV+cert;;-----BEGIN CERTIFICATE-----MIIDYTCCAkmgAwIBAgIBfz...-----END CERTIFICATE-----] role configuration parameter(s) change
    • CONFIG_ROLE (Failure)
      0.http-bio-20443-exec-39 - [18/Jan/2019:04:08:57 EST] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Failure][ParamNameValPairs=Scope;;users+Operation;;OP_ADD+Resource;;CA_AdminUnTrusted+password;;********+phone;;<null>+fullname;;CA_AdminUnTrusted+state;;<null>+userType;;<null>+email;;<null>] role configuration parameter(s) change
    • CONFIG_ACL
      • CA
        0.http-bio-20443-exec-18 - [29/Jan/2019:05:15:16 EST] [14] [6] [AuditEvent=CONFIG_ACL][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;acls+Operation;;OP_MODIFY+Resource;;testACL+aci;;allow (read,allow) group="testGroup"+desc;;ALLOW READ to testGroup+rights;;read,allow] ACL configuration parameter(s) change
    • CONFIG_SIGNED_AUDIT
      • CA
        0.http-bio-20443-exec-20 - [29/Jan/2019:02:44:04 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Action;;disable] signed audit configuration parameter(s) change
      • KRA
        0.http-bio-21443-exec-9 - [30/Jan/2019:08:15:11 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=kraadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
      • OCSP
        0.http-bio-22443-exec-17 - [30/Jan/2019:08:17:06 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=ocspadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
      • TKS
        0.http-bio-23443-exec-15 - [30/Jan/2019:08:18:52 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=tksadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
      • TPS
        0.http-bio-25443-exec-5 - [30/Jan/2019:08:20:03 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=tpsadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
    • CONFIG_TRUSTED_PUBLIC_KEY
      • CA
        0.http-bio-20443-exec-9 - [29/Jan/2019:03:25:02 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwI...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
      • KRA
        0.http-bio-21443-exec-17 - [30/Jan/2019:08:29:07 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=kraadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAw...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
      • OCSP
        0.http-bio-22443-exec-25 - [30/Jan/2019:08:41:08 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=ocspadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwIB...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
      • TKS
        0.http-bio-23443-exec-23 - [30/Jan/2019:08:45:40 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=tksadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwIBA...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
      • TPS
        0.http-bio-22443-exec-23 - [30/Jan/2019:08:46:13 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=tpsadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwIBA...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
    • CONFIG_DRM
      0.http-bio-21443-exec-1 - [24/Jan/2019:09:36:52 EST] [14] [6] [AuditEvent=CONFIG_DRM][SubjectID=kraadmin][Outcome=Success][ParamNameValPairs=Scope;;general+Operation;;OP_MODIFY+Resource;;RS_ID_CONFIG+noOfRequiredRecoveryAgents;;2] DRM configuration parameter(s) change
    • OCSP_ADD_CA_REQUEST_PROCESSED
      • Success
        0.http-bio-22443-exec-24 - [29/Jan/2019:03:15:59 EST] [14] [6] [AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_example.com] Add CA for OCSP Responde
      • Failure
        0.http-bio-22443-exec-12 - [30/Jan/2019:06:44:32 EST] [14] [6] [AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Failure][CASubjectDN=<null>] Add CA for OCSP Responder
    • OCSP_REMOVE_CA_REQUEST_PROCESSED
      0.http-bio-22443-exec-24 - [29/Jan/2019:03:13:43 EST] [14] [6] [AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_example.com] Remove CA for OCSP Responder is successful
    • SECURITY_DOMAIN_UPDATE
      • Operation: Issue_token
        0.http-bio-20443-exec-10 - [16/Jan/2019:03:19:57 EST] [14] [6] [AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=operation;;issue_token+token;;2433856184928074456+ip;;192.0.2.1+uid;;caadmin+groupname;;Enterprise TKS Administrators] security domain update
      • Operation: Add
        0.http-bio-20443-exec-18 - [02/Jan/2019:04:39:21 EST] [14] [6] [AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=host;;server.example.com+name;;OCSP server.example.com 22443+sport;;22443+clone;;false+type;;OCSP+operation;;add] security domain update
    • CONFIG_SERIAL_NUMBER
      • CA
        0.http-bio-20443-exec-2 - [29/Jan/2019:07:53:21 EST] [14] [6] [AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=source;;updateNumberRange+type;;request+beginNumber;;9990001+endNumber;;10000000] serial number range update
      • KRA
        0.http-bio-21443-exec-7 - [18/Jan/2019:19:11:47 EST] [14] [6] [AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=source;;updateNumberRange+type;;serialNo+beginNumber;;fff0001+endNumber;;10000000] serial number range update

FDP_CER_EXT.1 (extended)

  • Certificate generation
    • CERT_REQUEST_PROCESSED (SUCCESS)
      0.http-bio-8443-exec-24 - [07/Sep/2018:10:21:57 PDT] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=7][CertSerialNum=7] certificate request processed

FDP_CER_EXT.2 (extended)

  • Linking of certificates to certificate requests
    • PROFILE_CERT_REQUEST
      0.http-bio-8443-exec-24 - [07/Sep/2018:10:21:57 PDT] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=7][ProfileID=caECFullCMCUserCert][CertSubject=CN=cfuEC-0830] certificate request made with certificate profiles

      Note

      The ReqID field effectively links to the ReqID field of a successful CERT_REQUEST_PROCESSED event.
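
The ReqID link described in this note can be used to reconcile requests against issued certificates. The following is an added example, not code from Certificate System or from this guide: the function name `link_requests` and the report keys are hypothetical, and the sample log is assembled from example lines in this appendix, which come from different instances. It assumes the input is the audit log of a single CA instance, so that ReqID values do not collide.

```python
import re

# Short field extractor, sufficient for the two events used here.
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")


def link_requests(lines):
    """Join PROFILE_CERT_REQUEST and CERT_REQUEST_PROCESSED events on ReqID."""
    requests, processed = {}, []
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("ReqID") in (None, "", "<null>"):
            continue  # nothing to link on
        if f.get("AuditEvent") == "PROFILE_CERT_REQUEST":
            requests[f["ReqID"]] = f
        elif f.get("AuditEvent") == "CERT_REQUEST_PROCESSED":
            processed.append(f)

    report = {"issued": [], "rejected": [], "unlinked": []}
    for p in processed:
        req = requests.get(p["ReqID"])
        if p.get("Outcome") != "Success":
            report["rejected"].append(
                {"ReqID": p["ReqID"], "Reason": p.get("InfoValue")}
            )
        elif req is None:
            # Issued certificate with no request event in this log window:
            # check rotated logs before treating it as an anomaly.
            report["unlinked"].append(
                {"ReqID": p["ReqID"], "CertSerialNum": p.get("CertSerialNum")}
            )
        else:
            report["issued"].append({
                "ReqID": p["ReqID"],
                "CertSerialNum": p.get("CertSerialNum"),
                "ProfileID": req.get("ProfileID"),
                "CertSubject": req.get("CertSubject"),
                "Requester": req.get("SubjectID"),
            })
    return report


# Sample log assembled from example lines in this appendix.
SAMPLE_LOG = [
    "0.http-bio-8443-exec-24 - [07/Sep/2018:10:21:57 PDT] [14] [6] "
    "[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success]"
    "[ReqID=7][ProfileID=caECFullCMCUserCert][CertSubject=CN=cfuEC-0830] "
    "certificate request made with certificate profiles",
    "0.http-bio-8443-exec-24 - [07/Sep/2018:10:21:57 PDT] [14] [6] "
    "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success]"
    "[ReqID=7][CertSerialNum=7] certificate request processed",
    "0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] "
    "[AuditEvent=PROFILE_CERT_REQUEST][SubjectID=user1a][Outcome=Success]"
    "[ReqID=31][ProfileID=caECFullCMCSharedTokenCert]"
    "[CertSubject=UID=user1a,OU=People,DC=rhel76,DC=test] "
    "certificate request made with certificate profiles",
    "0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] "
    "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$Unidentified$]"
    "[Outcome=Success][ReqID=31][CertSerialNum=20] certificate request processed",
    "0.http-bio-20443-exec-4 - [21/Jan/2019:00:24:16 EST] [14] [6] "
    "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$NonRoleUser$]"
    "[Outcome=Failure][ReqID=1483][InfoName=rejectReason]"
    "[InfoValue=Request 1483 Rejected - Subject Name Not Matched "
    "UID=testuser00,E=example@example.com,CN=MyTestUser] "
    "certificate request processed",
    "0.http-bio-20443-exec-378 - [19/Jan/2019:05:57:39 EST] [14] [6] "
    "[AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success]"
    "[ReqID=1352][CertSerialNum=984] certificate request processed",
]

if __name__ == "__main__":
    for kind, rows in link_requests(SAMPLE_LOG).items():
        for row in rows:
            print(kind, row)
```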

FDP_CER_EXT.3

  • Failed certificate approvals
    • CERT_REQUEST_PROCESSED (FAILURE)
      0.http-bio-20443-exec-4 - [21/Jan/2019:00:24:16 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$NonRoleUser$][Outcome=Failure][ReqID=1483][InfoName=rejectReason][InfoValue=Request 1483 Rejected - Subject Name Not Matched UID=testuser00,E=example@example.com,CN=MyTestUser] certificate request processed

FIA_X509_EXT.1, FIA_X509_EXT.2

  • Failed certificate validations; failed authentications
    • ACCESS_SESSION_ESTABLISH (FAILURE)
      • User with revoked cert trying to perform an operation.
        0.http-bio-21443-exec-9 - [12/Feb/2019:14:52:26 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=UID=KRA_AgentR,E=KRA_AgentR@example.org,CN=KRA_AgentR,OU=IDMQE,C=US][Outcome=Failure][Info=CERTIFICATE_REVOKED] access session establish failure
      • User with expired cert trying to perform an operation.
        0.http-bio-21443-exec-9 - [12/Feb/2019:14:52:26 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=UID=KRA_AgentR,E=KRA_AgentR@example.org,CN=KRA_AgentR,OU=IDMQE,C=US][Outcome=Failure][Info=CERTIFICATE_EXPIRED] access session establish failure
      • CMC enrollment request submitted using a TLS client cert issued by an unknown CA.
        0.http-bio-20443-exec-28 - [12/Feb/2019:16:31:08 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE][Outcome=Failure][Info=UNKNOWN_CA] access session establish failure
      • When the client protocol does not match. For example, the client uses ssl3 but the server does not support it.
        0.http-bio-20443-exec-11 - [12/Feb/2019:16:35:26 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=][Outcome=Failure][Info=HANDSHAKE_FAILURE] access session establish failure
      • For an incorrect protocol version. For example, the server supports tls1.1 and tls1.2 but the client sends tls1.
        0.http-bio-20443-exec-46 - [12/Feb/2019:16:39:10 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=][Outcome=Failure][Info=PROTOCOL_VERSION] access session establish failure
      • When the client sends a list of ciphers but the server has no list of ciphers.
        Server:
        0.http-bio-21443-exec-3 - [13/Feb/2019:07:40:44 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=][Outcome=Failure][Info=INTERNAL_ERROR] access session establish failure

FIA_UIA_EXT.1

  • Privileged user identification and authentication
    • ACCESS_SESSION_ESTABLISH
      • CA Example
        0.http-bio-8443-exec-1 - [10/Oct/2018:15:42:13 PDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success] access session establish success
      • TPS Example
        0.http-bio-25443-exec-1 - [02/Jan/2019:04:44:12 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success] access session establish success
    • AUTH
      • CA Example
        0.http-bio-8443-exec-1 - [28/Nov/2018:16:23:15 PST] [14] [6] [AuditEvent=AUTH][SubjectID=caagentJoe][Outcome=Success][AuthMgr=CMCAuth] authentication success
      • TPS Example
        0.http-bio-25443-exec-1 - [25/Jan/2019:13:00:59 IST] [14] [6] [AuditEvent=AUTH][SubjectID=tpsadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
    • AUTHZ
      • CA Example
        0.http-bio-8443-exec-1 - [28/Nov/2018:16:23:15 PST] [14] [6] [AuditEvent=AUTHZ][SubjectID=caagentJoe][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
      • TPS Example
        0.http-bio-25443-exec-1 - [25/Jan/2019:13:00:59 IST] [14] [6] [AuditEvent=AUTHZ][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=login][Info=AccountResource.login] authorization success
    • ROLE_ASSUME
      • CA Example
        0.http-bio-8443-exec-1 - [28/Nov/2018:16:23:15 PST] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=caagentJoe][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
      • TPS Example
        0.http-bio-25443-exec-9 - [25/Jan/2019:13:00:07 IST] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=cfu][Outcome=Success][Role=Certificate Manager Agents] assume privileged role

FMT_SMR.2

  • Modifications to the group of users that are part of a role
    • CONFIG_ROLE
      See CONFIG_ROLE event above.

FPT_FLS.1

  • Failure with preservation of secure state
    • SELFTESTS_EXECUTION
      • CA Example
        0.localhost-startStop-1 - [10/Jan/2019:00:47:57 EST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
      • TPS Example
        0.localhost-startStop-1 - [22/Jan/2019:11:55:32 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)

FPT_KST_EXT.2

  • Private/secret keys are stored by the HSM and the only operations to "access" those keys are through the TSF as signing operations.
    • CERT_REQUEST_PROCESSED (failure)
      0.http-bio-20443-exec-8 - [28/Jan/2019:13:48:14 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$Unidentified$][Outcome=Failure][ReqID=28][InfoName=rejectReason][InfoValue=Request Key Type RSA Not Matched Rejected - {1}] certificate request processed

FPT_RCV.1

  • The fact that a failure or service discontinuity occurred. Resumption of the regular operation.
    • Failure: SELFTESTS_EXECUTION (Failure)
      • CA Example
        0.localhost-startStop-1 - [29/Jan/2019:13:29:03 UTC] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
      • TPS Example
        0.localhost-startStop-1 - [22/Jan/2019:11:55:32 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
    • Self-test log, see 13.3.2. Configuring Self-Tests in Red Hat Certificate System's Planning, Installation, and Deployment Guide.
    • Resumption: AUDIT_LOG_STARTUP; SELFTESTS_EXECUTION (Success)
      • TPS Example
        0.localhost-startStop-1 - [21/Jan/2019:16:47:44 IST] [14] [6] [AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
      • CA Example
        0.localhost-startStop-1 - [04/Feb/2019:18:29:38 EST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Success] self tests execution (see selftests.log for details)

FPT_STM.1

FPT_TUD_EXT.1

FTA_SSL.4

  • The termination of an interactive session.
    • ACCESS_SESSION_TERMINATED
      • 0.http-bio-20443-exec-7 - [21/Jan/2019:03:42:17 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_example.com][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
      • TPS
        0.http-bio-25443-exec-1 - [02/Jan/2019:04:44:12 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session

FTP_TRP.1

  • Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
    • ACCESS_SESSION_ESTABLISH
      • 0.http-bio-20443-exec-8 - [29/Jan/2019:02:41:10 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=CN=PKI Administrator,E=tpsadmin@server.example.com,OU=topology-02-TPS,O=topology-02_example.com][Outcome=Failure][Info=UNKNOWN_CA] access session establish failure
      • TPS
        0.http-bio-25443-exec-4 - [25/Jan/2019:12:58:31 IST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=0:0:0:0:0:0:0:1][ServerIP=0:0:0:0:0:0:0:1][SubjectID=][Outcome=Failure][Info=RECORD_OVERFLOW] access session establish failure
    • ACCESS_SESSION_TERMINATED
      • 0.http-bio-20443-exec-48 - [29/Jan/2019:04:30:49 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
      • TPS
        0.http-bio-25443-exec-19 - [25/Jan/2019:12:47:07 IST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

FCS_CKM.1 and FCS_CKM.2

  • Not available. There are no TOE-related functions where a TOE subsystem generates (or requests the OE to generate) a non-ephemeral key. All system certificates are generated in the same manner as user keys during the installation, before the TOE is running and, thus, before it can audit.

FCS_CKM_EXT.4

  • Not available

FCS_COP.1(2)

  • All occurrences of signature generation using a CA signing key.
    • CERT_SIGNING_INFO records CA signing certificate key info at system startup
      0.authorityMonitor - [03/Jan/2019:02:33:35 EST] [14] [6] [AuditEvent=CERT_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=E3:D2:5B:2A:F5:76:FF:7B:48:CA:94:18:5F:7B:BD:6B:95:FB:8F:30][AuthorityID=dbec10a4-1264-4759-96d5-6d2aadbf9d34] certificate signing info
    • CERT_REQUEST_PROCESSED (success)
      0.http-bio-20443-exec-378 - [19/Jan/2019:05:57:39 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=1352][CertSerialNum=984] certificate request processed
    • OCSP_SIGNING_INFO records OCSP signing certificate key info at system startup
      0.http-bio-29443-exec-3 - [10/Oct/2018:14:15:24 PDT] [14] [6] [AuditEvent=OCSP_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=71:B1:D0:AE:44:DF:ED:D0:20:15:2B:E3:37:E8:EE:04:EB:D6:F1:44] OCSP signing info
    • OCSP_GENERATION (success)
      0.http-nio-22080-exec-3 - [31/Jan/2019:15:34:47 EST] [14] [6] [AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation
    • CRL_SIGNING_INFO records CRL signing certificate key info at system startup
      0.localhost-startStop-1 - [10/Jan/2019:09:10:27 EST] [14] [6] [AuditEvent=CRL_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=23:98:ED:52:5B:2C:27:C6:FF:7C:34:D1:D5:48:57:E9:B8:D1:4E:95] CRL signing info
    • FULL_CRL_GENERATION (success)
      0.CRLIssuingPoint-testing123 - [30/Jan/2019:08:35:02 EST] [14] [6] [AuditEvent=FULL_CRL_GENERATION][SubjectID=$System$][Outcome=Success][CRLnum=6] Full CRL generation
    • DELTA_CRL_GENERATION (success)
      0.CRLIssuingPoint-testing123 - [30/Jan/2019:08:35:01 EST] [14] [6] [AuditEvent=DELTA_CRL_GENERATION][SubjectID=$Unidentified$][Outcome=Success][CRLnum=5] Delta CRL generation
  • Failure in signature generation.
    • CERT_REQUEST_PROCESSED (failure)
      0.http-bio-20443-exec-8 - [28/Jan/2019:13:48:14 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$Unidentified$][Outcome=Failure][ReqID=28][InfoName=rejectReason][InfoValue=Request Key Type RSA Not Matched Rejected - {1}] certificate request processed
    • OCSP_GENERATION (failure)
      0.http-nio-22080-exec-6 - [31/Jan/2019:15:35:38 EST] [14] [6] [AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=Missing issuer certificate] OCSP response generation
    • FULL_CRL_GENERATION (failure)

FCS_HTTPS_EXT.1 and FCS_TLSS_EXT.2

  • Failure to establish a HTTPS/TLS session.
    • ACCESS_SESSION_ESTABLISH (Failure)
      See FTP_TRP.1
  • Establishment/termination of a HTTPS/TLS session
    • ACCESS_SESSION_TERMINATED
      See FIA_UIA_EXT.1

FCS_TLSC_EXT.2

  • Failure to establish a TLS session.
    • CLIENT_ACCESS_SESSION_ESTABLISH (Failure)
      0.http-bio-20443-exec-21 - [13/Feb/2019:07:48:08 EST] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=192.0.2.1][ServerHost=pki1.example.com][ServerPort=21443][SubjectID=SYSTEM][Outcome=Failure][Info=send:java.io.IOException: SocketException cannot write on socket] access session failed to establish when Certificate System acts as client
      When the server is not reachable by the client and the session runs into failures. In this scenario, the CA acts as a client for the KRA during key archival and the KRA is not reachable by the CA.
      0.http-bio-20443-exec-11 - [12/Feb/2019:18:20:03 EST] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=192.0.2.1][ServerHost=pki1.example.com][ServerPort=21443][SubjectID=SYSTEM][Outcome=Failure][Info=send:java.io.IOException: Socket has been closed, and cannot be reused.] access session failed to establish when Certificate System acts as client
      When the CA's subsystem certificate is revoked and it tries to access the KRA.
      • KRA
        0.http-bio-21443-exec-3 - [13/Feb/2019:08:15:53 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=CN=Subsystem Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org][Outcome=Failure][Info=CERTIFICATE_REVOKED] access session establish failure
      • CA
        0.http-bio-20443-exec-10 - [13/Feb/2019:08:16:08 EST] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=192.0.2.1][ServerHost=pki1.example.com][ServerPort=21443][SubjectID=SYSTEM][Outcome=Failure][Info=send:java.io.IOException: SocketException cannot write on socket] access session failed to establish when Certificate System acts as client
  • Establishment/termination of a TLS session.
    • CLIENT_ACCESS_SESSION_TERMINATED
      0.http-bio-8443-exec-6 - [10/Oct/2018:15:10:54 PDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=192.0.2.1][ServerHost=192.0.2.1][ServerPort=29443][SubjectID=SYSTEM][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated when Certificate System acts as client

FDP_CRL_EXT.1

  • Failure to generate a CRL.
    • FULL_CRL_GENERATION (failure)
      0.http-bio-20444-exec-9 - [01/Feb/2019:15:40:38 EST] [14] [6] [AuditEvent=FULL_CRL_GENERATION][SubjectID=caadmin][Outcome=Failure][FailureReason=Record not found] Full CRL generation

FDP_OCSPG_EXT.1

  • Failure to generate certificate status information.
    • OCSP_GENERATION (failure)

FIA_AFL.1

  • The reaching of the threshold for the Unsuccessful Authentication Attempts. The action taken. The re-enablement of disabled non-administrative accounts.
    Not available. For password authentication only. Certificate System provides certificate-based authentication only.

FIA_CMCS_EXT.1

  • CMC requests (generated or received) containing certificate requests or revocation requests. CMC responses issued.
    • CMC_SIGNED_REQUEST_SIG_VERIFY
      0.http-bio-20080-exec-22 - [24/Jan/2019:08:44:51 EST] [14] [6] [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent signed CMC request signature verification
    • CMC_USER_SIGNED_REQUEST_SIG_VERIFY
      • Successful request:
        0.http-bio-20443-exec-1 - [18/Feb/2019:12:07:20 EST] [14] [6] [AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID=UID=test10,CN=test10,O=example.org][Outcome=Success][ReqType=enrollment][CertSubject=<null>][SignerInfo=UID=test10,CN=test10,O=example.org] User signed CMC request signature verification success
    • CMC_REQUEST_RECEIVED
      • Successful request:
        0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIICoAYJKoZIhv...] CMC request received
      • Failed request:
        0.http-bio-20443-exec-14 - [29/Jan/2019:07:15:27 EST] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIGOBgkqhkiG9w...] CMC request received
    • PROOF_OF_POSSESSION (Enrollment Event)
      0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=user1a][Outcome=Success][Info=method=EnrollProfile: verifyPOP: ] proof of possession
    • PROFILE_CERT_REQUEST (Enrollment Event)
      0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=user1a][Outcome=Success][ReqID=31][ProfileID=caECFullCMCSharedTokenCert][CertSubject=UID=user1a,OU=People,DC=rhel76,DC=test] certificate request made with certificate profiles
    • CERT_STATUS_CHANGE_REQUEST
      • Success:
        0.http-bio-20443-exec-5 - [05/Feb/2019:05:57:12 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=121][CertSerialNum=0x67][RequestType=on-hold] certificate revocation/unrevocation request made
      • Failure:
        0.http-bio-20443-exec-13 - [05/Feb/2019:05:58:55 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=caadmin][Outcome=Failure][ReqID=<null>][CertSerialNum=0x67][RequestType=on-hold] certificate revocation/unrevocation request made
    • CERT_REQUEST_PROCESSED
      • Successful request:
        0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$Unidentified$][Outcome=Success][ReqID=31][CertSerialNum=20] certificate request processed
    • CERT_STATUS_CHANGE_REQUEST_PROCESSED
      • Successful request:
        0.http-bio-20443-exec-9 - [29/Jan/2019:07:43:36 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=UID=user1a,OU=People,DC=rhel76,DC=test][Outcome=Success][ReqID=32][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=complete] certificate status change request processed
      • Failed request:
        • 0.http-bio-20443-exec-14 - [29/Jan/2019:07:15:27 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=<null>][Outcome=Failure][ReqID=<null>][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=rejected][Info=CMCOutputTemplate: SharedSecret.getSharedToken(BigInteger serial): shrTok not found in metaInfo] certificate status change request processed
        • 0.http-bio-20443-exec-20 - [29/Jan/2019:07:30:41 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=UID=user1a,OU=People,DC=rhel76,DC=test][Outcome=Failure][ReqID=<null>][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=rejected][Info= certificate issuer DN and revocation request issuer DN do not match] certificate status change request processed
        • 0.http-bio-20443-exec-16 - [29/Jan/2019:07:55:27 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=<null>][Outcome=Failure][ReqID=<null>][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=rejected][Info= shared secret not found] certificate status change request processed
    • CMC_RESPONSE_SENT
      • Enrollment
        • Successful response
          0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=user1a][Outcome=Success][CMCResponse=MIIHTAYJKoZI...] CMC response sent
      • Revocation
        • Successful revocation
          0.http-bio-20443-exec-9 - [29/Jan/2019:07:43:36 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIExgYJKoZ...] CMC response sent
        • Failed revocation
          • Revocation does not happen
            0.http-bio-20443-exec-20 - [29/Jan/2019:07:30:41 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIFDgYJKoZIh...] CMC response sent

FPT_SKY_EXT.1(2)/OTH

  • AUTHZ
    • Failure: Agent user attempts to retrieve audit log:
      0.http-bio-8443-exec-2 - [22/Feb/2019:15:03:38 PST] [14] [6] [AuditEvent=AUTHZ][SubjectID=EC-CA-agent-2][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
    • Success: Auditor user retrieved audit log:
      0.http-bio-8443-exec-13 - [22/Feb/2019:15:25:34 PST] [14] [6] [AuditEvent=AUTHZ][SubjectID=EC-CA-auditor][Outcome=Success][aclResource=certServer.log.content.signedAudit][Op=read][Info=AuditResource.getAuditFile] authorization success

FTP_ITC.1

  • Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
    • See FCS_HTTPS_EXT.1
    • See FCS_TLSC_EXT.2