Appendix E. Audit Events
This appendix contains two parts. The first part, Section E.1, “Required Audit Events and Their Examples”, contains a list of required audit events grouped by the requirement ID from the CA Protection Profile V2.1, where each audit event is accompanied by one or more examples. The second part, Section E.2, “Audit Event Descriptions” provides individual audit event and their parameter description and format. Every audit event in the log is accompanied by the following information:
- The Java identifier of the thread. For example:
0.localhost-startStop-1
- The time stamp the event occurred at. For example:
[21/Jan/2019:17:53:00 IST]
- The log source (14 is SIGNED_AUDIT):
[14]
- The current log level (6 is Security-related events. See the Log Levels (Message Categories) section in the Red Hat Certificate System Planning, Installation, and Deployment Guide (Common Criteria Edition)). For example:
[6]
- The information about the log event (which is log event specific; see Section E.2, “Audit Event Descriptions” for information about each field in a particular log event). For example:
[AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
E.1. Required Audit Events and Their Examples
This section contains all required audit events per Common Criteria CA Protection Profile v.2.1.
For audit events descriptions, see Section E.2, “Audit Event Descriptions”.
FAU_GEN.1
- Start-up of the TSF audit functions
AUDIT_LOG_STARTUP
0.localhost-startStop-1 - [21/Jan/2019:17:53:00 IST] [14] [6] [AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
- All administrative actions invoked through the TFS interface
CONFIG_CERT_PROFILE
0.http-bio-20443-exec-35 - [02/Jan/2019:05:05:09 EST] [14] [6] [AuditEvent=CONFIG_CERT_PROFILE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;rules+Operation;;OP_ADD+Resource;;caAgentExample+class_id;;caEnrollImpl+name;;caAgentExample Enrollment Profile+description;;This certificate profile is for enrolling user certificates+visible;;true] certificate profile configuration parameter(s) change
CERT_PROFILE_APPROVAL
0.http-bio-8443-exec-8 - [15/Nov/2018:15:37:19 PST] [14] [6] [AuditEvent=CERT_PROFILE_APPROVAL][SubjectID=cfuEC-0830-agent-2][Outcome=Success][ProfileID=caTPSCert][Op=disapprove] certificate profile approval
CONFIG_OCSP_PROFILE
0.http-bio-22443-exec-11 - [30/Jan/2019:06:18:02 EST] [14] [6] [AuditEvent=CONFIG_OCSP_PROFILE][SubjectID=ocspadmin][Outcome=Success][ParamNameValPairs=Scope;;ocspStoresRules+Operation;;OP_MODIFY+Resource;;ldapStore+includeNextUpdate;;false+byName;;true+implName;;com.netscape.cms.ocsp.LDAPStore+numConns;;0+caCertAttr;;cACertificate;binary+notFoundAsGood;;true+crlAttr;;certificateRevocationList;binary] OCSP profile configuration parameter(s) change
CONFIG_CRL_PROFILE
0.http-bio-20443-exec-48 - [29/Jan/2019:04:29:29 EST] [14] [6] [AuditEvent=CONFIG_CRL_PROFILE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;crl+Operation;;OP_MODIFY+Resource;;MasterCRL+enableCRLUpdates;;true+updateSchema;;1+extendedNextUpdate;;true+alwaysUpdate;;false+enableDailyUpdates;;true+dailyUpdates;;4:30+enableUpdateInterval;;true+autoUpdateInterval;;240+nextUpdateGracePeriod;;0+nextAsThisUpdateExtension;;0] CRL profile configuration parameter(s) change
CONFIG_AUTH
0.http-bio-20443-exec-11 - [15/Jan/2019:08:36:39 EST] [14] [6] [AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;instance+Operation;;OP_ADD+Resource;;plug502+implName;;UidPwdDirAuth+ldap.ldapconn.host;;server.example.com+dnpattern;;uid=test,ou=people,o=topology-02-CA+ldapStringAttributes;;mail+ldap.ldapconn.version;;3+ldap.ldapconn.port;;3389+ldap.maxConns;;10+ldap.basedn;;dc=example,dc=com+ldap.minConns;;3+ldap.ldapconn.secureConn;;false+ldapByteAttributes;;uid+ldap.password;;(sensitive)+ldap.ldapauth.authtype;;BasicAuth+ldap.ldapauth.bindDN;;cn=direcory manager] authentication configuration parameter(s) change
0.http-bio-20080-exec-25 - [29/Jan/2019:04:54:14 EST] [14] [6] [AuditEvent=CONFIG_AUTH][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;instance+Operation;;OP_ADD+Resource;;plug7487+implName;;AgentCertAuth] authentication configuration parameter(s) change
CONFIG_ROLE(success)
0.http-bio-20443-exec-50 - [18/Jan/2019:04:08:45 EST] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;certs+Operation;;OP_ADD+Resource;;CA_AdminV+cert;;-----BEGIN CERTIFICATE-----MIIDYTCCAkmgAwIBAgIBfz...-----END CERTIFICATE-----] role configuration parameter(s) change
CONFIG_ROLE(Failure)
0.http-bio-20443-exec-39 - [18/Jan/2019:04:08:57 EST] [14] [6] [AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Failure][ParamNameValPairs=Scope;;users+Operation;;OP_ADD+Resource;;CA_AdminUnTrusted+password;;********+phone;;<null>+fullname;;CA_AdminUnTrusted+state;;<null>+userType;;<null>+email;;<null>] role configuration parameter(s) change
CONFIG_ACL
- CA
CA = 0.http-bio-20443-exec-18 - [29/Jan/2019:05:15:16 EST] [14] [6] [AuditEvent=CONFIG_ACL][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;acls+Operation;;OP_MODIFY+Resource;;testACL+aci;;allow (read,allow) group="testGroup"+desc;;ALLOW READ to testGroup+rights;;read,allow] ACL configuration parameter(s) change
CONFIG_SIGNED_AUDIT
- CA
0.http-bio-20443-exec-20 - [29/Jan/2019:02:44:04 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Action;;disable] signed audit configuration parameter(s) change
- KRA
0.http-bio-21443-exec-9 - [30/Jan/2019:08:15:11 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=kraadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
- OCSP
0.http-bio-22443-exec-17 - [30/Jan/2019:08:17:06 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=ocspadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
- TKS
0.http-bio-23443-exec-15 - [30/Jan/2019:08:18:52 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=tksadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
- TPS
0.http-bio-25443-exec-5 - [30/Jan/2019:08:20:03 EST] [14] [6] [AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=tpsadmin][Outcome=Success][ParamNameValPairs=Action;;enable] signed audit configuration parameter(s) change
CONFIG_TRUSTED_PUBLIC_KEY
- CA
0.http-bio-20443-exec-9 - [29/Jan/2019:03:25:02 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwI...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
- KRA
0.http-bio-21443-exec-17 - [30/Jan/2019:08:29:07 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=kraadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAw...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
- OCSP
0.http-bio-22443-exec-25 - [30/Jan/2019:08:41:08 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=ocspadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwIB...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
- TKS
0.http-bio-23443-exec-23 - [30/Jan/2019:08:45:40 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=tksadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwIBA...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
- TPS
0.http-bio-22443-exec-23 - [30/Jan/2019:08:46:13 EST] [14] [6] [AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=tpsadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwIBA...-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
CONFIG_DRM
0.http-bio-21443-exec-1 - [24/Jan/2019:09:36:52 EST] [14] [6] [AuditEvent=CONFIG_DRM][SubjectID=kraadmin][Outcome=Success][ParamNameValPairs=Scope;;general+Operation;;OP_MODIFY+Resource;;RS_ID_CONFIG+noOfRequiredRecoveryAgents;;2] DRM configuration parameter(s) change
OCSP_ADD_CA_REQUEST_PROCESSED
- Success
0.http-bio-22443-exec-24 - [29/Jan/2019:03:15:59 EST] [14] [6] [AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_example.com] Add CA for OCSP Responde
- Failure
0.http-bio-22443-exec-12 - [30/Jan/2019:06:44:32 EST] [14] [6] [AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Failure][CASubjectDN=<null>] Add CA for OCSP Responder
OCSP_REMOVE_CA_REQUEST_PROCESSED
0.http-bio-22443-exec-24 - [29/Jan/2019:03:13:43 EST] [14] [6] [AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED][SubjectID=ocspadmin][Outcome=Success][CASubjectDN=CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_example.com] Remove CA for OCSP Responder is successful
SECURITY_DOMAIN_UPDATE
- Operation: Issue_token
0.http-bio-20443-exec-10 - [16/Jan/2019:03:19:57 EST] [14] [6] [AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=operation;;issue_token+token;;2433856184928074456+ip;;192.0.2.1+uid;;caadmin+groupname;;Enterprise TKS Administrators] security domain update
- Operation: Add
0.http-bio-20443-exec-18 - [02/Jan/2019:04:39:21 EST] [14] [6] [AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=host;;server.example.com+name;;OCSP server.example.com 22443+sport;;22443+clone;;false+type;;OCSP+operation;;add] security domain update
CONFIG_SERIAL_NUMBER
- CA
0.http-bio-20443-exec-2 - [29/Jan/2019:07:53:21 EST] [14] [6] [AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=source;;updateNumberRange+type;;request+beginNumber;;9990001+endNumber;;10000000] serial number range update
- KRA
0.http-bio-21443-exec-7 - [18/Jan/2019:19:11:47 EST] [14] [6] [AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=source;;updateNumberRange+type;;serialNo+beginNumber;;fff0001+endNumber;;10000000] serial number range update
FDP_CER_EXT.1 (extended)
- Certificate generation
CERT_REQUEST_PROCESSED (SUCCESS)
0.http-bio-8443-exec-24 - [07/Sep/2018:10:21:57 PDT] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=7][CertSerialNum=7] certificate request processed
FDP_CER_EXT.2 (extended)
- Linking of certificates to certificate requests
PROFILE_CERT_REQUEST
0.http-bio-8443-exec-24 - [07/Sep/2018:10:21:57 PDT] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=7][ProfileID=caECFullCMCUserCert][CertSubject=CN=cfuEC-0830] certificate request made with certificate profiles
Note
TheReqID
field effectively links to theReqID
field of a successfulCERT_REQUEST_PROCESSED
event.
FDP_CER_EXT.3
- Failed certificate approvals
CERT_REQUEST_PROCESSED (FAILURE)
0.http-bio-20443-exec-4 - [21/Jan/2019:00:24:16 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$NonRoleUser$][Outcome=Failure][ReqID=1483][InfoName=rejectReason][InfoValue=Request 1483 Rejected - Subject Name Not Matched UID=testuser00,E=example@example.com,CN=MyTestUser] certificate request processed
FIA_X509_EXT.1, FIA_X509_EXT.2
- Failed certificate validations; failed authentications
ACCESS_SESSION_ESTABLISH (FAILURE)
- User with revoked cert trying to perform an operation.
0.http-bio-21443-exec-9 - [12/Feb/2019:14:52:26 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=UID=KRA_AgentR,E=KRA_AgentR@example.org,CN=KRA_AgentR,OU=IDMQE,C=US][Outcome=Failure][Info=CERTIFICATE_REVOKED] access session establish failure
- User with expired cert trying to perform an operation.
0.http-bio-21443-exec-9 - [12/Feb/2019:14:52:26 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=UID=KRA_AgentR,E=KRA_AgentR@example.org,CN=KRA_AgentR,OU=IDMQE,C=US][Outcome=Failure][Info=CERTIFICATE_EXPIRED] access session establish failure
- CMC enrollment request submitted using a TLS client cert issued by an unknown CA.
0.http-bio-20443-exec-28 - [12/Feb/2019:16:31:08 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE][Outcome=Failure][Info=UNKNOWN_CA] access session establish failure
- When client protocol does not match. For example: client use
ssl3
but server does not support.0.http-bio-20443-exec-11 - [12/Feb/2019:16:35:26 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=][Outcome=Failure][Info=HANDSHAKE_FAILURE] access session establish failure
- For incorrect protocol version. Example server supports
tls1.1
andtls1.2
but client sendstls1
.0.http-bio-20443-exec-46 - [12/Feb/2019:16:39:10 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=][Outcome=Failure][Info=PROTOCOL_VERSION] access session establish failure
- When client sends list of cipher but Server have no list of ciphers.Server:
0.http-bio-21443-exec-3 - [13/Feb/2019:07:40:44 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=][Outcome=Failure][Info=INTERNAL_ERROR] access session establish failure
FIA_UIA_EXT.1
- Privileged user identification and authentication
ACCESS_SESSION_ESTABLISH
- CA Example
0.http-bio-8443-exec-1 - [10/Oct/2018:15:42:13 PDT] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success] access session establish success
- TPS Example
0.http-bio-25443-exec-1 - [02/Jan/2019:04:44:12 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success] access session establish success
AUTH
- CA Example
0.http-bio-8443-exec-1 - [28/Nov/2018:16:23:15 PST] [14] [6] [AuditEvent=AUTH][SubjectID=caagentJoe][Outcome=Success][AuthMgr=CMCAuth] authentication success
- TPS Example
0.http-bio-25443-exec-1 - [25/Jan/2019:13:00:59 IST] [14] [6] [AuditEvent=AUTH][SubjectID=tpsadmin][Outcome=Success][AuthMgr=passwdUserDBAuthMgr] authentication success
AUTHZ
- CA Example
0.http-bio-8443-exec-1 - [28/Nov/2018:16:23:15 PST] [14] [6] [AuditEvent=AUTHZ][SubjectID=caagentJoe][Outcome=Success][aclResource=certServer.ee.profile][Op=submit] authorization success
- TPS Example
0.http-bio-25443-exec-1 - [25/Jan/2019:13:00:59 IST] [14] [6] [AuditEvent=AUTHZ][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=login][Info=AccountResource.login] authorization success
ROLE_ASSUME
- CA Example
0.http-bio-8443-exec-1 - [28/Nov/2018:16:23:15 PST] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=caagentJoe][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
- TPS Example
0.http-bio-25443-exec-9 - [25/Jan/2019:13:00:07 IST] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=cfu][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
FMT_SMR.2
- Modifications to the group of users that are part of a role
CONFIG_ROLE
SeeCONFIG_ROLE
event above.
FPT_FLS.1
- Failure with preservation of secure state
SELFTESTS_EXECUTION
- CA Example
0.localhost-startStop-1 - [10/Jan/2019:00:47:57 EST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
- TPS Example
0.localhost-startStop-1 - [22/Jan/2019:11:55:32 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
FPT_KST_EXT.2
- Private/secret keys are stored by the HSM and the only operations to "access" those keys are through the TSF as signing operations.
CERT_REQUEST_PROCESSED (failure) 0.http-bio-20443-exec-8 - [28/Jan/2019:13:48:14 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$Unidentified$][Outcome=Failure][ReqID=28][InfoName=rejectReason][InfoValue=Request Key Type RSA Not Matched Rejected - {1}] certificate request processed
FPT_RCV.1
- The fact that a failure or service discontinuity occurred. Resumption of the regular operation.
- Failure:
SELFTESTS_EXECUTION (Failure)
- CA Example
0.localhost-startStop-1 - [29/Jan/2019:13:29:03 UTC] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
- TPS Example
0.localhost-startStop-1 - [22/Jan/2019:11:55:32 IST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Failure] self tests execution (see selftests.log for details)
- Self-test log, see 13.3.2. Configuring Self-Tests in Red Hat Certificat Systemitem's Planning, Installation, and Deployment Guide.
- Resumption:
AUDIT_LOG_STARTUP; SELFTESTS_EXECUTION (Success)
- TPS Example
0.localhost-startStop-1 - [21/Jan/2019:16:47:44 IST] [14] [6] [AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
- CA Example
0.localhost-startStop-1 - [04/Feb/2019:18:29:38 EST] [14] [6] [AuditEvent=SELFTESTS_EXECUTION][SubjectID=$System$][Outcome=Success] self tests execution (see selftests.log for details)
FPT_STM.1
- Changes to the time.
FPT_TUD_EXT.1
- Initiation of update.
FTA_SSL.4
- The termination of an interactive session.
ACCESS_SESSION_TERMINATED
0.http-bio-20443-exec-7 - [21/Jan/2019:03:42:17 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_example.com][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
- TPS
0.http-bio-25443-exec-1 - [02/Jan/2019:04:44:12 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session
FTP_TRP.1
- Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions.
ACCESS_SESSION_ESTABLISH
2529:0.http-bio-20443-exec-8 - [29/Jan/2019:02:41:10 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=CN=PKI Administrator,E=tpsadmin@server.example.com,OU=topology-02-TPS,O=topology-02_example.com][Outcome=Failure][Info=UNKNOWN_CA] access session establish failure
- TPS
0.http-bio-25443-exec-4 - [25/Jan/2019:12:58:31 IST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=0:0:0:0:0:0:0:1][ServerIP=0:0:0:0:0:0:0:1][SubjectID=][Outcome=Failure][Info=RECORD_OVERFLOW] access session establish failure
ACCESS_SESSION_TERMINATED
0.http-bio-20443-exec-48 - [29/Jan/2019:04:30:49 EST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
- TPS
TPS=0.http-bio-25443-exec-19 - [25/Jan/2019:12:47:07 IST] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=192.0.2.1][ServerIP=192.0.2.1][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
FCS_CKM.1 and FCS_CKM.2
- Not available. There are no TOE-related functions where a TOE subsystem generates (or requests the OE to generate) a non-ephemeral key. All system certificates are generated in the same manner as user keys during the installation, before the TOE is running and, thus, before the it can audit.
FCS_CKM_EXT.4
- Not available
FCS_COP.1(2)
- All occurrences of signature generation using a CA signing key.
CERT_SIGNING_INFO
records CA signing certificate key info at system startup0.authorityMonitor - [03/Jan/2019:02:33:35 EST] [14] [6] [AuditEvent=CERT_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=E3:D2:5B:2A:F5:76:FF:7B:48:CA:94:18:5F:7B:BD:6B:95:FB:8F:30][AuthorityID=dbec10a4-1264-4759-96d5-6d2aadbf9d34] certificate signing info
CERT_REQUEST_PROCESSED (success)
0.http-bio-20443-exec-378 - [19/Jan/2019:05:57:39 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=1352][CertSerialNum=984] certificate request processed
OCSP_SIGNING_INFO
records OCSP signing certificate key info at system startup0.http-bio-29443-exec-3 - [10/Oct/2018:14:15:24 PDT] [14] [6] [AuditEvent=OCSP_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=71:B1:D0:AE:44:DF:ED:D0:20:15:2B:E3:37:E8:EE:04:EB:D6:F1:44] OCSP signing info
OCSP_GENERATION (success)
0.http-nio-22080-exec-3 - [31/Jan/2019:15:34:47 EST] [14] [6] [AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Success] OCSP response generation
CRL_SIGNING_INFO
records CRL signing certificate key info at system startup0.localhost-startStop-1 - [10/Jan/2019:09:10:27 EST] [14] [6] [AuditEvent=CRL_SIGNING_INFO][SubjectID=$System$][Outcome=Success][SKI=23:98:ED:52:5B:2C:27:C6:FF:7C:34:D1:D5:48:57:E9:B8:D1:4E:95] CRL signing info
FULL_CRL_GENERATION (success)
0.CRLIssuingPoint-testing123 - [30/Jan/2019:08:35:02 EST] [14] [6] [AuditEvent=FULL_CRL_GENERATION][SubjectID=$System$][Outcome=Success][CRLnum=6] Full CRL generation
DELTA_CRL_GENERATION (success)
0.CRLIssuingPoint-testing123 - [30/Jan/2019:08:35:01 EST] [14] [6] [AuditEvent=DELTA_CRL_GENERATION][SubjectID=$Unidentified$][Outcome=Success][CRLnum=5] Delta CRL generation
- Failure in signature generation.
CERT_REQUEST_PROCESSED (failure)
0.http-bio-20443-exec-8 - [28/Jan/2019:13:48:14 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$Unidentified$][Outcome=Failure][ReqID=28][InfoName=rejectReason][InfoValue=Request Key Type RSA Not Matched Rejected - {1}] certificate request processed
OCSP_GENERATION (failure)
0.http-nio-22080-exec-6 - [31/Jan/2019:15:35:38 EST] [14] [6] [AuditEvent=OCSP_GENERATION][SubjectID=$NonRoleUser$][Outcome=Failure][FailureReason=Missing issuer certificate] OCSP response generation
FULL_CRL_GENERATION (failure)
FCS_HTTPS_EXT.1 and FCS_TLSS_EXT.2
- Failure to establish a HTTPS/TLS session.
ACCESS_SESSION_ESTABLISH (Failure)
See FTP_TRP.1
- Establishment/termination of a HTTPS/TLS session
ACCESS_SESSION_TERMINATED
See FIA_UIA_EXT.1
FCS_TLSC_EXT.2
- Failure to establish a TLS session.
CLIENT_ACCESS_SESSION_ESTABLISH (Failure)
0.http-bio-20443-exec-21 - [13/Feb/2019:07:48:08 EST] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=192.0.2.1][ServerHost=pki1.example.com][ServerPort=21443][SubjectID=SYSTEM][Outcome=Failure][Info=send:java.io.IOException: SocketException cannot write on socket] access session failed to establish when Certificate System acts as client
When Server is not reachable by Client and Session ran into failures. In this scenario, CA acts as a client for KRA during Key Archival and KRA is not reachable by CA.0.http-bio-20443-exec-11 - [12/Feb/2019:18:20:03 EST] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=192.0.2.1][ServerHost=pki1.example.com][ServerPort=21443][SubjectID=SYSTEM][Outcome=Failure][Info=send:java.io.IOException: Socket has been closed, and cannot be reused.] access session failed to establish when Certificate System acts as client
When CA's subsystem cert is revoked and it tried to access KRA.- KRA
0.http-bio-21443-exec-3 - [13/Feb/2019:08:15:53 EST] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.1][ServerIP=192.0.2.2][SubjectID=CN=Subsystem Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org][Outcome=Failure][Info=CERTIFICATE_REVOKED] access session establish failure
- CA
0.http-bio-20443-exec-10 - [13/Feb/2019:08:16:08 EST] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH][ClientHost=192.0.2.1][ServerHost=pki1.example.com][ServerPort=21443][SubjectID=SYSTEM][Outcome=Failure][Info=send:java.io.IOException: SocketException cannot write on socket] access session failed to establish when Certificate System acts as client
- Establishment/termination of a TLS session.
CLIENT_ACCESS_SESSION_TERMINATED
0.http-bio-8443-exec-6 - [10/Oct/2018:15:10:54 PDT] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=192.0.2.1][ServerHost=192.0.2.1][ServerPort=29443][SubjectID=SYSTEM][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated when Certificate System acts as client
FDP_CRL_EXT.1
- Failure to generate a CRL.
FULL_CRL_GENERATION (failure)
0.http-bio-20444-exec-9 - [01/Feb/2019:15:40:38 EST] [14] [6] [AuditEvent=FULL_CRL_GENERATION][SubjectID=caadmin][Outcome=Failure][FailureReason=Record not found] Full CRL generation
FDP_OCSPG_EXT.1
- Failure to generate certificate status information.
OCSP_GENERATION (failure)
FIA_AFL.1
- The reaching of the threshold for the Unsuccessful Authentication Attempts. The action Taken. The re-enablement of disabled non-administrative accounts.Not available. For password authentication only. Certificate System provides certificate-based authentication only.
FIA_CMCS_EXT.1
- CMC requests (generated or received) containing certificate requests or revocation requests. CMC responses issued.
CMC_SIGNED_REQUEST_SIG_VERIFY
0.http-bio-20080-exec-22 - [24/Jan/2019:08:44:51 EST] [14] [6] [AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID=$NonRoleUser$][Outcome=Failure][ReqType=$Unidentified$][CertSubject=$Unidentified$][SignerInfo=$Unidentified$] agent signed CMC request signature verification
CMC_USER_SIGNED_REQUEST_SIG_VERIFY
- Successful request:
0.http-bio-20443-exec-1 - [18/Feb/2019:12:07:20 EST] [14] [6] [AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID=UID=test10,CN=test10,O=example.org][Outcome=Success][ReqType=enrollment][CertSubject=<null>][SignerInfo=UID=test10,CN=test10,O=example.org] User signed CMC request signature verification success
CMC_REQUEST_RECEIVED
- Successful request:
0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIICoAYJKoZIhv...] CMC request received
- Failed request:
0.http-bio-20443-exec-14 - [29/Jan/2019:07:15:27 EST] [14] [6] [AuditEvent=CMC_REQUEST_RECEIVED][SubjectID=$Unidentified$][Outcome=Success][CMCRequest=MIGOBgkqhkiG9w...] CMC request received
PROOF_OF_POSSESSION
(Enrollment Event)0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=PROOF_OF_POSSESSION][SubjectID=user1a][Outcome=Success][Info=method=EnrollProfile: verifyPOP: ] proof of possession
PROFILE_CERT_REQUEST
(Enrollment Event)0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=PROFILE_CERT_REQUEST][SubjectID=user1a][Outcome=Success][ReqID=31][ProfileID=caECFullCMCSharedTokenCert][CertSubject=UID=user1a,OU=People,DC=rhel76,DC=test] certificate request made with certificate profiles
CERT_STATUS_CHANGE_REQUEST
- Success:
0.http-bio-20443-exec-5 - [05/Feb/2019:05:57:12 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=caadmin][Outcome=Success][ReqID=121][CertSerialNum=0x67][RequestType=on-hold] certificate revocation/unrevocation request made
- Failure:
0.http-bio-20443-exec-13 - [05/Feb/2019:05:58:55 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=caadmin][Outcome=Failure][ReqID=<null>][CertSerialNum=0x67][RequestType=on-hold] certificate revocation/unrevocation request made
CERT_REQUEST_PROCESSED
- Successful request:
0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=$Unidentified$][Outcome=Success][ReqID=31][CertSerialNum=20] certificate request processed
CERT_STATUS_CHANGE_REQUEST_PROCESSED
- Successful request:
0.http-bio-20443-exec-9 - [29/Jan/2019:07:43:36 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=UID=user1a,OU=People,DC=rhel76,DC=test][Outcome=Success][ReqID=32][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=complete] certificate status change request processed
- Failed request:
0.http-bio-20443-exec-14 - [29/Jan/2019:07:15:27 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=<null>][Outcome=Failure][ReqID=<null>][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=rejected][Info=CMCOutputTemplate: SharedSecret.getSharedToken(BigInteger serial): shrTok not found in metaInfo] certificate status change request processed
0.http-bio-20443-exec-20 - [29/Jan/2019:07:30:41 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=UID=user1a,OU=People,DC=rhel76,DC=test][Outcome=Failure][ReqID=<null>][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=rejected][Info= certificate issuer DN and revocation request issuer DN do not match] certificate status change request processed
0.http-bio-20443-exec-16 - [29/Jan/2019:07:55:27 EST] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=<null>][Outcome=Failure][ReqID=<null>][CertSerialNum=20][RequestType=revoke][RevokeReasonNum=Certificate_Hold][Approval=rejected][Info= shared secret not found] certificate status change request processed
CMC_RESPONSE_SENT
- Enrollment
- Successful response
0.http-bio-20443-exec-13 - [29/Jan/2019:04:26:49 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=user1a][Outcome=Success][CMCResponse=MIIHTAYJKoZI...] CMC response sent
- Revocation
- Successful revocation
0.http-bio-20443-exec-9 - [29/Jan/2019:07:43:36 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIExgYJKoZ...] CMC response sent
- Failed revocation
- Revocation does not happen
0.http-bio-20443-exec-20 - [29/Jan/2019:07:30:41 EST] [14] [6] [AuditEvent=CMC_RESPONSE_SENT][SubjectID=$Unidentified$][Outcome=Success][CMCResponse=MIIFDgYJKoZIh...] CMC response sent
FPT_SKY_EXT.1(2)/OTH
AUTHZ
- Failure: Agent user attempts to retrieve audit log:
0.http-bio-8443-exec-2 - [22/Feb/2019:15:03:38 PST] [14] [6] [AuditEvent=AUTHZ][SubjectID=EC-CA-agent-2][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
- Success: Auditor user retrieved audit log:
0.http-bio-8443-exec-13 - [22/Feb/2019:15:25:34 PST] [14] [6] [AuditEvent=AUTHZ][SubjectID=EC-CA-auditor][Outcome=Success][aclResource=certServer.log.content.signedAudit][Op=read][Info=AuditResource.getAuditFile] authorization success
FTP_ITC.1
- Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
- See FCS_HTTPS_EXT.1
- See FCS_TLSC_EXT.2