Document title: PEP#258 - Audit Logging Document details Comments Help with document reviews |
Pegasus Enhancement Proposal (PEP)
PEP #: 258
Title: Audit Logging
Version: 1.5
Created: 23 August 2007
Authors: Yi Zhou
Status: Approved
Version History:
Version | Date | Author | Change Description |
---|---|---|---|
1.0 | 06 July 2006 | Yi Zhou | Initial Submittal |
1.1 | 03 August 2006 | Yi Zhou | Updated based on review comments. |
1.2 | 05 September 2006 | Yi Zhou | Updated based on architecture team review comments. |
1.3 | 11 September 2006 | Yi Zhou | Updates from 9/8/06 architecture
teleconference discussion.
|
1.4 | 1 December 2006 | Yi Zhou | Updates to reflect latest changes. |
1.5 | 23 August 2007 | Sushma Fernandes | Updates to reflect Certificate based authentication audit logging. Changes in BLUE. |
Abstract: This PEP proposes the addition of audit logging to OpenPegasus release 2.6. This will provide a mechanism to record some wbem client and provider activities and when and by whom these activities are performed.
Pegasus currently has no audit logging capability. Audit log data can provide a record of access, activity, and configuration change for a CIM server. The contents of the audit file include who, when, and what information of a request. It can be used to allow auditors to track activities of the various WBEM client operations and provider usages.
This PEP proposes addition of audit logging so that an auditor can track activities of the various WBEM client operations and provider usages.
The audit logging is enabled by compiling with PEGASUS_ENABLE_AUDIT_LOGGER flag to be true. By default, this build environment variable is set to true.
A dynamic configuration property, "enableAuditLog", is used to enable or disable audit logging at run time. By default, enableAuditLog is set to false.
The specific contents of each log item are listed below. Each message includes timestamp when the message is logged.
When one of following cases occurs, the name-value pairs of current environment variables, the names and values of all the current configuration properties, and the names and statuses of all the currently registered provider modules are logged:
Items | Contents | Audit Type | Audit Sub Type |
---|---|---|---|
Current configurations | current property names and property values | Configuration | Current Configuration |
Currently Registered Providers | name-status pairs of currently registered provider modules | Configuration | Current Provider Registration |
Current Environment Variables | name-value pairs of current environment variables | Configuration | Current Environment Variables |
Each message includes the user name who issues the request and IP address from where the request is issued. Note: Since IP addresses are spoofable, this information can not be trusted to always be correct.
Items | Contents | Audit Type | Audit Sub Type |
---|---|---|---|
Configuration Change: set or unset a configuration property value | property name, previous property value, new current or planned property value | Configuration | Configuration Change |
Provider Module Status Change | provider module name, previous provider module status, current provider module status | Configuration | Provider Module Status Change |
authentication type, IP address and authentication status | Authentication | Local Authentication, or Basic authentication | |
Authentication attempts to the CIM Server (both succesful and failed): Certificate based authentication | certificate issuer, certificate subject, serial number, IP address and authentication status | Authentication | Certificate based authentication |
User validation attempts associated with a successful Certificate based authentication (both successful and failed). | certificate username, certificate issuer, certificate subject, serial number, IP address and authentication status | Authentication | Certificate based user validation |
CIM Class operations: CreateClass, or DeleteClass, or ModifyClass | CIM operation type, ClassName, Namespace, result (CIM status code) of the request | CIMOperation | Schema Operation |
CIM Instance operations: CreateInstance, or DeleteInstance, or ModifyInstance | CIM operation type, ClassName, Namespace, the name of the affected instance, provider module name and provider name that serve the request, result (CIM status code) of the request | CIMOperation | Instance Operation |
InvokeMethod operation | Namespace, the name of the object on which the method is invoked, provider module name and provider name that serve the request, MethodName, result (CIM status code) of the request | CIMOperation | Instance Operation |
SetQualifier and DeleteQualifier operations | CIM operation type, Namespace, Qualifier name, result (CIM status code) of the request | CIMOperation | Schema Operation |
The proposal requires the following changes:
By default, if PEGASUS_USE_SYSLOG is defined, all the audit messages are written into the system log file. Each system log file entry (e.g. in the syslog file) has a well-defined tag (e.g. "cimserver audit ") to distinguish an entry made by audit logging. Otherwise, the audit message is written into a new file PegasusAudit.log which is defined in Logger.cpp. Platform maintainers may add support to write different audit type message or different audit event message to a different log file into the function "_writeAuditMessageToFile". This interface is not exposed externally.
The following interfaces are structured such way so that platform maintainers can have flexibility to write audit records based on their needs(e.g. write authentication failure records to one location and write current configuration change to another location etc). Also, provides infrastructure to allow actions to be invoked automatically based on the data.The class is as follows: class PEGASUS_COMMON_LINKAGE AuditLogger { public: enum AuditType { TYPE_AUTHENTICATION, TYPE_AUTHORIZATION, TYPE_CONFIGURATION, TYPE_CIMOPERATION }; enum AuditSubType { SUBTYPE_LOCAL_AUTHENTICATION, SUBTYPE_BASIC_AUTHENTICATION, SUBTYPE_CERTIFICATE_BASED_AUTHENTICATION, SUBTYPE_CERTIFICATE_BASED_USER_VALIDATION, SUBTYPE_USER_GROUP_AUTHORIZATION, SUBTYPE_NAMESPACE_AUTHORIZATION, SUBTYPE_PRIVILEGED_USER_CHECK, SUBTYPE_TRUSTSTORE_CHANGE, SUBTYPE_CURRENT_CONFIGURATION, SUBTYPE_CURRENT_PROVIDER_REGISTRATION, SUBTYPE_CURRENT_ENVIRONMENT_VARIABLES, SUBTYPE_CONFIGURATION_CHANGE, SUBTYPE_PROVIDER_REGISTRATION_CHANGE, SUBTYPE_PROVIDER_MODULE_STATUS_CHANGE, SUBTYPE_SCHEMA_OPERATION, SUBTYPE_INSTANCE_OPERATION, SUBTYPE_INDICATION_OPERATION }; enum AuditEvent { EVENT_START_UP, EVENT_AUTH_SUCCESS, EVENT_AUTH_FAILURE, EVENT_CREATE, EVENT_UPDATE, EVENT_DELETE, EVENT_INVOKE }; /** Constructs and logs audit message of the current configurations @param propertyNames - All the current property names while the CIM Server is running @param propertyValues - All the current property values while the CIM Server is running */ static void logCurrentConfig( const Array& propertyNames, const Array & propertyValues); ); /** Constructs and logs audit message of the currently registered providers while the CIM Server is running @param instances - all currently registered provider module instances while the CIM Server is running */ static void logCurrentRegProvider( const Array < CIMInstance > & instances ); /** Constructs and logs audit message of the current environment variables while the CIM Server is running */ static void logCurrentEnvironmentVar(); /** Constructs and logs audit message of setting the specified configuration property to the specified value @param userName - The user name for this operation @param propertyName - The specified configuration property name @param prePropertyValue - The previous value of the changed config property @param newPropertyValue - The new value of the changed config property @param isPlanned - True, sets planned value of the specified configuration property; Otherwise, sets current value of the specified configuration property */ static void logSetConfigProperty( const String & userName, const String & propertyName, const String & prePropertyValue, const String & newPropertyValue, Boolean isPlanned); /** Constructs and logs audit message of a CIM class update operation @param cimMethodName - The name of the CIM operation performed @param eventType - The AuditEvent associated with the CIM operation @param userName - User name for this operation @param ipAddr - Client IP address for this operation @param nameSpace - The namespace for the operation @param className - The name of the class @param statusCode - The CIM status code for the operation */ static void logUpdateClassOperation( const char* cimMethodName, AuditEvent eventType, const String& userName, const String& ipAddr, const CIMNamespaceName& nameSpace, const CIMName& className, CIMStatusCode statusCode); /** Constructs and logs audit message of a CIM qualifier update operation @param cimMethodName - The name of the CIM operation performed @param eventType - The AuditEvent associated with the CIM operation @param userName - User name for this operation @param ipAddr - Client IP address for this operation @param nameSpace - The namespace for the operation @param name - The name of the qualifier @param statusCode - The CIM status code for the operation */ static void logUpdateQualifierOperation( const char* cimMethodName, AuditEvent eventType, const String& userName, const String& ipAddr, const CIMNamespaceName& nameSpace, const CIMName& name, CIMStatusCode statusCode); /** Constructs and logs audit message of a CIM instance update operation @param cimMethodName - The name of the CIM operation performed @param eventType - The AuditEvent associated with the CIM operation @param userName - The user name for this operation @param ipAddr - Client IP address for this operation @param nameSpace - The namespace for the operation @param instanceName - The name of the affected instance @param moduleName - The provider module name that serves the request @param providerName - The provider name that serves the request @param statusCode - The CIM status code for the operation */ static void logUpdateInstanceOperation( const char* cimMethodName, AuditEvent eventType, const String& userName, const String& ipAddr, const CIMNamespaceName& nameSpace, const CIMObjectPath& instanceName, const String& moduleName, const String& providerName, CIMStatusCode statusCode); /** Constructs and logs audit message of a CIM InvokeMethod operation @param userName - The user name for this operation @param ipAddr - Client IP address for this operation @param nameSpace - The namespace for the operation @param objectName - The name of the object on which the method is invoked @param methodName - The name of the method to be executed @param moduleName - The provider module name that serves the request @param providerName - The provider name that serves the request @param statusCode - The CIM status code for the operation */ static void logInvokeMethodOperation( const String& userName, const String& ipAddr, const CIMNamespaceName& nameSpace, const CIMObjectPath& objectName, const CIMName& methodName, const String& moduleName, const String& providerName, CIMStatusCode statusCode); /** Constructs and logs audit message of a provider module status change @param moduleName - The name of the provider module @param currentModuleStatus - The current status of the provider module @param newModuleStatus - The new status of the provider module */ static void logUpdateProvModuleStatus( const String & moduleName, const Array currentModuleStatus, const Array newModuleStatus); /** Constructs and logs audit message of local authentication @param userName - The user name for this operation @param successful - True on successful basic authentication, false otherwise */ static void logLocalAuthentication( const String& userName, Boolean successful); /** Constructs and logs audit message of basic authentication @param userName - The user name for this operation @param ipAddr - Client IP address for this operation @param successful - True on successful basic authentication, false otherwise */ static void logBasicAuthentication( const String& userName, const String& ipAddr, Boolean successful);
/** Constructs and logs audit message of certificate based authentication @param issuerName - The issuer name of this certificate @param subjectName - The subject name of this certificate @param serialNumber - The serial number of this certificate @param ipAddr - Client IP address for this operation @param successful - True on successful basic authentication, false otherwise */ static void logCertificateBasedAuthentication( const String& issuerName, const String& subjectName, const String& serialNumber, const String& ipAddr, Boolean successful); /** Constructs and logs audit message of certificate based user validation @param userName - The username associated with this certificate @param issuerName - The issuer name of this certificate @param subjectName - The subject name associated with the certificate @param serialNumber - The serial number of this certificate @param ipAddr - Client IP address for this operation @param successful - True on successful user validation, false otherwise */ static void logCertificateBasedUserValidation( const String& userName, const String& issuerName, const String& subjectName, const String& serialNumber, const String& ipAddr, Boolean successful);
typedef void (*PEGASUS_AUDITLOGINITIALIZE_CALLBACK_T)(); typedef void (*PEGASUS_AUDITLOG_CALLBACK_T) (AuditType, AuditSubType, AuditEvent, Uint32, MessageLoaderParms &); /** Registers an audit log initialize callback If a non-null initialize callback function is registered, it will be called when the audit log is enabled. @param auditLogInitializeCallback - The audit log initialize callback function */ static void setInitializeCallback( PEGASUS_AUDITLOGINITIALIZE_CALLBACK_T auditLogInitializeCallback); /** If the enabled is true, the audit log initialize callback function is called to communicate that the audit log is enabled. @param enabled - True on config property "enableAuditLog" is enabled, false otherwise */ static void setEnabled(Boolean enabled); static Boolean isEnabled(); /** Registers writing audit messages to a file callback @param writeAuditMessageCallback - The callback function to write audit message */ static void writeAuditLogToFileCallback( PEGASUS_AUDITLOG_CALLBACK_T writeAuditMessageCallback); private: static Boolean _auditLogFlag; /** Callback function to be called when the audit log is enabled */ static PEGASUS_AUDITLOGINITIALIZE_CALLBACK_T _auditLogInitializeCallback; /** The function to write audit messages */ static PEGASUS_AUDITLOG_CALLBACK_T _writeAuditMessageToFile; /** Default function to write a auditMessage to a file @param AuditType - Type of audit record (Authentication etc) @param AuditSubType - Sub type of audit record (Local_Authentication etc) @param AuditEvent - Event of audit record (Start_Up etc) @param logLevel - Pegasus Severity (WARNING etc) All the audit messages are passed with pegasus severity "INFORMATION", except authentication attempts failed messages or authorization failed messages are passed with pegasus severity "WARNING" @param msgParms - The message loader parameters */ static void _writeAuditMessageToFile( _AuditType auditType, _AuditSubType auditSubType, _AuditEvent auditEvent, Uint32 logLevel, MessageLoaderParms & msgParms); /** gets module status value @param moduleStatus - The module status */ static String _getModuleStatusValue(const ArraymoduleStatus); }
The audit log is tested in the automated test suite. An uint test is added to src/Pegasus/Common/tests/AuditLogger directory. The test creates various audit cases and verifies the result.
To avoid flooding the log file with too much detail, only the CIM "write" operations are logged. The CIM "read" operations, indication generation, indication delivery, and indication consumptions are not logged in this release. They could be considered for the future, once the use model is better understood after users have had experience with this feature. Note: the categories of CIM "write" and "read" operations used here are consistent with the defines in pegasus user authorization module.
Any private data must not be logged (e.g. passwd info). Since pegasus does not have a mechanism to identify which parameter value of a method contains sensitive (private) data, method parameters (except "schema-related" parameters suc as class names and qualifier names) are not logged.
The audit data of Indication operations and Provider Registration operations are already included by the CIM Instance operations. If more specific information is needed for these operations, they could be considered in the future release after users have had experience with this feature.
Authorization and certificate based
authentication audit logging are not included in Pegasus 2.6 release because the
complication of the SSL implementation, it doesn't appear to be straight forward
to implement within 2.6 timeframe. They could be considered in the future
release.
Authorization audit logging is not included. It could be considered for a future release.
Certificate based authentication audit logging is included in the 2.7 release.
Action | Planned | Actual | Comment |
PEP Submitted | 7 July | 6 July | |
PEP Reviewed | 21 July | 25 July | |
PEP Approved | 4 August | 19 September | |
Code Committed | Pegasus 2.6 FC | 31 October |
Copyright (c) 2006 Hewlett-Packard
Development Company, L.P.; IBM Corp.; EMC Corporation; Symantec Corporation; The
Open Group.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED
IN ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS
PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Template last modified: March 26th
2006 by Martin Kirk
Template version:
1.11