Audit Events

The AuditEvent interface provides a mechanism for passing additional audit information to Auditing providers during a writeEvent operation. This is the base interface that is extended by components in the Security Framework to compose specific audit event types. Extending this interface helps auditing providers determine the calling security component.

If you implement this interface and you expect to receive a ContextHandler argument from a caller, you can extend the AuditContext interface to provide more information.

Table 4-1 Audit Events
Audit Event Name	Interface Class	Interfaces Implemented
		AuditEvent	AuditContext
Authentication Audit Event	weblogic.security.spi.AuditAtnEvent	Yes	No
Authentication Audit Event V2	weblogic.security.spi.AuditAtnEventV2	Yes	Yes
Authorization Audit Event	weblogic.security.spi.AuditAtzEvent	Yes	Yes
Role Mapping Audit Event	weblogic.security.spi.AuditRoleEvent	Yes	Yes
Credential Mapping Audit Event	weblogic.security.spi.AuditCredentialMappingEvent	Yes	Yes
Management Audit Event	weblogic.security.spi.AuditMgmtEvent	Yes	No
Policy Audit Event	weblogic.security.spi.AuditPolicyEvent	Yes	No
Role Deployment Audit Event	weblogic.security.spi.AuditRoleDeploymentEvent	Yes	No
Provider Audit Record	com.bea.security.spi.ProviderAuditRecord	Yes	Yes

Table 4-2 WebLogic 9.x Audit Events
Audit Event Name	Interface Class	Interfaces Implemented
		Audit Event	Audit Context
Application Version Event	`weblogic.security.spi.AuditApplicationVersionEvent`	Yes	No
Authentication Audit Event	`weblogic.security.spi.AuditAtnEvent`	Yes	No
Authentication Audit Event V2	`weblogic.security.spi.AuditAtnEventV2`	Yes	Yes
Authorization Audit Event	`weblogic.security.spi.AuditAtzEvent`	Yes	Yes
CertPathBuilder Audit Event	`weblogic.security.spi.AuditCertPathBuilderEvent`	Yes	Yes
CertPathValidator Audit Event	`weblogic.security.spi.AuditCertPathValidatorEvent`	Yes	Yes
Configuration Audit Event	`weblogic.security.spi.AuditConfigurationEvent`	Yes	Yes
Credential Mapping Audit Event	`weblogic.security.spi.AuditCredentialMappingEvent`	Yes	Yes
Life Cycle Event	`weblogic.security.spi.AuditLifecycleEvent`	Yes	No
Audit Management Event	`weblogic.security.spi.AuditMgmtEvent`	Yes	No
Policy Audit Event	`weblogic.security.spi.AuditPolicyEvent`	Yes	No
Policy Consumer Audit Event	`weblogic.security.service.internal.PolicyConsumerAuditEvent`	AuditPolicyEvent	No
Provider Audit Record	`com.bea.security.spi.ProviderAuditRecord`	Yes	Yes
Role Consumer Audit Event	`weblogic.security.service.internal.RoleConsumerAuditEvent`	AuditRoleEvent	Yes
Role Deployment Audit Event	`weblogic.security.spi.AuditRoleDeploymentEvent`	Yes	No
Role Mapping Audit Event	`weblogic.security.spi.AuditRoleEvent`	Yes	Yes

The providers implement the appropriate AuditEvent interfaces and post those events to the Audit provider. The AuditEvents that also implement the AuditContext interface can provide more information via a ContextHandler.

The ContextHandler interface provides a way for an internal WebLogic container to pass additional information to a WebLogic Security Framework call, so that a security provider can obtain additional context information beyond what is provided by the arguments to a particular method. A ContextHandler is essentially a name/value list. The name/value list is also called a context element, and is represented by a ContextElement object.

What Events are Audited?

Depending on the interface that the AuditEvent has implemented, different information is audited. For all audit events, the toString() method is called on the event and that string is audited. Some audit events have a ContextHandler, such as the AuditAtzEvent and AuditRoleEvent, in which case the context is audited in addition to calling the toString() method on the AuditEvent. You can have many ContextElements, but each NAME/VALUE pair must be iterated over and audited.

The Log4j Audit Channel provider ships with Log4j renderers that are aware of these interfaces and know how to extract the appropriate audit information. You can change this behavior by writing custom renderers and updating the Custom Log4j Renderer Properties text box on the Advanced tab for the Log4j Auditor page in the Administration Console. A custom renderer is useful if only a particular subset of context elements are required or if the default style of audit events needs to be changed.

To be audited, you can select which severity the audit event must equal or be greater than; and you can select the types of AuditEvents by setting the Custom Audit Events attribute. If an AuditEvent implements or is an instance of any of the classes listed, then you can audit it. Only new custom events need to be listed here. The default events already exist and are controlled by selecting either: DISABLED, WITH_CONTEXT, or WITHOUT_CONTEXT on the Details tab for the Log4j Auditor page in the Administration Console. For a list of audit events, see Audit Events.

All audit events generated through the Java API are called through the Provider Audit Records interface using the AuditRecord method. This includes PolicyAdministrationEvent and ARMEAuthorizationEvent. A PolicyAdministrationEvent is generated when a policy change is made through the Administration Console. An ARMEAuthorizationEvent is generated when the ARME makes a authorization request for a policy change.

All audit events can be DISABLED or WITHOUT_CONTEXT. For those that have context, you can select WITH_CONTEXT. The AuditAtzEvents have more options then all the other types, you can select the events to audit based on the following options:

Custom Audit Context Extensions

The Log4J Audit Channel provider is used to audit events that are generated by the Security Framework, the runtime API, or custom implementations based on the weblogic.security.spi.AuditEvent interface AuditEvent class.

Audit plug-ins can be used to audit with minimal awareness of the audit data formats being passed in by the calling Security Framework component. Additionally, Log4j plug-ins written or supplied by third parties can implement actions (such as paging security personal) based on audit severity/criteria you set in the Log4j Audit Channel provider Details tab in the Administration Console. Some general descriptions or suggestions for the information suitable for auditing by AuditEvent are as follows:

Adding Application Context from the BLM API

In this release of AquaLogic Enterprise Security, the BLM API has been enhanced to allow you to send an Application Context to the auditing service.

An Audit Context is a name=value pair data structure that contains additional audit data that is made available to the Audit provider. Like the Audit Context, the Application Context is also a name=value pair data structure, and it contains additional application-specific audit data that is appended to the Audit Context when audit messages are written.

This additional information can be used by a custom Audit provider. Note, however, that the default Log4j Audit provider does not use this additional context.

When you create the Application Context, it is reused for each audit message associated with this BLM Context until it is overwritten by a call to set it, or you clear it.

The following BLM API methods have been added to provide for the Application Context:

Audit Event Interfaces and Audit Events

In the security provider interface package, WebLogic Security defines one top-level base interface (AuditEvent) with different derived interfaces that represent the different types of audit events.

The following sections describe when the security framework and security providers post seven major types of audit events:

For a list of the events that are audited for the default Admin policy, see Admin Policy Audit Events.

AuditAtnEvent

Authentication audit events are posted by the security framework. Table 4-3 describes the conditions under which the event is posted and severity level of the event.

Table 4-3 Authentication Audit Events
Component	Description	Severity
Security Framework	Posted after successful authentication of a user.	Success
Security Framework	Posted after unsuccessful authentication (a LoginException thrown from JAAS login method). This LoginException can be thrown by either JAAS framework or by JAAS LoginModule of WebLogic Server authentication provider.	Failure
Security Framework	Posted after an identity assertion to an anonymous user.	Success
Security Framework	Posted after an unsuccessful identity assertion (IdentityAssertionException thrown from identity assertion method).	Failure
Security Framework	Posted after an unsuccessful identity assertion (IOException is thrown by identity assertion callback handler when retrieving username from callback).	Failure
Security Framework	Posted after an unsuccessful identity assertion (UnsupportedCallbackException is thrown by identity assertion callback handler when retrieving username from callback).	Failure
Security Framework	Posted after an unsuccessful identity assertion (when username returned from identity assertion callback handler is null or zero length).	Failure
Security Framework	Posted after a successful identity assertion.	Success
Security Framework	Posted after an unsuccessful identity assertion.	Failure
Security Framework	Posted after a successful impersonate identity (anonymous identity).	Success
Security Framework	Posted after a successful impersonate identity.	Success
Security Framework	Posted after an unsuccessful impersonate identity.	Failure
Security Framework	Posted after a failure of principal validation.	Failure

AuditAtzEvent

Authorization audit events are posted by the security framework. Table 4-4 describes the conditions under which the events are posted and severity level of the event.

Table 4-4 Authorization Audit Events
Component	Description	Severity
Security Framework	Posted if access is not allowed to resource (exception thrown by authorization provider).	Failure
Security Framework	Posted if access is allowed to resource.	Success
Security Framework	Posted if access is not allowed to resource.	Failure

AuditCredentialMappingEvent

Credential Mapping audit events are posted by the security framework. Table 4-5. describes the condition under which the events are posted and severity level of the event.

Table 4-5 Credential Mapping Audit Events
Component	Description	Severity
Security Framework	Posted after each successful get of credentials.	Success

AuditMgmtEvent

Management audit events are not currently posted by either the security framework or by the supplied providers.

AuditPolicyEvent

AuditPolicyEvent are posted by the security framework and the WebLogic Authorization provider. The security framework posts audit policy events when policies are deployed to or undeployed from an authorization provider. The WebLogic Server authorization provider posts audit policy events when creating, deleting, or updating policies. Table 4-6 describes the conditions under which the events are posted and lists the event severity level.

Table 4-6 Audit Policy Events
Component	Description	Severity
Security Framework	Posted after successful deploy of policy.	Success
Security Framework	Posted after unsuccessful deploy of policy.	Failure
Security Framework	Posted after successful undeploy of policy.	Success
Security Framework	Posted after an unsuccessful undeploy of policy.	Failure
WebLogic Authorization Provider	Posted after the following events occur: A successful create of policy from console An unsuccessful create of policy from console (various exceptions) A successful remove of policy from console An unsuccessful remove of policy from console (various exceptions) A successful update of policy from console An unsuccessful update of policy from console (various exceptions)	Success

AuditRoleDeploymentEvent

The security framework posts audit role deployment events when roles are deployed to or undeployed from a role mapping provider. Table 4-7 describes the conditions under which the events are posted and lists the event severity level.

Table 4-7 Audit Role Deployment Events
Component	Description	Severity
Security Framework	Posted after each successful role deployment to a role mapping provider.	Success
Security Framework	Posted after each unsuccessful role deployment to a role mapping provider.	Failure
Security Framework	Posted after each successful role undeployment from a role mapping provider.	Success
Security Framework	Posted after each unsuccessful role undeployment from a role mapping provider.	Failure

AuditRoleEvent

The WebLogic Role Mapping provider posts audit role events when roles are created, deleted, or updated. Table 4-8 describes the conditions under which the events are posted and lists the event severity level.

Table 4-8 Audit Role Events
Component	Description	Severity
WebLogic Role Mapping Provider	Posted after the following events occur: A successful create of role from console An unsuccessful create of role from console (various exceptions) A successful remove of role from console An unsuccessful remove of role from console (various exceptions) A successful update of role from console An unsuccessful update of role from console (various exceptions)	Success

Admin Policy Audit Events

Table 4-9 lists and describes the administration policy events that are audited.

Table 4-9 Admin Policy Audit Events
Policy Element	Action	Type	Event Description
Declaration/Attribute	create	declaration	Create a new attribute declaration.
	delete	declaration	Delete an attribute declaration.
	rename	declaration, new_name	Rename an attribute declaration.
	modify	declaration	Modify an attribute declaration.
Declaration/Constant	create	declaration, value	Create a new constant.
	delete	declaration, value	Delete a constant.
	rename	declaration, value, new_name	Rename a constant.
	modify	declaration, value, new_value	Modify a constant.
Declaration/Enumeration	create	declaration, value	Create a new enumeration.
	delete	declaration, value	Delete an enumeration.
	rename	declaration, value, new_name	Rename an enumeration.
	modify	declaration, value, new_value	Modify an enumeration.
Declaration/Evaluation Function	create	declaration	Create an evaluation function.
	delete	declaration	Delete an evaluation function.
	rename	declaration, new_name	Rename an evaluation function.
Identity/Directory/Instance	create	directory	Create a directory.
	delete	directory	Delete a directory.
	cascade Delete	directory	Delete a directory and all its users.
	rename	directory, new_name	Rename a directory.
Identity/Directory/ AttributeMapping/ Single	create	attribute, default_value, directory	Add a scalar attribute to a directory attribute schema.
	delete	attribute, default_value, directory	Delete a scalar attribute from a directory attribute schema.
	modify	attribute, default_value, directory, new_default_value	Modify a scalar attribute in a directory attribute schema.
Identity/Directory/ AttributeMapping/ List	create	attribute, default_value, directory	Add a vector attribute to a directory attribute schema.
	delete	attribute, default_value directory	Delete a vector attribute from a directory attribute schema.
	modify	attribute, default_value, directory, new_default_value	Modify a vector attribute in a directory attribute schema.
Identity/Subject/ User	create	subject_name	Create a new user.
	copy	subject_name, new_subject_name	Copy a user.
	delete	subject_name	Delete a user.
	cascade Delete	subject_name	Cascade a user and all policies associated with the user.
	rename	subject_name, new_subject_name	Rename a user.
Identity/Subject/ Group	create	subject_name	Create a new group.
	delete	subject_name	Delete a group.
	rename	subject_name, new_subject_name	Rename a group.
	addMember	subject_name, member_subject	Add a member to a group.
	remove Member	subject_name, member_subject	Remove a member from a group.
Identity/Subject/ Attribute Assignment/ Single	create	attribute, value, subject_name	Set a value to a currently unset scalar subject attribute.
	delete	attribute, value, subject_name	Unset a currently set scalar subject attribute.
	modify	attribute, value, subject_name, new_value	Modify the value of a currently set scalar subject attribute.
Identity/Subject/ Attribute Assignment/List	create	attribute, value, subject_name	Set a value to a currently unset vector subject attribute.
	delete	attribute, value, subject_name	Unset a currently set vector subject attribute.
	modify	attribute, value, subject_name, new_value	Modify the value of a currently set vector subject attribute.
Identity/Subject/ Password	modify	subject_name	Modify the user password. The "subject_name" attribute contains the name of the user with which the password is associated.
Resource/Instance	create	resource, resource_type	Create a new resource.
	delete	resource	Delete a resource.
	cascade Delete	resource	Cascade delete of a resource. This includes deletion of all child resources and associated policies.
	rename	resource, new_name	Rename a resource.
Resource/Attribute Assignment/Single	create	attribute, resource, value	Set a value to a currently unset scalar resource attribute.
	delete	attribute, resource, value	Unset a currently set scalar resource attribute.
	modify	attribute, resource, value, new_value	Modify the value of a currently set scalar resource attribute.
Resource/Attribute Assignment/List	create	attribute, resource, value	Set a value to a currently unset vector resource attribute.
	delete	attribute, resource, value	Unset a currently set vector resource attribute.
	modify	attribute, resource, value, new_value	Modify the value of a currently set vector resource attribute
Resource/Metadata/ IsApplication	modify	resource, value, new_value	Toggle the "is application" resource metadata.
Resource/Metadata/ IsDistributionPoint	modify	resource, value, new_value	Toggle the "is distribution point" resource metadata.
Resource/Metadata/ Logical Name	create	logical_name, resource	Create a logical name for a resource.
	delete	logical_name, resource	Delete the logical name of a resource.
	rename	logical_name, resource, new_name	Rename the logical name of a resource.
Policy/Rule/Grant	create	action, resource, subject_name, constraint	Create a new grant policy. The "action", "resource", and "subject_name" attributes are lists.
	delete	action, resource, subject_name, constraint	Delete a grant policy. The "action", "resource", and "subject_name" attributes are lists.
	modify	action, resource, subject_name, constraint, new_action, new_resource, new_subject_name, new_constraint	Modify a grant policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Rule/Deny	create	action, resource, subject_name, constraint	Create a new deny policy. The "action", "resource", and "subject_name" attributes are lists.
	delete	action, resource, subject_name, constraint	Delete a deny policy. The "action", "resource", and "subject_name" attributes are lists.
	modify	action, action_type, resource, subject_name, subject_type, constraint, new_effect, new_action, new_action_type, new_resource, new_subject_name, new_subject_type, new_constraint	Modify a deny policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Rule/Delegate	create	action, resource, subject_name, delegator, constraint	Create a new delegate policy. The "action", "resource", and "subject_name" attributes are lists.
	delete	action, resource, subject_name, delegator, constraint	Delete a delegate policy. The "action", "resource", and "subject_name" attributes are lists.
	modify	action, resource, subject_name, delegator, constraint, new_action, new_resource, new_subject_name, new_delegator, new_constraint	Modify a delegate policy. The "action", "resource", and "subject_name" attributes are lists.
Policy/Action/Role/ Instance	create	action	Create a new role.
	delete	action	Delete a role.
	rename	action, new_name	Rename a role.
Policy/Action/ Privilege/Instance	create	action	Create a privilege.
	delete	action	Delete a privilege.
	rename	action, new_name	Rename a privilege.
Policy/Action/ Privilege/Group	create	action_group	Create a privilege group.
	delete	action_group	Delete a privilege group.
	rename	action_group, new_name	Rename a privilege group.
	addMember	action_group, action	Add a privilege to a privilege group.
	remove Member	action_group, action	Remove a privilege from a privilege group.
Policy/Analysis/ Inquiry Query	create	title, owner, effect_type, subjects, actions, resources, delegator	Create a new policy query.
	delete	title, owner	Delete a policy query.
	modify	title, owner, effect_type, subjects, actions, resources, delegator	Modify a policy query.
	execute	title, owner, effect_type, subjects, actions, resources, delegator	Execute a policy query. If this is an unsaved query "title" and "owner" is set to an emptystring.
Policy/Analysis/ Verification Query	create	title, owner, actions, resources	Create a new policy verification query.
	delete	title, owner	Delete a policy verification query.
	modify	title, owner, actions, resources	Modify a policy verification query.
	execute	title, owner, actions, resources	Execute a policy verification query. If this is an unsaved query "title" and "owner" is set to an emptystring.
Policy/Repository	deploy Update	resource, directory	Deploy a policy update. The "resource" is the distribution node; all nodes below it may be effected. This check is made for each chosen distribution point
Policy/Repository	deploy Structural Change	deleted_directories, deployed_engines, deleted_engines, deleted_bindings, deleted_applications	Deploy a structural change.
Infrastructure/Engines/ARME	create	engine	Create a new SSM.
	delete	engine	Delete an SSM.
	rename	engine, new_name	Rename an SSM.
	bind	engine, resource	Bind a resource to an SSM.
	unbind	engine, resource	Unbind a resource from an SSM.
Infrastructure/Engines/SCM	create	engine	Create an SCM.
	delete	engine	Delete an SCM.
	rename	engine, new_name	Rename an SCM.
	bind	engine, resource	Bind an SSM to an SCM. A "resource" contains the name of the SSM.
	unbind	engine, resource	Unbind an SSM from an SCM. A "resource" contains the name of the SSM.
Infrastructure/ Management/Console	login		Login to the ALES administration console.
Infrastructure/ Management/BulkManager	login		Login to the ALES policy loader.

Additional Audit Event Interfaces

Authentication - AuditAtnEvent

The AuditAtnEvent interface provides an interface for audit providers to determine the instance types of the extended authentication event type objects. Table 4-10 describes the event properties.

Table 4-10 Authentication - AuditAtnEvent
Event Property	Description
AUTHENTICATE	Represents the "simple authentication" authentication type.
USERLOCKED	Indicates that a user was locked because of a series of failed login attempts.
USERLOCKOUTEXPIRED	Indicates that a lock on a user has expired.
USERUNLOCKED	Indicates that a lock on a user was cleared.
ASSERTIDENTITY	Represents the identity assertion authentication token type.
IMPERSONATEIDENITY	Represents the impersonate identity authentication type.

When this event is generated, the following information associated with this AuditAtnEvent is available:

There are both pre- and post-authorization access control checks; each of which generates pre- and post-operation audit write events. The AuditAtzEvent event interface is used to report events that result when access is allowed on a resource. The Audit Channel provider is called on both the pre- and post-operation cases. The exceptions reported using this event must derive from the java.security.GeneralSecurityException.

When this event is generated, the following information associated with this AuditAtzEvent is available:

The resource container that handles the type of resource requested (for example, in WebLogic Server, the EJB container receives the request for an EJB resource) constructs a ContextHandler object that may be used by an authorization provider Access Decision to obtain information associated with the context of the request. This ContextHandler object is also available with this AuditAtzEvent. For more information about the ContextHandler object, see ContextHandler Object.

Policy Deployment - AuditPolicyDeployEvent

The AuditPolicyDeployEvent event interface is used when the Authorization Manager deployPolicy method is called. When this event is generated, the following information is available:

Policy Undeployment - AuditPolicyUndeployEvent

The AuditPolicyUndeployEvent event interface is used when the Authorization Manager undeployPolicy method is called. When this event is generated, the following information is available:

The exception that occurred (if any) while attempting to carry out this action. Typically, there is only an exception if the severity is error or failure.

Policy Events - AuditPolicyEvent

The AuditPolicyEvent event interface determines the instance types of extended Authorization event type objects. Table 4-11 describes the event subtypes.

Table 4-11 Policy Event- AuditPolicyEvent
Event Subtype	Description
DEPLOY	Indicates that a policy deployment event occurred.
UNDEPLOY	Indicates that a policy undeployment event occurred.
UPDATE	Indicates that a policy was updated.

Role Mapping - AuditRoleEvent

The AuditRoleEvent event provides an interface for auditing providers to determine the instance types of extended Role Mapping event type objects. Table 4-12 describes the event subtypes.

Table 4-12 Role Mapping - AuditRoleEvent
Event Subtype	Description
DEPLOY	Indicates that a role mapping deployment event occurred.
UNDEPLOY	Indicates that a role mapping undeployment event occurred.
UPDATE	Indicates that a role mapping was updated.

The resource container that handles the type of resource being requested (for example, with WebLogic Server, the EJB container receives the request for an EJB resource) constructs a ContextHandler object that may be used by an Authorization provider Access Decision to obtain information associated with the context of the request. This ContextHandler object is also available with this AuditAtzEvent. For more information about the ContextHandler object, see ContextHandler Object.

Role Deployment - AuditRoleDeployEvent

The AuditRoleDeployEvent event provides a interface used by the role mapping service to determine the instance types of extended Role Mapping deployment event type objects.

Role Undeployment - AuditRoleUndeployEvent

The AuditRoleUndeployEvent event provides a interface used by the role mapping service to determine the instance types of extended Role Mapping undeployment event type objects.

Predicate Events - AuditPredicateEvent

The AuditPredicateEvent event provides a interface for auditing providers to determine the instance type of extended predicate event type objects. A predicate event occurs when a policy expression is either registered or unregistered in the Administration Console. Table 4-13 describes the event subtypes.

Table 4-13 Predicate Events - AuditPredicateEvent
Event Subtype	Description
REGISTER	Occurs when a policy expression is registered.
UNREGISTER	Occurs when a policy expression is registered.

ContextHandler Object

A ContextHandler is a class that obtains additional context and container-specific information from the resource container, and provides that information to security providers making access or role mapping decisions. The ContextHandler interface provides a way for an application or container to pass additional information to a Security Framework call, so that a security provider can obtain contextual information beyond what is provided by the arguments to a particular method. A ContextHandler is essentially a name/value list and as such, it requires a security provider to know what names to look for. In other words, use of a ContextHandler requires close cooperation between the resource container and the security provider. Each name/value pair in a ContextHandler is known as a context element, and is represented by a ContextElement object.

A context handler is an object that is included with some event types that allows an audit provider to extract other information about the state of the application server at the time of the audit event. The audit provider may log this other contextual information as a way to elaborate on the event and provide other useful information about the causes of the event.

PolicyAdministrationEvent

The PolicyAdministrationEvent event is used when AquaLogic Enterprise Security policy is modified or deployed using the AquaLogic Enterprise Security Administration console or bulk loader. When this event is generated, the following information is available:

The exception that occurred (if any) while attempting to carry out this action. Typically, there will only be an exception if the severity is error or failure.

Using Custom Audit Providers

You can use a custom auditing provider instead of the Log4j Audit Channel provider. For a custom auditing provider to be configurable through the Administration Console, the MBean JAR file for the provider must be installed into the BEA_HOME..//lib/providers directory on both the machine on which the Administration Application is installed and on the machine on which the Security Service Module is installed. For complete instructions for configuring a custom security provider, see Configuring a Custom Security Provider in the Console Help.

Administration Reference