Audit Log
The audit log records creation, modification, and deletion of all user-accessible configuration elements, and access to critical security data such as public keys. For each logged event it records the associated user-id, date, time, event type, and whether the action succeeded or failed. The log therefore supports after-the-fact investigation of loss or impropriety and an appropriate management response. Only admin-level users have audit log access; they can retrieve, read, copy, and upload the audit log. The original log cannot be deleted or edited by any operator action.
The audit log is transferred to one or more SFTP servers when any of the following conditions is met:
- A configurable amount of time has elapsed since the last transfer.
- The size of the audit log (measured in megabytes) has reached a configured threshold.
- The size of the audit log has reached a configured percentage of the allocated storage space.
Transfer is targeted to a designated directory on each SFTP target server. Audit logs can be viewed after they have been transferred.
Audit Log Syntax
The audit log file is stored on the target SFTP server or servers with a filename of the form:
<hostname>-audit<timestamp>
where:
- <hostname> is the name of the host to which the log gets sent.
- <timestamp> is a 12-digit string in the format YYYYMMDDHHMM.
For example, the filename
myhost-audit-200903051630
names an audit log file transferred to an SFTP server named 'myhost' on March 5, 2009 at 4:30 PM.
Audit Log Format
Audit log events are comma-separated-values (CSV) lists with the following format:
{TimeStamp,user-id@address:port,Category,EventType,Result,Resource,Details,...}
For example:
{2009-03-05 15:19:27,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.}
- TimeStamp specifies the time that the event was written to the log.
- Category takes the values: security | configuration | system
- EventType takes the values: create | modify | delete | login | logout | data-access | save-config | reboot | acquire-config
- Result takes the values: successful | unsuccessful
- Resource identifies the configuration element accessed by the user.
- Details depends on the EventType:
  - If EventType = create, Details is “New = element added”
  - If EventType = modify, Details is “Previous = oldValue New = newValue”
  - If EventType = delete, Details is “Element = deleted element”
  - If EventType = data-access, Details is “Element = accessed element”
The following event types are logged; a sample entry follows each one.
- Login: every login attempt
2009-03-05 17:31:14,sftp-elvis@192.2.0.10:22,security,login,success,authentication,,.
- Logout: every logout attempt
2009-03-05 18:44:03,sftp-elvis@192.2.0.10:22,security,logout,success,authentication,,.
- save-config: every save-config CLI command
2009-03-05 15:45:29,acliConsole-admin@console,configuration,save-config,success,CfgVersion=111,,.
- activate-config: every activate-config CLI command
2009-03-05 15:45:36,acliConsole-admin@console,configuration,activate-config,success,RunVersion=111,,.
- DataAccess:
  - a) an attempt to retrieve data using SFTP
  - b) an attempt to export using ssh-key
  - c) an attempt to display security info using show security
  - d) an attempt to kill a session using kill
2009-03-05 15:25:59,sftp-elvis@192.2.0.10:22,security,data-access,success,code/auditaudit200903051518,,.
- Create:
  - a) any action that creates a configuration property
  - b) any action that creates a file
2009-03-05 15:45:01,acliConsole-admin@console,configuration,create,success,public-key,Element= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='1' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:45:01'> </sshPubKeyRecord>
- Modify:
  - a) any action that modifies a configuration property
2009-03-05 15:48:01,acliConsole-admin@console,configuration,modify,success,public-key,Previous= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='1' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:45:01'> </sshPubKeyRecord> New= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='2' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:48:01'> </sshPubKeyRecord>
- Delete:
  - a) any action that deletes a configuration property
  - b) any action that deletes a file
2009-03-05 15:51:39,acliConsole-admin@console,configuration,delete,success,public-key,Element= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment='' keyType='2' encrType='2' keySize='1024' pubKey='' privKey='' fingerPrint='' fingerPrintRaw='' lastModifiedBy='acmin@console' lastModifiedDate='2009-03-05 15:51:39'> </sshPubKeyRecord>
Audit Log Format for HTTP Headers
When audit-http is enabled, the SBC logs HTTP requests so that administrators can audit which IP address requested which resource. Each HTTP audit entry contains the following fields, in order:
- Timestamp
- Source IP and port
- The literal string "http"
- The destination IP and port
- The HTTP request line
- The HTTP return status
- The HTTP Referer
- The HTTP User-Agent
- All headers (only if detail-level is set to verbose)
Audit Log Samples
The following examples of audit log entries cover authentication, file access, configuration changes, and HTTP headers.
Authentication
An example of a successful login from the console:
2020-03-27 12:59:57,console-admin@console,security,login,success,authentication,,.
An example of a successful login with SSH:
2020-03-27 13:25:04,ssh-admin@10.0.0.1,security,login,success,keyboard-interactive/pam for admin from 10.0.0.1 port 52687 ssh2,,.
An example of a failed login with SSH:
2020-03-27 10:34:28,ssh-admin@10.0.0.1,security,login,failure,keyboard-interactive/pam for admin from 10.0.0.1 port 51368 ssh2,,.
An example of a successful login with SFTP:
2020-03-27 13:13:30,sftp-admin@10.0.0.1,security,data access,success,".",,.
File Access
An example of successfully accessing a file over SFTP:
2020-03-27 13:56:34,sftp-admin@10.0.0.1,security,create,success,"/opt/logs/syslog" flags READ mode 0666,,.
An example of failing to access a file over SFTP because of the file permissions:
2020-03-27 13:57:26,sftp-admin@10.0.0.1,security,create,failure,"/code/ssh/ssh_host_dsa_key.pub" flags READ mode 0666,,.
An example of successfully deleting a file over SFTP:
2020-03-27 13:34:25,sftp-admin@10.0.0.1,security,delete,success,name "/code/audit/ADMINSEC-audit202003261134",,.
An example of failing to delete a file over SFTP because of the file permissions:
2020-03-27 14:23:00,sftp-admin@10.0.0.1,security,delete,failure,name "/boot/bootloader",,.
An example of failing to delete a directory:
2020-03-27 14:09:51,sftp-admin@10.0.0.1,security,delete,failure,name "/code/ssh/",,.
Configuration Changes
An example of accessing security information (here, a show security ssh-pub-key command that failed):
2020-03-27 13:59:32,console-admin@127.0.0.1:0,configuration,data access,failure,show security ssh-pub-key,,.
An example of saving the configuration:
2020-03-27 14:33:02,console-admin@127.0.0.1:0,configuration,save-config,success,CfgVersion=12,,.
An example of activating the configuration:
2020-03-27 14:33:07,console-admin@127.0.0.1:0,configuration,activate-config,success,RunVersion=12,,.
HTTP Headers
When audit-http is enabled and detail-level is set to brief, the following is an example log from a Web GUI HTTP request:
2019-11-22 12:11:44,10.0.0.1:49026,http,10.0.0.3:81,"POST /egi/acmePacketWebService HTTP/1.1",200,"http://10.0.0.3:81/","Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
And the following is an example log from a REST request:
2019-11-22 14:47:29,10.0.0.4:59296,http,10.0.0.3:8443,"POST /rest/v1.0/auth/token HTTP/1.1",200,,"curl/7.29.0",
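As an added example, not code from the SBC documentation or product, the following Python parses records of both layouts described above: the event record format from Audit Log Format, with its EventType-dependent Details, and the audit-http format from Audit Log Format for HTTP Headers. It then runs the review checks an administrator reading the log would want: failed logins per account, failures that touch sensitive resources, attribute-level diffs of the Previous/New records carried by modify events, and HTTP requests per source. The sample records are constructed after the samples on this page (XML quotes normalised to ASCII apostrophes), and the watch-list of sensitive resources is an assumption of the example.

```python
"""Parser and review pass for the two audit-log record formats documented above: event records
and audit-http records. Added example, not the SBC's own tooling; the sample lines are constructed
after the samples on this page (XML quotes normalised to ASCII) and are not captured product output."""
import csv
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample records (modelled on the samples on this page).
SAMPLE_LINES = [
    "2020-03-27 10:34:28,ssh-admin@10.0.0.1,security,login,failure,"
    "keyboard-interactive/pam for admin from 10.0.0.1 port 51368 ssh2,,.",
    '2020-03-27 13:57:26,sftp-admin@10.0.0.1,security,create,failure,'
    '"/code/ssh/ssh_host_dsa_key.pub" flags READ mode 0666,,.',
    "2020-03-27 13:59:32,console-admin@127.0.0.1:0,configuration,data access,failure,"
    "show security ssh-pub-key,,.",
    "2009-03-05 15:48:01,acliConsole-admin@console,configuration,modify,success,public-key,"
    "Previous= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment=''"
    " keyType='2' encrType='1' keySize='1024' lastModifiedDate='2009-03-05 15:45:01'> </sshPubKeyRecord>"
    " New= <?xml version='1.0' standalone='yes'?> <sshPubKeyRecord name='dummy' comment=''"
    " keyType='2' encrType='2' keySize='1024' lastModifiedDate='2009-03-05 15:48:01'> </sshPubKeyRecord>",
    '2019-11-22 14:47:29,10.0.0.4:59296,http,10.0.0.3:8443,'
    '"POST /rest/v1.0/auth/token HTTP/1.1",200,,"curl/7.29.0",',
]

EVENT_FIELDS = ("timestamp", "actor", "category", "event_type", "result", "resource")
HTTP_FIELDS = ("timestamp", "src", "marker", "dst", "request_line", "status", "referer", "user_agent")
DETAIL_KEY = re.compile(r"\s*\b(Previous|New|Element)\s*=\s*")
# Constructed watch-list: failed access to these resources deserves review (not from the product).
SENSITIVE = ("/code/ssh", "/code/audit", "/boot", "show security")


def parse_details(text):
    """Split 'Previous= ... New= ...' or 'Element= ...' into a dict; {} when Details is empty."""
    parts = DETAIL_KEY.split(text)  # ['', key, value, key, value, ...]
    return dict(zip(parts[1::2], (v.strip() for v in parts[2::2])))


def parse_event_line(line):
    """Parse a {TimeStamp,user-id@address:port,Category,EventType,Result,Resource,Details,...} record."""
    # Quotes inside Resource are literal text ("/path" flags READ ...), so CSV quoting is disabled;
    # skipinitialspace absorbs the stray blanks after commas seen in some of the page's samples.
    fields = next(csv.reader([line], quoting=csv.QUOTE_NONE, skipinitialspace=True))
    if len(fields) < len(EVENT_FIELDS):
        raise ValueError(f"malformed audit record: {line!r}")
    ev = dict(zip(EVENT_FIELDS, fields))
    rest = fields[len(EVENT_FIELDS):]
    if rest and rest[-1] == ".":  # most records end in ',,.': empty Details plus a '.' terminator
        rest = rest[:-1]
    ev["details"] = parse_details(",".join(rest))
    user_id, _, endpoint = ev["actor"].partition("@")
    address, sep, port = endpoint.rpartition(":")  # IPv4 address or a host name such as 'console'
    ev.update(user_id=user_id, address=address if sep else endpoint, port=port if sep else "")
    return ev


def parse_http_line(line):
    """Parse an audit-http record; request line, Referer and User-Agent are CSV-quoted fields."""
    fields = next(csv.reader([line]))
    ev = dict(zip(HTTP_FIELDS, fields))
    ev["status"] = int(ev["status"])
    ev["method"], ev["path"], _ = ev["request_line"].split(" ", 2)
    ev["headers"] = ",".join(fields[len(HTTP_FIELDS):])  # non-empty only with detail-level verbose
    return ev


def parse_line(line):
    """The literal 'http' in the third field marks an audit-http record; Category never takes that value."""
    third = next(csv.reader([line], quoting=csv.QUOTE_NONE))[2:3]
    return parse_http_line(line) if third == ["http"] else parse_event_line(line)


def changed_attributes(ev):
    """For modify events whose Previous/New details are XML records, return {attr: (old, new)}."""
    if "Previous" not in ev["details"] or "New" not in ev["details"]:
        return {}
    old = ET.fromstring(ev["details"]["Previous"]).attrib
    new = ET.fromstring(ev["details"]["New"]).attrib
    return {k: (old.get(k), new.get(k)) for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}


def review(lines):
    """Defensive checks over a batch of records: failed logins per actor, failures touching
    sensitive resources, attribute-level diffs of modify events, and HTTP requests per source."""
    report = {"failed_logins": Counter(), "sensitive_failures": [], "changed_attributes": [],
              "http_by_source": Counter()}
    for ev in map(parse_line, lines):
        if ev.get("marker") == "http":
            report["http_by_source"][ev["src"].rpartition(":")[0]] += 1
            continue
        actor = f"{ev['user_id']}@{ev['address']}"
        ok = ev["result"] in ("success", "successful")  # both spellings appear in the documentation
        if ev["event_type"] == "login" and not ok:
            report["failed_logins"][actor] += 1
        if not ok and any(s in ev["resource"] for s in SENSITIVE):
            report["sensitive_failures"].append(f"{ev['timestamp']} {actor} {ev['event_type']} {ev['resource']}")
        diff = changed_attributes(ev) if ev["event_type"] == "modify" else {}
        if diff:
            report["changed_attributes"].append((ev["resource"], diff))
    return report


if __name__ == "__main__":
    for key, value in review(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Two choices are worth noting. CSV quoting is disabled for event records because the quote characters there are literal text (the "/opt/logs/syslog" flags READ sample), whereas audit-http records use real CSV quoting for the request line, Referer and User-Agent. Both result spellings (success/failure and successful/unsuccessful) are accepted because the page uses both.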
Configure the Audit Log
The single-instance audit-logging configuration element enables, sizes, and locates the audit log within the local file structure. It also specifies the conditions that trigger transfer of the log to one or more SFTP servers.
Example 1-1 Example Configuration
A sample audit log configuration appears below:
ORACLE(audit-logging)# state enabled
ORACLE(audit-logging)# file-transfer-time 1
ORACLE(audit-logging)# percentage-full 0
ORACLE(audit-logging)# max-file-size 0
ORACLE(audit-logging)# audit-http enabled
This configuration allocates 32 MB (the default value) to the audit log and logs HTTP headers in brief mode. Audit log transfer to the configured SFTP server or servers occurs on an hourly schedule; the other transfer triggers (percentage-full and max-file-size) are disabled.
Configure SFTP Audit Log Transfer
Prior to using SFTP-enabled file transfer, import a copy of the SFTP server’s host key as a known host on the SBC. Then export the SBC's public key and add it to the authorized_keys file of the SFTP server.
- Add the SBC's public key to the authorized_keys file on the SFTP server.
- Import the SFTP server's host key into the SBC.
Configuring SFTP Servers
The multi-instance push-receiver configuration element identifies remote SFTP servers that receive audit log transfers.
Audit Log Alarms and Traps
Three audit log alarms and traps are provided to report significant or anomalous audit log activity.
The ALARM_AUDIT_LOG_FULL trap/alarm is generated in response to (1) the expiration of the file-transfer-time interval, (2) the crossing of the percentage-full threshold, or (3) the crossing of the max-file-size threshold. This trap/alarm is cleared when storage space becomes available, generally upon successful transfer of the audit log to a remote SFTP server or servers.
The ALARM_ADMIN_AUDIT_PUSH_FAIL trap/alarm is generated in response to failure to transfer the audit log to a designated SFTP server. This trap/alarm is cleared when a subsequent transfer to the same recipient succeeds.
The ALARM_AUDIT_WRITE_FAILED trap/alarm is generated in response to failure to record an auditable event in the audit log. This trap/alarm is cleared when a subsequent write succeeds.
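Because the original log cannot be edited on the SBC, the copies pushed to the SFTP servers are the record an investigator relies on, and a missed push (the condition ALARM_ADMIN_AUDIT_PUSH_FAIL reports on the SBC side) is worth detecting on the collector side as well. The following Python is an added example, not part of the product or its documentation: it parses the <hostname>-audit<timestamp> filenames described under Audit Log Syntax (accepting the hyphenated form in the page's example too) and reports gaps in the hourly cadence of the sample configuration. The directory listing and the five-minute slack are constructed assumptions.

```python
"""Check the audit-log files pushed to an SFTP target directory for gaps in the transfer schedule.
Added example, not part of the SBC or its documentation. Assumes the <hostname>-audit<timestamp>
filename layout described above (the hyphenated form in the page's example is accepted as well)
and the hourly file-transfer-time of the sample configuration; the directory listing is constructed."""
import re
from datetime import datetime, timedelta

# <hostname>-audit<YYYYMMDDHHMM>, with the optional hyphen seen in the page's 'myhost-audit-...' example.
AUDIT_NAME = re.compile(r"^(?P<host>.+?)-audit-?(?P<ts>\d{12})$")


def audit_timestamp(ts):
    """Convert the 12-digit YYYYMMDDHHMM string from a filename into a datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M")


def parse_audit_filename(name):
    """Return (hostname, datetime) for an audit-log filename, or None for an unrelated file."""
    m = AUDIT_NAME.match(name)
    if m is None:
        return None
    return m.group("host"), audit_timestamp(m.group("ts"))


def group_by_host(filenames):
    """Sorted transfer timestamps per hostname; files that do not match the layout are ignored."""
    by_host = {}
    for name in filenames:
        parsed = parse_audit_filename(name)
        if parsed is not None:
            by_host.setdefault(parsed[0], []).append(parsed[1])
    return {host: sorted(stamps) for host, stamps in by_host.items()}


def find_transfer_gaps(filenames, interval=timedelta(hours=1), slack=timedelta(minutes=5)):
    """Consecutive pushes further apart than interval + slack: a missed transfer, which is the
    condition ALARM_ADMIN_AUDIT_PUSH_FAIL reports on the SBC, seen from the collector."""
    gaps = []
    for host, stamps in group_by_host(filenames).items():
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > interval + slack:
                gaps.append((host, prev, cur))
    return gaps


def stale_hosts(filenames, now, interval=timedelta(hours=1), slack=timedelta(minutes=5)):
    """Hosts whose newest pushed file is older than one interval (plus slack) at time 'now'."""
    return sorted(host for host, stamps in group_by_host(filenames).items()
                  if now - stamps[-1] > interval + slack)


# Constructed listing of an SFTP target directory: hourly pushes from 'myhost' with a two-hour
# hole, one file from a second SBC, and an unrelated file that must be ignored.
SAMPLE_LISTING = [
    "myhost-audit-200903051630",
    "myhost-audit200903051730",
    "myhost-audit200903051930",
    "ADMINSEC-audit202003261134",
    "syslog.1",
]

if __name__ == "__main__":
    for host, prev, cur in find_transfer_gaps(SAMPLE_LISTING):
        print(f"{host}: no audit log between {prev:%Y-%m-%d %H:%M} and {cur:%Y-%m-%d %H:%M}")
    print("stale:", stale_hosts(SAMPLE_LISTING, now=audit_timestamp("200903052100")))
```

Run against a real listing, the gap check is only meaningful per host, because each SBC names its files with its own hostname; the stale check needs the collector's clock to be in step with the SBC, or the slack widened accordingly.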