Part 7/9. Creating an event filter

Now open the WebSphere Administrative console as “security_auditor”, the user who holds the Auditor administrative role, to create a new Event Type filter. An Event Type filter represents a type of security event; when it is added to an Audit Event Factory and an Audit Service Provider, events of that type are sent to the audit log. WebSphere comes with four Event Type filters pre-configured.

  • Expand Security in Navigation pane
  • Click Security auditing
  • Click Event type filters under “Related Items”

Enabling Verbose Auditing will result in additional information being written to the audit log for every event.

  • Click New button

  • Give a name to the Event Type filter
  • Select the type of event, say SECURITY_AUTHZ
  • Select the type of outcome, say DENIED
  • Click OK button

  • Click Save hyperlink

7a. Configuring Audit Service Provider

The Audit Service Provider is a key component to configure. It also controls the rotation policy for the security audit log file. The event type filter created in the previous step has to be added to the Audit Service Provider so that the events it represents are written to the audit log.

  • Open Administrative console as Auditor
  • Expand Security in Navigation pane
  • Click Security Auditing hyperlink
  • Click Audit service provider under Related Items

An Audit service provider is already pre-configured.

  • Click the existing Audit service provider

You will find the new Event Type filter under Selectable Filters.

  • Select it and click on the right arrow to move it to Enabled Filters section
  • Click OK button

  • Click Save hyperlink

7b. Configuring Audit Event Factory

The Audit event factory is responsible for receiving the audit event messages, creating event objects and forwarding them to the Audit Service Provider. So, in a way, the Audit service provider depends on the Audit event factory object.

  • Open Administrative console as Auditor
  • Expand Security in Navigation pane
  • Click Audit event factory configuration

  • Click on the pre-configured Audit event factory object

  • Select the Event type filter created earlier
  • Click the right arrow to move it from Selectable filters to Enabled filters
  • Click OK button

  • Click Save hyperlink

  • Restart Application server
  • Try to stop the server using Auditor credentials

Notice that the message “ADMN0022E: Access is denied for the stop operation on Server MBean because of insufficient or empty credentials” is displayed on the command line.

steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./stopServer.sh server1 -username security_auditor -password websphere
ADMU0116I: Tool information is being logged in file
           /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/stopServer.log
ADMU0128I: Starting tool with the appsrv01 profile
ADMU3100I: Reading configuration for server: server1
ADMU0111E: Program exiting with error: javax.management.JMRuntimeException:
           ADMN0022E: Access is denied for the stop operation on Server MBean
           because of insufficient or empty credentials.
ADMU4113E: Verify that username and password information is correct. If
           running tool from the command line, pass in the correct -username
           and -password. Alternatively, update the <conntype>.client.props
           file.
ADMU1211I: To obtain a full trace of the failure, use the -trace option.
ADMU0211I: Error details may be seen in the file:
           /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/stopServer.log
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$

  • Open audit log using a text editor
  • Note the SECURITY_AUTHZ event written to the audit log
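To confirm this last step without reading the log by eye, the following added example (not part of the original tutorial and not IBM tooling) filters audit records for SECURITY_AUTHZ events with outcome DENIED and counts them per user. The `Key = Value | Key = Value` record layout, the `RegistryUserName` and `ProgName` field names and the sample lines are assumptions constructed for illustration; adjust them to what your audit log actually contains.

```python
# Constructed sample records. The "Key = Value | Key = Value" layout and the
# field names are assumptions, not copied from a real WebSphere audit log.
SAMPLE_LOG = """\
Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = SUCCESS | RegistryUserName = security_auditor | ProgName = adminRequest
Seq = 1 | Event Type = SECURITY_AUTHZ | Outcome = DENIED | RegistryUserName = security_auditor | ProgName = stop
Seq = 2 | Event Type = SECURITY_AUTHZ | Outcome = SUCCESS | RegistryUserName = wasadmin | ProgName = getState
not an audit record
"""


def parse_record(line):
    """Split one pipe-delimited record into a dict; return None if malformed."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(" = ")
        if not sep:  # no "Key = Value" pair: header, blank or wrapped line
            return None
        fields[key.strip()] = value.strip()
    # A record without an event type cannot be matched against a filter.
    return fields if "Event Type" in fields else None


def matching_events(text, event_type="SECURITY_AUTHZ", outcome="DENIED"):
    """Return the records that the event type filter from this part selects."""
    hits = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["Event Type"] == event_type and rec.get("Outcome") == outcome:
            hits.append(rec)
    return hits


def denied_by_user(text):
    """Count denied authorization events per user name."""
    counts = {}
    for rec in matching_events(text):
        user = rec.get("RegistryUserName", "<unknown>")
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in matching_events(SAMPLE_LOG):
        print(rec["Seq"], rec.get("RegistryUserName"), rec.get("ProgName"))
    print(denied_by_user(SAMPLE_LOG))
```

To run it against a real file, read the audit log into a string and pass that to `matching_events` in place of `SAMPLE_LOG`.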
