Part 8/9. Signing your security audit records

The audit log can be digitally signed to make it tamper-proof. A digitally signed log is also Base-64 encoded, so it cannot be read in a text editor without first decoding it. The only way to read a digitally signed audit log is therefore to generate an HTML report with the binaryAuditLogReader tool.

Open Administrative console as Auditor

Expand Security under Navigation Pane

Click on Security Auditing

Click on Audit record signing configuration under Related Items

  • Check Enable signing
  • Select a managed keystore (Accept the default value)
  • Select default for Certificate alias
  • Click OK button

  • Click Save hyperlink
  • Restart application server

  • Open audit log (found under <profile_root>/logs/<server_name>)

Note: The certificate information used for signing is written under the Signing_information element

Also note that the event is base-64 encoded

  • Generate an HTML report and check whether you are still able to see the events
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./wsadmin.sh -lang jython -username security_auditor -password websphere

WASX7209I: Connected to process "server1" on node node01 using SOAP connector; The type of process is: UnManagedProcess

WASX7031I: For help, enter: "print Help.help()"

wsadmin>AdminTask.binaryAuditLogReader('-interactive')

Binary Audit Log Reader

Binary Audit Log Reader Command

*File name of the Binary Audit log (fileName): /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log

Report mode selection (reportMode): basic

Event(s) filter (eventFilter):

Outcome(s) filter (outcomeFilter):

Sequence filter (sequenceFilter):

Timestamp filter (timeStampFilter):

Key Store Password (keyStorePassword):

*Output HTML file location (outputLocation): /home/steve/Documents/report.html

Data points to report (dataPoints):

Binary Audit Log Reader

F (Finish)

C (Cancel)

Select [F, C]: [F] F

WASX7278I: Generated command line: AdminTask.binaryAuditLogReader('[-fileName /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log -reportMode basic -outputLocation /home/steve/Documents/report.html ]')

'true'

wsadmin>quit

steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$
