Part 9/9. Encrypting the Security Audit Log

The audit log can be encrypted so that its contents are unavailable to an intruder who obtains the file. Configuration is a two-step process: first, a keystore is configured with a digital certificate; second, encryption is enabled using that keystore.

Digitally signing the audit log, encrypting it, and selecting many event types to be written to the log all cost CPU cycles, so evaluate your requirements carefully before enabling them; otherwise they burden the CPU unnecessarily.

9.a Configuring Keystore and certificate required for encryption

  • Open Administrative Console and expand Security in Navigation pane
  • Click Security auditing
  • Click Audit encryption key stores and certificates

  • Click New

  • Give a name to the keystore
  • Enter the path where the keystore is to be created (Enter <profile_root>/properties/AuditKeyStore.p12)
  • Give a password for the keystore (You need to keep this password safe)
  • Confirm password by entering it again
  • Select PKCS12 as keystore type
  • Click OK button

  • Click Save hyperlink

  • Click on the keystore created just now

  • Click on Personal certificates hyperlink under Additional Properties
  • Click Create self-signed Certificate button (Note that for production use, you need to get this from a CA)

The encryption strength depends on the size of the key. The alias name is used to locate the certificate within the keystore.

  • Give an alias name
  • Select 1024 bits as the key size
  • Give a common name
  • Give the validity period for the certificate (Accept default value of 365 days)
  • Click OK button

9.b Audit record encryption configuration

  • Expand Security in Navigation Pane
  • Click Security auditing hyperlink
  • Click Audit record encryption configuration under Related Items

  • Check Enable Encryption
  • Select the keystore name from the drop-down
  • Select the alias name to locate the certificate within the keystore
  • Click OK button

  • Click Save hyperlink

  • Restart application server
  • Open audit log using a text editor

Note that encryption information is written into the audit log itself; seeing it in the text editor confirms that the audit records are encrypted.

To view the contents of the encrypted audit log, the binaryAuditLogReader tool can be used to decrypt and generate an HTML report.

Notice that this time you need to provide the keystore password to successfully generate the HTML report.

steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./wsadmin.sh -lang jython -username security_auditor -password websphere
WASX7209I: Connected to process "server1" on node node01 using SOAP connector; The type of process is: UnManagedProcess
WASX7031I: For help, enter: "print Help.help()"
wsadmin>AdminTask.binaryAuditLogReader('-interactive')
Binary Audit Log Reader

Binary Audit Log Reader Command

*File name of the Binary Audit log (fileName): /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log
Report mode selection (reportMode): basic
Event(s) filter (eventFilter):
Outcome(s) filter (outcomeFilter):
Sequence filter (sequenceFilter):
Timestamp filter (timeStampFilter):
Key Store Password (keyStorePassword): websphere
*Output HTML file location (outputLocation): /home/steve/Documents/reportDecrypted.html
Data points to report (dataPoints):

Binary Audit Log Reader

F (Finish)
C (Cancel)

Select [F, C]: [F] F
WASX7278I: Generated command line: AdminTask.binaryAuditLogReader('[-fileName /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log -reportMode basic -keyStorePassword ***** -outputLocation /home/steve/Documents/reportDecrypted.html ]')
'true'
wsadmin>quit

steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$

Note: The usage of the binaryAuditLogReader is recorded as a SECURITY_RESOURCE_ACCESS event.
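The same binaryAuditLogReader call can be run non-interactively from a wsadmin Jython script. The script below is an added example (not code from the original post or from IBM) that builds the parameter string wsadmin echoed above, but reads the keystore password from a file readable only by the WebSphere service user instead of taking it on the command line; the password file path is an assumption, and the script targets the Jython 2.1 interpreter bundled with wsadmin.

```python
# Added example: non-interactive decrypt of the binary audit log via wsadmin.
# Run with: ./wsadmin.sh -lang jython -username security_auditor -f decrypt_audit.py
# Written for Jython 2.1 (no 'with' statement, stat tuple instead of st_mode).
import os

# Assumed paths (placeholders): log and report paths from the post, plus a
# password file (not part of the post) created beforehand with mode 0600.
AUDIT_LOG = '/opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log'
OUTPUT_HTML = '/home/steve/Documents/reportDecrypted.html'
PASSWORD_FILE = '/opt/IBM/WebSphere/AppServer/profiles/apprv01/properties/audit_keystore.pw'

# Optional filter parameters of binaryAuditLogReader, in the order wsadmin prompts for them.
FILTER_NAMES = ('eventFilter', 'outcomeFilter', 'sequenceFilter', 'timeStampFilter')

def read_password(path):
    """Return the first line of the password file; refuse one readable by group/other."""
    mode = os.stat(path)[0]          # index 0 of the stat tuple is st_mode
    if mode & 63:                    # 63 == 0077: any group/other permission bit set
        raise IOError('%s must not be readable by group or other' % path)
    f = open(path)
    try:
        return f.readline().rstrip('\r\n')
    finally:
        f.close()

def quote(value):
    """Double-quote a value containing spaces so wsadmin parses it as one parameter."""
    if ' ' in value:
        return '"%s"' % value
    return value

def build_reader_args(file_name, output_location, password, report_mode='basic', filters=None):
    """Build the '[-fileName ... ]' string that wsadmin generated in interactive mode.
    filters: optional dict keyed by the names in FILTER_NAMES; empty values are skipped."""
    parts = ['-fileName', quote(file_name), '-reportMode', report_mode]
    for name in FILTER_NAMES:
        value = filters and filters.get(name)
        if value:
            parts.append('-' + name)
            parts.append(quote(value))
    parts.append('-keyStorePassword')
    parts.append(quote(password))
    parts.append('-outputLocation')
    parts.append(quote(output_location))
    return '[' + ' '.join(parts) + ' ]'

def decrypt_audit_log():
    """Decrypt the audit log into an HTML report; AdminTask is injected by wsadmin."""
    args = build_reader_args(AUDIT_LOG, OUTPUT_HTML, read_password(PASSWORD_FILE))
    return AdminTask.binaryAuditLogReader(args)

# wsadmin runs '-f' scripts with __name__ set to 'main'; plain Jython uses '__main__'.
if __name__ in ('__main__', 'main'):
    print(decrypt_audit_log())
```

Like the interactive run, this invocation is itself recorded as a SECURITY_RESOURCE_ACCESS event.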
