<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks Endi, nice catch on one missing audit.<br>
Per our discussion on IRC, added the missing audit and pushed to
master:<br>
<a title="Ticket 1160 audit needed for getKeyInfo; audit missing for
auth/authz at ..."
href="https://fedorahosted.org/pki/changeset/c0d14140aca982ac637d5fd34f1c3ddb23836867/"
class="changeset">c0d14140aca982ac637d5fd34f1c3ddb23836867</a>
<br>
<br>
And a new ticket created to cover the desirable upgrade script:
<a href="https://fedorahosted.org/pki/ticket/1382" class="ext-link"><span
class="icon"></span>https://fedorahosted.org/pki/ticket/1382</a>
KRA: upgrade script maybe needed for CS.cfg to add new audit events
added in ticket 1160
<br>
<br>
Christina<br>
<br>
<br>
<div class="moz-cite-prefix">On 05/14/2015 01:04 PM, Endi Sukma
Dewata wrote:<br>
</div>
<blockquote cite="mid:5554FFD5.2080708@redhat.com" type="cite">On
5/13/2015 7:27 PM, Christina Fu wrote:
<br>
<blockquote type="cite">This patch (pki-cfu-0062) is to replace
pki-cfu-0060.
<br>
After receiving help from Endi on how to test these key options
(thanks
<br>
Endi!), I have made some code changes for the tests I ran.
<br>
<br>
Just to show some of the test results:
<br>
<br>
...key-mod 0x2 --status active yields the following audit
messages:
<br>
0.http-bio-28443-exec-13 - [13/May/2015:19:04:01 EDT] [14] [6]
<br>
[AuditEvent=KEY_STATUS_CHANGE][SubjectID=kraadmin][Outcome=Success][KeyID=3][OldStatus=active][NewStatus=active][Info=KeyService.modifyKeyStatus]
<br>
Key Status Change
<br>
0.http-bio-28443-exec-14 - [13/May/2015:19:04:02 EDT] [14] [6]
<br>
[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=null][KeyID=3][Info=KeyService.getKeyInfo]
<br>
security data retrieval request
<br>
<br>
key-generate test3 --key-algorithm RSA --key-size 1024 yields
the
<br>
following audit message:
<br>
0.http-bio-28443-exec-19 - [13/May/2015:19:10:24 EDT] [14] [6]
<br>
[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3]
<br>
Asymkey generation request made
<br>
[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3][KeyID=4][FailureReason=None]
<br>
Asymkey generation request processed
<br>
<br>
key-archive --clientKeyID test4 --passphrase "cfu secret"
yields the
<br>
following audit messages:
<br>
0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6]
<br>
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4][KeyID=5][FailureReason=None]
<br>
security data archival request processed
<br>
0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6]
<br>
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4]
<br>
security data archival request made
<br>
<br>
thanks,
<br>
Christina
<br>
</blockquote>
<br>
Some comments:
<br>
<br>
1. There should be an upgrade script to update the CS.cfg in
existing KRA instances.
<br>
<br>
2. In KeyService.java:416 the method may return without audit
logging.
<br>
<br>
Everything else looks good.
<br>
<br>
</blockquote>
<br>
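Added example, not part of this thread or of the PKI code base: a Python check over audit lines in the bracketed [Name=Value] format quoted above, listing requests that have no matching _PROCESSED record regardless of the order in which the two records were written. The sample lines are constructed, and pairing events by the _PROCESSED suffix and a field ending in RequestID is an assumption drawn from the quoted output.

```python
import re

# Constructed sample records, modelled on the audit format quoted in this thread.
SAMPLE = """\
[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3] Asymkey generation request made
[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3][KeyID=4][FailureReason=None] Asymkey generation request processed
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4][KeyID=5][FailureReason=None] security data archival request processed
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4] security data archival request made
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=8][ClientKeyID=test5] security data archival request made
"""

# One [Name=Value] field; bracketed tokens without "=" (timestamps, levels) do not match.
FIELD = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")
SUFFIX = "_PROCESSED"  # assumed naming convention for the completion event


def parse_record(line):
    """Return the [Name=Value] fields of one audit line as a dict."""
    return dict(FIELD.findall(line))


def request_id(rec):
    """Return the value of the first field whose name ends in RequestID, or None."""
    for name, value in rec.items():
        if name.endswith("RequestID"):
            return value
    return None


def unprocessed_requests(text):
    """Return sorted (event, request id) pairs that have no *_PROCESSED record."""
    made, done = set(), set()
    for line in text.splitlines():
        rec = parse_record(line)
        event, rid = rec.get("AuditEvent"), request_id(rec)
        if not event or rid is None:
            continue  # not a request-type audit record
        if event.endswith(SUFFIX):
            done.add((event[:-len(SUFFIX)], rid))
        else:
            made.add((event, rid))
    # Set difference makes the check independent of log ordering.
    return sorted(made - done)


if __name__ == "__main__":
    for event, rid in unprocessed_requests(SAMPLE):
        print(f"no {event}{SUFFIX} record for request {rid}")
```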
</body>
</html>