[Pki-devel] [PATCH] pki-cfu-0060-Ticket-1160-audit-needed-for-getKeyInfo-audit-missin.patch

Christina Fu cfu at redhat.com
Thu May 14 00:27:49 UTC 2015


This patch (pki-cfu-0062) is to replace pki-cfu-0060.
After receiving help from Endi on how to test these key options (thanks
Endi!), I have made some code changes for the tests I ran.

Just to show some of the test results:

...key-mod 0x2 --status active yields the following audit messages:
0.http-bio-28443-exec-13 - [13/May/2015:19:04:01 EDT] [14] [6] 
[AuditEvent=KEY_STATUS_CHANGE][SubjectID=kraadmin][Outcome=Success][KeyID=3][OldStatus=active][NewStatus=active][Info=KeyService.modifyKeyStatus] 
Key Status Change
0.http-bio-28443-exec-14 - [13/May/2015:19:04:02 EDT] [14] [6] 
[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=null][KeyID=3][Info=KeyService.getKeyInfo] 
security data retrieval request

key-generate test3 --key-algorithm RSA --key-size 1024 yields the
following audit message:
0.http-bio-28443-exec-19 - [13/May/2015:19:10:24 EDT] [14] [6] 
[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3] 
Asymkey generation request made
[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3][KeyID=4][FailureReason=None] 
Asymkey generation request processed

key-archive --clientKeyID test4 --passphrase "cfu secret" yields the
following audit messages:
0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6] 
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4][KeyID=5][FailureReason=None] 
security data archival request processed
0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6] 
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4] 
security data archival request made

thanks,
Christina


On 05/11/2015 06:09 PM, Christina Fu wrote:
> This is the 2nd part of the patch for 
> https://fedorahosted.org/pki/ticket/1160 audit logging needed: REST 
> API auth/authz; kra for getKeyInfo
> which addresses the missing audit for kra getKeyInfo.
>
> note: this patch has no dependency on the first patch that I submitted 
> earlier, which addresses the missing auth/authz audit for REST interface.
>
> This is for preliminary review, as I don't have first-hand info on how
> to run most of the services offered here to properly test everything.
> For efficiency purposes, I'm hoping to enlist some help from edewata/alee.
>
> thanks,
> Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0062-Ticket-1160-audit-needed-for-getKeyInfo-audit-missin.patch
Type: text/x-patch
Size: 32766 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20150513/768fb0f1/attachment.bin>
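
An added example (not part of the original message or the patch): a parser for audit records in the format shown in the test output above, plus a check that every *_REQUEST event has a matching *_REQUEST_PROCESSED event regardless of the order in which they were logged. The function names, the added Timestamp key, and the use of the *RequestID field as the pairing key are assumptions; the sample input is constructed from the records quoted in the message.

```python
import re
from collections import defaultdict

# Constructed input: records copied from the message above, still wrapped the
# way the mail left them (prefix line, field line, description line).
SAMPLE = """\
0.http-bio-28443-exec-19 - [13/May/2015:19:10:24 EDT] [14] [6]
[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3]
Asymkey generation request made
[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3][KeyID=4][FailureReason=None]
Asymkey generation request processed
0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6]
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4][KeyID=5][FailureReason=None]
security data archival request processed
0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6]
[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4]
security data archival request made
0.http-bio-28443-exec-14 - [13/May/2015:19:04:02 EDT] [14] [6]
[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=null][KeyID=3][Info=KeyService.getKeyInfo]
security data retrieval request
"""

FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")
STAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} \w+)\]")

def parse_records(text):
    """Yield one dict per [AuditEvent=...] line; a line with no prefix keeps the last timestamp seen."""
    stamp = None
    for line in text.splitlines():
        m = STAMP.search(line)
        if m:
            stamp = m.group(1)          # prefix line (or joined line): remember timestamp
        fields = dict(FIELD.findall(line))
        if "AuditEvent" in fields:      # field line, wrapped or joined with its prefix
            fields["Timestamp"] = stamp  # added key, not a field in the log itself
            yield fields

def unpaired_requests(records):
    """Return (base event, request id) for request/processed records that lack their partner."""
    seen = defaultdict(set)
    for r in records:
        ev = r["AuditEvent"]
        base = ev[:-len("_PROCESSED")] if ev.endswith("_PROCESSED") else ev
        if not base.endswith("_REQUEST"):
            continue                    # e.g. SECURITY_DATA_RETRIEVE_KEY has no partner event
        # Assumption: the pairing key is the field whose name ends in "RequestID".
        rid = next((v for k, v in r.items() if k.endswith("RequestID")), "")
        seen[(base, rid)].add(ev)
    return sorted(k for k, evs in seen.items() if len(evs) < 2)
```
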

