[Pki-devel] [PATCH] pki-cfu-0060-Ticket-1160-audit-needed-for-getKeyInfo-audit-missin.patch

Endi Sukma Dewata edewata at redhat.com
Thu May 14 20:04:37 UTC 2015 

On 5/13/2015 7:27 PM, Christina Fu wrote:
> This patch (pki-cfu-0062) is to replace pki-cfu-0060
> after receiving help from Endi on how to test these key options (thanks
> Endi!), I have made some code changes for the tests I ran.
>
> Just to show some of the test results:
>
> ...key-mod 0x2 --status active yields the following audit messages:
> 0.http-bio-28443-exec-13 - [13/May/2015:19:04:01 EDT] [14] [6]
> [AuditEvent=KEY_STATUS_CHANGE][SubjectID=kraadmin][Outcome=Success][KeyID=3][OldStatus=active][NewStatus=active][Info=KeyService.modifyKeyStatus]
> Key Status Change
> 0.http-bio-28443-exec-14 - [13/May/2015:19:04:02 EDT] [14] [6]
> [AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=null][KeyID=3][Info=KeyService.getKeyInfo]
> security data retrieval request
>
>   key-generate test3 --key-algorithm RSA --key-size 1024 yields the
> following audit message:
> 0.http-bio-28443-exec-19 - [13/May/2015:19:10:24 EDT] [14] [6]
> [AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3]
> Asymkey generation request made
> [AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3][KeyID=4][FailureReason=None]
> Asymkey generation request processed
>
> key-archive  --clientKeyID test4 --passphrase  "cfu secret" yields the
> following audit messages:
> 0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6]
> [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4][KeyID=5][FailureReason=None]
> security data archival request processed
> 0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6]
> [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4]
> security data archival request made
>
> thanks,
> Christina

Some comments:

1. There should be an upgrade script to update the CS.cfg in existing 
KRA instances.

2. In KeyService.java:416 the method may return without audit logging.

Everything else looks good.

-- 
Endi S. Dewata

More information about the Pki-devel mailing list