[Pki-devel] [PATCH] pki-cfu-0060-Ticket-1160-audit-needed-for-getKeyInfo-audit-missin.patch

Christina Fu cfu at redhat.com
Thu May 14 21:16:46 UTC 2015


Thanks Endi, nice catch on one missing audit.
Per our discussion on IRC, added the missing audit and pushed to master:
c0d14140aca982ac637d5fd34f1c3ddb23836867 
<https://fedorahosted.org/pki/changeset/c0d14140aca982ac637d5fd34f1c3ddb23836867/> 


And a new ticket created to cover the desirable upgrade script: 
https://fedorahosted.org/pki/ticket/1382 KRA: upgrade script maybe 
needed for CS.cfg to add new audit events added in ticket 1160

Christina


On 05/14/2015 01:04 PM, Endi Sukma Dewata wrote:
> On 5/13/2015 7:27 PM, Christina Fu wrote:
>> This patch (pki-cfu-0062) is to replace pki-cfu-0060.
>> After receiving help from Endi on how to test these key options (thanks
>> Endi!), I have made some code changes for the tests I ran.
>>
>> Just to show some of the test results:
>>
>> ...key-mod 0x2 --status active yields the following audit messages:
>> 0.http-bio-28443-exec-13 - [13/May/2015:19:04:01 EDT] [14] [6] [AuditEvent=KEY_STATUS_CHANGE][SubjectID=kraadmin][Outcome=Success][KeyID=3][OldStatus=active][NewStatus=active][Info=KeyService.modifyKeyStatus] Key Status Change
>> 0.http-bio-28443-exec-14 - [13/May/2015:19:04:02 EDT] [14] [6] [AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID=kraadmin][Outcome=Success][RecoveryID=null][KeyID=3][Info=KeyService.getKeyInfo] security data retrieval request
>>
>> key-generate test3 --key-algorithm RSA --key-size 1024 yields the
>> following audit message:
>> 0.http-bio-28443-exec-19 - [13/May/2015:19:10:24 EDT] [14] [6] [AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3] Asymkey generation request made
>> [AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][GenerationRequestID=6][ClientKeyID=test3][KeyID=4][FailureReason=None] Asymkey generation request processed
>>
>> key-archive  --clientKeyID test4 --passphrase  "cfu secret" yields the
>> following audit messages:
>> 0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4][KeyID=5][FailureReason=None] security data archival request processed
>> 0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6] [AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin][Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4] security data archival request made
>>
>> thanks,
>> Christina
>
> Some comments:
>
> 1. There should be an upgrade script to update the CS.cfg in existing 
> KRA instances.
>
> 2. In KeyService.java:416 the method may return without audit logging.
>
> Everything else looks good.
>
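
A log check for the audit format quoted in this thread, as an added example that is not part of the original message or the PKI code base: it parses the [Key=Value] fields and reports *_REQUEST events that have no matching *_REQUEST_PROCESSED event, regardless of the order in which the two were logged. Pairing on the field whose name ends in "RequestID", the function names, and the sample lines (built from the messages above plus one constructed unpaired request) are assumptions.

```python
import re
from collections import defaultdict

# Matches [Key=Value]; the timestamp and the bare [14] [6] header fields do not match.
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_audit_line(line):
    """Return the [Key=Value] fields of one audit line as a dict, or None."""
    fields = dict(FIELD.findall(line))
    return fields if "AuditEvent" in fields else None


def unpaired_requests(lines):
    """Return sorted (event, request_id) for requests never marked processed."""
    seen = defaultdict(set)  # (request event, request id) -> {"made", "processed"}
    for line in lines:
        fields = parse_audit_line(line)
        if fields is None:
            continue
        event = fields["AuditEvent"]
        # Assumption: the pairing key is the field ending in "RequestID".
        req_id = next((v for k, v in fields.items() if k.endswith("RequestID")), None)
        if req_id is None:
            continue  # e.g. KEY_STATUS_CHANGE carries no request id
        if event.endswith("_REQUEST_PROCESSED"):
            seen[(event[: -len("_PROCESSED")], req_id)].add("processed")
        elif event.endswith("_REQUEST"):
            seen[(event, req_id)].add("made")
    return sorted(key for key, states in seen.items() if states == {"made"})


# Constructed sample: the archival pair is logged "processed" first, as in the
# thread; GenerationRequestID=8 is a made-up request with no processed event.
PREFIX = "0.http-bio-28443-exec-24 - [13/May/2015:19:21:37 EDT] [14] [6] "
SAMPLE = [
    PREFIX + "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID=kraadmin]"
    "[Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4][KeyID=5][FailureReason=None]",
    PREFIX + "[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID=kraadmin]"
    "[Outcome=Success][ArchivalRequestID=7][ClientKeyID=test4]",
    PREFIX + "[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID=kraadmin]"
    "[Outcome=Success][GenerationRequestID=8][ClientKeyID=demo]",
    PREFIX + "[AuditEvent=KEY_STATUS_CHANGE][SubjectID=kraadmin][Outcome=Success]"
    "[KeyID=3][OldStatus=active][NewStatus=active][Info=KeyService.modifyKeyStatus]",
]

if __name__ == "__main__":
    for event, req_id in unpaired_requests(SAMPLE):
        print(f"no PROCESSED event for {event} id={req_id}")
```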
