TPS Audit Events

Overview

TPS audit events can be configured in log.instance.SignedAudit.events property.

Notes:

Each operation is preceded by a separate AUTHZ_* event
Authentication event only happens once initially at login
Some operations with specific changes to fields within an object (e.g. profiles, authenticators) might produce larger quantity of data. Examples below are selected ones that produce less data.
Service or OP in general can be any of the services provided by the REST interface

Event properties:

SubjectID: the subject user that triggers the audit event
Outcome: Success or Failure of the action that triggers the audit event
Service: in general, the name of the operation method where the audit event occurs
ParamNameValPairs: name/value pairs where
- <name> and <value> are separated by the delimiter ;;
- If more than one <name>;;<value> pair, separated by +
- Secret component (password) MUST NOT be logged
Info: in general is used for capturing error info for failed cases; In case of success, it is usually left as null.

Default Events

TPS Configuration Events

CONFIG_TOKEN_GENERAL

This event is triggered when the general TPS configuration is updated.

[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID=tpsadmin][Outcome=Success][Service=C
onfigService.updateConfig[ParamNameValPairs=+applet._000;;######################
###################+applet._001;;# applet information+applet._002;;# SAF Key:+ap
plet._003;;# applet.aid.cardmgr_instance=A0000001510000+applet._004;;# Stock RSA
,KeyRecover applet : 1.4.54de790f.ijc+applet._005;;# Beta RSA/KeyRecovery/GP211/
SCP02 applet : 1.5.558cdcff.ijc+applet._006;;# Use GP211 applet only with SCP02
card+applet._007;;#########################################+applet.aid.cardmgr_i
nstance;;A0000000030000+applet.aid.netkey_file;;627601FF0000+applet.aid.netkey_i
nstance;;627601FF000000+applet.aid.netkey_old_file;;A000000001+applet.aid.netkey
_old_instance;;A00000000101+applet.delete_old;;true+applet.so_pin;;000000000000+
channel._000;;#########################################+channel._001;;# channel.
encryption:+channel._002;;#+channel._003;;#   - enable encryption for all operat
ion commands to token+channel._004;;#   - default is true+channel._005;;#  chann
el.blocksize=224+channel._006;;#  channel.defKeyVersion=0+channel._007;;#  chann
el.defKeyIndex=0+channel._008;;#+channel._009;;#  Config the size of memory mana
ged memory in the applet+channel._010;;#  Default is 5000, try not go get close
to the instanceSize+channel._011;;#  which defaults to 18000:+channel._012;;#+ch
annel._013;;#  * channel.instanceSize=18000+channel._014;;#  * channel.appletMem
orySize=5000+channel._015;;#########################################+channel.blo
cksize;;224+channel.defKeyIndex;;0+channel.defKeyVersion;;0+channel.encryption;;
true+failover.pod.enable;;false+general.applet_ext;;ijc+general.pwlength.min;;12
+general.search.sizelimit.default;;100+general.search.sizelimit.max;;2000+genera
l.search.timelimit.default;;10+general.search.timelimit.max;;10+general.verifyPr
oof;;1][Info=null] TPS token configuration parameter(s) change

CONFIG_TOKEN_PROFILE

This event is triggered when a token profile configuration is updated.

[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID=tpsadmin][Outcome=Success][Service=P
rofileService.updateProfile][ProfileID=cfuTestProfile5][ParamNameValPairs=+op.en
roll.cfuTestProfile5.entry0;;value0+op.enroll.cfuTestProfile5.entry1;;value1][In
fo=null] token profile configuration parameter(s) change

CONFIG_TOKEN_MAPPING_RESOLVER

This event is triggered when a token mapping resolver configuration is updated.

[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID=tpsadmin][Outcome=Success][
Service=ProfileMappingService.removeProfileMapping][MappingResolverID=cfu4mappin
gResolver][ParamNameValPairs=][Info=null] token mapping resolver configuration p
arameter(s) change

CONFIG_TOKEN_AUTHENTICATOR

This event is triggered when a token authenticator configuration is updated.

[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID=tpsadmin][Outcome=Success][OP=
AuthenticatorService.changeStatus][Authenticator=ldap2][ParamNameValPairs=+Statu
s;;Disabled+Action;;disable+authenticatorID;;ldap2][Info=null] token authenticat
or configuration parameter(s) change

CONFIG_TOKEN_CONNECTOR

This event is triggered when a token connector configuration is updated.

[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID=tpsadmin][Outcome=Success][OP=Conn
ectorService.changeStatus][Connector=tks1][ParamNameValPairs=+Status;;Enabled+Ac
tion;;enable][Info=null] token connector configuration parameter(s) change

CONFIG_TOKEN_RECORD

This event is triggered when a token record is updated.

[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID=tpsadmin][Outcome=Success][OP=TokenSe
rvice.removeToken][TokenID=33333333333333333333][ParamNameValPairs=][Info=null]
token record configuration parameter(s) change

Token Events

TOKEN_OP_REQUEST

This event is triggered when token processor op request made.

OP can be format, enroll, or pinReset

[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made

TOKEN_FORMAT_SUCCESS

This event is triggered when token format op succeeded.

[AuditEvent=TOKEN_FORMAT_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format success

TOKEN_FORMAT_FAILURE

This event is triggered when token format op failed.

[AuditEvent=TOKEN_FORMAT_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format failure

TOKEN_APPLET_UPGRADE_SUCCESS

This event is triggered when token apple upgrade succeeded.

[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success

TOKEN_APPLET_UPGRADE_FAILURE

This event is triggered when token apple upgrade failed.

[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure

TOKEN_STATE_CHANGE

This event is triggered when a token state has been changed.

[AuditEvent=TOKEN_STATE_CHANGE][SubjectID=tpsadmin][Outcome=Success][oldState=uninitialized][oldReason=null][newState=lost][newReason=onHold][ParamNameValPairs=+tokenStatus;;TEMP_LOST+tokenID;;77777777777777777777+UserID;;itsme][Info=null] token state changed

TPS Certificate Events

Properties:

CUID: card unique ID
MSN: manufacturer serial number
TokenType: TPS profile name
Serial: serial number in decimal
CA_ID: CA id as defined in TPS CS.cfg
KRA_ID: KRA id as defined in TPS CS.cfg

TOKEN_CERT_ENROLLMENT

This event is triggered when token certificate enrollment request is made.

[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made

TOKEN_CERT_RENEWAL

This event is used for TPS when token certificate renewal request is made.

[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made

TOKEN_CERT_RETRIEVAL

This event is used for TPS when token certificate retrieval request is made.

[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made

TOKEN_CERT_STATUS_CHANGE_REQUEST

This event is used when a token certificate status change request (e.g. revocation) is made.

CUID must be the last token that the certificate was associated with
CertSerialNum must be the serial number (in decimal) of the certificate to be revoked
RequestType must be revoke, on-hold, off-hold

[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made

Token PIN Events

TOKEN_PIN_RESET_SUCCESS

This event is used when token pin reset request succeeded.

[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset success

TOKEN_PIN_RESET_FAILURE

This event is used when token pin reset request failed.

[AuditEvent=TOKEN_PIN_RESET_FAILURE][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset failure

Token Key Events

TOKEN_KEY_RECOVERY

This event is triggered when token certificate key recovery request is made.

[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made

TOKEN_KEY_CHANGEOVER_REQUIRED

This event is triggered when token key changeover is required.

[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required

TOKEN_KEY_CHANGEOVER_SUCCESS

This event is triggered when token key changeover succeeded.

[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success

TOKEN_KEY_CHANGEOVER_FAILURE

This event is triggered when token key changeover failed.

[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure

Token Authentication Events

TOKEN_AUTH_FAILURE

This event is triggered when authentication failed.

Outcome should always be failure in this event
When authentication failed, AttemptedID is logged instead of SubjectID, as in the event of TOKEN_AUTH_FAILURE
AuthMgr must be the authentication manager instance name that did this authentication

[AuditEvent=TOKEN_AUTH_FAILURE][IP={0}][AttemptedID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication failure

TOKEN_AUTH_SUCCESS

This event is triggered when authentication succeeded.

Outcome should always be success in this event
AuthMgr must be the authentication manager instance name that did this authentication

[AuditEvent=TOKEN_AUTH_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication success

Examples

Token Format

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_FORMAT_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][KeyVersion=0101][Info=null] token op format success

Token Enrollment

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][tokenType=userKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=success][tokenType=userKey][KeyVersion=0101][Serial=131][CA_ID=ca1][Info=null] token certificate enrollment request made

Token Find

Execute the following command to search tokens:

$ pki -n caadmin tps-token-find

The command will generate the following logs:

[AuditEvent=AUTH_SUCCESS][SubjectID=tpsadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.tokens][Op=read][Info=TokenResource.findTokens] authorization success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.account][Op=logout][Info=AccountResource.logout] authorization success

Modifying Profile Mapping

[AuditEvent=AUTHZ_SUCCESS][SubjectID=tpsadmin][Outcome=Success][aclResource=certServer.tps.profile-mappings][Op=modify][Info=ProfileMappingResource.updateProfileMapping] authorization success

Pin Reset

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=pinReset][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=pinReset][tokenType=userKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=success][AppletVersion=userKey][KeyVersion=0101] token op pin reset success

ExternalReg

Example audit messages for an externalReg enrollment request with user entries tokenType: delegateISEtoken certstoadd: 63,ca1,9,kra1 (That’s two cert enrollments and one "recovery"):

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][OP=enroll][tokenType=null][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=128][CA_ID=ca1][Info=null] token certificate enrollment request made
[AuditEvent=TOKEN_CERT_ENROLLMENT][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=129][CA_ID=ca1][Info=null] token certificate enrollment request made
[AuditEvent=TOKEN_KEY_RECOVERY][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=63][CA_ID=ca1][KRA_ID=kra1][Info=null] token certificate/key recovery request made 0.http-bio-8080-exec-2 - [15/Feb/2016:16:03:39 PST] [14] [6] [AuditEvent=TOKEN_CERT_RETRIEVAL][IP=a.b.c.d][SubjectID=user2a][CUID=A10192030405028001C0][Outcome=success][tokenType=delegateISEtoken][KeyVersion=0101][Serial=63][CA_ID=ca1][Info=null] token certificate retrieval request made

Formatting an active token that causes revocation

[AuditEvent=TOKEN_OP_REQUEST][IP=a.b.c.d][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][AppletVersion=0.0.6fbbc105] token op request made
[AuditEvent=TOKEN_AUTH_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][OP=format][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][AuthMgr=ldap1] token authentication success
[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][KeyVersion=0101][oldAppletVersion=0.0.6fbbc105][newAppletVersion=1.4.54de790f][Info=null] token applet upgrade success
[AuditEvent=TOKEN_FORMAT_SUCCESS][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=success][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][KeyVersion=0101][Info=null] token op format success
[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=0][tokenType=tokenKey][CertSerialNum=131][RequestType=revoke][RevokeReasonNum=0][CA_ID=ca1][Info=null] token certificate revocation/unrevocation request made
[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][Outcome=0][tokenType=tokenKey][CertSerialNum=132][RequestType=revoke][RevokeReasonNum=0][CA_ID=ca1][Info=null] token certificate revocation/unrevocation request made

Format with invalid symkey required version

For example, the following requiredVersion not exist in TKS:

op.format.tokenKey.update.symmetricKeys.requiredVersion=2

[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=na][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][oldKeyVersion=0101][newKeyVersion=02%01%][Info=null] token key changeover required
[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP=a.b.c.d][SubjectID=user1a][CUID=A10192030405018001C0][MSN=01%02%03%04%][Outcome=failure][tokenType=tokenKey][AppletVersion=0.0.6fbbc105][oldKeyVersion=null][newKeyVersion=02%01%][Info=TPSEngine.computeSessionKey: invalid returned status: 1] token key changeover failure