2 Replies Latest reply on Aug 22, 2006 4:43 PM by Anil Saldanha

    Providing Auditing Capabilities

    Anil Saldanha Master

      It is a critical need for IT departments to audit security related information, for non-repudiation, government regulations etc etc. Currently, JBoss does not provide any suitable ways of auditing.

      Currently, for auditing, the user has to write a LoginModule that does plain auditing and nothing else or the weave the auditing logic into the other login modules.

      Ideally, there should be some means provided to the user to perform auditing.

      Let me point out some material on auditing capabilities provided in other app servers:
      Web Logic:
      http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index1.html?page=3
      http://e-docs.bea.com/wls/docs81/javadocs/weblogic/security/spi/package-frame.html

      Sun's App Server:
      http://docs.sun.com/source/817-6087/dgsecure.html#wp35113

      This thread is dedicated to discussion of possible facilities for audit.

      User Forum Posting for reference:
      http://www.jboss.com/index.html?module=bb&op=viewtopic&t=76073

      TODO:
      If anyone has any more links to audit support provided by other vendors, please post here.

        • 1. Re: Providing Auditing Capabilities
          Anil Saldanha Master

          A bare minimum capability can be the following:

          1) A seperate JMX based service called "Audit Service" exists. This has all the knowledge about logging levels, ignore list, security domain list to log(if needed, if not every domain will be logged) etc. The logs exist in the {jboss.server.dir}/log/audit directory with the format xxx-audit-log (where xxx is the security domain).

          2) A flag exists in the Jaas Security Manager service that determines whether the auditing is on/off (OFF by default). If the audit is on, all operations on the security manager service will send audit events to the Audit service described in step 1. Now it is upto the Audit Service to determine whether it wants to log the event or not, based on the settings.

          Issues:
          1. Rolling over the audit logs periodically should be considered.

          http://jira.jboss.com/jira/browse/JBAS-2738

          • 2. Re: Providing Auditing Capabilities
            Anil Saldanha Master

            http://jira.jboss.com/jira/browse/JBAS-2738

            has been implemented in HEAD. The default Audit Provider is a logging provider that basically takes advantage of logging configuration provided by the logging framework to send the log to a particular sink (file, database, jms etc) and provide rolling features.

            A piece that is missing is the configuration of the audit providers at the security domain level.

            Currently the web layer (JBossWebRealm) and the EJB Security Interceptor do the audit logging for authentication and authorization attempts.