
WebSphere Security Auditing

Source: http://www.themiddlewareshop.com/2012/07/01/websphere-security-auditingpart-1/
Posted by Steve Robinson on Jul 1, 2012 in Blog, WebSphere, WebSphere Application Server

This blog series will cover the basics of WebSphere Security Auditing. This is a feature of WAS that is often not implemented, so I thought it would make a good mini-series. I shall be producing 9 small bite-size blog items, and some may be more detailed than others. Below is the main outline of what I will be delivering in the 9-part series.

1. Enable Administrative Security for the profile
2. Create a User
3. Map User to Auditor Role
4. Configure Audit Monitor
5. Verifying generation of audit messages
6. Generate an HTML report using binaryAuditLogReader
7. Creating an event filter
7a. Configuring Audit Service Provider
7b. Configuring Audit Event Factory
8. Signing your security audit records
9. Encrypting the Security Audit Log
9a. Configuring keystore and certificate required for encryption
9b. Audit record encryption configuration

Introduction
This document explains the steps involved in turning on the security auditing feature in WebSphere Application Server.

The Security Auditing feature enables logging of security events such as successful and failed login attempts by users. Remember, this is not a mechanism to control who can access what; it only records what happened. The events are logged to a text file which can be read with a text editor. WebSphere also provides a tool called binaryAuditLogReader which can convert this text file into an HTML file for easier reading.

WebSphere also helps in making sure that this audit log is not tampered with, by allowing the log to be digitally signed with a digital certificate, if this is really required. A digitally signed log is Base-64 encoded and is tamper-proof, but it is still not encrypted, so it can be read by anyone who can open the file. To make it completely unavailable to intruders, the log can also be encrypted using a key held in a keystore. To decrypt the log again, the binaryAuditLogReader tool can be used.

The dependency diagram shows what configuration is dependent on what. For example, if Security Auditing is disabled, then everything under it will not work.

Steps Involved

1. Enable Administrative Security for the profile


Administrative Security has to be enabled for the Security Audit feature to work. So to turn on Administrative Security, do the following.

Start the server if it is not running. Open the WebSphere Administrative console. Expand Security and click on Global Security.

Select Enable administrative security as shown in the screen capture.

Restart the server. (If this was already enabled, then the server need not be restarted)

2. Create a User
WebSphere Application server supports role based access control to various features. Security Auditing is one such feature which can be configured by a user mapped to Auditor role. This role was introduced in WebSphere Application Server Version 7.0. Search and confirm that a user with the same name does not exist before creating a new one.

Expand Users and Groups in the Navigation Pane of the Administrative Console and click Manage Users. To view all the users, enter * in the Search for field and then click the Search button.

Create a new user to represent Security Auditor.


Click the Manage Users link under Users and Groups. Enter the following details:
o User ID: An ID that will be used later on to log in to the WebSphere Administrative console
o Password: The user's password
o First name: The user's first name
o Last name: The user's last name
o E-mail: The user's e-mail ID
Click the Create button.

Mandatory text fields are given a light brown background colour in the WebSphere administrative console. They are also marked with an asterisk.

A confirmation message is displayed as shown below.

3. Map User to Auditor Role


Now the user needs to be mapped to Auditor role, so that the user can login to WebSphere administrative console and configure security auditing.

Now click on the Administrative user roles link in the left navigation pane, then click the Add button.

1. Select the role Auditor.
2. Then click on Search to locate the user. Users are shown in the Available section.
3. Select the user from the Available section and move it to the Mapped to role section by clicking on the arrow that points to the right.
4. Click the OK button.

The OK button did not work properly in Google Chrome browser at the time of writing this course material. It worked properly in Mozilla Firefox browser.

The following message is displayed, asking for confirmation.

Click Save hyperlink


4. Configure Audit Monitor


The Audit Monitor has to be configured next; it sends out a notification if the security auditing subsystem fails.

Click Security auditing under Security in the left navigation pane. Click the Audit monitor link under Related Items in the content pane.

Click the New button.


Enter a name for the notification, check the Message log check box, and click OK.


Click Save hyperlink

Check the Enable Monitoring option. Select the notification created previously. Click the OK button.

Click the Save button when the following message is displayed.

Note that the server has to be restarted for these changes to take effect.


Check the Enable security auditing check box. Select Log warning in the Audit subsystem failure action drop-down:
o If you select No warning, then no notification is given in case of an audit subsystem failure.
o The Terminate server option will make the server shut down gracefully.
Select the primary auditor user name. Click the Apply button.

Click the Save button.

Note: This change requires a server restart to come into effect. At this point the Security Auditing feature is enabled, and all further configuration is optional.


5. Verifying generation of audit messages

Restart the server.

The audit log can be viewed through a text editor.

Go to the <profile_root>/logs/<server_name> directory and open the file with the name:
o BinaryAudit_<cell_name>_<node_name>_<server_name>.log

Note: Every event starts with a sequence number. The event type is displayed next. The fields are separated by a | character. This is hard to read, but easy to grep.


Now let us generate a security event and check the audit log.

Log out of the console. Try to log in with an incorrect user name, say hacker.


A security event should be generated and written to the log file. Open the log file again and check.
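Because the raw log is pipe-delimited and "easy to grep", it is worth having a small script for the two checks a reviewer does on it: that the sequence numbers run without gaps (a gap means records went missing) and that repeated authentication failures by one user name are surfaced. The Python below is an added example, not code from the original post or from IBM. The sample records are constructed; only the sequence-first, event-type-second, pipe-separated shape and the event names SECURITY_AUTHN, SECURITY_AUTHZ and SECURITY_RESOURCE_ACCESS come from the page, and the remaining field labels (Outcome, User) are an assumption for illustration.

```python
"""Parse a WebSphere BinaryAudit-style log and run two defender checks."""
import re
from collections import Counter

# Constructed sample records modelled on the page's description of the log
# (sequence number first, event type next, fields separated by '|').
# Field labels after the first two are an assumption, not IBM's exact layout.
# The gap at Seq 4 is deliberate so the integrity check has something to find.
SAMPLE_LOG = """\
Seq = 0 | Event Type = SECURITY_AUTHN | Outcome = SUCCESS | User = wasadmin
Seq = 1 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | User = hacker
Seq = 2 | Event Type = SECURITY_AUTHN | Outcome = FAILURE | User = hacker
Seq = 3 | Event Type = SECURITY_AUTHZ | Outcome = DENIED | User = security_auditor
Seq = 5 | Event Type = SECURITY_RESOURCE_ACCESS | Outcome = SUCCESS | User = security_auditor
"""

FIELD = re.compile(r"^\s*([^=]+?)\s*=\s*(.*?)\s*$")


def parse_audit_log(text):
    """Return one dict per record; keys are the labels to the left of '='."""
    events = []
    for line in text.splitlines():
        record = {}
        for chunk in line.split("|"):
            m = FIELD.match(chunk)
            if m:
                record[m.group(1)] = m.group(2)
        if "Seq" in record:              # skip blank or non-record lines
            record["Seq"] = int(record["Seq"])
            events.append(record)
    return events


def missing_sequences(events):
    """Sequence numbers absent between the first and last record seen."""
    seen = sorted(e["Seq"] for e in events)
    if not seen:
        return []
    return sorted(set(range(seen[0], seen[-1] + 1)) - set(seen))


def select(events, event_type=None, outcome=None):
    """The 'easy to grep' filter: keep records matching type and/or outcome."""
    return [e for e in events
            if (event_type is None or e.get("Event Type") == event_type)
            and (outcome is None or e.get("Outcome") == outcome)]


def failed_logins_by_user(events, threshold=2):
    """User names whose failed SECURITY_AUTHN count reaches the threshold."""
    failures = select(events, "SECURITY_AUTHN", "FAILURE")
    counts = Counter(e.get("User", "?") for e in failures)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    print("records:", len(evs), "missing seq:", missing_sequences(evs))
    print("repeated auth failures:", failed_logins_by_user(evs))
```

Point `parse_audit_log` at the contents of the BinaryAudit_<cell_name>_<node_name>_<server_name>.log file once you have checked which labels your own log actually uses; a non-empty result from `missing_sequences` is what to chase first.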


6. Generate an HTML report using binaryAuditLogReader


steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./wsadmin.sh -lang jython -username security_auditor -password websphere
[sudo] password for steve:
WASX7209I: Connected to process server1 on node node01 using SOAP connector; The type of process is: UnManagedProcess
WASX7031I: For help, enter: print Help.help()
wsadmin>AdminTask.binaryAuditLogReader('-interactive')
Binary Audit Log Reader

Binary Audit Log Reader Command

*File name of the Binary Audit log (fileName): /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log
Report mode selection (reportMode): basic
Event(s) filter (eventFilter):
Outcome(s) filter (outcomeFilter):
Sequence filter (sequenceFilter):
Timestamp filter (timeStampFilter):
Key Store Password (keyStorePassword):
*Output HTML file location (outputLocation): /home/steve/Documents/basicAuditReport.html
Data points to report (dataPoints):

Binary Audit Log Reader

F (Finish)
C (Cancel)

Select [F, C]: [F] F
WASX7278I: Generated command line: AdminTask.binaryAuditLogReader([-fileName /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log -reportMode basic -outputLocation /home/steve/Documents/basicAuditReport.html ])
true
wsadmin>


7. Creating an event filter


Now open the WebSphere Administrative console as security_auditor, the user who holds the Auditor administrative role, to create a new Event Type filter. An Event Type filter represents a type of security event and, when added to both an Audit Event Factory and an Audit Service Provider, allows that event to be sent to the audit log. WebSphere comes with four Event Type filters pre-configured.

Expand Security in the Navigation pane. Click Security auditing. Click Event type filters under Related Items.

Enabling Verbose Auditing will result in additional information being written to the audit log for every event.

Click the New button.


Give a name to the Event Type filter. Select the type of event, say SECURITY_AUTHZ. Select the type of outcome, say DENIED. Click the OK button.


Click Save hyperlink


7a. Configuring Audit Service Provider


The Audit Service Provider is a key component to be configured. This controls the security audit log file rotation policy as well. The event type filter created in the previous step has to be added to the Audit Service Provider to allow the events represented by the event type filter to be written to the audit log.

Open the Administrative console as Auditor. Expand Security in the Navigation pane. Click the Security Auditing hyperlink. Click Audit service provider under Related Items.


An Audit service provider is already pre-configured.

Click the existing Audit service provider.


You will find the new Event Type filter under Selectable Filters.

Select it and click on the right arrow to move it to the Enabled Filters section. Click the OK button.

Click Save hyperlink

7b. Configuring Audit Event Factory


The Audit event factory is responsible for receiving the audit event messages, creating event objects from them and forwarding those objects to the Audit Service Provider. So, in a way, the Audit service provider is dependent on the Audit event factory object.

Open the Administrative console as Auditor. Expand Security in the Navigation pane. Click Audit event factory configuration.

Click on the pre-configured Audit event factory object.


Select the Event type filter created earlier. Click the right arrow to move it from Selectable filters to Enabled filters. Click the OK button.


Click Save hyperlink

Restart the Application server. Try to stop the server using the Auditor credentials.


Notice that the message "ADMN0022E: Access is denied for the stop operation on Server MBean because of insufficient or empty credentials" is displayed on the command line.

steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./stopServer.sh server1 -username security_auditor -password websphere
ADMU0116I: Tool information is being logged in file /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/stopServer.log
ADMU0128I: Starting tool with the appsrv01 profile
ADMU3100I: Reading configuration for server: server1
ADMU0111E: Program exiting with error: javax.management.JMRuntimeException: ADMN0022E: Access is denied for the stop operation on Server MBean because of insufficient or empty credentials.
ADMU4113E: Verify that username and password information is correct. If running tool from the command line, pass in the correct -username and -password. Alternatively, update the <conntype>.client.props file.
ADMU1211I: To obtain a full trace of the failure, use the -trace option.
ADMU0211I: Error details may be seen in the file: /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/stopServer.log
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$

Open the audit log using a text editor. Note the SECURITY_AUTHZ event written to the audit log.


8. Signing your security audit records


The audit log can be digitally signed to make it tamper-proof. When the log is digitally signed, it is also Base-64 encoded, which makes it impossible to read through a text editor without decoding it back. So the only way to read a digitally-signed audit log is by generating an HTML report using the binaryAuditLogReader tool.

Open the Administrative console as Auditor. Expand Security in the Navigation Pane. Click on Security Auditing. Click on Audit record signing configuration under Related Items.

Check Enable signing. Select a managed keystore (accept the default value).

Select default for Certificate alias. Click the OK button.

Click the Save hyperlink. Restart the application server.


Open the audit log (found under <profile_root>/logs/<server_name>).

Note: The certificate information used to sign the log is written under the Signing_information element. Also note that each event is now Base-64 encoded.


Generate an HTML report and check whether you are still able to see the events.

steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./wsadmin.sh -lang jython -username security_auditor -password websphere
WASX7209I: Connected to process server1 on node node01 using SOAP connector; The type of process is: UnManagedProcess
WASX7031I: For help, enter: print Help.help()
wsadmin>AdminTask.binaryAuditLogReader('-interactive')
Binary Audit Log Reader

Binary Audit Log Reader Command

*File name of the Binary Audit log (fileName): /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log
Report mode selection (reportMode): basic
Event(s) filter (eventFilter):
Outcome(s) filter (outcomeFilter):
Sequence filter (sequenceFilter):
Timestamp filter (timeStampFilter):
Key Store Password (keyStorePassword):
*Output HTML file location (outputLocation): /home/steve/Documents/report.html
Data points to report (dataPoints):

Binary Audit Log Reader

F (Finish)
C (Cancel)

Select [F, C]: [F] F
WASX7278I: Generated command line: AdminTask.binaryAuditLogReader([-fileName /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log -reportMode basic -outputLocation /home/steve/Documents/report.html ])
true
wsadmin>quit
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$


9. Encrypting the Security Audit Log


The audit log can be encrypted to make the information unavailable to intruders. Configuration is a two-step process. In the first step, a keystore is configured with a digital certificate. In the second step, encryption is enabled using that keystore.

Digitally signing the audit log, encrypting the audit log and selecting several Event Types to be written to the log all take up CPU cycles. So evaluate your requirements carefully before enabling them, as otherwise they burden the CPU unnecessarily.

9a. Configuring keystore and certificate required for encryption

Open the Administrative Console and expand Security in the Navigation pane. Click Security auditing. Click Audit encryption key stores and certificates.


Click New.

Give a name to the keystore.



Enter the path where the keystore is to be created (enter <profile_root>/properties/AuditKeyStore.p12). Give a password for the keystore (you need to keep this password safe). Confirm the password by entering it again. Select PKCS12 as the keystore type. Click the OK button.

Click Save hyperlink

Click on the keystore created just now.


Click on the Personal certificates hyperlink under Additional Properties. Click the Create self-signed Certificate button (note that for production use, you need to get this certificate from a CA).


The encryption strength depends on the size of the key. The alias name is used to locate the certificate within the keystore.

Give an alias name. Select 1024 bits as the key size. Give a common name. Give the validity period for the certificate (accept the default value of 365 days). Click the OK button.


9b. Audit record encryption configuration


Expand Security in the Navigation Pane. Click the Security auditing hyperlink. Click Audit record encryption configuration under Related Items.

Check Enable Encryption. Select the keystore name from the drop-down. Select the alias name to locate the certificate within the keystore. Click the OK button.


Click Save hyperlink


Restart the application server. Open the audit log using a text editor.

Note that the encryption information is written to the audit log confirming that the audit log is encrypted.

To view the contents of the encrypted audit log, the binaryAuditLogReader tool can be used to decrypt and generate an HTML report. Notice that this time you need to provide the keystore password to successfully generate the HTML report.


steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$ sudo ./wsadmin.sh -lang jython -username security_auditor -password websphere
WASX7209I: Connected to process server1 on node node01 using SOAP connector; The type of process is: UnManagedProcess
WASX7031I: For help, enter: print Help.help()
wsadmin>AdminTask.binaryAuditLogReader('-interactive')
Binary Audit Log Reader

Binary Audit Log Reader Command

*File name of the Binary Audit log (fileName): /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log
Report mode selection (reportMode): basic
Event(s) filter (eventFilter):
Outcome(s) filter (outcomeFilter):
Sequence filter (sequenceFilter):
Timestamp filter (timeStampFilter):
Key Store Password (keyStorePassword): websphere
*Output HTML file location (outputLocation): /home/steve/Documents/reportDecrypted.html
Data points to report (dataPoints):

Binary Audit Log Reader

F (Finish)
C (Cancel)

Select [F, C]: [F] F
WASX7278I: Generated command line: AdminTask.binaryAuditLogReader([-fileName /opt/IBM/WebSphere/AppServer/profiles/apprv01/logs/server1/BinaryAudit_steve-H67N-USB3-B3Node01Cell_node01_server1.log -reportMode basic -keyStorePassword ***** -outputLocation /home/steve/Documents/reportDecrypted.html ])
true
wsadmin>quit
steve@steve-H67N-USB3-B3:/opt/IBM/WebSphere/AppServer/profiles/apprv01/bin$


Note: The usage of the binaryAuditLogReader is recorded as a SECURITY_RESOURCE_ACCESS event.
