
Monitoring, Logging & Auditing Requirements – TAM



Presentation Transcript


  1. Monitoring, Logging & Auditing Requirements – TAM
     Sunil K Verma, Barclays

  2. Overview
     • The purpose of this presentation is to understand and define the monitoring, logging and auditing requirements for Tivoli Access Manager (TAM), based on industry practice.

  3. Definition
     • Monitoring
     • Logging
     • Auditing

  4. Similarities & Difference

     Similarities (Monitoring and Auditing):
     1. Continuous process
     2. Support Business Processes

     Differences:

     | # | Monitoring | Auditing |
     |---|------------|----------|
     | 1 | Quality Control | Quality Assurance |
     | 2 | Capture real time data | Analyze captured data |
     | 3 | Do not "audit" operations | Do not "monitor" operations |
     | 4 | Sole responsibility of the Org | Done by Regulatory body along with Org |

  5. Logging Vs. Auditing

     Auditing:
     • capture for auditing purpose
     • define which audit control
     • control statistics
     • approach
     • native auditing
     • common audit service

     Logging:
     • capture for diagnostic purpose
     • types of events to capture
     • when events are captured
     • where to write these events

  6. Monitoring Requirements
     • Process Availability
     • File System Usage
     • CPU & Memory Usage
     • Request log Monitoring
     • WebSEAL log file monitoring
     • Core file generation
     • Certificate Expiration
     • WebSEAL threads
     • Application Response time
     • WebSEAL throughput

  7. Logging Requirements
     • Log generation
     • Log transmission
     • Log storage and disposal
     • Log analysis

  8. TAM Logging
     • WebSEAL HTTP Logging
         • request.log
         • agent.log
         • referer.log
     • Server message logging
         • msg_pdmgrd_utf8.log
         • msg_pdacld_utf8.log
         • msg_webseald.log
     • Server specific tracing
         • Runtime: %PD_HOME%/etc/routing
         • Policy server: %PD_HOME%/etc/pdmgrd_routing
         • Authorization server: %PD_HOME%/etc/pdacld_routing
         • WebSEAL server: %PD_WEB%/etc/routing

  9. Contd. Sample logging configuration parameters

         [logging]
         server-log = /var/pdweb/log/msg_webseald.log
         max-size = 2000000
         flush-time = 20
         requests = yes
         requests-file = /var/pdweb/log/request.log
         referers = yes
         referers-file = /var/pdweb/log/referer.log
         agents = yes
         agents-file = /var/pdweb/log/agent.log
         gmt-time = yes

  10. Auditing Requirements

      Security events:
      • All successful and failed logins
      • Privileged account logon and activities
      • Creation, modification and deletion of TAM accounts
      • Changes to access permission
      • Changes to TAM configurations
      • Unauthorised manipulation of audit & logs
      • Use of shared or group accounts

  11. Contd.

      Security events must include:
      • date and time (including time zone information)
      • username identifier
      • result (success or failure) of the event

      Audit log protection:
      • Alteration
      • Destruction
      • Tampering

  12. Contd.

      TAM Native audit event types:
      • audit.authz: Authorization events for WebSEAL servers
      • audit.azn: Authorization events for base servers
      • audit.authn: Authentication, credential acquisition authentication, password change, and logout events
      • audit.authn.successful: Successful authentication
      • audit.authn.unsuccessful: Failed authentication credential acquisition
      • audit.http: HTTP access events
      • audit.http.successful: Successful HTTP access events
      • audit.http.unsuccessful: Failed HTTP access events
      • audit.mgmt: Management events
      • http.ref: HTTP Referer header information
      • http.agent: HTTP User Agent header information
      • http.clf: HTTP request information in common log format

  13. Thank You.
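
Slide 11 requires every security event to carry a time stamp with time zone, a username identifier and a result, and slide 12 notes that HTTP request information is logged in common log format. The check below is an added example, not part of the original presentation: it applies those three requirements to common-log-format lines and counts failed requests per user. It assumes the standard CLF field layout; the sample lines are constructed and the function names are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Common log format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')

# Constructed sample lines, not taken from a real request.log.
SAMPLE = """\
192.0.2.10 - alice [12/Mar/2024:09:15:02 +0000] "GET /app/home HTTP/1.1" 200 5120
192.0.2.11 - bob [12/Mar/2024:09:15:07 +0000] "GET /app/admin HTTP/1.1" 403 312
192.0.2.11 - bob [12/Mar/2024:09:15:09 +0000] "GET /app/admin HTTP/1.1" 403 312
192.0.2.12 - - [12/Mar/2024:09:15:11 +0000] "GET /app/home HTTP/1.1" 401 0
192.0.2.13 - carol [12/Mar/2024:09:15:20] "GET /app/home HTTP/1.1" 200 5120
this line is truncated
"""

def check_line(line):
    """Return (record, problems); record is None when the line does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None, ["unparseable"]
    rec, problems = m.groupdict(), []
    try:
        # %z demands an explicit UTC offset, so a missing time zone is caught.
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        problems.append("timestamp malformed or without time zone")
    if rec["user"] == "-":  # request not attributed to any user
        problems.append("no username identifier")
    # Assumption: any 4xx/5xx status counts as a failed event.
    rec["result"] = "failure" if int(rec["status"]) >= 400 else "success"
    return rec, problems

def audit(text):
    """Return (incomplete records, failed-request count per user)."""
    incomplete, failures = [], Counter()
    for n, line in enumerate(text.splitlines(), 1):
        rec, problems = check_line(line)
        if problems:
            incomplete.append((n, problems))
        if rec and rec["result"] == "failure":
            failures[rec["user"]] += 1
    return incomplete, failures

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Records flagged as incomplete cannot serve as audit evidence as they stand; the per-user failure counts are the input a threshold alert would use.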
