DefaultAuditFilter Properties

The audit filter component configures the resource classes for which the audit records should be routed to the associated destination.

Filter resource classes require a specific syntax. The audit token identifies the source for core audit requests of operations, such as auditing the results for authorization and authentication decisions, in addition to placing information such as active provider information into the audit trail. The audit records have their resource class prefixed by the prefix core. The CSI core is able to audit multiple items.

DefaultAuditFilter Configuration Properties

The property name default value description is:

(1)caseSensitiveFiltering false set to true to use case sensitivity when matching resource classes and actions
(2)filter 
default value="(ResourceClass=core.subject,Action=authorization.role)(ResourceClass=core.subject,Action=authorization.resource)
(ResourceClass=core.subject,Action=authentication)(ResourceClass=core.subject,Action=logout)(ResourceClass=core.profile)
(ResourceClass=providers.*)(ResourceClass=clients.*)"
description = the filter string that determines whether an audit record should be written out to the audit destination.

Syntax

Filter resource classes consist of one or more filter expressions that are delimited by parenthesis ( () ). Square brackets ([]) denote optional values. The syntax is:

[key1=value [,key2=value...]].

The allowed keys are: ResourceClass, Action, or Decision.

This table describes core auditable items:
Resource Class Action Description Attributes
provider activate Called when a provider is activated by CSI. The resource ID is the provider class name. Generated unique provider identifier.
subject authentication.provider The result of a provider's specific authentication request. Depending on the other providers active, the actual CSI request for authentication may not reflect this same decision.

This resource class is not a provider-generated audit record. CSI core generates this audit record automatically after receiving the provider's decision. The resource ID is not used.

  • Provider identifier
  • Decision (yes or no)
  • Failure reason (if any)
  • Context ID
subject authentication The aggregate decision after considering each of the appropriate provider's authentication decisions. This record shares the same request identifier as the corresponding authentication provider records. The resource ID is the subject identifier if authentication is successful.
  • Decision (yes or no)
  • Context ID
subject authorization.role.provider The result of a provider's specific role authorization request. The resource ID is the subject ID.
  • Provider identifier
  • Decision (yes, no or abstain)
  • Role name
  • Supplied subject identifier, if different from context subject
  • Context ID
subject authorization.role The result of a resource-based authorization request. The resource ID is the subject ID.
  • Resource name
  • Access requested
  • Decision (yes or no)
  • Supplied subject identifier, if different from context subject
  • Context ID
subject logout Generated when an authenticated context is destroyed. The resource ID is the subject ID.
  • Context ID
subject create.provider Provider-level record issued for anonymous self-registration requests. The resource ID is the subject identifier.
  • Provider identifier
  • Decision
  • Subject attributes
subject create Aggregate, generated when an anonymous self-registration request is made. The resource ID is the subject identifier.
  • Decision
  • Subject attributes
subject authorization.resource The aggregate authorization decision, which is made after considering each of the appropriate provider's result. The resource ID is the subject ID.
  • Resource ID
  • Access requested
  • Decision (yes or no)
  • Subject ID supplied, if different from context subject
  • Context ID

Examples