Auditor Filter Properties Reference

(Not applicable to Online Data Proxy) Configure multiple resource classes when defining an auditor for a named security configuration.

Filter resource classes require a specific syntax. Based on that syntax, an audit token is supplied to the core CSI classes. This audit token identifies the source for core audit requests of operations, such as auditing the results for authorization decisions, authentication decisions, in addition to placing information such as active provider information into the audit trail. The audit records have their resource class prefixed by the prefix core. CSI core will able to audit a large number of items.

Syntax

Filter resource classes consist of one or more filter expressions that are delimited by parenthesis ( () ). Square brackets ([]) denote optional values. The syntax is:

[key1=value [,key2=value...]].

The allowed keys are: ResourceClass, Action, or Decision.

This table describes core auditable items:

Resource Class	Action	Description	Attributes
provider	activate	Called when a provider is activated by CSI. The Resource ID is the provider class name.	Generated unique provider identifier.
subject	authentication.provider	The result of a provider's specific authentication request. Depending on the other providers active, the actual CSI request for authentication may not reflect this same decision. Note: that this is not a provider-generated audit record. CSI core will generate this audit record automatically after receiving the provider's decision. The resource ID is not used.	Provider identifier Decision (yes, no) Failure reason (if any) Context ID
subject	authentication	The aggregate decision after considering each of the appropriate provider's authentication decisions. This record shares the same request identifier as the corresponding authentication.provider records. The resource ID is Subject identifier if authentication successful.	Decision (yes or no) Context ID
subject	authorization.role.provider	The result of a provider's specific role authorization request. The resource ID is the subject ID.	Provider identifier Decision (yes, no or abstain) Role name Supplied subject identifier (if different from context subject) Context ID
subject	authorization.role	The result of a resource-based authorization request. The resource ID is the subject ID.	Resource name The access requested Decision (yes, no or abstain) Supplied subject identifier (if different from context subject) Context ID
subject	authorization.resource	The aggregate decision authorization decision after considering each of the appropriate provider's authorization decision. The resource ID is the subject ID.	Resource name Access requested Decision (yes, no) Supplied subject identifier (if different from context subject) Context ID
subject	logout	Generated when an authenticated context is destroyed. The resource ID is the subject ID.	Context ID
profile	access	Issued when profile is explicitly accessed. The resource ID is the profile name.	Context ID Decision (success or not) Provider identifier that provided the profile attributes (if successful) Failure reason (if available)
profile	create.cipher	Issued when profile is accessed to create a cipher. The resource ID is the profile name.	Context ID Decision (success or not) Provider identifier that provided the profile attributes (if successful) Failure reason (if available)
profile	create.digest	Issued when profile is accessed to create message digest. The resource ID is the profile name.	Context ID Decision (success or not) Provider identifier that provided the profile attributes (if successful) Failure reason (if available)
profile	create.signature	Issued when profile is accessed to create signature. The resource ID is the profile name.	Context ID Decision (success or not) Provider identifier that provided the profile attributes (if successful) Failure reason (if available)
subject	modify.provider	The provider-level record issued for subject modification requests. The resource ID is the subject ID.	Provider identifier Decision Modified attributes Context ID
subject	modify	Aggregate, generated when a subject modification request is made. The resource ID is the subject ID.	Decision Modified attributes Context ID
subject	create.provider	Provider-level record issued for anonymous self registration requests. The resource ID is the subject identifier.	Provider identifier Decision Subject attributes
subject	create	Aggregate, generated when an anonymous self-registration request is made. The resource ID is the subject identifier.	Decision Subject attributes

Examples

Example 1 – enable auditing of all of the CSI core resource classes that involve a deny decision:
```
(ResourceClass=core.*,Decision=Deny)
```
Example 2 – enable auditing for all core resource classes where the action is not the subject modification action:
```
Resource=core.*,Action!=subject.modify.*)
```