Access Auditing

This chapter provides an introduction to auditing with DirX Access as the source of audit messages. You don’t need to set up a running DirX Access installation. Instead, we’ll work with sample data content that was produced by performing a run through the DirX Access tutorial.

The sections in this chapter will take you through a set of common Access auditing use cases. You need to have a working knowledge of DirX Access in order to understand this section.

About DirX Access Components

DirX Access consists of a set of components that can deliver audit information. You configure the level of audit information to be delivered in the DirX Access environment (for details, see the DirX Access documentation). The most important DirX Access components with regard to producing audit information include:

  • Authentication Service - validates authentication credentials and creates internal subject representations.

  • Authorization Service - performs authorization (decision making, subject attribute finder, policy finder).

  • Configuration Service - manages persistent configuration objects.

  • FederationService - issues SAML tokens.

  • PolicyService - manages persistent authorization policies (policy making).

  • SSO Service - manages SSO token representation of internal subjects.

  • User Service - manages persistent user data.

Analyzing Access Actions

In these exercises, we’ll demonstrate how to analyze information about various user sessions using the Dashboard, Audit analysis, and Report views.

Exploring the Access Audit Trail with the Dashboard

To analyze access actions with the Dashboard:

  • In the DirX Audit Manager main page, select the Dashboard tab, if not already selected.

  • Examine the Authentication succeeded and failed audit events by month component.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Click OK. The chart is recalculated. It contains aggregated data for authentication actions from all sources; that is, for DirX Access and DirX Identity in our case.

  • Drill down to audit events of the Failed authentication action in October 2022. Order the result table by the When column in ascending order. We can see several unsuccessful authentication events from various users with different authentication methods. You can use this dashboard component to quickly access a list of failed authentications for a selected period.

  • Click image2 to return to the Dashboard view.

Now we’ll examine the Authorization succeeded and failed audit events by month component in the same way:

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Click OK. The chart is recalculated.

  • Drill down to Succeeded authorization audit events in October 2022. Order the result table by the When column in ascending order. The sample messages visible in the drill down represent a collection of AuthorizationServiceDecisionMaking events from the PDP (Policy Decision Point), both Permit and Not Applicable decisions. The Deny decisions are included in the Failed bar of the chart (so they are not visible in the current drill down view).

  • Click image2 to return to the Dashboard view.

If you want to see authentication according to the method used to authenticate, you can use the Authentication total audit events by month and authentication method component:

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Click OK. The chart is recalculated. This component provides an overview of all authentication methods used in the selected period, which can be useful for identifying the methods most commonly used to authenticate or possibly some exceptional or rarely used methods. There are a number of samples, ranging from Basic and Form to RFC, OAuth and X509 authentications.

Analyzing Access Actions with the Audit analysis

In this exercise, we’ll analyze who accessed the audited applications with the Audit analysis:

  • Select the Audit analysis tab in the DirX Audit Manager main page.

  • In Source, select DirX Access.

  • In Operation, enter Login.

  • Click Search. You’ll receive 14 audit events in the result table.

  • Order the result table by the When column in ascending order.

Now we’ll use Audit analysis to examine some decisions that the AuthorizationServiceDecisionMaking component has made:

  • In Source, select DirX Access.

  • For Operation, use the Autocomplete component for the filter field and enter Authorization. You can change the component for value presentation manually by clicking image1 or image3. Note that the autocomplete feature adds suggestions for all available authorization messages: Authorization - Deny, Authorization - Not applicable, Authorization - Permit.

  • Click Search. You’ll receive 10 audit events in the result table. Let’s examine one of the messages with the Permit decision in more detail.

  • Order the result table by the Operation column in ascending order. You’ll see some messages with the result Permit in the Operation column, some with the result Deny and others with the result Not Applicable. Analyze one of the messages with the result Permit.

  • Click the Show Details icon to display details of one of the messages with the Authorization - Permit operation.

  • Expand the What area where you can see the resource that the user tried to access.

  • The information about the user is stored in the Who field.

  • Close the details pop-up window.

Evaluating Related/Session Events

Next, we’ll explore how to display all events from one user session. All of these actions were triggered by the same user in between their logging in and out:

  • In Source, select DirX Access.

  • In Operation, enter Login.

  • In Who, enter Willa Sy.

  • Click Search. Five login events for Willa Sy are displayed.

  • Click the Show Related Events icon for the login event with the InitAuthnForm in What Type. This action retrieves all related events: events which were stored for the same user within the same session; that is, a list of messages with the same subject identifier. Order the result table by the When column in ascending order. You will first see the login, then an authorization event, a failed login, and also a logout event.

  • Click Back.

The tutorial sample data contains related messages only for some events. Other events are taken from different sessions, so when you click the Show Related Events icon for them, the related session events may or may not be displayed.

Exporting Audit Event Data

When you perform a search with Audit analysis, you can export the resulting audit events to a file and/or send them via email. Let’s run a report on the results of the search you just ran:

  • In the filter definition area, click Report. A pop-up dialog opens.

  • In Template, select EventMonitorAll.

  • In Format, select PDF.

  • In Encoding, select UTF-8.

  • In Rows, type 0 to export all records.

  • Click Export.

A new tab opens with the list of audit events that correspond to the search criteria.

Reviewing Access Activities with Reports

Finally, we’ll create a logins report, which is useful for providing a regular overview of access activities for each user:

  • In the DirX Audit Manager main page, click the Reports tab.

  • Add a new report set and then name it and describe it in Name and Description.

  • Add a new report file. Enter the Login tag in Tags or select this tag from the list. This action filters the list of reports to display only the seven login reports.

  • Select the Total Sum of Logins report from the list of reports by clicking on the name in the list.

  • The Report scope dialog opens for you to define the report’s parameters. In the When section, select Any time.

  • In the Source section, select Name in Identifying Attributes and then click Search. Check DirX Access and then click Add to copy it to the Selected table.

  • Uncheck Failed only to be able to view both successful and failed logins.

  • Click Finish to stop adding new reports to the file. Name the report file Logins by user and select PDF in Format.

  • Click OK.

  • In the Schedule tab, set the report set’s schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then click Save.

Open the attachment in the email you receive and examine the report.

There are six other login reports available: Total sum of logins by date / month and authentication type / authentication method / authentication method type. Try running one or more of these reports (creating, adding, defining and saving them based on the steps you just ran through) to receive more detailed information on logins from the point of view of your selection.

You may notice a difference in event numbers if you compare any login report with the Dashboard chart on authentications. The reason is that the Dashboard chart includes both login and logout events, while reports contain only login events. By default, the Dashboard chart also contains both DirX Identity and DirX Access logins (although you can filter this by using the Dimension filter in the respective Dashboard component). We filtered only DirX Access logins for our Total Sum of Logins report.
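As an added example (not DirX Audit code or data), the following Python models the rules this chapter describes for the Audit analysis search, the Show Related Events action (same subject identifier, ordered by When), the Dashboard authorization bars (Deny in Failed, Permit and Not applicable in Succeeded) and the login count difference between the Dashboard chart and the Total Sum of Logins report. The events are constructed, so their counts differ from the tutorial sample data; the field names and the subject identifier are assumptions modelled on the views shown above.

```python
# Constructed sample events modelled on the fields the Audit analysis view shows
# (Source, Operation, Who, What, When) plus a result and the subject identifier
# that Show Related Events groups on. Not DirX Audit data or code.
FIELDS = ("when", "source", "operation", "who", "what", "result", "subject")
RAW = [
    ("2022-10-03T08:02:00", "DirX Access", "Login", "Willa Sy", "InitAuthnForm", "Failure", "s-100"),
    ("2022-10-03T08:01:00", "DirX Access", "Login", "Willa Sy", "InitAuthnForm", "Success", "s-100"),
    ("2022-10-03T08:10:00", "DirX Access", "Logout", "Willa Sy", "InitAuthnForm", "Success", "s-100"),
    ("2022-10-03T08:01:05", "DirX Access", "Authorization - Permit", "Willa Sy", "/app/reports", "Permit", "s-100"),
    ("2022-10-04T09:00:00", "DirX Access", "Login", "Willa Sy", "Basic", "Success", "s-101"),
    ("2022-10-04T09:30:00", "DirX Access", "Authorization - Deny", "Ann Example", "/app/admin", "Deny", "s-102"),
    ("2022-10-04T09:31:00", "DirX Access", "Authorization - Not applicable", "Ann Example", "/app/public", "Not applicable", "s-102"),
    ("2022-10-05T10:00:00", "DirX Identity", "Login", "Admin", "Form", "Success", "s-200"),
    ("2022-10-05T10:05:00", "DirX Identity", "Logout", "Admin", "Form", "Success", "s-200"),
]
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

def search(events, **criteria):
    """Audit analysis filter: every given field must match; result ordered by When ascending."""
    hits = [e for e in events if all(e[k] == v for k, v in criteria.items())]
    return sorted(hits, key=lambda e: e["when"])

def related_events(events, event):
    """Show Related Events: every event that carries the selected event's subject identifier."""
    return search(events, subject=event["subject"])

def authorization_bars(events, month):
    """Dashboard authorization chart for one month (YYYY-MM): Permit and Not applicable land in Succeeded, Deny in Failed."""
    bars = {"Succeeded": 0, "Failed": 0}
    for e in events:
        if e["when"].startswith(month) and e["operation"].startswith("Authorization"):
            bars["Failed" if e["result"] == "Deny" else "Succeeded"] += 1
    return bars

def dashboard_authentication_count(events):
    """Dashboard authentication chart: Login and Logout events from every source."""
    return sum(1 for e in events if e["operation"] in ("Login", "Logout"))

def login_report_count(events, source=None, failed_only=False):
    """Total Sum of Logins report: Login events only, optionally restricted to one source and to failures."""
    return sum(1 for e in events if e["operation"] == "Login"
               and (source is None or e["source"] == source)
               and (not failed_only or e["result"] == "Failure"))
```

Running `related_events` on the first Willa Sy login reproduces the session order the tutorial describes (login, authorization, failed login, logout), and the two count functions show why the Dashboard total exceeds the report total.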