Access Auditing
This chapter provides an introduction to auditing with DirX Access as the source of audit messages. You don’t need to set up a running DirX Access installation. Instead, we’ll work with sample data content that was produced by performing a run through the DirX Access tutorial.
The sections in this chapter will take you through a set of common Access auditing use cases. You need to have a working knowledge of DirX Access in order to understand this section.
About DirX Access Components
DirX Access consists of a set of components to deliver comprehensive audit information. The level of audit information provided can be configured within the DirX Access environment (for details, see the DirX Access documentation). The following DirX Access components are capable of generating audit information:
- Application Repository Service – manages persistent configuration objects and authorization policies (policy making).
- Authentication Service – validates authentication credentials and generates internal subject representations.
- Authorization Service – performs authorization (decision making, subject attribute finder, policy finder).
- Federation Service – issues various federation tokens.
- SSO Service – handles SSO token representations for internal subjects.
- User Service – reads persistent user data.
Analyzing Access Actions
In these exercises, we’ll demonstrate how to analyze information about various user sessions using the Dashboard, Audit analysis, and Report views.
Exploring the Access Audit Trail with the Dashboard
To analyze access actions with the Dashboard:
- In the DirX Audit Manager main page, select the Dashboard tile, if not already selected.
- Examine the Authentications and Authorizations product dashboard.
- In When, select Any time. This sets the dashboard time filter to display all data for all dashlets without any time limitation.
- Once the charts are recalculated they will display the tutorial data. Focus on the Authentication succeeded and failed audit events by month dashlet. It contains aggregated data for both succeeded and failed authentication actions from all sources; that is, for DirX Access and DirX Identity in our case. Click the Maximize option in the dashlet Toggle menu (3 dots) to maximize the dashlet.
- Click the dashlet Toggle menu again and select Dashlet settings to open the editing dialog.
- Now scroll down to the Dataset section. In Fact, remove Series-1, which contains the Succeeded fact, by clicking the Delete icon.
- Click Update. The chart is recalculated and now shows only the few unsuccessful authentication actions from all sources. You can use this dashlet to quickly access a list of failed authentications for a selected period.
- Click the Restore button in the Toggle menu to return to the full dashboard and to show all dashlets again.
Now we’ll have a look at the Authorization succeeded and failed audit events by month dashlet. You can maximize it again. The sample messages visible in the chart represent a collection of AuthorizationServiceDecisionMaking events from the PDP (Policy Decision Point), both Permit and Not Applicable decisions. The Deny decisions are included in the Failed bar of the chart (so they are not visible in the current view due to the current Succeeded fact configuration).
If you want to see authentication according to the method used to authenticate, you can use the Authentication total audit events by month and authentication method dashlet. You can maximize it again. This chart provides an overview of all authentication methods used in the selected period, which can be useful for identifying the methods most commonly used to authenticate or possibly some exceptional or rarely used methods. There are a number of samples, ranging from Basic and Form to RFC, OAuth and X509 authentications.
- When you click on a legend item, its bar representation disappears from the chart. You can temporarily limit the displayed elements this way in order to focus on other ones if the chart contains a lot of items, as in this case.
Analyzing Access Actions with the Audit analysis
In this exercise, we’ll analyze who accessed the audited applications with the Audit analysis:
- Select the Audit analysis tile in the DirX Audit Manager main page.
- In When, select Any time.
- Add the Source filter. In Source, select DirX Access.
- In Event Operation, enter Login.
- Click Search. You’ll receive 14 audit events in the result table.
- Order the result table by the When column in ascending order.
Now we’ll use Audit analysis to examine some decisions that the AuthorizationServiceDecisionMaking component has made:
- In Source, select DirX Access.
- For Operation, use the Autocomplete feature for the filter field and enter Authorization. Note that the autocomplete feature adds suggestions for all available authorization messages: Authorization - Deny, Authorization - Not applicable, Authorization - Permit.
- Click Search. You’ll receive 10 audit events in the result table. Let’s examine one of the messages with the Permit decision in more detail.
- Order the result table by the Event Operation column in descending order. You’ll see some messages with the result Permit in the Operation column, one message with the result Deny, and several messages with the result Not Applicable. Analyze one of the messages with the result Permit.
- Click the Show details icon to display details of one of the messages with the Authorization - Permit operation.
- Expand the What area, where you can see the resource that the user tried to access.
- The information about the user is stored in the Who field.
- Click the Back button to return to the search results.
Exporting Audit Event Data
When you perform a search with Audit analysis, you can export the displayed audit events. Let’s run a report on the results of the search you have just executed:
- In the filter definition area, click the Report button. A pop-up dialog opens.
- In Template, keep the Standard preset.
- In Style, select a report color scheme of your choice or keep the default DirX Audit Deep blue.
- In Format, select PDF.
- In Action, you can choose whether to download the exported file or open it directly in the browser.
- Click Export.
A new tab opens with the exported report containing audit events from the current search results.
Reviewing Access Activities with Reports
Finally, we’ll create a logins report, which is useful for providing a regular overview of access activities for each user:
- In the DirX Audit Manager main page, click the Reports tile.
- Add a new report set and then name it and describe it in Name and Description.
- Add a new report file. Enter the Login tag in Tags or select this tag from the list. This action filters the list of reports to display only the nine login reports.
- Select the Total Sum of Logins report from the list of reports by clicking on the name in the list.
- The Report scope dialog opens for you to define the report’s parameters.
- In Template, keep the Standard preset.
- In Style, select a report color scheme of your choice or keep the default DirX Audit Deep blue. In the When section, select Any time.
- In the Source section, Name is selected in the first field (Identifying Attributes); click Search. Check DirX Access and then click + to copy it to the Selected table.
- Uncheck Failed only to be able to view both successful and failed logins.
- Click Create to add the configured report to the report file.
- Name the report file Logins by user and keep PDF in Format.
- Click Create to stop adding new reports to the file.
- In the Schedule tab, set the report set’s schedule to run As soon as possible and keep N/A in the End date field.
- In the Send to tab, enter your email address.
- Activate the report by checking the Inactive switch below the report set name and then click Create to finish setting up the report set.
Open the attachment in the email you receive and examine the report.
There are eight other login reports available: Total sum of logins by date / month and authentication type / authentication method / authentication method type, Total sum of logins by method type and Total sum of logins by method type in the Last 3 Months. Try running one or more of these reports (creating, adding, defining and saving them based on the steps you just ran through) to receive more detailed information on logins from the point of view of your selection.
You may notice a difference in event numbers if you compare any login report with the Dashboard chart on authentications. The reason is that the Dashboard chart includes both login and logout events, while reports contain only login events. By default, the Dashboard chart also contains both DirX Identity and DirX Access logins (although you can filter this by using the Dimension filter in the respective dashlet). We filtered only DirX Access logins for our Total Sum of Logins report.
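As an added illustration of the counting difference just described (this is example code written for this page, not part of DirX Audit or DirX Access), the following Python script reproduces both views over a small constructed set of audit events in a simplified, hypothetical schema: a dashlet-style count of succeeded and failed authentication events by month (login and logout, all sources unless a Dimension filter is applied) and a report-style count of logins by user restricted to one source with an optional Failed only switch.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events in a hypothetical simplified schema (not the
# real DirX Audit message format): source, operation, result, method, user, time.
EVENTS = [
    {"source": "DirX Access",   "op": "Login",  "result": "Succeeded", "method": "Form",  "user": "alice", "when": "2023-05-02T08:10:00"},
    {"source": "DirX Access",   "op": "Logout", "result": "Succeeded", "method": "Form",  "user": "alice", "when": "2023-05-02T17:02:00"},
    {"source": "DirX Access",   "op": "Login",  "result": "Failed",    "method": "Basic", "user": "bob",   "when": "2023-05-03T09:00:00"},
    {"source": "DirX Access",   "op": "Login",  "result": "Succeeded", "method": "X509",  "user": "bob",   "when": "2023-05-03T09:01:00"},
    {"source": "DirX Identity", "op": "Login",  "result": "Succeeded", "method": "Form",  "user": "carol", "when": "2023-05-04T10:30:00"},
    {"source": "DirX Identity", "op": "Logout", "result": "Succeeded", "method": "Form",  "user": "carol", "when": "2023-06-01T11:00:00"},
    {"source": "DirX Access",   "op": "Login",  "result": "Failed",    "method": "OAuth", "user": "dave",  "when": "2023-06-05T12:00:00"},
]

AUTH_OPS = {"Login", "Logout"}   # the dashboard chart counts both


def month_of(event):
    return datetime.fromisoformat(event["when"]).strftime("%Y-%m")


def dashboard_auth_by_month(events, sources=None, facts=("Succeeded", "Failed")):
    """Dashlet-style aggregation: Login and Logout events from all sources
    (or only `sources`, mimicking the Dimension filter), one series per fact.
    Passing facts=("Failed",) mirrors deleting the Succeeded series."""
    counts = Counter()
    for e in events:
        if e["op"] not in AUTH_OPS or e["result"] not in facts:
            continue
        if sources and e["source"] not in sources:
            continue
        counts[(month_of(e), e["result"])] += 1
    return dict(counts)


def logins_by_user_report(events, source="DirX Access", failed_only=False):
    """Report-style count (Total Sum of Logins): Login events only, a single
    selected source, and optionally only failed logins."""
    counts = Counter()
    for e in events:
        if e["op"] != "Login" or e["source"] != source:
            continue
        if failed_only and e["result"] != "Failed":
            continue
        counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("dashboard:", dashboard_auth_by_month(EVENTS))      # 7 events in total
    print("report:   ", logins_by_user_report(EVENTS))        # 4 logins in total
```

Summing the two results (7 versus 4 on this sample) shows the gap the paragraph above explains: two logout events and one DirX Identity login are counted by the dashlet but not by the report.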