There are two parts to enabling audit logging. The first is enabling the audit log itself, using the Enable/Disable radio buttons. The second part is enabling signed audit logging. This signs the audit log after every entry with a special signing certificate, as evidence that the log has not been tampered with. By default, the audit log is enabled, and audit log signing is disabled. After enabling logging, administrators can set which operations are recorded in the audit log. The loggable events are listed in Table 9.2, "Events Recorded to the Audit Log", and logging for these events can be added or removed from the audit log settings.
NOTE
Whenever the TPS audit logging configuration is changed, the TPS must be restarted for the changes to go into effect.
Table 9.2. Events Recorded to the Audit Log
AUDIT_LOG_STARTUP: The start of the subsystem, and thus the start of the audit function. This is always logged.
AUDIT_LOG_SHUTDOWN: The shutdown of the subsystem, and thus the shutdown of the audit function. This is always logged.
LOGGING_SIGNED_AUDIT_SIGNING: Shows changes in whether the audit log is signed. This is always logged.
AUTHZ_SUCCESS: Shows when a user is successfully processed by the authorization servlets.
AUTH_SUCCESS: Shows when a user successfully authenticates.
ENROLLMENT: Shows when a token is enrolled through the TPS.
UPGRADE: Shows when the applet on the token is upgraded.
AUTHZ_FAIL: Shows when a user is not successfully processed by the authorization servlets.
ROLE_ASSUME: A user assuming a role. A user assumes a role after passing through authentication … of administrator, auditor, and agent are tracked. Custom roles are not tracked.
PIN_RESET: Shows when the password used to access the token is reset.
AUTH_FAIL: Shows when a user does not successfully authenticate.
CONFIG_SIGNED_AUDIT: Records when any change is made to the configuration settings for the signed audit log.
FORMAT: Records when a token is formatted.
9.5. Conflicting Token Certificate Status Information
The TPS stores the complete history of each certificate's status, so that all changes in status can be reviewed. However, the status shown on the token is the last status of the certificate at the time the token was formatted, so the status of the certificates on the token may not immediately reflect the real status of the certificates. It is also possible to have multiple tokens with the same certificate information on them; the certificate status on these tokens can then become out of sync with the status information in the CA database. When viewing these tokens in the TPS agent's page, the certificate information can therefore be inconsistent.
For example, Token #1 has two certificates stored on it, an encryption certificate (Encrypt #1) and a signing certificate (Signing #1). If Token #1 is lost, then both of its certificates are revoked, so both Encrypt #1 and Signing #1 are marked as revoked. When the user is issued a new token, Token #2, then Encrypt #1 is recovered, and a new signing certificate, Signing #2, is issued. The status for the three certificates, then, is as follows: