Chapter 6. Auditing and troubleshooting
interfaces for submission of events. Such events can be denoted as auditable
using configuration options at the CEI server, in which case CEI stores them in a
CEI XML event store that meets the auditing requirements described previously.
The Common Auditing and Reporting Service component allows staging of data
from the CEI XML event store into report tables. IBM products and customers
can provide audit reports based on auditable events staged into such report
tables. The Common Auditing and Reporting Service component also supports
the lifecycle of auditable events, including archive, restore, and audit reports on
restored archives. It enables common reporting against auditable events from
different products and sources.
The first release of the Audit Infrastructure delivered by the IBM Tivoli Common
Auditing and Reporting Service is used by the Access Manager for e-business
product for submitting, storing, and reporting auditable security events.
Archiving and restoring audit data
The relational database schema of the CEI XML event store is externalized so
the audit data stored in it can be archived by customers using third-party archival
tools of their choice. The Common Auditing and Reporting Service provides an
XML store utility that aids customers in archiving and restoring audit data. Also,
the Common Auditing and Reporting Service supports staging of restored audit
data into report tables so that audit reports can be run against restored audit
data.
Securing audit data
CEI emitter event interfaces are protected using J2EE declarative security to
ensure that only authenticated and authorized entities are allowed to use them.
Transmission of the Common Base security events to the CEI server can be
secured using SSL. Customers can protect access to the audit reports by using
the access control mechanism supported by the reporting tools. Customers also
need to protect the Common Auditing and Reporting Service XML event store
and the report tables using the access mechanisms provided by the database.
6.2.2 Reporting
The operational reports feature of the Common Auditing and Reporting Service
provides a number of compiled reports that provide information about
security-related activities that occur on your system.
The compiled Crystal Reports provided with Common Auditing and Reporting
Service include audit event history, password change activity, authentication
event history, authorization event history, event details, resource access, and
server availability reports. The compiled reports format allows you to run reports
without having the Crystal Reports Designer installed on the system.
The following out-of-the-box reports are available:
• General Audit Event Details Report
Displays all information about a single auditable event denoted by the event
reference ID parameter. Typically a user runs this report after running other
reports and deciding that an event drill-down is needed.
• General Audit Event History
Displays the total number of auditable events for each event type during a
specified time period. It also shows all events of the specified event type and
product name sorted by the specified sort criterion and time stamp. This report
can be used for incident investigation and assuring compliance.
• Audit Event History by User
Displays the total number of events for a specified user during a specified time
period. It also presents a list of all events of the specified event type and
product name sorted by time stamp and grouped by session ID during the
time period. The purpose of this report is to investigate the activity of a
particular user during a specified time period.
• Failed Authentication History
Presents a list of all failed authentication events over the time period sorted
by specified sort criteria such as time stamp. This report can be used by an
administrator to investigate security incidents.
• Failed Authorization History
Lists all of the failed authorization events during a specified time frame.
• Locked Account History
Displays all of the accounts that have been locked during a specified time
period.
• User Password Change History
Displays events related to password changes done by the users themselves
during a specified time period.
• Administrator and Self-Care Password Change History
Displays events related to password changes done by the user and the
administrator during a specified time period.

Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0