Chapter 6. Auditing and troubleshooting 209
interfaces for submission of events. Such events can be denoted as auditable
using configuration options at the CEI server, in which case CEI stores them in a
CEI XML event store that meets the auditing requirements described previously.
The Common Auditing and Reporting Service component allows staging of data
from the CEI XML event store into report tables. IBM products and customers
can provide audit reports based on auditable events staged into such report
tables. The Common Auditing and Reporting Service component also supports
the lifecycle of auditable events, including archive, restore, and audit reports on
restored archives. It enables common reporting against auditable events from
different products and sources.

The first release of the Audit Infrastructure delivered by the IBM Tivoli Common
Auditing and Reporting Service is used by the Access Manager for e-business
product for submitting, storing, and reporting auditable security events.

Archiving and restoring audit data

The relational database schema of the CEI XML event store is externalized so
the audit data stored in it can be archived by customers using third-party archival
tools of their choice. The Common Auditing and Reporting Service provides an
XML store utility that aids customers in archiving and restoring audit data. Also,
the Common Auditing and Reporting Service supports staging of restored audit
data into report tables so that audit reports can be run against restored audit

Securing audit data

CEI emitter event interfaces are protected using J2EE declarative security to
ensure that only authenticated and authorized entities are allowed to use them.
Transmission of the Common Base security events to the CEI server can be
secured using SSL. Customers can protect access to the audit reports by using
the access control mechanism supported by the reporting tools. Customers also
need to protect the Common Auditing and Reporting Service XML event store
and the report tables using the access mechanisms provided by the database.
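
J2EE declarative security is expressed in the deployment descriptor rather than in code, so it can be checked offline. The following Python check is an added example, not IBM's code or the CEI descriptor: it assumes the protected interface is deployed as an EJB, and the bean names, role name and sample descriptor are constructed for illustration. It reports beans that can be invoked without a role check.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: bean and role names are hypothetical, not CEI's own.
SAMPLE = """<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>EmitterBean</ejb-name></session>
    <session><ejb-name>QueryBean</ejb-name></session>
    <session><ejb-name>AdminBean</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>eventSubmitter</role-name></security-role>
    <method-permission>
      <role-name>eventSubmitter</role-name>
      <method><ejb-name>EmitterBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>QueryBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

def audit_descriptor(xml_text):
    """Map each bean that lacks a role-based method-permission to a finding."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # tolerate namespaced (J2EE 1.4 style) descriptors
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {r.text.strip() for r in
                root.findall("assembly-descriptor/security-role/role-name")}
    findings, covered = {}, set()
    for perm in root.findall("assembly-descriptor/method-permission"):
        roles = {r.text.strip() for r in perm.findall("role-name")}
        for method in perm.findall("method"):
            bean = method.findtext("ejb-name").strip()
            covered.add(bean)
            if perm.find("unchecked") is not None:
                findings[bean] = "unchecked: no role check is applied"
            elif roles - declared:
                findings.setdefault(
                    bean, "undeclared role: " + ", ".join(sorted(roles - declared)))
    for name in root.findall("enterprise-beans/*/ejb-name"):
        if name.text.strip() not in covered:
            findings[name.text.strip()] = (
                "no method-permission: left to deployer or container default")
    return findings

if __name__ == "__main__":
    for bean, finding in sorted(audit_descriptor(SAMPLE).items()):
        print(f"{bean}: {finding}")
```

The check works per bean: one unchecked method is enough to flag the whole bean.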

The operational reports feature of the Common Auditing and Reporting Service
includes a number of compiled reports that give information about
security-related activities that occur on your system.

The compiled Crystal Reports provided with Common Auditing and Reporting
Service include audit event history, password change activity, authentication
event history, authorization event history, event details, resource access, and