[Prev]

8 Enumeration of Audit Events

To understand the wealth of audit trail data we start by enumerating them all:

Session Events Channel:
1. Session creation (possibly even an anonymous session)
2. Session upgrade (e.g. SSO on an anonymous session, step-up auth)
3. Session refresh
4. Session termination
5. Session expiry
6. Session revival (if appropriate, could be used as a factor in authentication)
User Authentication Events Channel:
1. Positive
2. Failure with Retry
3. Definitive Failure
Token Issuing Channel:
1. Tokens issued with:
  1. Issuer
  2. Subject
  3. Audience
  4. Policy constraints
  5. Validity time and/or usage count
  6. General content of the token
2. Token validation at relying party
3. Token use, to the appropriate extent
4. Token revocation when applicable
Authorization Channel:
1. Az request parameters
2. Az decision returned
3. Obligations
4. Promises to respect obligations
Service Requester Channel:
1. Choice of Service Provider
  1. Discovery
  2. Hardwired choice of Service
  3. Automated or algorithmic Choice of Service
  4. Choice of Service solicited from the User
2. Trust negotiation steps
3. Consent to send data, consent points, how was the answer obtained (e.g. automatic vs. interaction)
4. Service Call event
  1. Signature preparation, including choice of signing key
  2. Log of content of the message
  3. Peer authentication
  4. Success or failure to send message
5. Service Call exception
  1. Redirect or end point change
  2. Recredentialing
  3. Interaction requested
  4. Replay after interaction
  5. Dry-run
6. Service Call Response
  1. Log of content of the message
  2. Peer authentication (usually by Request-Response pattern)
  3. Success or failure to receive message
7. Service Call Response exception
  1. Failures, as detailed on the Faults Channel
  2. Application layer success or failure
8. Obligations processing
  1. Presence of obligation
  2. Specific processing steps
  3. Failure to process obligation
Service Responder Channel:
1. Trust establishment and trust negotiation steps
2. Request Acceptance
3. Response filtering and authorization decision
4. Attachment of obligations
PII Collection Channel
PII Release Channel
User Registration Channel:
1. Register
2. Modify
3. Deregister
SP Registration Channel:
1. Register
2. Modify
3. Change of Control
4. Deregister
User Reputation Channel:
1. Explicit complaint or praise
2. Other events that affect reputation
Service Reputation Channel:
1. Explicit complaint or praise
2. Other events that affect reputation
Browsing Event Channel (usually not shared)
Faults Channel:
1. Malformed protocol message
2. Insufficient sec mech
3. Signature verification fault
  1. Malformed
  2. Crypto (public key or hash)
  3. Certificate validity (missing CA trust chain)
4. Inappropriate use
  1. Audience
  2. Constraints
5. Expired tokens
6. Replay of message or token
7. Unsolicited message
8. Missing database entry
9. Explicit fault report
DoS Channel:
1. Invocation frequency alert
2. Data volume alert
3. Explicit DoS report (e.g. from monitoring organizations)
Intrusion Detection System and Firewall ACL Channel:
1. Scan alert
2. Attack fingerprint alert
3. Firewall deny rule triggered
Operations monitoring Channel:
1. Server / Service
  1. Up
  2. Down
  3. Scheduled downtime
  4. Congested
  5. Retry
  6. Fail Over
Audit Operation Channel (very restricted circulation):
1. Undertaking audits
2. Outcomes of audit
Billing Event Channel
Customer Care Event Channel

[Prev | Next]