Auditing
ActivID AS maintains a secure, tamper-evident audit log of all authentication, administration, and authorization requests.
The audit log entries contain a complete set of data to enable a compliance-oriented view of system activities, including action, system user, end user, channel, date, time, and outcome.
All permissions that modify the ActivID AS data are written to an audit log. These include:
- Initial configuration of ActivID AS
- Data administration activities (for example, modifying access privileges of users such as supervisors)
- User and authenticator management
In addition, all authentication requests are written to the audit log.
For situations where the action was carried out by a direct user on behalf of an indirect user, the identifiers of both users are recorded.
Audit functions are not specific to a particular authentication class, although the parameters recorded in the audit log will vary by authentication class. For example, an entry for a device authentication request will include the device serial number, whereas an entry for a Security Questions authentication will include the prompt codes.
ActivID AS records all API calls in an audit log, which is stored in the ActivID AS database along with the ActivID AS configuration data.
Online audit data can be viewed using the ActivID Management Console.
Archived audit data and logs can also be used to Generate Audit Log Reports for Forensics.
The FTRESSAUDITLOG CSV files are structured as follows:
Name | Data type | Max length | Description |
---|---|---|---|
SEQUENCEGENERATORID | NUMBER | 28 | Unique ID of the sequence number generator for a given row of data |
SEQUENCEGENERATORPOOLNAME | VARCHAR2 | 20 | The name of the pool from which the sequence generator is used |
SEQUENCENUMBER | NUMBER | 28 | The sequence number for a row of data |
TIMESTAMP | NUMBER | 28 | Date/time of audit entry |
MESSAGE | VARCHAR2 | 100 | Free text field used to store additional information in exceptions |
RESPONSE | VARCHAR2 | 50 | Indicates if the authentication request succeeded or failed. This field is only populated for authentication requests |
PARAMETERS | VARCHAR2 | 3000 | Contains additional parameter values specific to the action |
USERID | NUMBER | 28 | ID of the direct user who executed the action |
TARGETUSERID | NUMBER | 28 | ID of the user on whom the action was executed |
STATUS | VARCHAR2 | 30 | Indicates if the call successfully completed. Note that a failed authentication is still a successfully completed call |
SESSIONID | VARCHAR2 | 100 | Session ID of the direct user who executed the action |
INDIRECTSESSIONID | VARCHAR2 | 100 | Session ID of the indirect user. This field is only populated for indirect user authentications and logouts |
CHANNEL | VARCHAR2 | 30 | Channel over which the action was requested |
CORRELATIONID | VARCHAR2 | 200 | Identifier of the process it was done from a remote system |
CORRELATIONTYPE | VARCHAR2 | 10 | Type of process it was done from a remote system |
HOSTADDRESS | VARCHAR2 | 512 | Hostname or the IP address of the remote system |
EVENTTYPE | VARCHAR2 | 10 | Type of event that is audited. For the internal audit, this is '4TRESS' |
EVENTID | VARCHAR2 | 50 | Identifier of the event that is audited. The name of the function that was called (for example, primaryAuthenticateDevice) is added as the 'action' |
ENTITYTYPE | VARCHAR2 | 10 | Type of object that is audited from the remote system |
ENTITYID | VARCHAR2 | 20 | Identifier of the object that is audited from the remote system |
DIRECTEXTREF | VARCHAR2 | 255 | External Reference ID of the direct user who is executing the action |
INDIRECTEXTREF | VARCHAR2 | 255 | External Reference ID of the indirect user on whom the action is being executed |
AUTHTYPECODE | VARCHAR2 | 10 | Authentication type code, applicable for authentication and administrative activities that relate directly to a specific authentication type |
OBFUSCATED | CHAR | 1 | Indicates if this event is anonymized (tokenized for GDPR) |
AUDITSIGNATURE | VARCHAR2 | 1000 | Cryptographic row signature of audit record |
TEXT1/TEXT2 …/TEXT10 | VARCHAR2 | 100 | Additional fields containing information provided from the remote system that is audited |
It is recommended that the FTRESSAUDITLOG table is partitioned by range per day as described in the ActivID AS configuration guide for your database (available from the ActivID Customer Portal).
As the FTRESSAUDITLOG is partitioned based on timestamp, a partition is defined for each day of the month. This allows the queries to be more efficient when using search period criteria based on day.
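When reviewing an exported FTRESSAUDITLOG CSV, the STATUS and RESPONSE columns have to be read together, because a failed authentication is still a successfully completed call. The following sketch is an added example, not ActivID AS code: it assumes a comma-delimited export with a header row, and the literal values `FAILED`/`SUCCESS`, the channel names, `sampleAdminAction` and the sample rows are constructed for illustration and may differ from what a deployment writes.

```python
import csv
import io
from collections import Counter

# Constructed sample export. The header row, comma delimiter, epoch-style
# TIMESTAMP and the literal RESPONSE/STATUS/CHANNEL values are assumptions;
# only the column names and primaryAuthenticateDevice come from the page.
SAMPLE_CSV = """\
SEQUENCENUMBER,TIMESTAMP,EVENTID,RESPONSE,STATUS,USERID,TARGETUSERID,CHANNEL,HOSTADDRESS
101,1700000000000,primaryAuthenticateDevice,FAILED,SUCCESS,7,7,WEB,192.0.2.10
102,1700000001000,primaryAuthenticateDevice,FAILED,SUCCESS,7,7,WEB,192.0.2.10
103,1700000002000,primaryAuthenticateDevice,SUCCESS,SUCCESS,7,7,WEB,192.0.2.10
104,1700000003000,sampleAdminAction,,SUCCESS,3,7,ADMIN,192.0.2.20
105,1700000004000,primaryAuthenticateDevice,,FAILED,9,9,WEB,192.0.2.30
106,1700000005000,primaryAuthenticateDevice,FAILED,SUCCESS,3,8,HELPDESK,192.0.2.20
"""


def classify(row, failed_value="FAILED", ok_status="SUCCESS"):
    """Label one audit row: call_error, non_auth, auth_failed or auth_ok."""
    if row["STATUS"] != ok_status:
        return "call_error"   # the call itself did not complete
    if not row["RESPONSE"]:
        return "non_auth"     # RESPONSE is only populated for authentications
    return "auth_failed" if row["RESPONSE"] == failed_value else "auth_ok"


def summarize(csv_text, threshold=2):
    """Count failed authentications per (target user, host); list other findings."""
    failures = Counter()
    call_errors, on_behalf = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row)
        if kind == "auth_failed":
            failures[(row["TARGETUSERID"], row["HOSTADDRESS"])] += 1
        elif kind == "call_error":
            call_errors.append(row["SEQUENCENUMBER"])
        # Direct user differs from the user acted upon: keep for review.
        if row["USERID"] != row["TARGETUSERID"]:
            on_behalf.append(row["SEQUENCENUMBER"])
    flagged = {key: n for key, n in failures.items() if n >= threshold}
    return {"flagged": flagged, "call_errors": call_errors, "on_behalf": on_behalf}


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```

Filtering on STATUS alone would miss every failed authentication in the sample, since those rows all report a completed call.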