About ActivID CMS Audit Events
The ActivID Credential Management System tracks all significant events that occur in the system. It answers the questions of who issued a device or a certificate, when, and for whom.
The audit events can be generated through the GUI or through the CCM (Card and Credential Management) API. In the context of ActivID CMS, an Application Programming Interface (API) is an external interface (for example, the CCM API) that makes it possible for applications not supported by HID Global to incorporate ActivID functionality.
Audit Data Format
Typically, an ActivID CMS audit trail is composed of a single global record and n individual audit records.
The single global record, also called the Audit Global Header, contains a global Message Authentication Code (MAC) that ensures the integrity of the records. If any records have been tampered with, the global MAC becomes invalid.
The individual audit records are stored in the Event table and represent a complete set of data characterizing each event and also include an individual MAC control.
When the audit trail is stored in a database, two tables are used – one for the global record, one for the individual audit records. For details of the content of each of these tables, see Audit Data Tables.
Audit Trail Management
As the audit trail is an essential element of the system’s security, it is necessary to actively maintain it.
You should back up the audit data regularly – as for any other critical data. Furthermore, its size can quickly increase, so you should regularly archive and reduce the data to only what you need to keep.
The following sections propose procedures for backing up and archiving audit data. However, they do not detail the tools to be used, as these depend on the database type used to store the audit records.
Backing Up the Audit Trail
You can back up the audit trail using standard database backup methods.
You should back up all the audit tables (Audit Global Header, Audit Header Count, Audit Records, Audit System Parameters, and Audit Secret Keys), and make sure that the Audit Global Header and Audit Records are in sync (that is, that the Global Header record corresponds exactly to the status of the record table).
If they are not in sync, the global MAC record will be invalid. Most modern database systems can handle this by backing up related tables together as one consistent set.
Archiving the Audit Trail
There are two ways to archive the audit data – either you archive the complete audit trail and restart a brand new one, or you archive the complete audit trail, remove the events from the database, and continue with the same trail.
Option 1: Archive the trail and restart a new one
- Stop the ActivID CMS server to make sure that no new records are added while you archive.
- Back up the audit tables (Audit Global Header, Audit Header Count, Audit Records, Audit System Parameters, and Audit Secret Keys).
- Delete the records of all the audit tables except for Audit Secret Keys.
- Restart the server to recreate a new audit trail.
Option 2: Archive the trail, empty the events, and continue with the same trail
- Archive the Global Header record.
- Archive the Audit Records referenced in the Global Header that you have just saved (that is, the records between ArchivedGlobalHeader.FirstEventNumber and ArchivedGlobalHeader.LastEventNumber).
- Delete those records from the database.
- Update the Global Header with the characteristics of the new 'running' audit trail (that is, GlobalHeader.FirstEventNumber = ArchivedGlobalHeader.LastEventNumber + 1 and GlobalHeader.MACseed = the MAC of the ArchivedGlobalHeader.LastEventNumber record).