Server: add Audit support for AuditSecurity event types

Description

Add partial support for Security AuditSecurity event types:

  • SecureChannel (Part 4 v1.05.04, §6.5.5): with reference to the Certificate Validation Error event if possible
  • Session (Part 4 v1.05.04, §6.5.6)
  • Certificate Validation Errors (Part 4 v1.05.04, indirect form §6.5.6): only implemented for SecureChannel certificate validation

Note: security audit events are not currently supported for certificate validation in X509 user authentication (see #1554)

Detailed description

How to activate this feature:

  • A new compilation option S2OPC_HAS_AUDITING shall be activated. It depends on S2OPC_EVENT_MANAGEMENT, which shall also be activated.
  • SOPC_CommonHelper_Initialize expects a new configuration parameter for audits, which defines which of the supported audit events are generated and whether audit entries are written to a log file
  • A client user shall hold the "SecurityAdmin" role to be able to receive the security audit events

Important note: the "SecurityAdmin" role shall be required, in the OPC UA namespace NodeSet, to receive the Audit event types (AuditSecurityEventType, AuditChannelEventType, etc.); otherwise security-relevant information might be disclosed to unexpected clients/users (see "Security impact" below).

What it activates:

  • The Auditing node (i=2994) boolean value is automatically set to true
  • Audit events are automatically generated with the standard "Server" node as notifier: a user holding the "SecurityAdmin" role is able to receive those events
  • (optional) Audit entry log traces are automatically written to a file in a JSON-like format, one entry per audit event (each entry limited to SOPC_LOG_MAX_USER_LINE_LENGTH characters)

This feature does not include

  • Audit of non-security-related events (Service, Discovery, etc.)
  • Management of user-defined subtypes of security event types (event types are hard-coded)

Code version identification

commit ddc9b796

Security impact

No security impact when role permissions are correctly configured.

Audit event types (AuditSecurityEventType, AuditChannelEventType, etc.) shall be configured with the "ReceiveEvents" permission granted only to the "SecurityAdmin" role (i=15704). Otherwise security information (certificate failure reason, connection failure reason, etc.) might become accessible to unexpected client users through the generated events.
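The requirement above is a property of the NodeSet rather than of the S2OPC code, so it is worth checking mechanically. The following is an added example, not code from the S2OPC project: it models one node's RolePermissions attribute, counts the roles other than SecurityAdmin that hold ReceiveEvents (each one is a path by which the failure reasons leak), and shows the weak configuration beside the hardened one. The PermissionType bit values, the role ids (SecurityAdmin i=15704 as quoted above, Anonymous i=15644, AuthenticatedUser i=15656) and the event type ids (AuditSecurityEventType i=2058, AuditChannelEventType i=2059) are taken from the OPC UA standard NodeSet; the structs, functions and sample configurations are the example's own and do not correspond to S2OPC types or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OPC UA PermissionType bits (Part 3); only the ones used in this example. */
#define PERM_BROWSE                (1u << 0)
#define PERM_READ_ROLE_PERMISSIONS (1u << 1)
#define PERM_READ                  (1u << 5)
#define PERM_RECEIVE_EVENTS        (1u << 11)

/* Well-known role NodeIds (ns=0) from the standard NodeSet. */
#define ROLE_ANONYMOUS          15644u
#define ROLE_AUTHENTICATED_USER 15656u
#define ROLE_SECURITY_ADMIN     15704u /* the role id quoted in the issue text */

/* Audit event type NodeIds (ns=0) from the standard NodeSet. */
#define NODE_AUDIT_SECURITY_EVENT_TYPE 2058u
#define NODE_AUDIT_CHANNEL_EVENT_TYPE  2059u

/* Minimal model of one entry of a node's RolePermissions attribute
 * (types of this example only, not S2OPC's). */
typedef struct
{
    uint32_t roleId;      /* numeric ns=0 NodeId of the role */
    uint32_t permissions; /* PermissionType bit mask */
} role_permission_t;

typedef struct
{
    uint32_t nodeId;
    const role_permission_t* rolePermissions;
    size_t nRolePermissions;
} event_type_config_t;

/* Number of roles other than SecurityAdmin holding ReceiveEvents on the node. */
size_t count_receive_events_leaks(const event_type_config_t* node)
{
    size_t leaks = 0;
    for (size_t i = 0; i < node->nRolePermissions; i++)
    {
        const role_permission_t* rp = &node->rolePermissions[i];
        if ((rp->permissions & PERM_RECEIVE_EVENTS) != 0 && rp->roleId != ROLE_SECURITY_ADMIN)
        {
            leaks++;
        }
    }
    return leaks;
}

/* True when SecurityAdmin itself may receive the events: a node that leaks to nobody
 * because nobody may receive events is not the intended configuration either. */
bool security_admin_receives_events(const event_type_config_t* node)
{
    for (size_t i = 0; i < node->nRolePermissions; i++)
    {
        const role_permission_t* rp = &node->rolePermissions[i];
        if (rp->roleId == ROLE_SECURITY_ADMIN)
        {
            return (rp->permissions & PERM_RECEIVE_EVENTS) != 0;
        }
    }
    return false;
}

/* Least-privilege fix: copy n entries from in to out, clearing ReceiveEvents for every
 * role except SecurityAdmin. Returns the number of entries that were changed. */
size_t harden_receive_events(const role_permission_t* in, role_permission_t* out, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++)
    {
        out[i] = in[i];
        if (in[i].roleId != ROLE_SECURITY_ADMIN && (in[i].permissions & PERM_RECEIVE_EVENTS) != 0)
        {
            out[i].permissions &= ~PERM_RECEIVE_EVENTS;
            changed++;
        }
    }
    return changed;
}

/* Constructed sample (weak): a NodeSet that hands ReceiveEvents to every role. */
static const role_permission_t weak_perms[] = {
    {ROLE_ANONYMOUS, PERM_BROWSE | PERM_RECEIVE_EVENTS},
    {ROLE_AUTHENTICATED_USER, PERM_BROWSE | PERM_READ | PERM_RECEIVE_EVENTS},
    {ROLE_SECURITY_ADMIN, PERM_BROWSE | PERM_READ | PERM_READ_ROLE_PERMISSIONS | PERM_RECEIVE_EVENTS},
};
const event_type_config_t weak_audit_channel = {NODE_AUDIT_CHANNEL_EVENT_TYPE, weak_perms, 3};

/* Constructed sample (intended): ReceiveEvents reserved to SecurityAdmin. */
static const role_permission_t tight_perms[] = {
    {ROLE_ANONYMOUS, PERM_BROWSE},
    {ROLE_AUTHENTICATED_USER, PERM_BROWSE | PERM_READ},
    {ROLE_SECURITY_ADMIN, PERM_BROWSE | PERM_READ | PERM_READ_ROLE_PERMISSIONS | PERM_RECEIVE_EVENTS},
};
const event_type_config_t tight_audit_security = {NODE_AUDIT_SECURITY_EVENT_TYPE, tight_perms, 3};

int main(void)
{
    role_permission_t fixed[3];
    size_t changed = harden_receive_events(weak_perms, fixed, 3);
    event_type_config_t fixed_node = {NODE_AUDIT_CHANNEL_EVENT_TYPE, fixed, 3};

    printf("weak  i=%u: %zu leaking role(s), SecurityAdmin receives: %d\n", weak_audit_channel.nodeId,
           count_receive_events_leaks(&weak_audit_channel), security_admin_receives_events(&weak_audit_channel));
    printf("fixed i=%u: %zu entries changed, %zu leaking role(s), SecurityAdmin receives: %d\n",
           fixed_node.nodeId, changed, count_receive_events_leaks(&fixed_node),
           security_admin_receives_events(&fixed_node));
    return count_receive_events_leaks(&fixed_node) == 0 ? 0 : 1;
}
```

The practical check is to run the same two functions over every audit event type the server exposes (the hard-coded subtypes mentioned above included), since the AuditEntryId, client certificate and failure reasons carried by those events are exactly the fields listed as sensitive in this section.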

Implementation

Public API changes

  • sopc_audit.h module is created to provide the audit configuration options and audit log entry access
  • sopc_event_helpers.h module is created to provide various helpers to fill event fields
  • SOPC_CommonHelper_Initialize expects a new configuration parameter for audits, which defines which of the supported audit events are generated
  • SOPC_Logger_* module is refactored: the security audit log entry is managed by the newly created SOPC_Audit module
  • SOPC_MIN_EVENT_NOTIFICATION_QUEUE_SIZE default value is now 100, to comply with UACTT test needs and because it is actually the maximum size of the queue

PKI API changes

  • SOPC_PKIProvider_CheckHostName (optional) returns the certificate hostname URL
  • SOPC_PKIProvider_CheckLeafCertificate / SOPC_PKIProviderInternal_ValidateProfileAndCertificate (optional) returns context on certificate validation failure

Internal API changes

  • SOPC_ServerInternal_TriggerAuditEvent is added to generate both an event and an audit entry in the log file
  • sopc_secure_channels_audit.h module is created to provide the internal API to generate audits from the secure channel layer code
  • SOCKET_LISTENER_CONNECTION / INT_EP_SC_CREATE events provide the peer IP/port of the connection, which might be used as the security audit entry id (when the one from the request header is not available)
  • SOPC_SecureChannel_Config now contains secureChannelId and clientAuditInfo fields for audit purposes
  • SC_InitNewConnection has a new parameter / SOPC_SecureConnection now contains altClientAuditInfo for audit purposes (alternative audit entry id)

Audit tests

  • faulty_packet.py implements unit tests for "CLO with BAD channelId" and "OPN, CreateSession, ActivateSession, CloseSession with BAD sessionId": expected result uses audit entry log
  • UACTT tests partially passed, analysis of failed tests is the following:
    • AASET-004.js : the SessionId is not provided when the session is closed (terminated by server or timeout), which is expected on S2OPC side as the session does not exist anymore. Providing it would require keeping track of previously created session tokens.
    • AASET-005.js : NOT IMPLEMENTED (UACTT)
    • ACSET-001.js : the expected timestamp is the current time when the request is sent, instead of the one provided in the request header. It should be the header one, as the clock references might differ between server and source. Even after working around this issue (allowing 1s of difference in the UACTT script), some AuditEntryIds requested by UACTT are not identified (either not sent by UACTT, or sent in an encrypted message that has not been decrypted because an error occurs prior to this step)
    • ACSET-002.js : skipped => to be analyzed further
    • ACSET-004.js : session Id is NULL but not NULL => seems to be an issue in UACTT
    • AOSCET-001.js: ClientCertificate expected but not provided in the OPN request => seems to be an issue in UACTT
    • AOSCET-002.js : skipped => to be analyzed further
    • AOSCET-003.js : some AuditEntryIds requested by UACTT are not identified: OPN encrypted message that has not been decrypted because an error occurs prior to this step. This seems to be the expected behavior on S2OPC side, as we should not spend CPU trying to decrypt untrusted messages.
    • AOSCET-004.js : idem
    • AOSCET-005.js : idem
    • AOSCET-006.js : NOT IMPLEMENTED (UACTT)

Known limitations

Support is partial for the AuditSecurity event types, as described in the description.

Security audit events are not supported for certificate validation in X509 user authentication (see #1554)

Edited Nov 24, 2025 by Vincent Monfort