Stream: smart
Topic: Audit
John Moehrke (Jun 15 2019 at 12:52):
Has anyone defined auditEvent profiles for the smart activities? Do OAuth implementations record these events in a local text log, what does that log look like?
Grahame Grieve (Jun 15 2019 at 12:52):
I do, if that's worth anything.
John Moehrke (Jun 15 2019 at 14:53):
That is worth solid gold... Can you share?
Grahame Grieve (Jun 15 2019 at 18:34):
ok. login:
Grahame Grieve (Jun 15 2019 at 18:36):
{ "resourceType" : "AuditEvent", "text" : { "status" : "generated", "div" : "snip!" }, "type" : { "system" : "http://nema.org/dicom/dcid", "code" : "110114", "display" : "User Authentication" }, "subtype" : [ { "system" : "http://nema.org/dicom/dcid", "code" : "110144", "display" : "Login" } ], "action" : "E", "recorded" : "2019-06-15T18:31:56.891Z", "outcome" : "0", "agent" : [ { "who" : { "identifier" : { "system" : "urn:uuid:a22611cd-0cb4-4cba-a7a4-23052e2909af", "value" : "141" } }, "altId" : "g", "name" : "g (unknown)", "requestor" : true, "network" : { "address" : "127.0.0.1", "type" : "4" } } ], "source" : { "site" : "http://local.fhir.org", "observer" : { "identifier" : { "system" : "urn:ietf:rfc:3986", "value" : "urn:uuid:a22611cd-0cb4-4cba-a7a4-23052e2909af" } }, "type" : [ { "system" : "http://hl7.org/fhir/security-source-type", "code" : "3", "display" : "Web Server" } ] } }
Grahame Grieve (Jun 15 2019 at 18:36):
a22611cd-0cb4-4cba-a7a4-23052e2909af is the internal identifier for this system
Grahame Grieve (Jun 15 2019 at 18:36):
logout:
{ "resourceType" : "AuditEvent", "text" : { "status" : "generated", "div" : "snip!" }, "type" : { "system" : "http://nema.org/dicom/dcid", "code" : "110114", "display" : "User Authentication" }, "subtype" : [ { "system" : "http://nema.org/dicom/dcid", "code" : "110123", "display" : "Logout" } ], "action" : "E", "recorded" : "2019-06-15T18:33:20.333Z", "outcome" : "0", "agent" : [ { "who" : { "identifier" : { "system" : "urn:uuid:a22611cd-0cb4-4cba-a7a4-23052e2909af", "value" : "141" } }, "altId" : "g", "name" : "g (unknown)" }, { "network" : { "address" : "127.0.0.1", "type" : "2" } } ], "source" : { "site" : "Health Intersections", "observer" : { "identifier" : { "system" : "urn:ietf:rfc:3986", "value" : "urn:uuid:a22611cd-0cb4-4cba-a7a4-23052e2909af" } }, "type" : [ { "system" : "http://hl7.org/fhir/security-source-type", "code" : "3", "display" : "Web Server" } ] } }
John Moehrke (Jun 17 2019 at 12:37):
Those are just the login and logout events, not really the OAuth events. Using the lifecycle diagram from @Josh Mandel's presentations, I was expecting some audit events at each point: 1. Register of an ID, 2. Launch + Discovery, 3. Authorize grant_type, 4. Query, and 5. Refresh.
The logging of the various CRUDE events is done, but not specifically enough as to how the same AuditEvent holds references to the token. Should there be variations of these CRUDE events that show SMART token use? It seems it should minimally be the opaque token, leaving the details to the (3) Authorize grant_type AuditEvent...
John Moehrke (Jun 17 2019 at 12:38):
John Moehrke (Jun 17 2019 at 12:44):
In IHE we define the AuditEvent for various events... then in the IUA profile (the IHE profile of OAuth) we express how the presence of an IUA token used to authorize ANY transaction or activity will augment that (ANY) transaction's AuditEvent by adding an AuditEvent.agent. Thus the AuditEvent recorded for activity XYZ is the combination of the AuditEvent pattern from activity XYZ + an AuditEvent.agent that expresses the security token used. This way activity XYZ (e.g. the CRUDE AuditEvent patterns given in FHIR) doesn't mention security, as the security layer just augments the AuditEvent. This enables many security-layer possibilities with consistency of the AuditEvent for activity XYZ.
Michele Mottini (Jun 17 2019 at 13:18):
We record only login in our system. We generate a session ID (GUID) that links the login event to the corresponding following CRUD events. It goes in a custom extension in AuditEvent.
John Moehrke (Jun 17 2019 at 13:58):
Why do you think you need a custom extension? What is the definition, so that we can consider it as core or a core extension?
Grahame Grieve (Jun 17 2019 at 17:43):
I think it would be good to have a session id in AuditEvent. I don't audit the selection of scopes, and should. In fact, I should only log the login once the scopes are selected, because it's not functional till then.
Last updated: Apr 12 2022 at 19:14 UTC