The following (or similar) entries were observed in the audit log of a Content Analysis System (CAS) appliance, received by the SIEM as syslog events from CAS. The audit logger reports them as administrative changes to the “isec/ca-certificates” configuration tree and to the browser-trusted certificate list (CCL):
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ACA_ROOT}/fips-compliant to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ACA_ROOT}/read-only to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ACA_ROOT}/in-brtrusted to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ACA_ROOT}/in-bctp to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ACA_ROOT}/read-only to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ccl{browser-trusted}/ca-certificate to '...'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ANCERT_CGN_V2}/fips-compliant to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ANCERT_CGN_V2}/read-only to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ANCERT_CGN_V2}/in-brtrusted to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ANCERT_CGN_V2}/in-bctp to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ca-certificates{ANCERT_CGN_V2}/read-only to 'false'
CAS info audit_logger[6318]: INFO : admin changed /isec/ccl{browser-trusted}/ca-certificate to '...'
Content Analysis event logs are forwarded to the SIEM over syslog, and these entries triggered alerts on the assumption that a privileged user had modified critical certificate-trust settings, potentially in violation of certificate trust policy.
However, the changes were not initiated by any authenticated admin user. Although the audit logger records the actor as 'admin', these are system-generated entries. They are common and indicate that the system is removing or updating expired certificates and refreshing the CCL as part of periodic reconciliation.
The sequence matches the expected footprint of the background Certificate Authority (CA) trust-list update: for each affected CA entry, the fips-compliant, read-only, in-brtrusted and in-bctp attributes are set to 'false', after which the browser-trusted CCL entry is rewritten.
Recommendation: Before suppressing, correlate the burst with admin session activity (login/logout) on the same appliance over the same time window. If no admin session overlaps the changes and the entries match the pattern above, suppress the alert or downgrade its severity for this log signature. If an admin session does overlap, or the changes touch attributes or values outside this pattern, keep the original severity and investigate.
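One way to implement that correlation as a SIEM pre-processing step, as an added example that is not CAS code or any vendor's SIEM content: it parses the audit_logger lines, recognises the reconciliation pattern, and downgrades a change to informational only when no admin session overlaps it. It assumes an ISO-8601 syslog timestamp in front of each audit line (the excerpt above omits timestamps) and a hypothetical session-log format ("<ts> CAS info mgmt_console: admin login from <ip>" / "... admin logout"), since CAS login and logout events are not shown on this page. The sample log lines are constructed from the entries above.

```python
"""Triage CAS audit_logger certificate-trust changes against admin sessions.
Added example for this article; not CAS or SIEM vendor code."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: a syslog timestamp precedes the "CAS info audit_logger[...]" text.
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) CAS info audit_logger\[(?P<pid>\d+)\]: INFO : "
    r"(?P<user>\S+) changed (?P<path>\S+) to '(?P<value>[^']*)'$"
)
# Hypothetical session-log format; CAS's real login/logout event is not on the page.
SESSION_RE = re.compile(
    r"^(?P<ts>\S+) CAS info (?P<source>\S+): (?P<user>\S+) (?P<action>login|logout)\b"
)
# Attributes the reconciliation flips to 'false' before rewriting the CCL entry.
CERT_ATTR_RE = re.compile(
    r"^/isec/ca-certificates\{[^}]+\}/(fips-compliant|read-only|in-brtrusted|in-bctp)$"
)
CCL_PATH = "/isec/ccl{browser-trusted}/ca-certificate"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit(line):
    """Return the audit event as a dict, or None for lines that are not audit_logger changes."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = parse_ts(ev["ts"])
    return ev


def is_reconciliation_change(ev):
    """True for the attribute flips and CCL rewrite seen during CA trust-list reconciliation."""
    if ev["path"] == CCL_PATH:
        return True
    return bool(CERT_ATTR_RE.match(ev["path"])) and ev["value"] == "false"


def admin_sessions(session_lines):
    """Build (login_ts, logout_ts-or-None) intervals for user 'admin' from the session log."""
    intervals, open_login = [], None
    for line in session_lines:
        m = SESSION_RE.match(line)
        if not m or m["user"] != "admin":
            continue
        ts = parse_ts(m["ts"])
        if m["action"] == "login":
            open_login = ts
        elif open_login is not None:
            intervals.append((open_login, ts))
            open_login = None
    if open_login is not None:          # still logged in at end of the log
        intervals.append((open_login, None))
    return intervals


def has_correlated_session(ts, intervals, slack=timedelta(minutes=5)):
    """True if an admin session (padded by `slack`) overlaps the change timestamp."""
    return any(login - slack <= ts and (logout is None or ts <= logout + slack)
               for login, logout in intervals)


def triage(audit_lines, session_lines):
    """Return (path, value, severity) per audit line; 'info' only when the change
    matches the reconciliation pattern and no admin session overlaps it."""
    intervals = admin_sessions(session_lines)
    results = []
    for line in audit_lines:
        ev = parse_audit(line)
        if ev is None:
            continue
        if not is_reconciliation_change(ev):
            sev = "high"        # outside the known pattern: keep the original alert
        elif has_correlated_session(ev["ts"], intervals):
            sev = "high"        # a logged-in admin could have made this change
        else:
            sev = "info"        # system-generated reconciliation, per the guidance above
        results.append((ev["path"], ev["value"], sev))
    return results


def audit_line(ts, path, value, user="admin"):
    return f"{ts} CAS info audit_logger[6318]: INFO : {user} changed {path} to '{value}'"


# Constructed sample: the article's twelve changes with assumed timestamps one second apart.
PAGE_CHANGES = [
    ("/isec/ca-certificates{ACA_ROOT}/fips-compliant", "false"),
    ("/isec/ca-certificates{ACA_ROOT}/read-only", "false"),
    ("/isec/ca-certificates{ACA_ROOT}/in-brtrusted", "false"),
    ("/isec/ca-certificates{ACA_ROOT}/in-bctp", "false"),
    ("/isec/ca-certificates{ACA_ROOT}/read-only", "false"),
    ("/isec/ccl{browser-trusted}/ca-certificate", "..."),
    ("/isec/ca-certificates{ANCERT_CGN_V2}/fips-compliant", "false"),
    ("/isec/ca-certificates{ANCERT_CGN_V2}/read-only", "false"),
    ("/isec/ca-certificates{ANCERT_CGN_V2}/in-brtrusted", "false"),
    ("/isec/ca-certificates{ANCERT_CGN_V2}/in-bctp", "false"),
    ("/isec/ca-certificates{ANCERT_CGN_V2}/read-only", "false"),
    ("/isec/ccl{browser-trusted}/ca-certificate", "..."),
]
PAGE_AUDIT_LINES = [audit_line(f"2024-05-01T02:00:{i:02d}Z", p, v)
                    for i, (p, v) in enumerate(PAGE_CHANGES)]
# Constructed counter-example: the same flip made while admin is logged in (hypothetical format).
SESSION_LINES = [
    "2024-05-01T03:10:00Z CAS info mgmt_console: admin login from 10.0.0.5",
    "2024-05-01T03:25:00Z CAS info mgmt_console: admin logout",
]
INTERACTIVE_LINES = [audit_line("2024-05-01T03:12:00Z",
                                "/isec/ca-certificates{ACA_ROOT}/fips-compliant", "false")]

if __name__ == "__main__":
    for row in triage(PAGE_AUDIT_LINES, []) + triage(INTERACTIVE_LINES, SESSION_LINES):
        print(row)
```

The five-minute slack around each session is deliberate: the audit timestamp and the session timestamp come from different subsystems, and a change logged a few seconds after a logout is still worth a human look. Anything not matching the reconciliation pattern (a different attribute, or a value other than 'false') keeps the original severity regardless of session state.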