Security Admin Events

The following table describes the Security Admin events (App ID = 16). Beginning in Release 8.0, all Security Admin events are enabled by default except the Flash Wear-Out Counters Reset (ID = 15) and Power Package Modified (ID = 16) events. Each entry below gives the event name, its ID, a description, the event parameters as they appear in the log record, and the trigger that causes the event to be logged.

Event Name: AMT Provisioning Started
ID: 0
Description: Intel AMT transitioned to setup mode (also called "in provisioning").
    Note: This event is flagged as super_critical from Release 12.0 onward. Prior to Release 12.0, it is always written to the Log and cannot be flagged as critical.
Parameters: None
Trigger: The platform is connected to a network and has a PID-PPS pair, or a remote configuration local agent commanded Start Configuration, or a "bare metal" configuration sequence started.
    The event is also logged in SMB mode (Manual Mode in Release 6.0).
    Note: This event is always logged, even if auditing is not enabled. The timestamp of the event is always 12:00 Jan 1, 2004 if the time had never been initialized when this event occurred. Otherwise, with Release 6.0, it is the time just before the previous unconfiguration.
    Note: This event is NOT triggered by the Release 6.2/7.0 and later Host-Based (Local) Setup feature and is deprecated from Release 6.1. ISV software should obtain information about configuration occurrences from the following classes (via IPS_ProvisioningAuditRecord):
        IPS_AdminProvisioningRecord
        IPS_ClientProvisioningRecord
        IPS_ManualProvisioningRecord

Event Name: AMT Provisioning Completed
ID: 1
Description: Intel AMT transitioned to operational mode (also called "post provisioning").
    Note: This event is flagged as super_critical from Release 12.0.30 onward. Prior to Release 12.0.30, it is always written to the Log and cannot be flagged as critical.
Parameters:
    UINT8 ProvisioningMethod:
        2 - Remote Configuration
        3 - Manual Provisioning via MEBX
        5 - Host-Based Provisioning Admin Mode
        Note: Additional methods may be added in the future.
    UINT8 HashType (Irrelevant for PSK):
        1 - SHA1_160
        2 - SHA_256
        3 - SHA_384
    UINT8 TrustedRootCertHash[] (Irrelevant for PSK); length depends on HashType:
        For SHA1_160: UINT8 TrustedRootCertHash[20]
        For SHA_256:  UINT8 TrustedRootCertHash[32]
        For SHA_384:  UINT8 TrustedRootCertHash[48]
    UINT8 NumberOfCertificates (Irrelevant for PSK)
    UINT8 CertSerialNumbers[] (Irrelevant for PSK); each number is 16 bytes long, up to 3 serial numbers.
    UINT8 AdditionalCaSerialNums (Irrelevant for PSK):
        0 - There are additional certificates.
        1 - There are no additional certificates.
    UINT8 ProvServFQDNLength (Irrelevant for PSK)
    UINT8 ProvServFQDN[] (Irrelevant for PSK), up to 255 bytes.
Trigger: WS-MAN: AMT_SetupAndConfigurationService.CommitChanges completed successfully.
    Note: Prior to Intel AMT release 12.0.30, this event is NOT triggered by the Release 6.2/7.0 and later Host-Based (Local) Setup feature or by the Release 6.0 Manual Configuration feature. This event is deprecated from Release 6.1. ISV software should obtain information about configuration occurrences from the following classes (via IPS_ProvisioningAuditRecord):
        IPS_AdminProvisioningRecord
        IPS_ClientProvisioningRecord
        IPS_TLSProvisioningRecord
        IPS_ManualProvisioningRecord
    In Intel AMT 12.0.30 and later, this event is generated by provisioning in Admin mode.

Event Name: ACL Entry Added
ID: 2
Description: User entry was added to the Intel AMT device.
Parameters:
    InitiatorType Type
    UINT8 Username_Length
    UINT32 SID
    UINT8 Username[]
    UINT8 Domain_Length
    UINT8 Domain[]
Trigger: Functions called and executed successfully:
    WS-MAN:
        AMT_AuthorizationService.AddUserAclEntryEx
        CIM_AccountManagementService.CreateAccount
        CIM_RemoteIdentity.Create
    WebUI: Calling new user account.
    The event may also be logged when the method subsequently fails with a PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED return value.

Event Name: ACL Entry Modified
ID: 3
Description: User entry in the Intel AMT device was updated.
Parameters:
    UINT8 ParameterModified (bit combination):
        0x01 Username
        0x02 Password
        0x04 Local realms
        0x08 Remote realms
        0x10 Kerberos domain
        0x20 SID
    InitiatorType Type
    UINT8 Username_Length
    UINT32 SID
    UINT8 Username[]
    UINT8 Domain_Length
    UINT8 Domain[]
Trigger: Functions called and executed successfully:
    WS-MAN:
        AMT_AuthorizationService.UpdateUserAclEntryEx
        CIM_Account.Put
        CIM_Privilege.Put
    WebUI: Calling Change User Account. Calling Change Admin Account.
    The event may also be logged when the method subsequently fails with a PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED return value.

Event Name: ACL Entry Removed
ID: 4
Description: User entry in the Intel AMT device was removed.
Parameters:
    InitiatorType Type
    UINT8 Username_Length
    UINT32 SID
    UINT8 Username[]
    UINT8 Domain_Length
    UINT8 Domain[]
Trigger: Functions called and executed successfully:
    WS-MAN:
        AMT_AuthorizationService.RemoveUserAclEntry
        CIM_Account.Delete
        CIM_RemoteIdentity.Remove
    WebUI: Calling "remove user account".
    The event may also be logged when the method subsequently fails with a PT_STATUS_INTERNAL_ERROR return value.

Event Name: ACL Access With Invalid Credentials
ID: 5
Description: User attempted to access Intel AMT or MEBx with an invalid username or password.
Parameters:
    UINT8 Type:
        0 - AMT
        1 - MEBx
Trigger:
    MEBx invalid access - The event is logged after 3 invalid access attempts.
    AMT invalid access - The event is logged each time the user is blocked due to numerous authentication failures.

Event Name: ACL Entry Enabled
ID: 6
Description: ACL entry state was changed (Enabled or Disabled).
Parameters:
    UINT8 ACL Enabled:
        0 - disabled
        1 - enabled
    InitiatorType Type
    UINT8 Username_Length
    UINT32 SID
    UINT8 Username[]
    UINT8 Domain_Length
    UINT8 Domain[]
Trigger:
    WebUI: Change anonymous access.
    WS-MAN: CIM_Account.RequestStateChange
    The event may also be logged when the method subsequently fails with a PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED return value.

Event Name: TLS State Changed
ID: 7
Description: TLS options changed.
Parameters:
    UINT8 RemoteStatus:
        0 - NoAuth
        1 - Server
        2 - Mutual
    UINT8 LocalStatus:
        0 - NoAuth
        1 - Server
        2 - Mutual
Trigger: WS-MAN: AMT_TLSSettingData.Put

Event Name: TLS Server Certificate Set
ID: 8
Description: TLS Server Certificate was defined.
Parameters: UINT8 CertSerialNum[20]
Trigger: WS-MAN:
    AMT_TLSCredentialContext.Create
    AMT_TLSCredentialContext.Put

Event Name: TLS Server Certificate Removed
ID: 9
Description: Attempted to remove certificate.
Parameters: UINT8 CertSerialNum[20]
Trigger: WS-MAN: AMT_TLSCredentialContext.Delete

Event Name: TLS Trusted Root Certificate Added
ID: 10
Description: Trusted root certificate added.
    Note: This event cannot be flagged as critical.
Parameters: UINT8 CertSerialNum[20]
Trigger: WS-MAN: AMT_PublicKeyManagementService.AddTrustedRootCertificate

Event Name: TLS Trusted Root Certificate Removed
ID: 11
Description: Trusted root certificate removed.
    Note: This event cannot be flagged as critical.
Parameters: UINT8 CertSerialNum[20]
Trigger: WS-MAN: AMT_PublicKeyCertificate.Delete

Event Name: TLS Pre-Shared Key Set
ID: 12
Description: Pre-Shared Key was defined.
Parameters: None
Trigger: WS-MAN: AMT_SetupAndConfigurationService.SetTLSPSK
    Note: This trigger was removed in Release 11.0.

Event Name: Kerberos Settings Modified
ID: 13
Description: Kerberos was enabled (Kerberos options set) or disabled.
    Note: This event cannot be flagged as critical (Release 5.1 and later).
Parameters: UINT8 TimeTolerance
Trigger: WS-MAN: AMT_KerberosSettingData.Put is invoked and returns success.

Event Name: Kerberos Master Key or Passphrase Modified
ID: 14
Description: Kerberos master key or passphrase was modified.
    Note: This event cannot be flagged as critical (Release 5.1 and later).
Parameters: None
Trigger: WS-MAN: AMT_KerberosSettingData.Put is invoked and returns success.

Event Name: Flash Wear-Out Counters Reset
ID: 15
Description: Flash Wear-out counter was reset.
    Note: This event cannot be flagged as critical.
Parameters: None
Trigger: WS-MAN: AMT_SetupAndConfigurationService.ResetFlashWearOutProtection
    Starting with Release 6.2, the WS-MAN trigger does not actually perform a reset and the event is not logged. This trigger was removed entirely in Release 11.0.

Event Name: Power Package Modified
ID: 16
Description: Active power package was set.
Parameters: UINT8 PolicyGUID[16]
Trigger:
    MEBx: Power package changed
    WS-MAN: AMT_SystemPowerScheme.SetPowerScheme
    WebUI: Power Policies page
    If the power package is changed via the MEBx, the event will not be logged.

Event Name: Set Realm Authentication Mode
ID: 17
Description: Realm authentication mode changed.
Parameters:
    UINT32 realm
    UINT8 Authentication mode:
        0 - NoAuth
        1 - Auth
        2 - Disable
Trigger: WebUI: Anonymous access option is changed.
    The event may also be logged when the method subsequently fails with a PT_STATUS_INTERNAL_ERROR or PT_STATUS_FLASH_WRITE_LIMIT_EXCEEDED return value.

Event Name: Upgrade Client To Admin
ID: 18
Description: The control mode of the Intel AMT was changed from Client Control to Admin Control.
Parameters: None
Trigger: WS-MAN (Release 7.0 and later releases): IPS_HostBasedSetupService.UpgradeClientToAdmin

Event Name: AMT UnProvisioning Started
ID: 19
Description: Intel AMT transitioned to unprovisioned state (also called pre-provisioning).
    Note: This event is flagged as super_critical from Release 12.0.30 onward. Prior to Release 12.0.30, it is always written to the Log and cannot be flagged as critical.
Parameters:
    UINT8 UnprovisioningInitiator:
        1 - BIOS
        2 - MEBx
        3 - Local MEI
        4 - Local WSMAN
        5 - Remote WSMAN
Trigger:
    WS-MAN:
        AMT_SetupAndConfigurationService.Unprovision
        AMT_SetupAndConfigurationService.PartialUnprovision started successfully.
    HECI:
        CFG_Unprovision() started successfully.
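The parameter layouts above are what a log collector has to decode before it can alert on, for example, a new ACL entry or a password change on the Intel AMT firmware account store. The following decoder is an added example, not code from the Intel AMT SDK or from this page: it reads the parameter blob of a Security Admin (App ID 16) record for several of the events listed, including the variable-length AMT Provisioning Completed layout and the ParameterModified bitmask of ACL Entry Modified. Two things it assumes are not stated on the page and are marked as assumptions in the code: multi-byte integers such as SID are read big-endian, and InitiatorType is a single byte with every ACL field present in the listed order. The sample blobs are constructed for the example, not captured from a device.

```python
import struct

# Security Admin application ID and the event IDs decoded below (from the table).
APP_SECURITY_ADMIN = 16
EVT_PROVISIONING_COMPLETED = 1
EVT_ACL_ENTRY_ADDED = 2
EVT_ACL_ENTRY_MODIFIED = 3
EVT_ACL_ENTRY_REMOVED = 4
EVT_ACL_INVALID_CREDENTIALS = 5
EVT_ACL_ENTRY_ENABLED = 6
EVT_TLS_STATE_CHANGED = 7
EVT_UNPROVISIONING_STARTED = 19

# Enumerations exactly as the table lists them.
PROVISIONING_METHOD = {2: "Remote Configuration", 3: "Manual Provisioning via MEBX",
                       5: "Host-Based Provisioning Admin Mode"}
HASH_TYPE_LEN = {1: ("SHA1_160", 20), 2: ("SHA_256", 32), 3: ("SHA_384", 48)}
ACL_MODIFIED_BITS = {0x01: "Username", 0x02: "Password", 0x04: "Local realms",
                     0x08: "Remote realms", 0x10: "Kerberos domain", 0x20: "SID"}
INVALID_ACCESS_TARGET = {0: "AMT", 1: "MEBx"}
TLS_AUTH = {0: "NoAuth", 1: "Server", 2: "Mutual"}
UNPROVISION_INITIATOR = {1: "BIOS", 2: "MEBx", 3: "Local MEI", 4: "Local WSMAN", 5: "Remote WSMAN"}


class Reader:
    """Sequential reader over a parameter blob; raises ValueError on truncation."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated record: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def u8(self):
        return self.take(1)[0]
    def u32(self):
        # ASSUMPTION: the page does not give a byte order; big-endian is used here.
        return struct.unpack(">I", self.take(4))[0]
    def remaining(self):
        return len(self.data) - self.pos


def parse_provisioning_completed(blob):
    """Event 1: method, hash type, root-cert hash sized by hash type, serials, FQDN."""
    r = Reader(blob)
    method = r.u8()
    out = {"ProvisioningMethod": PROVISIONING_METHOD.get(method, f"unknown({method})")}
    hash_type = r.u8()
    if hash_type not in HASH_TYPE_LEN:
        raise ValueError(f"unknown HashType {hash_type}")
    name, hash_len = HASH_TYPE_LEN[hash_type]
    out["HashType"] = name
    out["TrustedRootCertHash"] = r.take(hash_len).hex()   # 20, 32 or 48 bytes
    ncerts = r.u8()
    if ncerts > 3:
        raise ValueError("NumberOfCertificates exceeds the documented maximum of 3")
    out["CertSerialNumbers"] = [r.take(16).hex() for _ in range(ncerts)]
    out["HasAdditionalCaCerts"] = (r.u8() == 0)   # 0 means additional certificates exist
    out["ProvServFQDN"] = r.take(r.u8()).decode("ascii", "replace")
    return out


def _parse_acl_identity(r):
    # ASSUMPTION: InitiatorType is one byte and all fields are present in table order.
    initiator = r.u8()
    username_len = r.u8()
    sid = r.u32()
    username = r.take(username_len).decode("utf-8", "replace")
    domain = r.take(r.u8()).decode("utf-8", "replace")
    return {"InitiatorType": initiator, "SID": sid, "Username": username, "Domain": domain}


def decode_modified_bits(mask):
    """Expand the ACL Entry Modified bitmask; undocumented bits are reported, not dropped."""
    names = [name for bit, name in ACL_MODIFIED_BITS.items() if mask & bit]
    unknown = mask & ~sum(ACL_MODIFIED_BITS)
    if unknown:
        names.append(f"unknown(0x{unknown:02x})")
    return names


def parse_security_admin_event(event_id, blob):
    """Decode the parameter blob of one App ID 16 record into a dict."""
    if event_id == EVT_PROVISIONING_COMPLETED:
        return parse_provisioning_completed(blob)
    r = Reader(blob)
    if event_id in (EVT_ACL_ENTRY_ADDED, EVT_ACL_ENTRY_REMOVED):
        result = _parse_acl_identity(r)
    elif event_id == EVT_ACL_ENTRY_MODIFIED:
        result = {"ParameterModified": decode_modified_bits(r.u8()), **_parse_acl_identity(r)}
    elif event_id == EVT_ACL_ENTRY_ENABLED:
        result = {"Enabled": bool(r.u8()), **_parse_acl_identity(r)}
    elif event_id == EVT_ACL_INVALID_CREDENTIALS:
        t = r.u8()
        result = {"Target": INVALID_ACCESS_TARGET.get(t, f"unknown({t})")}
    elif event_id == EVT_TLS_STATE_CHANGED:
        remote, local = r.u8(), r.u8()
        result = {"RemoteStatus": TLS_AUTH.get(remote, f"unknown({remote})"),
                  "LocalStatus": TLS_AUTH.get(local, f"unknown({local})")}
    elif event_id == EVT_UNPROVISIONING_STARTED:
        i = r.u8()
        result = {"UnprovisioningInitiator": UNPROVISION_INITIATOR.get(i, f"unknown({i})")}
    else:
        raise ValueError(f"no decoder for Security Admin event {event_id}")
    if r.remaining():
        result["trailing_bytes"] = r.remaining()   # flag, don't silently ignore
    return result


# Constructed sample blobs (illustrative only, not captured from a real device).
SAMPLE_PROVISIONING_COMPLETED = (bytes([2, 2]) + bytes(range(32)) + bytes([1]) + bytes([0xAA]) * 16
                                 + bytes([1]) + bytes([16]) + b"rcfg.example.com")
SAMPLE_ACL_MODIFIED = bytes([0x06, 0x00, 5]) + b"\x00\x00\x00\x00" + b"admin" + bytes([0])

if __name__ == "__main__":
    print(parse_security_admin_event(EVT_PROVISIONING_COMPLETED, SAMPLE_PROVISIONING_COMPLETED))
    print(parse_security_admin_event(EVT_ACL_ENTRY_MODIFIED, SAMPLE_ACL_MODIFIED))
    print(parse_security_admin_event(EVT_ACL_INVALID_CREDENTIALS, b"\x01"))
```

Because the TrustedRootCertHash length is chosen by the preceding HashType byte, a decoder that assumes a fixed 20-byte SHA1_160 hash misaligns every later field for SHA_256 or SHA_384 records, which is why the length lookup sits before the read. Leftover bytes and unknown bitmask values are surfaced rather than dropped, since the table itself says further provisioning methods may be added.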

Copyright © 2006-2022, Intel Corporation. All rights reserved.