SecurityLog
public
class
SecurityLog
extends Object
java.lang.Object | |
↳ | android.app.admin.SecurityLog |
Definitions for working with security logs.
Device owner apps can control the logging with
DevicePolicyManager.setSecurityLoggingEnabled
. When security logs are enabled, device
owner apps receive periodic callbacks from DeviceAdminReceiver.onSecurityLogsAvailable
,
at which time new batch of logs can be collected via
DevicePolicyManager.retrieveSecurityLogs
. SecurityEvent
describes the type and
format of security logs being collected.
Summary
Nested classes | |
---|---|
class |
SecurityLog.
A class representing a security event log entry. |
Constants | |
---|---|
int |
LEVEL_
Event severity level indicating that the event requires urgent admin action. |
int |
LEVEL_
Event severity level indicating that the event corresponds to normal workflow. |
int |
LEVEL_
Event severity level indicating that the event may require admin attention. |
int |
TAG_ADB_SHELL_CMD
Indicates that a shell command was issued over ADB via |
int |
TAG_ADB_SHELL_INTERACTIVE
Indicates that an ADB interactive shell was opened via "adb shell". |
int |
TAG_APP_PROCESS_START
Indicates that an app process was started. |
int |
TAG_BACKUP_SERVICE_TOGGLED
Indicates that an admin has enabled or disabled backup service. |
int |
TAG_BLUETOOTH_CONNECTION
Indicates that the device attempts to connect to a Bluetooth device. |
int |
TAG_BLUETOOTH_DISCONNECTION
Indicates that the device disconnects from a connected Bluetooth device. |
int |
TAG_CAMERA_POLICY_SET
Indicates that the admin has set policy to disable camera. |
int |
TAG_CERT_AUTHORITY_INSTALLED
Indicates that a new root certificate has been installed into system's trusted credential storage. |
int |
TAG_CERT_AUTHORITY_REMOVED
Indicates that a new root certificate has been removed from system's trusted credential storage. |
int |
TAG_CERT_VALIDATION_FAILURE
Indicates a failure to validate X.509v3 certificate. |
int |
TAG_CRYPTO_SELF_TEST_COMPLETED
Indicates that cryptographic functionality self test has completed. |
int |
TAG_KEYGUARD_DISABLED_FEATURES_SET
Indicates that an admin has set disabled keyguard features. |
int |
TAG_KEYGUARD_DISMISSED
Indicates that keyguard has been dismissed. |
int |
TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT
Indicates that there has been an authentication attempt to dismiss the keyguard. |
int |
TAG_KEYGUARD_SECURED
Indicates that the device has been locked, either by the user or by a timeout. |
int |
TAG_KEY_DESTRUCTION
Indicates that a cryptographic key was destroyed. |
int |
TAG_KEY_GENERATED
Indicates that a cryptographic key was generated. |
int |
TAG_KEY_IMPORT
Indicates that a cryptographic key was imported. |
int |
TAG_KEY_INTEGRITY_VIOLATION
Indicates a failed cryptographic key integrity check. |
int |
TAG_LOGGING_STARTED
Indicates start-up of audit logging. |
int |
TAG_LOGGING_STOPPED
Indicates shutdown of audit logging. |
int |
TAG_LOG_BUFFER_SIZE_CRITICAL
Indicates that the audit log buffer has reached 90% of its capacity. |
int |
TAG_MAX_PASSWORD_ATTEMPTS_SET
Indicates that an admin has set a maximum number of failed password attempts before wiping data. |
int |
TAG_MAX_SCREEN_LOCK_TIMEOUT_SET
Indicates that an admin has set a maximum screen lock timeout. |
int |
TAG_MEDIA_MOUNT
Indicates that removable media has been mounted on the device. |
int |
TAG_MEDIA_UNMOUNT
Indicates that removable media was unmounted from the device. |
int |
TAG_NFC_DISABLED
Indicates that NFC service is disabled. |
int |
TAG_NFC_ENABLED
Indicates that NFC service is enabled. |
int |
TAG_OS_SHUTDOWN
Indicates that the Android OS has shutdown. |
int |
TAG_OS_STARTUP
Indicates that the Android OS has started. |
int |
TAG_PACKAGE_INSTALLED
Indicates that a package is installed. |
int |
TAG_PACKAGE_UNINSTALLED
Indicates that a package is uninstalled. |
int |
TAG_PACKAGE_UPDATED
Indicates that a package is updated. |
int |
TAG_PASSWORD_CHANGED
Indicates that a user has just changed their lockscreen password. |
int |
TAG_PASSWORD_COMPLEXITY_REQUIRED
Indicates that an admin has set a password complexity requirement, using the platform's pre-defined complexity levels. |
int |
TAG_PASSWORD_COMPLEXITY_SET
Indicates that an admin has set a requirement for password complexity. |
int |
TAG_PASSWORD_EXPIRATION_SET
Indicates that an admin has set a password expiration timeout. |
int |
TAG_PASSWORD_HISTORY_LENGTH_SET
Indicates that an admin has set a password history length. |
int |
TAG_REMOTE_LOCK
Indicates that an admin remotely locked the device or profile. |
int |
TAG_SYNC_RECV_FILE
Indicates that a file was pulled from the device via the adb daemon, for example via
|
int |
TAG_SYNC_SEND_FILE
Indicates that a file was pushed to the device via the adb daemon, for example via
|
int |
TAG_USER_RESTRICTION_ADDED
Indicates that an admin has set a user restriction. |
int |
TAG_USER_RESTRICTION_REMOVED
Indicates that an admin has removed a user restriction. |
int |
TAG_WIFI_CONNECTION
Indicates that an event occurred as the device attempted to connect to a managed WiFi network. |
int |
TAG_WIFI_DISCONNECTION
Indicates that the device disconnects from a managed WiFi network. |
int |
TAG_WIPE_FAILURE
Indicates a failure to wipe device or user data. |
Public constructors | |
---|---|
SecurityLog()
|
Inherited methods | |||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Constants
LEVEL_ERROR
public static final int LEVEL_ERROR
Event severity level indicating that the event requires urgent admin action.
Constant Value: 3 (0x00000003)
LEVEL_INFO
public static final int LEVEL_INFO
Event severity level indicating that the event corresponds to normal workflow.
Constant Value: 1 (0x00000001)
LEVEL_WARNING
public static final int LEVEL_WARNING
Event severity level indicating that the event may require admin attention.
Constant Value: 2 (0x00000002)
TAG_ADB_SHELL_CMD
public static final int TAG_ADB_SHELL_CMD
Indicates that a shell command was issued over ADB via adb shell <command>
The log entry contains a String
payload containing the shell command, accessible
via SecurityEvent.getData()
. If security logging is enabled on organization-owned
managed profile devices, the shell command will be redacted to an empty string.
Constant Value: 210002 (0x00033452)
TAG_ADB_SHELL_INTERACTIVE
public static final int TAG_ADB_SHELL_INTERACTIVE
Indicates that an ADB interactive shell was opened via "adb shell". There is no extra payload in the log event.
Constant Value: 210001 (0x00033451)
TAG_APP_PROCESS_START
public static final int TAG_APP_PROCESS_START
Indicates that an app process was started. The log entry contains the following
information about the process encapsulated in an Object
array, accessible via
SecurityEvent.getData()
:
String
)
System.currentTimeMillis()
(Long
)
Integer
)
Integer
)
String
)
String
)
If security logging is enabled on organization-owned managed profile devices, only events
happening inside the managed profile will be visible.
Constant Value: 210005 (0x00033455)
TAG_BACKUP_SERVICE_TOGGLED
public static final int TAG_BACKUP_SERVICE_TOGGLED
Indicates that an admin has enabled or disabled backup service. The log entry contains the
following information about the event encapsulated in an Object
array, accessible
via SecurityEvent.getData()
:
String
)
Integer
)
Integer
, 1 for enabled, 0 for disabled)
Constant Value: 210044 (0x0003347c)
TAG_BLUETOOTH_CONNECTION
public static final int TAG_BLUETOOTH_CONNECTION
Indicates that the device attempts to connect to a Bluetooth device.
The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Integer
, 1 if successful, 0 otherwise)
String
)
Constant Value: 210039 (0x00033477)
TAG_BLUETOOTH_DISCONNECTION
public static final int TAG_BLUETOOTH_DISCONNECTION
Indicates that the device disconnects from a connected Bluetooth device.
The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
String
)
Constant Value: 210040 (0x00033478)
TAG_CAMERA_POLICY_SET
public static final int TAG_CAMERA_POLICY_SET
Indicates that the admin has set policy to disable camera.
The log entry contains the following information about the event, encapsulated in an
Object
array and accessible via SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Integer
, 1 if it's disabled,
0 if enabled)
Constant Value: 210034 (0x00033472)
TAG_CERT_AUTHORITY_INSTALLED
public static final int TAG_CERT_AUTHORITY_INSTALLED
Indicates that a new root certificate has been installed into system's trusted credential
storage. The log entry contains the following information about the event, encapsulated in an
Object
array and accessible via SecurityEvent.getData()
:
Integer
, 0 if operation failed, 1 if succeeded)
String
).
Integer
), only available from
version Build.VERSION_CODES.R
.
If security logging is enabled on organization-owned managed profile devices, only events
happening inside the managed profile will be visible.
Constant Value: 210029 (0x0003346d)
TAG_CERT_AUTHORITY_REMOVED
public static final int TAG_CERT_AUTHORITY_REMOVED
Indicates that a new root certificate has been removed from system's trusted credential
storage. The log entry contains the following information about the event, encapsulated in an
Object
array and accessible via SecurityEvent.getData()
:
Integer
, 0 if operation failed, 1 if succeeded)
String
).
Integer
), only available from
version Build.VERSION_CODES.R
.
If security logging is enabled on organization-owned managed profile devices, only events
happening inside the managed profile will be visible.
Constant Value: 210030 (0x0003346e)
TAG_CERT_VALIDATION_FAILURE
public static final int TAG_CERT_VALIDATION_FAILURE
Indicates a failure to validate X.509v3 certificate. The log entry contains a String
payload indicating the failure reason, accessible via SecurityEvent.getData()
.
Constant Value: 210033 (0x00033471)
TAG_CRYPTO_SELF_TEST_COMPLETED
public static final int TAG_CRYPTO_SELF_TEST_COMPLETED
Indicates that cryptographic functionality self test has completed. The log entry contains an
Integer
payload, indicating the result of the test (0 if the test failed, 1 if
succeeded) and accessible via SecurityEvent.getData()
.
Constant Value: 210031 (0x0003346f)
TAG_KEYGUARD_DISABLED_FEATURES_SET
public static final int TAG_KEYGUARD_DISABLED_FEATURES_SET
Indicates that an admin has set disabled keyguard features. The log entry contains the
following information about the event encapsulated in an Object
array, accessible via
SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Integer
).
Constant Value: 210021 (0x00033465)
TAG_KEYGUARD_DISMISSED
public static final int TAG_KEYGUARD_DISMISSED
Indicates that keyguard has been dismissed. This event is only logged if the device has a secure keyguard. It is logged regardless of how keyguard is dismissed, including via PIN/pattern/password, biometrics or via a trust agent. There is no extra payload in the log event.
See also:
Constant Value: 210006 (0x00033456)
TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT
public static final int TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT
Indicates that there has been an authentication attempt to dismiss the keyguard. The log
entry contains the following information about the attempt encapsulated in an Object
array, accessible via SecurityEvent.getData()
:
Integer
, 1 for successful, 0 for unsuccessful)
Integer
, 1 if strong authentication
method was used, 0 otherwise)
Constant Value: 210007 (0x00033457)
TAG_KEYGUARD_SECURED
public static final int TAG_KEYGUARD_SECURED
Indicates that the device has been locked, either by the user or by a timeout. There is no extra payload in the log event.
Constant Value: 210008 (0x00033458)
TAG_KEY_DESTRUCTION
public static final int TAG_KEY_DESTRUCTION
Indicates that a cryptographic key was destroyed. The log entry contains the following
information about the event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
Integer
, 0 if operation failed, 1 if succeeded)
String
)
Integer
).
If security logging is enabled on organization-owned managed profile devices, only events
happening inside the managed profile will be visible.
Constant Value: 210026 (0x0003346a)
TAG_KEY_GENERATED
public static final int TAG_KEY_GENERATED
Indicates that a cryptographic key was generated. The log entry contains the following
information about the event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
Integer
, 0 if operation failed, 1 if succeeded)
String
)
Integer
).
If security logging is enabled on organization-owned managed profile devices, only events
happening inside the managed profile will be visible.
Constant Value: 210024 (0x00033468)
TAG_KEY_IMPORT
public static final int TAG_KEY_IMPORT
Indicates that a cryptographic key was imported. The log entry contains the following
information about the event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
Integer
, 0 if operation failed, 1 if succeeded)
String
)
Integer
).
If security logging is enabled on organization-owned managed profile devices, only events
happening inside the managed profile will be visible.
Constant Value: 210025 (0x00033469)
TAG_KEY_INTEGRITY_VIOLATION
public static final int TAG_KEY_INTEGRITY_VIOLATION
Indicates a failed cryptographic key integrity check. The log entry contains the following
information about the event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Integer
).
If security logging is enabled on organization-owned managed profile devices, only events
happening inside the managed profile will be visible.
Constant Value: 210032 (0x00033470)
TAG_LOGGING_STARTED
public static final int TAG_LOGGING_STARTED
Indicates start-up of audit logging. There is no extra payload in the log event.
Constant Value: 210011 (0x0003345b)
TAG_LOGGING_STOPPED
public static final int TAG_LOGGING_STOPPED
Indicates shutdown of audit logging. There is no extra payload in the log event.
Constant Value: 210012 (0x0003345c)
TAG_LOG_BUFFER_SIZE_CRITICAL
public static final int TAG_LOG_BUFFER_SIZE_CRITICAL
Indicates that the audit log buffer has reached 90% of its capacity. There is no extra payload in the log event.
Constant Value: 210015 (0x0003345f)
TAG_MAX_PASSWORD_ATTEMPTS_SET
public static final int TAG_MAX_PASSWORD_ATTEMPTS_SET
Indicates that an admin has set a maximum number of failed password attempts before wiping
data. The log entry contains the following information about the event encapsulated in an
Object
array, accessible via SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Integer
)
Constant Value: 210020 (0x00033464)
TAG_MAX_SCREEN_LOCK_TIMEOUT_SET
public static final int TAG_MAX_SCREEN_LOCK_TIMEOUT_SET
Indicates that an admin has set a maximum screen lock timeout. The log entry contains the
following information about the event encapsulated in an Object
array, accessible
via SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Long
)
Constant Value: 210019 (0x00033463)
TAG_MEDIA_MOUNT
public static final int TAG_MEDIA_MOUNT
Indicates that removable media has been mounted on the device. The log entry contains the
following information about the event, encapsulated in an Object
array and
accessible via SecurityEvent.getData()
:
String
)
String
). Redacted to empty string on organization-owned
managed profile devices.
Constant Value: 210013 (0x0003345d)
TAG_MEDIA_UNMOUNT
public static final int TAG_MEDIA_UNMOUNT
Indicates that removable media was unmounted from the device. The log entry contains the
following information about the event, encapsulated in an Object
array and
accessible via SecurityEvent.getData()
:
String
)
String
). Redacted to empty string on organization-owned
managed profile devices.
Constant Value: 210014 (0x0003345e)
TAG_NFC_DISABLED
public static final int TAG_NFC_DISABLED
Indicates that NFC service is disabled. There is no extra payload in the log event.
Constant Value: 210046 (0x0003347e)
TAG_NFC_ENABLED
public static final int TAG_NFC_ENABLED
Indicates that NFC service is enabled. There is no extra payload in the log event.
Constant Value: 210045 (0x0003347d)
TAG_OS_SHUTDOWN
public static final int TAG_OS_SHUTDOWN
Indicates that the Android OS has shutdown. There is no extra payload in the log event.
Constant Value: 210010 (0x0003345a)
TAG_OS_STARTUP
public static final int TAG_OS_STARTUP
Indicates that the Android OS has started. The log entry contains the following information
about the startup time software integrity check encapsulated in an Object
array,
accessible via SecurityEvent.getData()
:
String
)
String
).
Verified Boot state can be one of the following:
green
indicates that there is a full chain of trust extending from the
bootloader to verified partitions including the bootloader, boot partition, and all verified
partitions.
yellow
indicates that the boot partition has been verified using the embedded
certificate and the signature is valid.
orange
indicates that the device may be freely modified. Device integrity is
left to the user to verify out-of-band.
dm-verity mode can be one of the following:
enforcing
indicates that the device will be restarted when corruption is
detected.
eio
indicates that an I/O error will be returned for an attempt to read
corrupted data blocks.
disabled
indicates that integrity check is disabled.
For details see Verified Boot documentation.
Constant Value: 210009 (0x00033459)
TAG_PACKAGE_INSTALLED
public static final int TAG_PACKAGE_INSTALLED
Indicates that a package is installed.
The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Long
)
Integer
)
Constant Value: 210041 (0x00033479)
TAG_PACKAGE_UNINSTALLED
public static final int TAG_PACKAGE_UNINSTALLED
Indicates that a package is uninstalled.
The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Long
)
Integer
)
Constant Value: 210043 (0x0003347b)
TAG_PACKAGE_UPDATED
public static final int TAG_PACKAGE_UPDATED
Indicates that a package is updated.
The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Long
)
Integer
)
Constant Value: 210042 (0x0003347a)
TAG_PASSWORD_CHANGED
public static final int TAG_PASSWORD_CHANGED
Indicates that a user has just changed their lockscreen password.
The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
Integer
)
Integer
)
Password complexity levels are defined as in
DevicePolicyManager.getPasswordComplexity()
Constant Value: 210036 (0x00033474)
TAG_PASSWORD_COMPLEXITY_REQUIRED
public static final int TAG_PASSWORD_COMPLEXITY_REQUIRED
Indicates that an admin has set a password complexity requirement, using the platform's
pre-defined complexity levels. The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Integer
)
Constant Value: 210035 (0x00033473)
TAG_PASSWORD_COMPLEXITY_SET
public static final int TAG_PASSWORD_COMPLEXITY_SET
Indicates that an admin has set a requirement for password complexity. The log entry contains
the following information about the event, encapsulated in an Object
array and
accessible via SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Integer
)
Integer
)
Integer
)
Integer
)
Integer
)
Integer
)
Integer
)
Integer
)
See also:
DevicePolicyManager.setPasswordMinimumLength(ComponentName, int)
DevicePolicyManager.setPasswordQuality(ComponentName, int)
DevicePolicyManager.setPasswordMinimumLetters(ComponentName, int)
DevicePolicyManager.setPasswordMinimumNonLetter(ComponentName, int)
DevicePolicyManager.setPasswordMinimumLowerCase(ComponentName, int)
DevicePolicyManager.setPasswordMinimumUpperCase(ComponentName, int)
DevicePolicyManager.setPasswordMinimumNumeric(ComponentName, int)
DevicePolicyManager.setPasswordMinimumSymbols(ComponentName, int)
Constant Value: 210017 (0x00033461)
TAG_PASSWORD_EXPIRATION_SET
public static final int TAG_PASSWORD_EXPIRATION_SET
Indicates that an admin has set a password expiration timeout. The log entry contains the
following information about the event, encapsulated in an Object
array and accessible
via SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Long
).
Constant Value: 210016 (0x00033460)
TAG_PASSWORD_HISTORY_LENGTH_SET
public static final int TAG_PASSWORD_HISTORY_LENGTH_SET
Indicates that an admin has set a password history length. The log entry contains the
following information about the event encapsulated in an Object
array, accessible
via SecurityEvent.getData()
:
String
)
Integer
)
Integer
)
Integer
)
Constant Value: 210018 (0x00033462)
TAG_REMOTE_LOCK
public static final int TAG_REMOTE_LOCK
Indicates that an admin remotely locked the device or profile. The log entry contains the
following information about the event encapsulated in an Object
array, accessible via
SecurityEvent.getData()
:
String
),
Integer
).
Integer
)
Constant Value: 210022 (0x00033466)
TAG_SYNC_RECV_FILE
public static final int TAG_SYNC_RECV_FILE
Indicates that a file was pulled from the device via the adb daemon, for example via
adb pull
. The log entry contains a String
payload containing the path of the
pulled file on the device, accessible via SecurityEvent.getData()
.
Constant Value: 210003 (0x00033453)
TAG_SYNC_SEND_FILE
public static final int TAG_SYNC_SEND_FILE
Indicates that a file was pushed to the device via the adb daemon, for example via
adb push
. The log entry contains a String
payload containing the destination
path of the pushed file, accessible via SecurityEvent.getData()
.
Constant Value: 210004 (0x00033454)
TAG_USER_RESTRICTION_ADDED
public static final int TAG_USER_RESTRICTION_ADDED
Indicates that an admin has set a user restriction. The log entry contains the following
information about the event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Integer
)
String
)
Constant Value: 210027 (0x0003346b)
TAG_USER_RESTRICTION_REMOVED
public static final int TAG_USER_RESTRICTION_REMOVED
Indicates that an admin has removed a user restriction. The log entry contains the following
information about the event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
)
Integer
)
String
)
Constant Value: 210028 (0x0003346c)
TAG_WIFI_CONNECTION
public static final int TAG_WIFI_CONNECTION
Indicates that an event occurred as the device attempted to connect to
a managed WiFi network. The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
, in the form "xx:xx:xx:xx:AA:BB")
String
). Event types are CONNECTED,
DISCONNECTED, ASSOCIATING, ASSOCIATED, EAP_METHOD_SELECTED, EAP_FAILURE,
SSID_TEMP_DISABLED, and OPEN_SSL_FAILURE.
String
)
Constant Value: 210037 (0x00033475)
TAG_WIFI_DISCONNECTION
public static final int TAG_WIFI_DISCONNECTION
Indicates that the device disconnects from a managed WiFi network.
The log entry contains the following information about the
event, encapsulated in an Object
array and accessible via
SecurityEvent.getData()
:
String
, in the form "xx:xx:xx:xx:AA:BB")
String
)
Constant Value: 210038 (0x00033476)
TAG_WIPE_FAILURE
public static final int TAG_WIPE_FAILURE
Indicates a failure to wipe device or user data. There is no extra payload in the log event.
Constant Value: 210023 (0x00033467)
Public constructors
SecurityLog
public SecurityLog ()