SecurityLog

public class SecurityLog
extends Object

java.lang.Object
   ↳ android.app.admin.SecurityLog


Definitions for working with security logs.

Device owner apps can control the logging with DevicePolicyManager.setSecurityLoggingEnabled(ComponentName, boolean). When security logs are enabled, device owner apps receive periodic callbacks from DeviceAdminReceiver.onSecurityLogsAvailable(Context, Intent), at which time a new batch of logs can be collected via DevicePolicyManager.retrieveSecurityLogs(ComponentName). SecurityLog.SecurityEvent describes the type and format of security logs being collected.
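The collection flow described above, sketched as a receiver that drains each batch and flags events worth an admin's attention, using the payload layouts documented under Constants on this page. This is an added example, not code from the Android documentation: the class name AuditLogReceiver, the logcat tag, the use of Log.w as a stand-in for forwarding to a management backend, and the choice of which events count as findings are all assumptions, and it assumes the app is the device owner and is compiled against API level 28 or later.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.app.admin.SecurityLog;
import android.app.admin.SecurityLog.SecurityEvent;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import java.util.List;

// Hypothetical receiver name; it must be the device owner's admin receiver.
public class AuditLogReceiver extends DeviceAdminReceiver {
    private static final String TAG = "AuditLogReceiver"; // assumed logcat tag

    @Override
    public void onSecurityLogsAvailable(Context context, Intent intent) {
        DevicePolicyManager dpm = getManager(context);
        List<SecurityEvent> batch = dpm.retrieveSecurityLogs(getWho(context));
        if (batch == null) return; // logging disabled or retrieval rate-limited
        for (SecurityEvent e : batch) {
            String finding = triage(e);
            // Log.w stands in for forwarding the finding to a backend.
            if (finding != null) Log.w(TAG, e.getTimeNanos() + " " + finding);
        }
    }

    // Returns a description for events this (assumed) policy flags, else null.
    static String triage(SecurityEvent e) {
        Object data = e.getData();
        switch (e.getTag()) {
            case SecurityLog.TAG_ADB_SHELL_INTERACTIVE:
                return "adb interactive shell opened"; // no payload
            case SecurityLog.TAG_ADB_SHELL_CMD:
                return "adb shell command: " + data;   // String payload
            case SecurityLog.TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT: {
                Object[] f = (Object[]) data; // [0] result, [1] strength
                if ((Integer) f[0] == 0) return "failed unlock attempt";
                return (Integer) f[1] == 0 ? "unlock with weak auth method" : null;
            }
            case SecurityLog.TAG_CERT_AUTHORITY_INSTALLED: {
                Object[] f = (Object[]) data; // [0] result, [1] subject
                return (Integer) f[0] == 1 ? "root CA installed: " + f[1] : null;
            }
            case SecurityLog.TAG_KEY_INTEGRITY_VIOLATION: {
                Object[] f = (Object[]) data; // [0] alias, [1] owner uid
                return "key integrity violation: alias=" + f[0] + " uid=" + f[1];
            }
            case SecurityLog.TAG_OS_STARTUP: {
                Object[] f = (Object[]) data; // [0] Verified Boot state, [1] dm-verity mode
                boolean ok = "green".equals(f[0]) && "enforcing".equals(f[1]);
                return ok ? null : "boot integrity: state=" + f[0] + " verity=" + f[1];
            }
            case SecurityLog.TAG_LOG_BUFFER_SIZE_CRITICAL:
                return "audit log buffer at 90% of capacity";
            default:
                return null; // not flagged by this example policy
        }
    }
}
```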

Summary

Nested classes

class SecurityLog.SecurityEvent

A class representing a security event log entry. 

Constants

int LEVEL_ERROR

Event severity level indicating that the event requires urgent admin action.

int LEVEL_INFO

Event severity level indicating that the event corresponds to normal workflow.

int LEVEL_WARNING

Event severity level indicating that the event may require admin attention.

int TAG_ADB_SHELL_CMD

Indicates that a shell command was issued over ADB via adb shell <command>. The log entry contains a String payload containing the shell command, accessible via SecurityLog.SecurityEvent.getData().

int TAG_ADB_SHELL_INTERACTIVE

Indicates that an ADB interactive shell was opened via "adb shell".

int TAG_APP_PROCESS_START

Indicates that an app process was started.

int TAG_CERT_AUTHORITY_INSTALLED

Indicates that a new root certificate has been installed into the system's trusted credential storage.

int TAG_CERT_AUTHORITY_REMOVED

Indicates that a root certificate has been removed from the system's trusted credential storage.

int TAG_CERT_VALIDATION_FAILURE

Indicates a failure to validate an X.509v3 certificate.

int TAG_CRYPTO_SELF_TEST_COMPLETED

Indicates that cryptographic functionality self test has completed.

int TAG_KEYGUARD_DISABLED_FEATURES_SET

Indicates that an admin has set disabled keyguard features.

int TAG_KEYGUARD_DISMISSED

Indicates that keyguard has been dismissed.

int TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT

Indicates that there has been an authentication attempt to dismiss the keyguard.

int TAG_KEYGUARD_SECURED

Indicates that the device has been locked, either by the user or by a timeout.

int TAG_KEY_DESTRUCTION

Indicates that a cryptographic key was destroyed.

int TAG_KEY_GENERATED

Indicates that an authentication key was generated.

int TAG_KEY_IMPORT

Indicates that a cryptographic key was imported.

int TAG_KEY_INTEGRITY_VIOLATION

Indicates a failed cryptographic key integrity check.

int TAG_LOGGING_STARTED

Indicates start-up of audit logging.

int TAG_LOGGING_STOPPED

Indicates shutdown of audit logging.

int TAG_LOG_BUFFER_SIZE_CRITICAL

Indicates that the audit log buffer has reached 90% of its capacity.

int TAG_MAX_PASSWORD_ATTEMPTS_SET

Indicates that an admin has set a maximum number of failed password attempts before wiping data.

int TAG_MAX_SCREEN_LOCK_TIMEOUT_SET

Indicates that an admin has set a maximum screen lock timeout.

int TAG_MEDIA_MOUNT

Indicates that removable media has been mounted on the device.

int TAG_MEDIA_UNMOUNT

Indicates that removable media was unmounted from the device.

int TAG_OS_SHUTDOWN

Indicates that the Android OS has shut down.

int TAG_OS_STARTUP

Indicates that the Android OS has started.

int TAG_PASSWORD_COMPLEXITY_SET

Indicates that an admin has set a requirement for password complexity.

int TAG_PASSWORD_EXPIRATION_SET

Indicates that an admin has set a password expiration timeout.

int TAG_PASSWORD_HISTORY_LENGTH_SET

Indicates that an admin has set a password history length.

int TAG_REMOTE_LOCK

Indicates that an admin remotely locked the device or profile.

int TAG_SYNC_RECV_FILE

Indicates that a file was pulled from the device via the adb daemon, for example via adb pull.

int TAG_SYNC_SEND_FILE

Indicates that a file was pushed to the device via the adb daemon, for example via adb push.

int TAG_USER_RESTRICTION_ADDED

Indicates that an admin has set a user restriction.

int TAG_USER_RESTRICTION_REMOVED

Indicates that an admin has removed a user restriction.

int TAG_WIPE_FAILURE

Indicates a failure to wipe device or user data.

Public constructors

SecurityLog()

Constants

LEVEL_ERROR

added in API level 28
public static final int LEVEL_ERROR

Event severity level indicating that the event requires urgent admin action.

Constant Value: 3 (0x00000003)

LEVEL_INFO

added in API level 28
public static final int LEVEL_INFO

Event severity level indicating that the event corresponds to normal workflow.

Constant Value: 1 (0x00000001)

LEVEL_WARNING

added in API level 28
public static final int LEVEL_WARNING

Event severity level indicating that the event may require admin attention.

Constant Value: 2 (0x00000002)

TAG_ADB_SHELL_CMD

added in API level 24
public static final int TAG_ADB_SHELL_CMD

Indicates that a shell command was issued over ADB via adb shell <command>. The log entry contains a String payload containing the shell command, accessible via SecurityLog.SecurityEvent.getData().

Constant Value: 210002 (0x00033452)

TAG_ADB_SHELL_INTERACTIVE

added in API level 24
public static final int TAG_ADB_SHELL_INTERACTIVE

Indicates that an ADB interactive shell was opened via "adb shell". There is no extra payload in the log event.

Constant Value: 210001 (0x00033451)

TAG_APP_PROCESS_START

added in API level 24
public static final int TAG_APP_PROCESS_START

Indicates that an app process was started. The log entry contains the following information about the process encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] process name (String)
  • [1] exact start time in milliseconds according to System.currentTimeMillis() (Long)
  • [2] app uid (Integer)
  • [3] app pid (Integer)
  • [4] seinfo tag (String)
  • [5] SHA-256 hash of the base APK in hexadecimal (String)

    Constant Value: 210005 (0x00033455)

    TAG_CERT_AUTHORITY_INSTALLED

    added in API level 28
    public static final int TAG_CERT_AUTHORITY_INSTALLED

    Indicates that a new root certificate has been installed into the system's trusted credential storage. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] result (Integer, 0 if operation failed, 1 if succeeded)
  • [1] subject of the certificate (String).

    Constant Value: 210029 (0x0003346d)

    TAG_CERT_AUTHORITY_REMOVED

    added in API level 28
    public static final int TAG_CERT_AUTHORITY_REMOVED

    Indicates that a root certificate has been removed from the system's trusted credential storage. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] result (Integer, 0 if operation failed, 1 if succeeded)
  • [1] subject of the certificate (String).

    Constant Value: 210030 (0x0003346e)

    TAG_CERT_VALIDATION_FAILURE

    added in API level 28
    public static final int TAG_CERT_VALIDATION_FAILURE

    Indicates a failure to validate an X.509v3 certificate. The log entry contains a String payload indicating the failure reason, accessible via SecurityLog.SecurityEvent.getData().

    Constant Value: 210033 (0x00033471)

    TAG_CRYPTO_SELF_TEST_COMPLETED

    added in API level 28
    public static final int TAG_CRYPTO_SELF_TEST_COMPLETED

    Indicates that cryptographic functionality self test has completed. The log entry contains an Integer payload, indicating the result of the test (0 if the test failed, 1 if succeeded) and accessible via SecurityLog.SecurityEvent.getData().

    Constant Value: 210031 (0x0003346f)

    TAG_KEYGUARD_DISABLED_FEATURES_SET

    added in API level 28
    public static final int TAG_KEYGUARD_DISABLED_FEATURES_SET

    Indicates that an admin has set disabled keyguard features. The log entry contains the following information about the event encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] target user ID (Integer)
  • [3] disabled keyguard feature mask (Integer).

    Constant Value: 210021 (0x00033465)

    TAG_KEYGUARD_DISMISSED

    added in API level 24
    public static final int TAG_KEYGUARD_DISMISSED

    Indicates that keyguard has been dismissed. There is no extra payload in the log event.

    Constant Value: 210006 (0x00033456)

    TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT

    added in API level 24
    public static final int TAG_KEYGUARD_DISMISS_AUTH_ATTEMPT

    Indicates that there has been an authentication attempt to dismiss the keyguard. The log entry contains the following information about the attempt encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] attempt result (Integer, 1 for successful, 0 for unsuccessful)
  • [1] strength of authentication method (Integer, 1 if strong authentication method was used, 0 otherwise)

    Constant Value: 210007 (0x00033457)

    TAG_KEYGUARD_SECURED

    added in API level 24
    public static final int TAG_KEYGUARD_SECURED

    Indicates that the device has been locked, either by the user or by a timeout. There is no extra payload in the log event.

    Constant Value: 210008 (0x00033458)

    TAG_KEY_DESTRUCTION

    added in API level 28
    public static final int TAG_KEY_DESTRUCTION

    Indicates that a cryptographic key was destroyed. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] result (Integer, 0 if operation failed, 1 if succeeded)
  • [1] alias of the key (String)
  • [2] requesting process uid (Integer).

    Constant Value: 210026 (0x0003346a)

    TAG_KEY_GENERATED

    added in API level 28
    public static final int TAG_KEY_GENERATED

    Indicates that an authentication key was generated. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] result (Integer, 0 if operation failed, 1 if succeeded)
  • [1] alias of the key (String)
  • [2] requesting process uid (Integer).

    Constant Value: 210024 (0x00033468)

    TAG_KEY_IMPORT

    added in API level 28
    public static final int TAG_KEY_IMPORT

    Indicates that a cryptographic key was imported. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] result (Integer, 0 if operation failed, 1 if succeeded)
  • [1] alias of the key (String)
  • [2] requesting process uid (Integer).

    Constant Value: 210025 (0x00033469)

    TAG_KEY_INTEGRITY_VIOLATION

    added in API level 28
    public static final int TAG_KEY_INTEGRITY_VIOLATION

    Indicates a failed cryptographic key integrity check. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] alias of the key (String)
  • [1] owner application uid (Integer).

    Constant Value: 210032 (0x00033470)

    TAG_LOGGING_STARTED

    added in API level 28
    public static final int TAG_LOGGING_STARTED

    Indicates start-up of audit logging. There is no extra payload in the log event.

    Constant Value: 210011 (0x0003345b)

    TAG_LOGGING_STOPPED

    added in API level 28
    public static final int TAG_LOGGING_STOPPED

    Indicates shutdown of audit logging. There is no extra payload in the log event.

    Constant Value: 210012 (0x0003345c)

    TAG_LOG_BUFFER_SIZE_CRITICAL

    added in API level 28
    public static final int TAG_LOG_BUFFER_SIZE_CRITICAL

    Indicates that the audit log buffer has reached 90% of its capacity. There is no extra payload in the log event.

    Constant Value: 210015 (0x0003345f)

    TAG_MAX_PASSWORD_ATTEMPTS_SET

    added in API level 28
    public static final int TAG_MAX_PASSWORD_ATTEMPTS_SET

    Indicates that an admin has set a maximum number of failed password attempts before wiping data. The log entry contains the following information about the event encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] target user ID (Integer)
  • [3] new maximum number of failed password attempts (Integer)

    Constant Value: 210020 (0x00033464)

    TAG_MAX_SCREEN_LOCK_TIMEOUT_SET

    added in API level 28
    public static final int TAG_MAX_SCREEN_LOCK_TIMEOUT_SET

    Indicates that an admin has set a maximum screen lock timeout. The log entry contains the following information about the event encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] target user ID (Integer)
  • [3] new screen lock timeout in milliseconds (Long)

    Constant Value: 210019 (0x00033463)

    TAG_MEDIA_MOUNT

    added in API level 28
    public static final int TAG_MEDIA_MOUNT

    Indicates that removable media has been mounted on the device. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] mount point (String)
  • [1] volume label (String).

    Constant Value: 210013 (0x0003345d)

    TAG_MEDIA_UNMOUNT

    added in API level 28
    public static final int TAG_MEDIA_UNMOUNT

    Indicates that removable media was unmounted from the device. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] mount point (String)
  • [1] volume label (String).

    Constant Value: 210014 (0x0003345e)

    TAG_OS_SHUTDOWN

    added in API level 28
    public static final int TAG_OS_SHUTDOWN

    Indicates that the Android OS has shut down. There is no extra payload in the log event.

    Constant Value: 210010 (0x0003345a)

    TAG_OS_STARTUP

    added in API level 28
    public static final int TAG_OS_STARTUP

    Indicates that the Android OS has started. The log entry contains the following information about the startup time software integrity check encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] Verified Boot state (String)
  • [1] dm-verity mode (String).

    Verified Boot state can be one of the following:

  • green indicates that there is a full chain of trust extending from the bootloader to verified partitions including the bootloader, boot partition, and all verified partitions.
  • yellow indicates that the boot partition has been verified using the embedded certificate and the signature is valid.
  • orange indicates that the device may be freely modified. Device integrity is left to the user to verify out-of-band.

    dm-verity mode can be one of the following:

  • enforcing indicates that the device will be restarted when corruption is detected.
  • eio indicates that an I/O error will be returned for an attempt to read corrupted data blocks.

    For details see Verified Boot documentation.

    Constant Value: 210009 (0x00033459)

    TAG_PASSWORD_COMPLEXITY_SET

    added in API level 28
    public static final int TAG_PASSWORD_COMPLEXITY_SET

    Indicates that an admin has set a requirement for password complexity. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] target user ID (Integer)
  • [3] minimum password length (Integer)
  • [4] password quality constraint (Integer)
  • [5] minimum number of letters (Integer)
  • [6] minimum number of non-letters (Integer)
  • [7] minimum number of digits (Integer)
  • [8] minimum number of uppercase letters (Integer)
  • [9] minimum number of lowercase letters (Integer)
  • [10] minimum number of symbols (Integer)

    Constant Value: 210017 (0x00033461)

    TAG_PASSWORD_EXPIRATION_SET

    added in API level 28
    public static final int TAG_PASSWORD_EXPIRATION_SET

    Indicates that an admin has set a password expiration timeout. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] target user ID (Integer)
  • [3] new password expiration timeout in milliseconds (Long).

    Constant Value: 210016 (0x00033460)

    TAG_PASSWORD_HISTORY_LENGTH_SET

    added in API level 28
    public static final int TAG_PASSWORD_HISTORY_LENGTH_SET

    Indicates that an admin has set a password history length. The log entry contains the following information about the event encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] target user ID (Integer)
  • [3] new password history length value (Integer)

    Constant Value: 210018 (0x00033462)

    TAG_REMOTE_LOCK

    added in API level 28
    public static final int TAG_REMOTE_LOCK

    Indicates that an admin remotely locked the device or profile. The log entry contains the following information about the event encapsulated in an Object array, accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] target user ID (Integer)

    Constant Value: 210022 (0x00033466)

    TAG_SYNC_RECV_FILE

    added in API level 24
    public static final int TAG_SYNC_RECV_FILE

    Indicates that a file was pulled from the device via the adb daemon, for example via adb pull. The log entry contains a String payload containing the path of the pulled file on the device, accessible via SecurityLog.SecurityEvent.getData().

    Constant Value: 210003 (0x00033453)

    TAG_SYNC_SEND_FILE

    added in API level 24
    public static final int TAG_SYNC_SEND_FILE

    Indicates that a file was pushed to the device via the adb daemon, for example via adb push. The log entry contains a String payload containing the destination path of the pushed file, accessible via SecurityLog.SecurityEvent.getData().

    Constant Value: 210004 (0x00033454)

    TAG_USER_RESTRICTION_ADDED

    added in API level 28
    public static final int TAG_USER_RESTRICTION_ADDED

    Indicates that an admin has set a user restriction. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] user restriction (String)

    Constant Value: 210027 (0x0003346b)

    TAG_USER_RESTRICTION_REMOVED

    added in API level 28
    public static final int TAG_USER_RESTRICTION_REMOVED

    Indicates that an admin has removed a user restriction. The log entry contains the following information about the event, encapsulated in an Object array and accessible via SecurityLog.SecurityEvent.getData():

  • [0] admin package name (String)
  • [1] admin user ID (Integer)
  • [2] user restriction (String)

    Constant Value: 210028 (0x0003346c)

    TAG_WIPE_FAILURE

    added in API level 28
    public static final int TAG_WIPE_FAILURE

    Indicates a failure to wipe device or user data. There is no extra payload in the log event.

    Constant Value: 210023 (0x00033467)

    Public constructors

    SecurityLog

    added in API level 24
    public SecurityLog ()