Security Events in WinCC OA

WCCOActrl (1), 2023.11.02 13:17:25.888, PARAM,INFO, 26/OaLogin, Area permission created, Area Permission: MyAreaPermission

• {AREA PERMISSION}: Area permission name

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Create a new user group or select an existing one in User administration panel
5. Create an area permission

WCCOActrl (1), 2023.11.02 13:17:36.334, PARAM,INFO, 27/OaLogin, Area permission deleted, Area Permission: MyAreaPermission

• {AREA PERMISSION}: Area permission name

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Create a new user group or select an existing one in User administration panel
5. Delete the area permission

WCCOActrl (1), 2023.11.02 13:16:11.276, PARAM,INFO, 22/OaLogin, User account added to group, User: MyUser, Groups: root | operatorAll | operator

• {USER}: Name of the user account
• {GROUPS}: Added groups associated with the user account

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Create a new user group or select an existing one in User administration panel
5. Change association of the user user and its groups

WCCOActrl (1), 2023.10.01 10:29:13.655, PARAM, INFO, 18/OaLogin, User account testUser(8) has been deleted.

• {MANAGER NO}: Manager number of manager running the command channel
• {USER NAME}: Name of the user account
• {USER ID}: Internal ID of the user account

1. Open the User Administration
2. Select user, and click on the "Delete" button

WCCOActrl (1), 2023.11.02 13:16:26.165, PARAM,INFO, 23/OaLogin, User account deleted from group, User: MyUser, Groups: operatorAll | operator

• {USER}: Name of the user account
• {GROUPS}: Deleted groups associated with the user account

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Create a new user group or select an existing one in User administration panel
5. Change association of the user user and its groups

WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 17/OaLogin, User account testUser(8) has been disabled.

• {MANAGER NO}: Manager number running command channel script
• {USER NAME}: Name of the user account
• {USER ID}: Internal ID of the user account

1. Open the User Administration
2. Select user, and click on the "Deactivate" button

WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 16/OaLogin, User account testUser(8) has been enabled.

• {MANAGER NO}: Manager number for command channel script
• {USER NAME}: Name of the user account
• {USER ID}: Internal ID of the user account

1. Open the User Administration
2. Click on the "Activate" button
3. Select user, and click on the "Activate" button

WCCOActrl (1), 2023.11.02 13:15:02.115, PARAM,INFO, 19/OaLogin, User group created, Group: MyGroup

• {GROUP}: Name of the successfully created user group

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Create a new user group in User administration panel

WCCOActrl (1), 2023.11.02 13:15:17.960, PARAM,INFO, 20/OaLogin, User group deleted, Group: MyGroup

• {GROUP}: Name of the successfully deleted user group

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Delete a new user group in User administration panel

WCCOActrl (1), 2023.11.02 13:15:39.016, PARAM,INFO, 21/OaLogin, User group permission changed, Group: MyGroup, Authorization level: 00000000000000000000000101010101

• {GROUP}: Name of the user group
• {AUTHORIZATION_LEVEL}: Name permission for user group

1. 1. Open WinCC OA administrator
2. 2. Create a new project or select an existing one
3. 3. Start WinCC OA console
4. 4. Create a new user group or select an existing one in User administration panel
5. 5. Change permission for selected user group

WCCOActrl (2), 2023.10.01 10:29:13.655, PARAM, INFO, 15/OaLogin, Password of user testUser(8) has been changed.

• {MANAGER NO}: Manager number running the command chanel script
• {USER NAME}: Name of the user account
• {USER ID}: Internal ID of the user account

1. Open the User Administration
2. Select user, and open the User characteristics panel
3. Set password using the "Password" button on the panel

WCCOAui (1), 2023.11.02 13:16:50.941, PARAM,INFO, 24/OaLogin, Workstation permission created, Workstation: MyWorkstationPermission, Group: MyGroup, Authorization level: 11111111 11111111 11111111 11111110

• {WORKSTATION}: Name of the workstation permission
• {GROUP}: Name of the user group
• {AUTHORIZATION_LEVEL}: Name permission for user group

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Create a new user group or select an existing one in User administration panel
5. Create the new workstation permission

WCCOAui (1), 2023.11.02 13:17:06.806, PARAM,INFO, 25/OaLogin, Workstation permission deleted, Workstation: MyWorkstationPermission, Group: MyGroup

• {WORKSTATION}: Name of the workstation permission

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Create a new user group or select an existing one in User administration panel
5. Delete the workstation permission

WCCILevent (0), 2023.11.15 15:08:17.696, SYS, INFO, 255, _auth config for System1:_Users.:_auth._default._read has been changed

• {NAME}: Name of the data-point and config that were changed

This event is issued when changing an _auth config (adding _auth config, removing _auth config, changing access rights/permissions) of an internal (that is for WinCC OA system relevant) data point.

Access rights can be applied to following configs:

• _address
• _alert
• _alert_class
• _alert_hdl
• _archive
• _cmd_conv
• _corr
• _default
• _distrib
• _dp_fct
• _general
• _lock
• _logger
• _msg_conv
• _original
• _pv_range
• _smooth
• _u_range

Open PARA and select the _Users data-point. Select the _auth config and change something and click Apply/OK.

WCCOActrl (2), 2023.03.14 12:18:20.232, SYS, INFO, 1, Manager Start, PROJ, SecurityEvents3.20, V 3.20 - 3.20 final platform Windows AMD64 linked at Feb 8 2023 08:27:48 (a0f2bb6075f)

• {MANAGER TYPE}: Type of manager, e.g. WCCOActrl or WCCOAevent
• {MANAGER NO}: Manager number

It indicates the start of one of the manager components (e.g. Data Manager, Event Manager, Control Manager, etc.). Dependent on the project context multiple starts within short time (some minutes) can indicate a severe deviation like repeated crashes or unauthorized access with trial starts. The WCCOAdatabg (data background manager) is stopped and started at every online backup, so these messages do not indicate a deviation.

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Start one manager (eg. WCCOAdata) manually

WCCILproxy (1), 2023.09.29 12:19:12.422, SYS, INFO, 220, Multiplexing proxy Start, PROJ, SecurityEvents3.20, V 3.20 - 3.20 final platform Windows AMD64 linked at Sep 29 2023 12:19:02 (29e85fd5be6)

The Proxy Manager Start event message delivers multiple information about the module version, patch and link information.

This message indicates the start of the Proxy manager. It is similar to the Manager Start message but has an own Event ID.

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Start Proxy manager manually

WCCILdata (0), 2023.05.04 12:00:59.812, SYS, INFO, 2, Manager Stop

• {MANAGER TYPE}: Type of manager, e.g. WCCOActrl or WCCOAevent
• {MANAGER NO}: Manager number

This event should be paired to its Manager Start event. A missing stop event indicates abnormal termination due to a crash or intentionally forced stop. The WCCOAdatabg (data background manager) is stopped and started at every online backup, so these messages don't indicate a deviation.

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Start one manager (eg. WCCOAdata) manually
5. Stop this manager (eg. WCCOAdata) manually with normal termination

WCCILproxy (1), 2023.09.29 12:20:04.892, SYS, INFO, 221, Multiplexing proxy Stop

This message is similar to the Manager Stop message but has an own Event ID.

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Start Data, Event and Proxy manager manually
5. Stop Proxy manager manually with normal termination

WCCILproxy (1), 2023.11.21 10:11:35.929, PARAM,INFO, 1/ContinuousMonitoring, Audit config entry changed, SE_LOGOFF ("Logoff") Security Log: TRUE

{DETAILS}: The details of the change

Change and save the configuration in the Security Events wizard.

WCCOAui (1), 2023.11.21 10:11:34.051, PARAM,INFO, 2/ContinuousMonitoring, Audit configuration was saved

Change and save the configuration in the Security Events wizard.

WCCOActrl (2), 2023.12.04 10:59:15.467, PARAM,INFO, 11/http, Authorized connect from para@md639abc.etm.net, /_info

• {user}: User attempting connection
• {peer host}: Host name of connecting peer
• {uri}: Requested uri without query parameters

Login with valid credentials (login panel) while serverside authentication and httpAuth are activated.

WCCILproxy (1), 2024.04.04 15:33:06.201, PARAM,WARNING, 209, Cannot find the host in the list of the allowed-hosts: (8.8.8.8:4897)

• {HOSTNAME}: Hostname of the server that the connection attempt should reach
• {PORT NUMBER}: Port number that was opened for network communication (see TCP/IP protocol information)

Configure the project using config entry [general]mxProxy; try to connect to a server that has no corresponding proxy entry of its hostname in the server configuration file.

WCCOActrl (2), 2024.04.04 15:42:22.090, PARAM,SEVERE, 254, Required chainPrefix: root-cert, received: IOWA-CA;rsa.expired;.

• {PREFIX}: Required prefix
• {BAD PREFIX}: Certificate prefix

This event indicates an erroneous or malicious connection attempt from remote.

Contact proxy from network using a certificate with a wrong issuer.

WCCILproxy (1), 2024.04.05 10:05:03.447, PARAM,WARNING, 218, Certificate /C=AT/ST=Burgenland/O=ETM/OU=IOWA/CN=IOWA-CA/emailAddress=info@etm.at is expired.

This event is issued by any of the WinCC OA processes (server, clients or Proxy) in case of a certificate that was not exchanged in time so that the current date exceeded the certificate expiration date. This event indicates an inattentive project security management.

Connect event manager via network using a certificate that has the expire date set to a date in the past.

WCCILdataSQLite(0), 2024.04.04 14:26:20.488, PARAM,SEVERE, 219, Certificate verification failed, due to: invalid certificate verification context. WCCOActrl (2), 2024.04.04 14:33:50.134, PARAM,SEVERE, 219, Certificate /C=AT/ST=Burgenland/L=Eisenstadt/O=ETM/OU=RD/CN=root-cert verification failed, due to: self-signed certificate in certificate chain.

This event is issued by one of the WinCC OA Managers or Proxy in case of a general certificate error. The description contains the details, for example: certificate chain broken, untrusted root, certificate is revoked, ...

It indicates an erroneous or malicious connection attempt from remote.

Connect to event manager via network using an invalid certificate (e.g. revoked or broken certificate).

WCCOActrl (2), 2023.05.04 12:05:05.157, SYS, INFO, 2/http, Server listens on Port https:// - 443. WCCOActrl (2), 2023.05.04 12:05:05.157, SYS, INFO, 2/http, Server listens on Port http:// - 80.

• {HTTP TYPE}: http or https (encrypted http) format
• {PORT NO}: Port number that was opened for network communication (see TCP/IP protocol information)

Start Control Manager manually either using a script that calls the httpServer() function or using webclient_http.ctl script

node (3), 2023.12.07 14:31:49.307, SYS, INFO, 1/javascript, Server listens on Port https:// - 443. node (3), 2023.12.07 14:31:49.307, SYS, INFO, 1/javascript, Server listens on Port sftp:// - 22.

• {PROTOCOL}: protocol used for the port
• {PORT NO}: Port number that was opened for network communication (see TCP/IP protocol information)

Start JavaScript Manager manually using a script that calls reportOpenPort() on the WinccoaManager instance in JavaScript

WCCOActrl (2), 2023.12.04 10:28:55.005, PARAM,WARNING, 7/http, Unauthorized connect from para@md639abc.etm.net, /_info

• {user}: User attempting connection
• {peer host}: Host name of connecting peer
• {uri}: Requested uri without query parameters

Login with invalid credentials (login panel) while serverside authentication and httpAuth are activated.

WCCOActrl (2), 2023.12.04 10:51:10.428, PARAM,WARNING, 8/http, Unauthorized connect from root@md639abc.etm.net; 'root' is no valid account for http server, /_info

• {peer host}: Host name of connecting peer
• {uri}: Requested uri without query parameters

Login with the root user (login panel) while serverside authentication and httpAuth are activated.

WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,SEVERE, 201/OaLogin, Failed Login, User: root

• {USER}: Name of the attempting user

Multiple occurrences of this event in a short time can indicate attempts of unauthorized access to the System.

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Add a WCCOAui Manager with following options: "-p vision/login.pnl"
5. Start this manager and enter invalid user credentials into the panel and click the login-button

WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,INFO, 202/OaLogin, Logoff, User: root

• {USER}: Name of the logged off user

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Configure the PanelTopology in a way that it is possible to logoff e.g. Template: "ETMMENU"
5. Add a WCCOAui Manager with following options: "-p vision/login.pnl"
6. Start this manager and enter valid user credentials into the panel and click the login-button
7. Logoff via the panel

WCCOAui (2), 2023.10.30 13:30:39.498, PARAM,INFO, 200/OaLogin, Successful Login, User: root

• {USER}: Name of the logged in user

1. Open WinCC OA administrator
2. Create a new project or select an existing one
3. Start WinCC OA console
4. Add a WCCOAui Manager with following options: "-p vision/login.pnl"
5. Start this manager and enter valid user credentials into the panel and click the login-button