Chapter 5. AuditVerify (Audit Log Verification)
The AuditVerify tool verifies that signed audit logs were signed with the audit log signing private key and that the audit logs have not been compromised (altered since they were signed).
Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. The tool uses the public key from the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file. The tool reports either that the signed audit log was successfully verified or that verification failed. A failed verification warns the auditor that a signature did not verify, which means the log file may have been tampered with (compromised); because the signing key is private to the subsystem, a valid signature cannot be recreated over modified log content.
5.1. Setting up the Auditor's Database
AuditVerify needs access to a set of security databases (usually the auditor's personal security databases) containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database.
Auditors should import the audit signing certificate into their personal certificate and key databases before running AuditVerify. The auditor should not use the security databases of the Certificate System instance that generated the signed audit log files: verification is only meaningful when the trust anchor lives in databases the audited system cannot write to. If there are no readily accessible certificate and key databases, the auditor must create a set of certificate and key databases and import the signed audit log signing certificate chain.
Note
The signedAudit directory kept by the subsystem is not writeable by any user, including auditors.
Important
The auditor user needs read access to the signed audit log files, so the user must be a member of one of the following:
- the pkiaudit group, which is the default value of the pki_audit_group variable in the [DEFAULT] section of the /etc/pki/default.cfg file
- whatever system group was specified as the audit group by overriding the pki_audit_group variable when the pkispawn utility was run to create the subsystem
To create the security databases and import the certificate chain:
- Create a dedicated directory in the auditor's home directory to use for the verification. For example:
  mkdir ~jsmith/auditVerifyDir
- Use the certutil tool to create an empty set of certificate databases in that directory:
  certutil -d ~jsmith/auditVerifyDir -N
- Download the CA certificate from the CA's Retrieval page:
  https://server.example.com:ca_https_port/ca/ee/ca/
  Before trusting the downloaded certificate, confirm its fingerprint against a copy obtained out of band (for example, from the CA administrator); the verification performed later is only as strong as this trust anchor.
- Import the CA certificate and the log signing certificate into the databases, marking the CA certificate as trusted. The certificates can be obtained from the CA in ASCII (PEM) format. If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called logsigncert.txt, certutil is used to set the trust in the new audit security database directory, pointing at those files, as follows:
  certutil -d ~jsmith/auditVerifyDir -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
  certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate" -t ",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt
  The trust string "CT,CT,CT" marks the CA as a trusted issuer for the SSL, S/MIME and object signing usages; ",,P" marks the log signing certificate as a trusted peer for object signing only. The -a flag tells certutil that the input files are ASCII (PEM) rather than binary DER.
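The procedure above, collected into one script that also checks the result, as an added example that is not part of the Certificate System documentation. It assumes certutil from the NSS tools is installed, that the CA certificate and log signing certificate have already been downloaded as ASCII (PEM) files, and that the database password is supplied from a file so the script can run unattended; the directory, file and nickname arguments are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the Certificate System documentation): create the
# auditor's NSS databases for AuditVerify, import the signing chain, and check
# that the trust flags came out as intended. Assumes NSS certutil is installed.
set -eu

# Create an empty NSS certificate/key database in a private directory.
# The directory is made 0700 so other local users cannot read or alter the
# auditor's trust settings. The database password is read from a file
# (certutil -N -f) so no interactive prompt is needed.
setup_auditor_db() {
    dir=$1; pwfile=$2
    mkdir -p "$dir"
    chmod 0700 "$dir"
    certutil -d "$dir" -N -f "$pwfile"
}

# Import the CA certificate as a trusted issuer ("CT,CT,CT") and the audit
# log signing certificate as a trusted object-signing peer (",,P"), with the
# same nicknames and trust strings as the documented procedure.
import_signing_chain() {
    dir=$1; cacert=$2; logcert=$3
    certutil -d "$dir" -A -n "CA Certificate"          -t "CT,CT,CT" -a -i "$cacert"
    certutil -d "$dir" -A -n "Log Signing Certificate" -t ",,P"      -a -i "$logcert"
}

# Print the trust column (SSL,S/MIME,JAR/XPI) that certutil -L shows for one
# nickname, or return 1 if that nickname is not in the database.
trust_flags_of() {
    dir=$1; nick=$2
    certutil -d "$dir" -L | awk -v n="$nick" '
        # Nicknames may contain spaces, so take the trust attributes from the
        # last field and strip them off to recover the nickname.
        { t = $NF; sub(/[ \t]+[^ \t]+$/, "", $0) }
        $0 == n { print t; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Fail unless the CA is trusted to issue certificates in the object-signing
# column (third field) and the log signing certificate is a trusted
# object-signing peer. AuditVerify needs a trusted CA in the chain.
check_auditor_db() {
    dir=$1
    ca_t=$(trust_flags_of "$dir" "CA Certificate") \
        || { echo "CA certificate not found in $dir" >&2; return 1; }
    log_t=$(trust_flags_of "$dir" "Log Signing Certificate") \
        || { echo "log signing certificate not found in $dir" >&2; return 1; }
    case "${ca_t##*,}" in
        *C*) ;;
        *) echo "CA certificate is not trusted for object signing: $ca_t" >&2; return 1 ;;
    esac
    case "${log_t##*,}" in
        *P*) ;;
        *) echo "log signing certificate is not a trusted peer: $log_t" >&2; return 1 ;;
    esac
    echo "auditor database in $dir is ready for AuditVerify"
}

# Usage: sh auditor_db_setup.sh ~jsmith/auditVerifyDir pw.txt cacert.txt logsigncert.txt
if [ "$#" -eq 4 ]; then
    setup_auditor_db "$1" "$2"
    import_signing_chain "$1" "$3" "$4"
    check_auditor_db "$1"
fi
```

The check at the end is the part worth keeping around: a database where the CA was imported without the C flag, or where the signing certificate was imported under a different nickname, looks complete in a directory listing but makes AuditVerify fail or report a trust error, and the awk parse of certutil -L catches both before any log is verified.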