
Chapter 5. AuditVerify (Audit Log Verification)


The AuditVerify tool is used to verify that signed audit logs were signed with the private signing key and that the audit logs have not been compromised.
Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log file. The tool response indicates either that the signed audit log was successfully verified or that the signed audit log was not successfully verified. An unsuccessful verification warns the auditor that the signature failed to verify, indicating the log file may have been tampered with (compromised).

5.1. Setting up the Auditor's Database

AuditVerify needs access to a set of security databases (usually the auditor's personal security databases) containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database.
Auditors should import the audit signing certificate into their personal certificate and key databases before running AuditVerify. The auditor should not use the security databases of the Certificate System instance that generated the signed audit log files. If there are no readily accessible certificate and key databases, the auditor must create a set of certificate and key databases and import the signed audit log signing certificate chain.

Note

The signedAudit directory kept by the subsystem is not writeable by any user, including auditors.

Important

The auditor user must be a member of one of the following:
  • the pkiaudit group, which is the default value of the pki_audit_group variable under the [DEFAULT] section of the /etc/pki/default.cfg file
  • whatever system group was identified as the audit group by overriding the pki_audit_group variable when the pkispawn utility was run to create the subsystem
To create the security databases and import the certificate chain:
  1. Create a special directory in the auditor's home directory to use to perform the verification. For example:
    mkdir ~jsmith/auditVerifyDir
  2. Use the certutil tool to create an empty set of certificate databases in the auditor's home directory.
    certutil -d ~jsmith/auditVerifyDir -N
  3. Download the CA certificate from the CA's Retrieval page.
    https://server.example.com:ca_https_port/ca/ee/ca/
  4. Import the CA certificate and log signing certificate into the databases, marking the CA certificate as trusted. The certificates can be obtained from the CA in ASCII format.
    If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called logsigncert.txt, then certutil is used to import them into the new audit security database directory and set their trust flags, as follows:
    certutil -d ~jsmith/auditVerifyDir/ -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt

    certutil -d ~jsmith/auditVerifyDir -A -n "Log Signing Certificate" -t ",,P" -a -i /var/lib/instance_ID/alias/logsigncert.txt
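The following script is an added example, not part of the Red Hat documentation or the Certificate System tooling. It carries out the four steps above for an auditor's database and adds the checks a practitioner would want before running AuditVerify: that the current user is in the audit group read from default.cfg (falling back to the documented default pkiaudit), that the chosen database directory is not the subsystem's own /var/lib/instance_ID/alias directory, and that both certificates were imported with the intended trust flags. It assumes NSS certutil is on the PATH (the --empty-password option of certutil -N is used to avoid the interactive prompt), that the two certificates were already saved in ASCII form, and the function names and the alias-directory path pattern are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): auditor database setup
# for AuditVerify with the sanity checks the procedure text implies.
# Assumptions: NSS certutil is on PATH; cacert.txt and logsigncert.txt exist
# in ASCII (PEM) form; function names below are this example's own.

# Trust flags used in the procedure: the CA certificate is trusted as a CA for
# SSL, e-mail and object signing ("CT,CT,CT"); the log signing certificate is
# only a trusted peer for object signing (",,P"), which is all that verifying
# the audit log signatures needs.
trust_flags_for() {
    case "$1" in
        ca)  printf '%s' 'CT,CT,CT' ;;
        log) printf '%s' ',,P' ;;
        *)   return 1 ;;
    esac
}

# Read pki_audit_group from a pkispawn default.cfg-style file; fall back to the
# documented default "pkiaudit" when the variable was not overridden.
audit_group_from_cfg() {
    group=$(sed -n 's/^[[:space:]]*pki_audit_group[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | head -n 1)
    printf '%s' "${group:-pkiaudit}"
}

# True when the current user belongs to the given group (id -Gn lists all groups).
user_in_group() {
    id -Gn | tr ' ' '\n' | grep -qx "$1"
}

# The auditor must not reuse the instance's own databases: refuse the
# /var/lib/<instance_ID>/alias layout the documentation shows (assumed pattern).
is_instance_alias_dir() {
    case "$1" in
        /var/lib/*/alias|/var/lib/*/alias/) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1, 2 and 4: create the directory and empty databases, import both
# certificates with their trust flags, then list the database to confirm them.
setup_auditor_db() {
    dbdir="$1"; cacert="$2"; logcert="$3"
    if is_instance_alias_dir "$dbdir"; then
        echo "refusing to use the subsystem's own database directory: $dbdir" >&2
        return 1
    fi
    if ! [ -r "$cacert" ] || ! [ -r "$logcert" ]; then
        echo "certificate files not readable: $cacert $logcert" >&2
        return 1
    fi
    mkdir -p "$dbdir" || return 1
    # --empty-password avoids the interactive prompt of a bare certutil -N.
    certutil -d "$dbdir" -N --empty-password || return 1
    certutil -d "$dbdir" -A -n "CA Certificate" -t "$(trust_flags_for ca)" -a -i "$cacert" || return 1
    certutil -d "$dbdir" -A -n "Log Signing Certificate" -t "$(trust_flags_for log)" -a -i "$logcert" || return 1
    # The trust column of the listing should read CT,CT,CT and ,,P respectively.
    certutil -d "$dbdir" -L
}

# Usage: sh setup_auditor_db.sh ~jsmith/auditVerifyDir cacert.txt logsigncert.txt [default.cfg]
if [ $# -ge 3 ]; then
    grp=$(audit_group_from_cfg "${4:-/etc/pki/default.cfg}")
    user_in_group "$grp" || { echo "current user is not in audit group $grp" >&2; exit 1; }
    setup_auditor_db "$1" "$2" "$3"
fi
```

Run it as the auditor, not as the user owning the subsystem instance; the final certutil -L listing is the check that the CA certificate really carries the trusted-CA flags, since AuditVerify will fail to verify signatures if the chain does not validate against a trusted CA in this database.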
© 2025 Red Hat