
Configuring and Using Audit Logging

This section describes how to prepare and use audit logging with your Luna HSM.

Required Luna Client version is 5.2 or later; HSM firmware version is 6.10.x or later.

In summary, the steps are:

Initialize, to create the role on the HSM.

Configure the various logging parameters.

Begin collecting and verifying logs of HSM activities.

We also advise that you ensure very reliable timekeeping on the host computer - generally the most reliable option is to use NTP (network time protocol) from a recognized standards organization - and to keep the HSM time synchronized with host time. This ensures that HSM log events and log-file events are in close agreement, which is appreciated by auditing agencies.
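As an added example (not part of the Luna documentation), the following POSIX shell function checks that the host clock the audit logger depends on is actually NTP-synchronized before you start collecting logs. It assumes the host runs chrony, so that "chronyc tracking" prints a "Leap status" line and a "System time" line giving the offset from NTP time; the sample output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Luna client: verify the host clock is NTP-synchronized
# before relying on it for audit log timestamps.
# Assumption: "chronyc tracking" output looks like the constructed sample below, i.e.
#   Leap status     : Normal
#   System time     : 0.000023640 seconds slow of NTP time

# Constructed sample of "chronyc tracking" output (hypothetical NTP server name).
SAMPLE_TRACKING='Reference ID    : C0A80001 (ntp.example.org)
Stratum         : 3
System time     : 0.000023640 seconds slow of NTP time
Last offset     : -0.000011234 seconds
Leap status     : Normal'

# clock_in_sync <max_offset_seconds>
# Reads "chronyc tracking" output on stdin. Returns 0 only when the leap status is
# Normal (the daemon is synchronized) and the system time offset is within the limit.
clock_in_sync() {
    awk -v limit="$1" '
        /^Leap status/ { leap = $4 }          # 4th field: Normal / Not ...
        /^System time/ { off = $4 + 0 }       # 4th field: offset in seconds
        END {
            if (leap != "Normal") { print "clock not synchronized (leap status " leap ")"; exit 1 }
            if (off > limit)      { print "clock offset " off "s exceeds " limit "s"; exit 1 }
            print "clock ok: offset " off "s"
            exit 0
        }'
}

# On a real host:  chronyc tracking | clock_in_sync 0.5
# Offline demonstration with the constructed sample (prints "clock ok: ..."):
printf '%s\n' "$SAMPLE_TRACKING" | clock_in_sync 0.5
```

Run the check at the start of each audit-collection session; a non-zero exit means the host time cannot be trusted to agree with the HSM's own event timestamps, which is exactly the disagreement auditors notice.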

If you see the message LUNA_RET_CONTAINER_HANDLE_INVALID this is because you have not yet initialized the "Audit" role on the HSM.

Separation

On a closed, hardened appliance such as Luna SA, with limited user scope, the audit user sees only a reduced subset of commands suitable to the audit role.


 Name                 (short)    Description
 --------------------------------------------------------------------------------
 help                 he         Get Help
 exit                 e          Exit Luna Shell
 hsm                  hs         > Hsm
 audit                a          > Audit
 my                   m          > My
 network              n          > Network   

   

On an uncontrolled host computer, with a contained or attached Luna HSM, all utility commands (lunacm, cmu, ckdemo, etc.) are available to anyone with access to the computer, so a user can see any commands, but can use only those commands that are permitted by the HSM for a specific HSM credential. That is, someone with the audit password (or the white PED Key on a PED-authenticated HSM) can use the "audit" commands, but no one else can, including the HSM's Security Officer (the HSM Administrator or SO). Similarly, the person controlling the audit role on the HSM is unable to use most HSM commands, unless that person also has the HSM Administrator / SO password (or the blue PED Key for PED-authenticated HSMs). Normally the roles are kept rigorously separate, in order to provide utmost confidence to auditing agencies and to anyone who relies upon their reports and validations.

An instance of lunacm engages a crypto session on the HSM, and then grants user-specific access to HSM functions depending upon the HSM credentials that are supplied. If you are logged into the computer, and using lunacm, and another person needs to access the HSM, you can hand over to them securely in one of two ways:

explicitly log out of the role that you have been using (SO, audit, Partition User)
OR

close lunacm

The first option allows the new person to simply take over your lunacm session, but without allowing them any HSM access that they cannot authenticate for themselves (with the correct password or PED Key). The second option closes the HSM session when the lunacm application closes, which also ends an existing login state. Never walk away from the HSM-containing (or HSM-attached) computer without logging out of any HSM role or closing the utility/application that you have been using.

Detailed steps

1. Before configuring audit logging for a Luna HSM, first ensure that the PedClient (also called the callback server) has been started. If the callback server is not started, "audit" commands return CKR_CALLBACK_ERROR.

2. Run the command:
lunacm:>audit init
For a password-authenticated HSM, you are prompted for a domain string or password; for a PED-authenticated HSM, you are referred to Luna PED, which prompts for a white PED Key.

3. Now that the Audit role exists on the HSM, the auditing function must be configured. However, before you can configure it you must authenticate. Run the command:
lunacm:>audit login
For a password-authenticated HSM, you are prompted for a domain string or password; for a PED-authenticated HSM, you are referred to Luna PED, which prompts for a white PED Key.

4. When your credentials have been accepted, run:
lunacm:>audit config
The first time you configure, we suggest using only the "?" option, in order to see all the available options in the configuration process. For example,
lunacm:>audit config eventmask l
will log everything the HSM does. This might be useful in some circumstances, but will quickly fill up log files. The addition of
lunacm:>audit config i h@15
would rotate the logs on an hourly interval, at the 15-minute mark of each hour, cutting down the size of individual log files even in a situation of high-volume event recording, but increasing the number of files to be handled.

5. Specify the audit log path on the host computer:
lunacm:>audit config p /usr/safenet/lunaclient/log
In this case, "log" is a directory/folder name, and must NOT be a filename.
The system specifies each filename; attempting to set a path that includes a filename results in CKR_LOG_BAD_FILE_NAME.

Log entries are made within the HSM, and are written to the currently active log file on the appliance file system. When a log file reaches the rotation trigger, it is closed, and a new file gets the next log entry. The number of log files on the host grows according to the logging settings and the rotation schedule that you configured (above). At any time, you can copy files to a remote computer and then clear the originals from the host, if you wish to free the space.
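Copying rotated files off the host and then clearing the originals is the part of this procedure most easily done wrong (originals deleted before the copy is known to be good). The following POSIX shell script is an added example, not part of the Luna client: it packages the finished log files into a dated .tgz, writes a digest beside it so the copy can be checked after transfer, and removes the originals only after the archive has been read back. It assumes the finished files sit under <logdir>/ready_for_archive (the directory this page's recovery procedure refers to); the audit_<stamp>.tgz naming is this example's own choice, not the Luna file naming.

```shell
#!/bin/sh
# Added example (not part of the Luna client): package rotated audit log files for
# off-host storage and clear the originals only once the archive reads back.
# Assumptions: finished files are under <logdir>/ready_for_archive; the archive name
# audit_<stamp>.tgz is this example's own convention.

# sha256_of <file>: portable digest (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# archive_audit_logs <logdir> <destdir> <stamp>
# Prints the path of the archive it created. Returns non-zero, without touching any
# log file, if the source directory is missing or the archive cannot be written or read.
archive_audit_logs() {
    src="$1/ready_for_archive"
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    mkdir -p "$2" || return 1
    dest=$(cd "$2" && pwd)             # absolute path, since tar runs from inside src
    name="audit_$3.tgz"
    out="$dest/$name"
    count=$(find "$src" -type f | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then echo "nothing to archive in $src" >&2; return 0; fi
    ( cd "$src" && tar -czf "$out" . ) || return 1
    # Digest stored next to the archive so the remote copy can be checked after transfer.
    ( cd "$dest" && sha256_of "$name" > "$name.sha256" ) || return 1
    # Clear the originals only after the archive has been listed back successfully.
    tar -tzf "$out" >/dev/null || { echo "archive unreadable, originals kept" >&2; return 1; }
    find "$src" -type f -exec rm -f {} +
    echo "$out"
}

# Usage on the log host:
#   archive_audit_logs /usr/safenet/lunaclient/log /var/archive/luna-audit "$(date +%Y-%m-%d)"
# then copy the .tgz and its .sha256 to the remote store and re-check the digest there.
```

Keeping the digest with the archive means the verifying side can detect a truncated or tampered transfer before it spends an "audit verify" run on it.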

Export the Audit Logging secret from the HSM and import to the verifying HSM

1. On the host computer where HSM audit log files are being created, export the Audit Logging secret:
lunacm:> audit export

2. Exit lunacm and browse to see the filename of the wrapped log secret.
/user/safenet/lunaclient/bin :>cd ../../lunalog
/user/safenet/lunalog :>ls  
123456 7001347 k6secret.bin LogSecret_130115210057_123456.lws

3. On the computer where the HSM that you will use to verify the downloaded Audit Log file is attached, run:
/user/safenet/lunaclient/bin :>scp audit@myhost1:/usr/safenet/lunalog/LogSecret_130115210057_123456.lws .
(substitute the actual file name of the exported secret in the above example command) and provide the audit user's credentials when prompted. This copies the identified file from the remote host computer's file system (in the "audit" account) and stores the copy on your local computer file system in the directory from which you issued the command.

4. Launch lunacm:
/user/safenet/lunaclient/bin :>./lunacm
For this example, we will assume that you have initialized the HSM Audit User role, using the same domain/secret as is associated with the source Luna HSM.

5. Import the Audit Logging secret into the locally attached HSM:
lunacm:>audit import file 151170.lws

6. Verify the file:
lunacm:>audit verify file mylunsa1_audit_2013-02-28.tgz

You might need to provide the full path to the file, depending upon your current environment settings.   

Additional Considerations

1. The audit role PED Key or password is a critical property for managing the audit logs. If that authentication secret is lost, the HSM must be factory reset (that is, zeroize the HSM) in order to initialize the audit role again. This is equivalent to the same situation for the HSM's Security Officer (or HSM Administrator). The following examples illustrate some points of behavior.

Example #1: HSM Administrator / SO or audit role is not initialized, no login is needed
lunacm:>hsm init -l myHSM -d default -p userpin -f   
'hsm init' successful.   

lunacm:>audit init -d default -p userpin -f   
Command Result : 0 (Success)

Example #2: HSM Administrator / SO or audit role is initialized, but not logged in
lunacm:>hsm init -l myHSM -d default -p userpin -f   
Error:  'hsm init' failed. (1010000 : LUNA_RET_USER_NOT_LOGGED_IN)   
lunacm:>audit init -d default -p userpin -f   
The audit sub-command failed. (LUNA_RET_USER_NOT_LOGGED_IN)

Example #3: HSM Administrator / SO or audit role is logged in, init with the correct password and new domain
lunacm:>hsm init -l myHSM -d safenet -p userpin -f   
'hsm init' successful.   

lunacm:>audit init -d mysafenet -p userpin -f   
Command Result : 0 (Success)

Example #4: HSM Administrator / SO or audit role is logged in, init with the wrong password
lunacm:>hsm init -l myHSM -d safenet -p wrongpin -f   
Error:  'hsm init' failed. (A00000 : LUNA_RET_UM_PIN_INCORRECT)   
lunacm:>audit init -d default -p wrongpin -f   
The audit sub-command failed. (LUNA_RET_UM_PIN_INCORRECT)

2. Multiple bad logins produce different results for the HSM Administrator / SO and the audit role, as follows.
- After 3 bad SO logins, the LUNA_RET_SO_LOGIN_FAILURE_THRESHOLD error is returned and the HSM is zeroized.
- After 3 bad audit logins, the LUNA_RET_SO_LOGIN_FAILURE_THRESHOLD error is returned, but the HSM is unaffected. If a subsequent login attempt is made within 30 seconds, the LUNA_RET_AUDIT_LOGIN_TIMEOUT_IN_PROGRESS error is returned. If you wait for more than 30 seconds and try to log in again with the correct password, the login succeeds.

3. In the event that the current audit log file is locked or corrupted on a Luna PCI-E or a Luna G5 host, for example due to a system crash, the audit logger might enter a state where it repeatedly tries and fails to open the current audit log file. Any audit re-configuration attempt might also fail. Follow the procedure below to get out of this situation:
- Stop the pedClient (also known as the callback server), which serves as the audit logger
- Move the current audit log file to the ready_for_archive folder or directory
- Start the pedClient
You might not be able to verify the corrupted log file. All other log files should be verifiable.