
Configuring and Using Audit Logging

The overall sequence when initializing an HSM that will use Security Audit Logging is as follows:

1.Enable the appliance audit user.

This user is necessary to access and work with logs through the LunaSH interface. It is restricted from administrative functions.

2.Configure the SafeNet Network HSM appliance or the SafeNet PCIe HSM/SafeNet USB HSM host workstation to use the network time protocol (NTP).

Configure access to at least two geographically separated NTP servers for redundancy. Select at least one NTP server that is known to have a high degree of accuracy and reliability (servers associated with national standards bodies are good candidates) as one of the configured servers.

3.Initialize the Audit Officer role.

This enables logging for all subsequent actions performed by the SO and partition User(s).

4.Execute the ‘audit sync’ command.

This ensures that the HSM’s clock is synchronized with the host time (which should also be synchronized with the NTP server) and that all subsequent log records will have a valid and accurate timestamp.

5.Configure the audit category and level of audit

You can specify the level of audit appropriate to the needs of the organization's policy and the nature of the application(s) using the HSM. Security audits can generate a very large amount of data, which consumes HSM processing resources and host storage resources, and makes the job of the Audit Officer quite difficult when it comes time to review the logs. For this reason, configure audit logging so that you capture only relevant data, and no more.

For example, the ‘First Key Usage Only’ category is intended to assist Audit Officers to capture the relevant data in a space-efficient manner for high processing volume applications. On the other hand, a top-level Certificate Authority would likely be required, by policy, to capture all operations performed on the HSM but, since it is typically not an application that would see high volumes, configuring the HSM to audit all events would not impose a significant space and/or performance premium in that situation.

6.Configure log rotation and remote logging server(s) as necessary.

The settings for these configuration elements will often be dictated by the organization’s Audit and/or IT policies and procedures. As with configuring the audit category, the Audit Officer should be prudent in making these configuration settings. It is recommended that the default setting of ‘Rotate Log Daily’ be maintained until the typical/average logging rate can be determined. The use of redundant remote log servers, accessible only by the members of the audit team, is strongly recommended.

7.Initialize the HSM and create partitions as necessary.

At this point, the HSM is ready to be turned over to the SO to initialize it and begin creating the partitions needed to serve the processing applications.

Configure Audit Logging for SafeNet Network HSM  

This section describes how to prepare and use audit logging with your SafeNet Network HSM.

Required SafeNet Network HSM appliance version is 5.2 or later; HSM firmware version is 6.10.9 or later.

In summary, the steps are:

Enable the appliance "audit" user and log into the appliance as that user.

Initialize, to create the role on the HSM.

Configure the various logging parameters.

Begin collecting and verifying logs of HSM activities.

To begin, you log in to LunaSH as an admin-level user, and enable the "audit" user:

lunash:>user enable -username audit
audit was enabled successfully.

Command Result : 0 (Success)

The first time you log into the SafeNet appliance as user "audit", you are prompted to change the password from the default "PASSWORD" to something more secure:


login as: audit
audit@192.20.11.202's password:
Last login: Wed Feb 11 11:02:12 2015 from 192.20.10.181

SafeNet Network HSM 6.0.0 Command Line Shell - Copyright (c) 2001-2015 SafeNet, Inc. All rights reserved.


*****************************************************
**                                                 **
**   For security purposes, you must change your   **
**   password.                                     **
**                                                 **
**   Please ensure you store your new password     **
**   in a secure location.                         **
**                                                 **
**               DO NOT LOSE IT!                   **
**                                                 **
*****************************************************

Changing password for user audit.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.

Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
Password change successful

[sa5] lunash:>


The audit user sees only a reduced subset of commands, those suited to the audit role:


 Name                 (short)    Description
 --------------------------------------------------------------------------------
 help                 he         Get Help
 exit                 e          Exit Luna Shell
 hsm                  hs         > Hsm
 audit                a          > Audit
 my                   m          > My
 network              n          > Network   

   

The audit user's commands are not available to the admin user, and the audit user has no administrative control over the SafeNet Network HSM appliance. This is the first layer in the separation of roles.

This separation allows a user with no administrative control of the appliance or HSM to have oversight of the HSM logs, while also ensuring that an administrator cannot clear those logs.

To configure audit logging on SafeNet Network HSM

1.Using an SSH connection (or a local serial connection), log into the SafeNet appliance as "audit" (not as "admin").   

The default password is "PASSWORD". Ensure that you change the default password to a secure password. To fulfill the purpose of the Audit role, keep the "audit" user's password separate from, and unknown to, the HSM  Security Officer.   

2.Initialize the audit role on the HSM:

lunash:> audit init

On password-authenticated HSMs, you are prompted for a domain string and a password.

On PED-authenticated HSMs, you are referred to SafeNet PED, which prompts for a white PED Key.

3.Now that the audit role exists on the HSM, the auditing function must be configured. Before you can configure it, however, you must log into the HSM as the audit user:

lunash:> audit login

On password-authenticated HSMs, you are prompted to enter the password for the audit user.

On PED-authenticated HSMs, you are referred to SafeNet PED, which prompts for the white PED Key for the audit user.

Note:  You are now logged into the appliance as user "audit" and into the HSM (within the appliance) as user "audit". Both are required. The "audit" commands, including HSM login as "audit", do not appear if you are logged in as "admin", "operator", "user", or any equivalent named appliance-level user.

4.Configure audit logging:

lunash:> audit config

Note:  The first time you configure audit logging, we suggest using only the "?" option, in order to see all the available options in the configuration process.

For example, the command audit config -p e -v all logs everything the HSM does. This might be useful in some circumstances, but it will quickly fill up log files. The command audit config -p r -v h rotates the logs every hour, cutting down the size of individual log files even in a situation of high-volume event recording, but it increases the number of files to be handled.

Log Entries

Log entries are made within the HSM, and are written to the currently active log file on the appliance file system. When a log file reaches the rotation trigger, it is closed, and a new file receives the next log entry. The number of log files on the appliance grows according to the logging settings and the rotation schedule that you configured (above). At any time, you can copy files to a remote computer and then clear the originals from the appliance, if you wish to free the space.

For SafeNet Network HSM, to simplify configuration within its closed and hardened environment, the following rules apply:

the maximum log file size is capped at 4 MB   

the log path is internal to the SafeNet HSM appliance

the rotation offset is set at 0.

Audit Log Operational Activities

To copy files off the appliance

1.View a list of the log files currently saved on the appliance:

lunash:>my file list

2.For this example, assume that the list includes a file named audit.tgz.

3.On the computer where you wish to capture and store the log files:

/usr/safenet/lunaclient/logs :>scp audit@mylunasa1:audit.tgz mylunsa1_audit_2014-02-28.tgz

Provide the audit user's credentials when prompted. This copies the identified file from the remote SafeNet Network HSM's file system (in the "audit" account) and stores the copy on your local computer file system with a useful name.

4.You can view and parse the plain-text portion of the file.

5.You can verify the authenticity of the retrieved file using a connected HSM to which you have imported the Audit Logging secret from the originating SafeNet Network HSM.

To export the Audit Logging secret from the HSM and import to the verifying HSM

1.On the SafeNet Network HSM where HSM audit log files are being created, export the audit logging secret:

lunash:> audit secret export

2.Use my file list to see the file name of the wrapped log secret.

3.On the computer where the HSM is attached, that you will use to verify the downloaded audit log file, run:

/usr/safenet/lunaclient/bin :>scp audit@mylunasa1:151170.lws .

Substitute the actual file name of the exported secret in the example command above, and provide the audit user's credentials when prompted. This copies the identified file from the remote SafeNet Network HSM's file system (in the "audit" account) and stores the copy on your local computer file system in the directory from which you issued the command.

4.Launch LunaCM:

/usr/safenet/lunaclient/bin :>./lunacm

5.For this example, we will assume that you have initialized the HSM Audit User role, using the same domain/secret as is associated with the source SafeNet Network HSM.

6.Import the Audit Logging secret into the locally attached HSM:   

lunacm:>audit import file 151170.lws

7.Verify the file:  

lunacm:>audit verify file mylunsa1_audit_2014-02-28.tgz

You might need to provide the full path to the file, depending upon your current environment settings.   

Deciphering the audit log records

In general, the audit logs are self-explanatory. Due to limitations in the firmware, however, some audit log records require further explanation, as detailed in the following sections:

Determining the serial number of a created partition from the audit log

An audit log entry similar to the following is generated when a partition is created on the HSM:

5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))

It is not obvious from this entry what the serial number of the created partition is. It can be derived from the entry, however, because the partition serial number is simply the HSM serial number concatenated with the partition container number, both of which appear in the log entry ("S/N 150718" and "container=20" in the example above).

In the example above, the HSM serial number is 150718 and the partition container number is 20. Note that the partition container number is a three-digit number that the log prints with leading zeros suppressed, so the actual partition container number is 020. To determine the partition serial number, concatenate the two numbers as follows:

150718020

Use this number to identify the partition in subsequent audit log entries.
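The derivation above is easy to get wrong by hand when a container number is below 100, because the suppressed leading zeros must be restored before concatenating. The following is an added example, not part of this guide or of the SafeNet tooling: a small parser for audit log records in the layout shown on this page, which pulls out the HSM serial number, the operation, its return code and the container number, and computes the partition serial number with the container zero-padded to three digits. The first sample line is the record shown above; the other lines are constructed for the example. The parser assumes (the page does not say) that the leading integer and the timestamp are the first two comma-separated fields and that the rest of the record is free text in which "S/N", "operation ... returned ..." and "container=" appear as shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample log: line 1 is the record shown on this page; lines 2 and 3 are
# constructed for this example (a container number below 100, to show the
# zero padding, and a deliberately malformed line to show error reporting).
SAMPLE_LOG = """\
5,12/12/17 16:14:14,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=20 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
6,12/12/17 16:15:02,S/N 150718 session 1 Access 2147483651:2669 SO container operation LUNA_CREATE_CONTAINER returned RC_OK(0x00000000) container=7 (using PIN (entry=LUNA_ENTRY_DATA_AREA))
this line is deliberately malformed so the parser reports it instead of silently dropping it
"""

# Assumed layout (not documented on this page): "<prefix>,<timestamp>,S/N <hsm serial>
# session <n> Access <id> <free text>". The free text carries the operation name,
# its return code and, for container operations, "container=<n>".
HEADER_RE = re.compile(
    r"^(?P<prefix>\d+),(?P<timestamp>[^,]+),S/N (?P<hsm_serial>\d+)"
    r" session (?P<session>\d+) Access (?P<access>\S+) (?P<detail>.*)$"
)
OPERATION_RE = re.compile(r"operation (?P<operation>\S+) returned (?P<return_code>\S+)")
CONTAINER_RE = re.compile(r"\bcontainer=(?P<container>\d+)\b")


def partition_serial(hsm_serial: str, container: int) -> str:
    """HSM serial number followed by the container number padded to three digits."""
    if not 0 <= container <= 999:
        raise ValueError(f"container number out of three-digit range: {container}")
    return f"{hsm_serial}{container:03d}"


@dataclass(frozen=True)
class AuditRecord:
    prefix: int            # leading integer field; its meaning is not stated on this page
    timestamp: str
    hsm_serial: str
    session: int
    access: str
    operation: Optional[str]
    return_code: Optional[str]
    container: Optional[int]
    raw: str

    @property
    def succeeded(self) -> bool:
        # Success is logged as RC_OK(0x00000000); treat anything else as a failure.
        return self.return_code is not None and self.return_code.startswith("RC_OK")

    @property
    def partition_serial(self) -> Optional[str]:
        if self.container is None:
            return None
        return partition_serial(self.hsm_serial, self.container)


def parse_record(line: str) -> AuditRecord:
    """Parse one audit log line; raise ValueError if it does not match the layout."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    detail = m.group("detail")
    op = OPERATION_RE.search(detail)
    ct = CONTAINER_RE.search(detail)
    return AuditRecord(
        prefix=int(m.group("prefix")),
        timestamp=m.group("timestamp"),
        hsm_serial=m.group("hsm_serial"),
        session=int(m.group("session")),
        access=m.group("access"),
        operation=op.group("operation") if op else None,
        return_code=op.group("return_code") if op else None,
        container=int(ct.group("container")) if ct else None,
        raw=line,
    )


def parse_log(text: str) -> Tuple[List[AuditRecord], List[str]]:
    """Parse every non-blank line. Unparsable lines are returned rather than
    dropped, so the Audit Officer can see that part of the log was not understood."""
    records: List[AuditRecord] = []
    rejected: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except ValueError:
            rejected.append(line)
    return records, rejected


def created_partitions(records: List[AuditRecord]) -> Dict[str, AuditRecord]:
    """Map partition serial -> the successful LUNA_CREATE_CONTAINER record that created it."""
    return {
        r.partition_serial: r
        for r in records
        if r.operation == "LUNA_CREATE_CONTAINER" and r.succeeded and r.partition_serial
    }


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for serial, r in sorted(created_partitions(recs).items()):
        print(f"{r.timestamp}  partition {serial} created on HSM {r.hsm_serial} (container={r.container})")
    for line in bad:
        print(f"unparsed: {line}")
```

Run against the sample, the record from this page yields partition serial 150718020 and the constructed container=7 record yields 150718007; the malformed line is reported separately instead of being silently skipped, which is the behaviour you want when reviewing a log whose integrity you are about to attest to.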

Additional Considerations

The audit role PED key or password is critical to managing the audit logs. If that authentication secret is lost, the HSM must be factory reset (that is, zeroized) in order to initialize the audit role again. This is the same situation as for the HSM's Security Officer (SO).

 Multiple bad logins produce different results for the SO and for the audit role, as follows:

  After 3 bad SO logins, the LUNA_RET_SO_LOGIN_FAILURE_THRESHOLD error is returned and the HSM is zeroized.

  After 3 bad audit logins, the LUNA_RET_AUDIT_LOGIN_FAILURE_THRESHOLD error is returned, but the HSM is unaffected. If a subsequent login attempt is made within 30 seconds, the LUNA_RET_AUDIT_LOGIN_TIMEOUT_IN_PROGRESS error is returned. If you wait for more than 30 seconds and try to log in again with the correct password, the login is successful.