audit

Access commands that allow the audit user to perform HSM auditing tasks.

NOTE   Audit commands control HSM audit logging. They are visible only to the audit user, and are hidden from the appliance admin, operator, monitor, or any other non-auditor user.

Audit log and syslog entries are timestamped in UTC format.

TIP   Performance and Audit Logging

Secure Audit Logging consumes HSM resources, so consider minimizing the intensity of logging that you invoke.

For example, when choosing asymmetric key usage logging, you can specify which events to record with -value asymmetric or -value first.
When choosing symmetric key usage logging, the corresponding values are symmetric and symfirst.

An HMAC is generated for each log, so "first" and "symfirst" record the first use of a key (asymmetric sig/ver or symmetric enc/dec respectively) and are much more sparing of HSM cycles, and therefore preferred to configuring for a log entry at every individual use of a given key -- unless that level of detailed logging is mandated.
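The two ideas in this tip, one HMAC per log entry and a "first use" policy that writes far fewer entries than logging every use, can be illustrated with a small in-memory model. The following is an added example, not code or log format from the Luna appliance: the entry layout (JSON body plus hex HMAC-SHA256), the policy names "all" and "first", and the hard-coded demo secret are all constructed for this illustration, and on a real appliance the audit secret stays inside the HSM. The verifier also checks a sequence counter so that a removed entry is detected, not only an edited one.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed demo secret. On a real appliance the audit secret stays inside the
# HSM (exported/imported only via `audit secret`); it is hard-coded here only so
# the example runs offline.
DEMO_AUDIT_SECRET = b"demo-audit-secret-not-a-real-key"


def entry_mac(secret: bytes, entry: str) -> str:
    """HMAC-SHA256 over one serialized log entry (constructed format, not Luna's)."""
    return hmac.new(secret, entry.encode("utf-8"), hashlib.sha256).hexdigest()


class AuditLog:
    """Minimal audit log: one HMAC per entry, UTC timestamps, policy 'all' or 'first'."""

    def __init__(self, secret: bytes, policy: str = "all"):
        if policy not in ("all", "first"):
            raise ValueError("policy must be 'all' or 'first'")
        self.secret = secret
        self.policy = policy
        self.entries: list = []
        self._seen_keys: set = set()

    def record(self, key_label: str, operation: str, when: Optional[datetime] = None) -> bool:
        """Append an entry if the policy requires it; return True if an entry was written."""
        if self.policy == "first" and key_label in self._seen_keys:
            return False  # 'first' logs only the initial use of each key
        self._seen_keys.add(key_label)
        when = when or datetime.now(timezone.utc)
        body = {
            "ts": when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "seq": len(self.entries),  # monotonic counter: a deleted line shows up as a gap
            "key": key_label,
            "op": operation,
        }
        line = json.dumps(body, sort_keys=True, separators=(",", ":"))
        self.entries.append(f"{line} {entry_mac(self.secret, line)}")
        return True


def verify_log(secret: bytes, lines: list) -> Tuple[bool, Optional[int], Optional[str]]:
    """Check every entry's HMAC and the sequence numbers.

    Returns (True, None, None) for an intact log, otherwise (False, index, reason)
    for the first entry that fails.
    """
    for index, raw in enumerate(lines):
        line, sep, mac = raw.rpartition(" ")
        if not sep:
            return False, index, "malformed entry"
        if not hmac.compare_digest(mac, entry_mac(secret, line)):
            return False, index, "bad hmac"
        if json.loads(line)["seq"] != index:
            return False, index, "sequence gap"
    return True, None, None


def demo() -> dict:
    """Build two logs under different policies, then tamper with copies and verify."""
    # Constructed sequence of key uses: the same signing key used three times.
    uses = [
        ("rsa-sign-01", "sign"),
        ("rsa-sign-01", "sign"),
        ("aes-wrap-07", "encrypt"),
        ("rsa-sign-01", "verify"),
    ]
    log_all = AuditLog(DEMO_AUDIT_SECRET, "all")
    log_first = AuditLog(DEMO_AUDIT_SECRET, "first")
    for key, op in uses:
        log_all.record(key, op)
        log_first.record(key, op)

    # Tampering scenarios on copies of the full log.
    edited = list(log_all.entries)
    edited[2] = edited[2].replace("aes-wrap-07", "aes-wrap-99")  # content changed, MAC no longer matches
    truncated = log_all.entries[:1] + log_all.entries[2:]  # one entry silently removed

    return {
        "entries_all": len(log_all.entries),
        "entries_first": len(log_first.entries),
        "intact": verify_log(DEMO_AUDIT_SECRET, log_all.entries),
        "edited": verify_log(DEMO_AUDIT_SECRET, edited),
        "truncated": verify_log(DEMO_AUDIT_SECRET, truncated),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the trade-off directly: the "all" policy produces four HMAC computations for four key uses, while "first" produces two, one per distinct key. Verification reports the edited entry as a bad HMAC and the removed entry as a sequence gap, which is why a per-entry MAC should be paired with a counter or chain rather than used alone.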

The audit user also has access to a limited set of commands grouped under the following command menus:

hsm

Provides access to the following:

> The hsm show command. See hsm show.

> All hsm ped commands, except for the hsm ped vector commands. The audit appliance user is allowed to connect and disconnect remote PED connections, adjust the timeout, and view connection information, but is not allowed to create (init) or erase a remote PED vector. See hsm ped.

my

Provides a set of commands equivalent to those provided to other non-admin users. See my.

network

Provides only the show and ping commands. See network.

Syntax

audit

changepwd
config
init
log
login
logout
remotehost
secret
show
sync

Argument(s)   Shortcut   Description
changepwd     ch         Changes the audit user password or PED key. See audit changePwd.
config        co         Sets the audit parameters. See audit config.
init          i          Initializes the audit role. See audit init.
log           log        Accesses commands that allow you to manage audit log files. See audit log.
login         logi       Logs in as the audit user. See audit login.
logout        logo       Logs out the audit user. See audit logout.
remotehost    r          Configures audit logging remote hosts. See audit remotehost.
secret        se         Exports or imports the audit logging secret. See audit secret.
show          sh         Displays the current audit logging configuration. See audit show.
sync          sy         Synchronizes the HSM time to the host time. See audit sync.