audit config

Set the configuration parameters for audit logging.

The callback service (cbs) on the appliance creates the audit log files when it reads the audit records from the HSM card. This happens as needed and as configured, unless the service stops or the appliance disk becomes full.

NOTE   Audit log and syslog entries are timestamped in UTC format.

TIP   Performance and Audit Logging

Secure Audit Logging consumes HSM resources, so consider minimizing the intensity of logging that you invoke.

For example, when choosing asymmetric key usage logging, you can specify the event values to record with -value asymmetric or -value first.
When choosing symmetric key usage logging, you can opt for the corresponding symmetric and symfirst values.

An HMAC is generated for each log, so "first" and "symfirst" record the first use of a key (asymmetric sig/ver or symmetric enc/dec respectively) and are much more sparing of HSM cycles, and therefore preferred to configuring for a log entry at every individual use of a given key -- unless that level of detailed logging is mandated.

User Privileges

Only specialized Audit users can access audit commands.

Syntax

audit config -parameter <parameter> -value <value> [-serial <serialnum>]

Argument(s) Shortcut Description
-parameter <parameter> -p

Specifies the type of parameter to set.

Valid values

The letter enclosed in square brackets [n] indicates a shortcut:

>[e]vent - Include the list of events specified using the -value parameter in the log.

>[r]otation - Rotate the logs as specified by the -value parameter.

-serial <serialnum> -s

Reserved for future use.
Specifies the serial number of the HSM. This option allows the system to distinguish between two connected HSMs.

-value <value> -v

Event Values

If -parameter is set to event, this specifies a comma-separated list of events to include in the log.

Note: In addition to specifying an event category, you must also specify the conditions under which those events are to be logged - either f for failures, or s for successes, or both. See the examples.

Valid values

The letter enclosed in square brackets [n] indicates a shortcut:

>[f]ailure: log command failures

>[s]uccess: log command successes

>[a]ccess: log access attempts (logins)

>[m]anage: log HSM management (init/reset/etc)

>[k]eymanage: key management events (key create/delete)

>asymmetri[c]: asymmetric key usage (sig/ver)

>fi[r]st: first asymmetric key usage only (sig/ver)

>s[y]mmetric: symmetric key usage (enc/dec)

>symf[i]rst: first symmetric key usage only (enc/dec)

>e[x]ternal: log messages from CA_LogExternal

>lo[g]manage: log events relating to log configuration

>a[l]l: log everything (user will be warned)

>[n]one: turn logging off

Rotation Values

If -parameter is set to rotation, this specifies the log rotation interval.

Valid values

The letter enclosed in square brackets [n] indicates a shortcut:

>[h]ourly

>[d]aily

>[w]eekly

>[m]onthly

>[n]ever

Example

The following table provides some command usage examples:

Command                                                                      Description
lunash:> audit config -parameter event -value all                            Log everything.
lunash:> audit config -parameter event -value none                           Log nothing.
lunash:> audit config -parameter event -value failure                        Log all command failures.
lunash:> audit config -parameter event -value failure,success,asymmetric     Log all key usage requests, both success and failure.
lunash:> audit config -parameter rotation -value daily                       Rotate the log daily.
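The following helper is an added example, not part of the Luna documentation or the lunash tool: it expands the shortcut letters listed above, enforces the rule from the Note (an event category must be paired with failure and/or success), flags the settings the TIP identifies as costly on the HSM, and builds the lunash command line. The assumption that all and none are never combined with other values is the author's, not the page's.

```python
# Added example, not from the Luna documentation: expands the shortcut letters,
# enforces the Note (a category needs failure and/or success) and emits the command.
EVENT_SHORTCUTS = {
    "f": "failure", "s": "success", "a": "access", "m": "manage",
    "k": "keymanage", "c": "asymmetric", "r": "first", "y": "symmetric",
    "i": "symfirst", "x": "external", "g": "logmanage", "l": "all", "n": "none",
}
ROTATION_SHORTCUTS = {"h": "hourly", "d": "daily", "w": "weekly",
                      "m": "monthly", "n": "never"}
CONDITIONS = {"failure", "success"}
STANDALONE = {"all", "none"}  # assumption: these are not combined with other values

def expand(token, table):
    token = token.strip().lower()  # accept a shortcut letter or the full name
    if token in table or token in table.values():
        return table.get(token, token)
    raise ValueError(f"unknown value: {token!r}")

def normalize_events(value):
    """Expand a comma-separated event list, drop duplicates, validate, keep order."""
    events = []
    for tok in value.split(","):
        name = expand(tok, EVENT_SHORTCUTS)
        if name not in events:
            events.append(name)
    names = set(events)
    if names & STANDALONE and len(names) > 1:
        raise ValueError("'all' and 'none' cannot be combined with other values")
    if (names - CONDITIONS - STANDALONE) and not (names & CONDITIONS):
        raise ValueError("an event category needs failure and/or success")
    return events

def intensity_warnings(events):
    """Flag settings the TIP calls costly on the HSM; returns a list of hints."""
    cheaper = {"asymmetric": "first", "symmetric": "symfirst"}
    out = [f"{e}: consider '{cheaper[e]}' unless per-use logging is mandated"
           for e in events if e in cheaper]
    return out + (["all: logs every event (highest HSM cost)"] if "all" in events else [])

def build_command(parameter, value, serial=None):
    """Return the lunash 'audit config' command line for parameter/value."""
    if parameter in ("e", "event"):
        param, vals = "event", normalize_events(value)
    elif parameter in ("r", "rotation"):
        param, vals = "rotation", [expand(value, ROTATION_SHORTCUTS)]
    else:
        raise ValueError(f"unknown parameter: {parameter!r}")
    return (f"audit config -parameter {param} -value {','.join(vals)}"
            + (f" -serial {serial}" if serial else ""))
```

Run intensity_warnings on the normalized list before pushing a configuration to several appliances, so a per-use asymmetric or symmetric setting is a deliberate choice rather than a default.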