audit config
Set the audit logging configuration parameters. This command allows you to configure the following:
>Which events are captured in the log
>The log rotation interval
NOTE After initializing the Audit role on a password-authenticated HSM, log in as the Auditor and set the domain (see role setdomain). This step is required before setting logging parameters or the log filepath, or importing/exporting audit logs.
The audit commands appear only when LunaCM's active slot is set to the administrative partition.
This command is not applicable on DPoD Luna Cloud HSM services.
Syntax
audit config [get] [path <filepath>] [evmask <mask>] [interval <interval>] [size <integer><k | m>]
| Argument(s) | Shortcut | Description |
|---|---|---|
| evmask <mask> | e |
The value you want to configure for the specified parameter. Valid values for the event parameter: Enter a comma-separated list of events to log. In addition to specifying an event category, you must also specify the conditions under which those events are to be logged - either 'f' for failures, or 's' for successes, or both. Any or all of the following may be specified: >[f]ailure: log command failures >[s]uccess: log command successes >[a]ccess: log access attempts (logins) >[m]anage: log HSM management (init/reset/etc) >[k]eymanage: key management events (key create/delete) >[u]sage: key usage (enc/dec/sig/ver) >fi[r]st: first key usage only (enc/dec/sig/ver) >e[x]ternal: log messages from CA_LogExternal >lo[g]manage: log events relating to log configuration >a[l]l: log everything (user will be warned) >[n]one: turn logging off Note: When specifying an event class to log, you must specify whether successful or failed events are to be logged. For example, to log all key management events you would use the command "audit config e t,s,f". |
| force | f | Force action without prompting for confirmation. |
| get | g | Get (show) the current configuration. |
| interval <interval> | i | Valid values for the rotation interval parameter
Enter one of the following options for the log rotation interval: >hourly [@min] >daily [@hour:min] >weekly [@day:hour:min] >monthly [@date:hour:min] >never |
| path <filepath> | p |
Path on the host to which logs will be written. As usual, any filepath that contains a space should be enclosed in quotation marks, to prevent misreading. The system throws an error if the specified path does not exist. CAUTION! Linux only. If you delete the directory specified by the path parameter, your cryptographic operations will continue without a warning or error. Logging will continue until the HSM FRAM is full, at which point a CKR_LOG_FULL message is generated. |
| size <integer><k | m> | s |
Size limit of a log, to trigger rotation. Valid values for the size parameter: An integer string signifying the size of the log in bytes. The optional modifiers k or m may be given after the string to specify KB or MB (for example, s 8388608, s 8192k, and s 8m all specify rotation when log size reaches 8MB). Valid Range: 4096k - 2097151k Default: 2097151k |
Example
audit config e s audit all command successes
audit config e f audit all command failures
audit config e u,f,s audit all key usage requests,
both success and failure
audit config e n log nothing
audit config p /usr/lunapci/log set path
audit config i daily@12:05 rotate logs daily at 12:05
audit config s 4096k rotate logs when 4MB is exceeded
lunacm:> audit config evmask all,failure,success
You have chosen to log all successful key usage events. This can result in
an extremely high volume of log messages, which will significantly degrade
the overall performance of the HSM.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error
lunacm:> audit config get
Current Logging Configuration
-----------------------------
event mask : Log everything
rotation interval : daily@0:00
rotation size (MB): 4
path to log : /var/audit/
Command Result : No Error
NOTE In the above example of output from audit config get, the configuration rotates the logs daily; "rotation size (KB)" indicates the maximum log size. With this configuration, multiple log files may be produced per day, none larger than 4MB.
