Configuring and Using Audit Logging

This section describes how to enable audit logging, configure log rotation, and copy and verify the audit logs. It contains the following sections:

>Initialize the Audit User and Create the Audit Key

>Enable Audit Logging

>Configure Audit Logging

>Verify the Logs

>Disable Audit Logging

Initialize the Audit User and Create the Audit Key

The Admin SO and the Auditor must both be present to initialize the Audit role and create the Auditor PIN. This procedure assumes that you have already initialized the Admin token on the ProtectServer HSM.

To initialize the Audit user and create the Audit Key

1.Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit (not as admin), using the initial password "password". The first time you log in as audit, you will be prompted to create a new, more secure password.

2.Initialize the Auditor role with the following command. The Admin SO must enter the SO PIN before the Auditor can set the new Auditor PIN.

psesh:> audit audit init

psesh:>audit audit init

Please Enter the SO PIN:
Please Enter the new Auditor's PIN:
Please re-enter the new Auditor's PIN:

Command Result : 0 (Success)

3.The Auditor can now generate the Audit Key. You will be prompted for the Auditor PIN, and to enter a minimum of 3 unique parameters, each at least 8 bytes in length (see Audit Key for more information).

psesh:> audit audit secret

psesh:>audit audit secret

Please Enter the Auditor's PIN:
Please enter number of params (minimum 3): 3
Please enter parameter #0:12345678
Please enter parameter #1:87654321
Please enter parameter #2:18273645
Audit Key created successfully

Command Result : 0 (Success)

Enable Audit Logging

The Admin SO must enable audit logging on the HSM.

To enable Audit logging

1.On a client machine, set the Enable PCI Audit Logs flag using ctconf. You will be prompted for the Admin SO PIN:

ctconf -fb

>ctconf -fb
ProtectToolkit C Configuration Utility
Copyright (c) Safenet, Inc.

Please enter Administrator's pin (Device 0, S/N: 518687):

Set new security mode:
Security Mode     : PCI Audit Logging Enabled

See Enable PCI Audit Logs for more information.

2.You must reset the HSM to load the new Audit Key:

hsmreset

CAUTION!   Whenever the Audit Key is regenerated, you must reset the HSM in order to load the new key. If you do not load the new key, the HSM will still generate logs, but you will be unable to verify them.

Configure Audit Logging

Configure audit logging using the PSESH commands available to the audit user. See audit for full syntax. The following procedure must be performed by the Auditor.

To configure Audit logging

1.Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.

2.Enable the audittrace service:

psesh:> audit service enable

psesh:>audit service enable

Audit Log is enabled
Audit Log is started

Command Result : 0 (Success)

3.Configure the rotation schedule. By default, logs do not rotate. You can choose an hourly, daily, or weekly rotation schedule.

psesh:> audit log rotation {-hourly | -daily | -weekly}

psesh:>audit log rotation -daily

Setting Daily rotation.

Command Result : 0 (Success)

Verify the Logs

The Auditor must package the logs and transfer them to a client machine in order to verify them.

To verify the logs

1.Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.

2.Package the logs for export:

psesh:> syslog tarlogs

Generating package list...
Generating tarlogs...
The tar file containing logs is now available via scp as filename 'pselogs.tgz'.

Command Result : 0 (Success)

3.Use scp/pscp to transfer the package from the appliance. On a client machine, enter one of the following commands:

Windows: pscp audit@<appliance_IP>:pselogs.tgz <filename>

Linux: scp audit@<appliance_IP>:pselogs.tgz <filename>

...where <filename> is the name to give the transferred package. Use "." to keep the name pselogs.tgz, but make sure the destination directory does not already contain a file with that name, because it will be overwritten.

4.Extract the log files into a directory.

5.Use the auditverify tool to verify the file applog in the extracted directory:

auditverify -l applog

Please Enter the Auditor's PIN:
Starting to verify
2017-07-12 14:12:29,success,0,Audit Log initial message      ,0000000000000000000000000000000000000000000000000000000000000000,692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765
2017-07-12 14:53:44,success,0,CS_Initialize:                 ,692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765,6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0
2017-07-12 14:53:44,success,1,CS_OpenSession:                ,6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0,868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89
2017-07-12 14:53:44,success,1,CS_OpenSession:                ,868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89,8e65ee17ce0d0b835fd746558d5c114a45baf6e4e7f579b1f7b22f204db51538
2017-07-12 14:53:44,success,1,CS_FindObjects:                ,8e65ee17ce0d0b835fd746558d5c114a45baf6e4e7f579b1f7b22f204db51538,7ff4201694d9b5a68b6f3e205c75380e10975cddd9ff45641cd82fdb7d7eee17
2017-07-12 14:53:44,success,1,CS_GetAttributeValue:          ,7ff4201694d9b5a68b6f3e205c75380e10975cddd9ff45641cd82fdb7d7eee17,c2fd9b7bd90e370a8684259f120beda70f3ce2a7aa217e753f02864618066fc8
2017-07-12 14:53:44,success,1,CS_CloseSession:               ,c2fd9b7bd90e370a8684259f120beda70f3ce2a7aa217e753f02864618066fc8,a3ef1d28edcf2b1eb4efa2f7d075241e2bf1253f85b7dc36895b2ce07cd4732b
...<snip>...
2017-07-11 19:12:40,success,0,CS_Login:                      ,afc0b246dda667297c4a546c5c7db3b241381ed103589acf920f4c681dbedf14,527710e30d5ff9f13f2922a0a4ffaaeb7d25724587f92224e27d9e6f7abf4618
2017-07-11 19:12:40,success,0,CS_GenerateKeyPair:            ,527710e30d5ff9f13f2922a0a4ffaaeb7d25724587f92224e27d9e6f7abf4618,12ef60bbd62da32a7daf16b2769a557a342ee0ad02f790386340af942d684ace
2017-07-11 19:12:40,success,0,CS_CloseSession:               ,12ef60bbd62da32a7daf16b2769a557a342ee0ad02f790386340af942d684ace,7ba56613669ef06ac298014ac8b51bcff09fe00a0561a16de53ff7ba567d91eb
2017-07-11 19:12:40,success,0,CS_Finalize:                   ,7ba56613669ef06ac298014ac8b51bcff09fe00a0561a16de53ff7ba567d91eb,29bdaa88157935cb3d7962f7cbaf0c8311a1da7440e34b1a8aee9fcdda6bd360
File is verified successfully
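The auditverify output above shows that each record carries the hash of the record before it, starting from an all-zero value on the "Audit Log initial message" record. The following added example (not part of the ProtectServer tools) parses records in that comma-separated layout and checks that the previous-hash links are continuous, which flags deleted or reordered records in an exported applog. It assumes the applog lines have exactly the six fields shown above; it does not recompute the keyed hashes themselves, so auditverify with the Auditor PIN remains the authoritative check.

```python
import csv
from io import StringIO
from typing import List, Tuple

# Sample records copied from the auditverify output above (the rows after
# "...<snip>..." are left out so the chain is continuous). Assumed field layout:
# timestamp, result, session, function, previous_hash, record_hash
SAMPLE_APPLOG = """\
2017-07-12 14:12:29,success,0,Audit Log initial message      ,0000000000000000000000000000000000000000000000000000000000000000,692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765
2017-07-12 14:53:44,success,0,CS_Initialize:                 ,692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765,6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0
2017-07-12 14:53:44,success,1,CS_OpenSession:                ,6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0,868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89
2017-07-12 14:53:44,success,1,CS_OpenSession:                ,868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89,8e65ee17ce0d0b835fd746558d5c114a45baf6e4e7f579b1f7b22f204db51538
"""

# The first record links back to an all-zero "previous" hash.
GENESIS = "0" * 64


def parse_applog(text: str) -> List[Tuple[str, str, str, str, str, str]]:
    """Parse applog lines into (timestamp, result, session, function, prev_hash, rec_hash)."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 6:
            raise ValueError(f"malformed record: {row!r}")
        ts, result, session, func, prev_h, rec_h = row
        rows.append((ts, result, session, func.strip(), prev_h.lower(), rec_h.lower()))
    return rows


def check_chain(rows: List[Tuple[str, str, str, str, str, str]]) -> List[str]:
    """Return a list of link problems; an empty list means every record points at its predecessor."""
    problems = []
    if not rows:
        return ["empty log"]
    if rows[0][4] != GENESIS:
        problems.append("record 0: previous hash is not the all-zero initial value")
    for i in range(1, len(rows)):
        if rows[i][4] != rows[i - 1][5]:
            problems.append(f"record {i} ({rows[i][3]}): previous hash does not match record {i - 1}")
    return problems


if __name__ == "__main__":
    # Intact chain reports no problems; dropping a record in the middle breaks the link.
    print(check_chain(parse_applog(SAMPLE_APPLOG)))
```

Run it against the extracted applog before or alongside auditverify; a gap reported here means the exported file is not the complete log the HSM produced.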

Disable Audit Logging

The Admin SO or the Auditor can stop audit logging. Audit logging will also be stopped by any event that resets the security flags on the HSM, such as a tamper event or factory reset.

To stop audit logging as Admin SO

1.Log in to a client machine.

2.Use ctconf to remove all security flags, including the Enable PCI Audit Logs flag. Enter the Administrator's PIN when prompted:

ctconf -f0

Please enter Administrator's pin (Device 0, S/N: 518687):

Set new security mode:
Security Mode     : Default (No flags set)

To stop audit logging as Auditor

1.Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.

2.Disable the audittrace service:

psesh:> audit service disable

psesh:>audit service disable

Audit Log Service is disabled
Stopping audittrace:                                       [  OK  ]
Audit Log Service is stopped

Command Result : 0 (Success)

NOTE   Disabling the audittrace service will only prevent audit logs from being recorded. The HSM will continue to generate logs as long as the Enable PCI Audit Logs flag is set, potentially impacting HSM performance. For more information about the Enable PCI Audit Logs security flag, see Enable PCI Audit Logs.