Audit Logging Overview
Each event that occurs on the HSM can be recorded in the HSM event log, allowing you to audit your HSM usage. The HSM event log is viewable and configurable by the audit user only.
NOTE Audit logging is available on ProtectServer External 2 and ProtectServer External 2 Plus only; it is not supported on ProtectServer PCIe 2.
Logged Events
The types of events that can be logged include:
>Administrative events
>Object Management events
>Object Use events
Events are logged whether they fail or succeed. For a complete list of logged events, see Audit Log Events and Structure.
The Auditor Role
The audit logging function is controlled by two roles that must be used together:
>The audit appliance account (use SSH or PuTTY to log in as audit, instead of admin or pseoperator)
>The Auditor HSM account (must be initialized, setting the Auditor PIN)
On ProtectServer, audit logging is managed by an audit user (an appliance system role), in combination with the HSM audit role, through a subset of PSESH commands. The audit user can perform only the audit-logging and self-related tasks. Other HSM appliance users have no access to the audit logging commands.
Upon first login, the audit user is asked to change their password. That user must initialize the HSM Auditor role before configuring audit logging.
To simplify configuration,
>The log path is kept internal.
>The log rotation is initially set to "never".
Audit User on the Appliance
The appliance audit user is a standard user account on ProtectServer, with the default password "password".
The audit user has a limited set of operations available, as reflected in the reduced command set available when logged in to the shell (PSESH).
login as: audit
Using keyboard-interactive authentication.
Password:
Last login: Thu Jul 13 10:21:02 2017 from 10.124.0.32

PSe 1.11-01 Command Line Shell - Copyright (c) 2001-2017 SafeNet, Inc. All rights reserved.

[PSe-II] psesh:>help

The following top-level commands are available:

    Name        (short)    Description
    --------------------------------------------------------------------------------
    audit       a       >  Manage Audit Log Files
    help        h          Get Help
    exit        e          Exit PSE-II Shell
    syslog      sy      >  Syslog
    user        u          Set User Password
Auditor Role on the HSM
The Auditor role allows complete separation of Audit responsibilities from the Admin Security Officer and User roles. The Admin SO and User are unable to work with the log files, and the Auditor is unable to perform administrative tasks on the HSM.
Use the PSESH command audit audit init to initialize the Auditor role and set the Auditor PIN. See audit audit for command syntax.
Audit Key
Log records are HMACed using an Audit Key, which is later used to verify the logs. The HSM generates the Audit Key from a unique set of parameters entered by the Auditor. If the key is lost or destroyed, these parameters can be re-entered to regenerate the same key. With the same parameters, the key can also be regenerated on another HSM. This allows one HSM's logs to be verified by another HSM.
Audit Key generation requires a minimum of three unique parameters, each at least 8 characters long. For additional security, a key can be generated using input from multiple people, so that one person alone can never regenerate the key.
The Audit Key is stored in the Administrative token, and has the following fixed attributes:
>Always sensitive
>Encryption, signing, wrapping, unwrapping are disabled
>Available only to the Auditor role in the HSM (CKA_AUDIT_KEY)
Use the PSESH command audit audit secret to generate the Audit Key. See audit audit for command syntax.
Log Verification
The Auditor must export the logs to a client machine using scp/pscp, and then use the auditverify utility to verify and view the extracted logs. The auditverify utility requires the Auditor to sign in using the Auditor PIN. See Verify the Logs for the complete procedure.
See Audit Log Events and Structure for a guide on reading the audit logs.
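The following Python model, added here as an illustration and not part of the ProtectServer documentation or firmware, shows the two properties described under Audit Key and Log Verification: the Audit Key is derived from at least three unique Auditor-entered parameters (each at least 8 characters), so the same parameters regenerate the same key on a second HSM, and each log record carries an HMAC under that key that fails verification if the record is altered. The derivation (SHA-256 over the length-prefixed parameters), the record format and the sample records are assumptions; the HSM's actual key-derivation function is not documented on this page.

```python
import hashlib
import hmac

MIN_PARAMS = 3      # page: at least three unique parameters
MIN_PARAM_LEN = 8   # page: each parameter at least 8 characters

# Constructed sample log records (not real ProtectServer log output).
SAMPLE_RECORDS = [
    "2017-07-13 10:21:02 Administrative: Auditor login result=OK",
    "2017-07-13 10:22:10 ObjectManagement: create key handle=17 result=OK",
    "2017-07-13 10:23:44 ObjectUse: sign handle=17 result=FAIL",
]


def validate_params(params):
    """Return an error string if the Auditor-entered parameters break the page's rules, else None."""
    if len(params) < MIN_PARAMS or len(set(params)) != len(params):
        return "need at least three unique parameters"
    if any(len(p) < MIN_PARAM_LEN for p in params):
        return "each parameter must be at least 8 characters"
    return None


def derive_audit_key(params):
    """Derive a 32-byte Audit Key from the parameters (assumed KDF: SHA-256 over
    length-prefixed inputs, so entry order matters and inputs cannot be re-split)."""
    err = validate_params(params)
    if err:
        raise ValueError(err)
    material = b"".join(len(p).to_bytes(2, "big") + p.encode() for p in params)
    return hashlib.sha256(material).digest()


def hmac_records(key, records):
    """Tag each record with HMAC-SHA256 under the Audit Key; returns (record, tag) pairs."""
    return [(r, hmac.new(key, r.encode(), hashlib.sha256).hexdigest()) for r in records]


def verify_records(key, tagged):
    """Recompute every tag with the (regenerated) Audit Key.
    Returns the index of the first record whose tag does not match, or None if all verify."""
    for i, (r, tag) in enumerate(tagged):
        expected = hmac.new(key, r.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
    return None
```

Because the key depends only on the entered parameters, the verifying side (the second HSM in the page's scenario) never needs the original key object, only the same parameters entered in the same order.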
Log Capacity and Rotation
When the HSM logs an event, the log is stored on the HSM, which has a limited capacity. The Auditor must set a schedule for log rotation (hourly, daily, or weekly). Logs will then be periodically packaged and stored on the appliance, which has a much greater storage capacity.
CAUTION! The default log rotation setting is "never". Failing to set a log rotation schedule may allow the HSM storage to fill up, interfering with cryptographic processes.
Short-term log storage within the HSM is important only in the rare situations where the HSM remains functioning but cannot reach the appliance file system.