Audit logging overview
Each command that occurs on the HSM can be viewed in the HSM entry log, allowing you to audit your HSM usage. The HSM entry log is viewable and configurable by the audit user only.
Note
Audit logging is available on ProtectServer 3 External and ProtectServer 3+ External only; it is not supported on ProtectServer 3 PCIe.
Logged entries
The types of entries that can be logged include:
- Administrative command entries
- Object Management entries
- Object Use entries
Entries are logged whether they fail or succeed. For a complete list of logged entries, see Audit log entries and structure.
The Auditor role
The audit logging function is controlled by two roles that must be used together:
- The audit appliance account (use SSH or PuTTY to log on as audit, instead of admin or pseoperator)
- The Auditor HSM account (must be initialized, setting the Auditor PIN)
On ProtectServer, audit logging is managed by an audit user (an appliance system role), in combination with the HSM audit role, through a subset of PSESH commands. The audit user can perform only the audit-logging and self-related tasks. Other HSM appliance users have no access to the audit logging commands.
Upon first login, the audit user is asked to change their password. That user must initialize the HSM Auditor role before configuring audit logging.
To simplify configuration:
- The log path is kept internal.
- Log rotation is initially set to "never".
Audit user on the appliance
The appliance audit user is a standard user account on ProtectServer, with the default password "password".
The audit user has a limited set of operations available, as reflected in the reduced command set available when logged on to the shell (PSESH).
login as: audit
Using keyboard-interactive authentication.
Password:
Last login: Thu Jul 13 10:21:02 2017 from 10.124.0.32
PSe 1.11-01 Command Line Shell - Copyright (c) 2001-2017 SafeNet, Inc. All rights reserved.
[PSE3] psesh:>help
The following top-level commands are available:
Name (short) Description
--------------------------------------------------------------------------------
audit a > Manage Audit Log Files
help h Get Help
exit e Exit PSE-II Shell
syslog sy > Syslog
user u Set User Password
Auditor role on the HSM
The Auditor role allows complete separation of Audit responsibilities from the Admin Security Officer and User roles. The Admin SO and User are unable to work with the log files, and the Auditor is unable to perform administrative tasks on the HSM.
Use the PSESH command audit audit init to initialize the Auditor role and set the Auditor PIN. See audit audit for command syntax.
Audit key
Log records are HMACed using an Audit Key, which is later used to verify the logs. The HSM generates the Audit Key from a unique set of parameters entered by the Auditor. If the key is lost or destroyed, these parameters can be re-entered to regenerate the same key. With the same parameters, the key can also be regenerated on another HSM. This allows one HSM's logs to be verified by another HSM.
Audit Key generation requires a minimum of three unique parameters, each at least 8 characters long. For additional security, a key can be generated using input from multiple people, so that one person alone can never regenerate the key.
The Audit Key is stored in the Administrative token, and has the following fixed attributes:
- Always sensitive
- Encryption, signing, wrapping, unwrapping are disabled
- Available only to the Auditor role in the HSM (CKA_AUDIT_KEY)
Use the PSESH command audit audit secret to generate the Audit Key. See audit audit for command syntax.
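The following is an added illustration of the Audit Key model described above, not ProtectServer code: the key is regenerated from the same set of Auditor-entered parameters (minimum three, each at least 8 characters, split across two people), log records are HMACed with it, and a second "HSM" verifies them from a freshly derived key. The derivation (sorted, length-prefixed parameters hashed with SHA-256) and the record format are assumptions made for the example.

```python
import hashlib
import hmac

MIN_PARAMS = 3  # page requirement: at least three unique parameters
MIN_LEN = 8     # page requirement: each parameter at least 8 characters


def derive_audit_key(params):
    """Derive an Audit Key from Auditor-entered parameters.

    Enforces the documented constraints; the derivation itself is an
    illustrative assumption, not ProtectServer's actual algorithm.
    """
    if len(params) < MIN_PARAMS or len(set(params)) != len(params):
        raise ValueError("need at least three unique parameters")
    if any(len(p) < MIN_LEN for p in params):
        raise ValueError("each parameter must be at least 8 characters")
    h = hashlib.sha256()
    for p in sorted(params):  # order-independent: same inputs give the same key
        h.update(len(p).to_bytes(2, "big") + p.encode())  # length-prefixed
    return h.digest()


def hmac_record(key, record):
    """Tag one log record with HMAC-SHA256 under the Audit Key."""
    return hmac.new(key, record.encode(), hashlib.sha256).hexdigest()


def verify_log(key, entries):
    """Return [(record, ok)] for a list of (record, tag) pairs."""
    return [(rec, hmac.compare_digest(hmac_record(key, rec), tag)) for rec, tag in entries]


# Constructed sample records covering the three logged entry types.
CONSTRUCTED_RECORDS = [
    "ADMIN   init-token     result=OK",
    "OBJMGMT create-object  result=OK",
    "OBJUSE  sign           result=FAIL",
]


def demo():
    # Two people each hold part of the parameter set, so neither can regenerate the key alone.
    person_a = ["north-window-7", "granite-4412"]
    person_b = ["copper-lantern"]
    key_hsm1 = derive_audit_key(person_a + person_b)
    tagged = [(r, hmac_record(key_hsm1, r)) for r in CONSTRUCTED_RECORDS]
    # Second HSM: re-entering the same parameters regenerates the identical key.
    key_hsm2 = derive_audit_key(person_b + person_a)
    ok_all = key_hsm2 == key_hsm1 and all(ok for _, ok in verify_log(key_hsm2, tagged))
    # Editing a record after the fact (FAIL changed to OK) breaks verification.
    tampered = [(r.replace("FAIL", "OK"), t) for r, t in tagged]
    return ok_all, [ok for _, ok in verify_log(key_hsm2, tampered)]
```

`demo()` returns `(True, [True, True, False])`: the untouched records verify on the second HSM, and only the edited record fails.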
Log verification
The Auditor must export the logs to a client machine using scp/pscp, and then use the auditverify utility to verify and view the extracted logs. The auditverify utility requires the Auditor to sign in using the Auditor PIN. See Verify the logs for the complete procedure.
See Audit log entries and structure for a guide on reading the audit logs.
Log capacity and rotation
The Auditor must set a schedule for log rotation (hourly, daily, or weekly). Logs will then be packaged and stored on the ProtectServer HSM appliance. See Configuring and using audit logging for a guide on enabling or disabling audit logging, configuring the log rotation and copying/verifying the audit logs.
Caution
The default log rotation setting is "never". Setting a rotation schedule slows the rate at which the storage fills, but you must still remove the rotated files to maintain free space on the HSM storage. Failing to set a log rotation schedule may allow the HSM storage to fill up more quickly, interfering with cryptographic processes.