Configuring and using audit logging
This section describes how to enable or disable audit logging, configure log rotation, and copy and verify the audit logs.
Tip
Audit logging consumes resources, so consider minimizing the intensity and duration of logging that you invoke. See Log capacity and rotation for more information.
Initialize the Audit user and create the audit key
The Admin SO and the Auditor must both be present to initialize the Audit role and create the Auditor PIN. This procedure assumes that you have already initialized the Admin token on the ProtectServer 3 HSM.
To initialize the Audit user and create the Audit Key
- Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit (not as admin), using the initial password "password". The first time you log in as audit, you will be prompted to create a new, more secure password.
- Initialize the Auditor role with the following command. The Admin SO must enter the SO PIN before the Auditor can set the new Auditor PIN.
  psesh:> audit audit init
- The Auditor can now generate the Audit Key. You will be prompted for the Auditor PIN, and to enter a minimum of 3 unique parameters, each at least 8 bytes in length (see Audit key for more information).
  psesh:> audit audit secret
Enable audit logging
The Admin SO must enable audit logging on the HSM.
To enable audit logging
- On a client machine, set the Enable PCI Audit Logs flag. You will be prompted for the Admin SO PIN:
  See Enable PCI Audit Logs for more information.
- You must reset the HSM to load the new Audit Key:
  hsmreset
Caution
Whenever the Audit Key is regenerated, you must reset the HSM in order to load the new key. If the HSM is not reset after a new key is generated, you will be unable to generate any logs.
Configure audit logging
Configure audit logging using the PSESH commands available to the audit user. See audit for full syntax. The following procedure must be performed by the Auditor.
To configure audit logging
- Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.
- Enable the audittrace service:
  psesh:> audit service enable
- Configure the rotation schedule. By default, logs do not rotate. You can choose an hourly, daily, or weekly rotation schedule.
  psesh:> audit log rotation {-hourly | -daily | -weekly}
Verify the logs
The Auditor must package the logs and transfer them to a client machine in order to verify them.
To verify the logs
- Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.
- Package the logs for export:
  psesh:> audit log tarlogs
- Use scp/pscp to transfer the package from the appliance. On a client machine, enter one of the following commands:
  - Windows: pscp -scp audit@<appliance_IP>:auditlogs.tgz <filename>
  - Linux: scp audit@<appliance_IP>:auditlogs.tgz <filename>
  ...where <filename> is the new package filename. Use "." to keep auditlogs.tgz, but ensure that there is no other file with that name in the destination directory; it will be overwritten.
- Extract the log files into a directory.
- Use the auditverify tool to verify the file applog in the extracted directory:
  auditverify -l applog
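The transfer, extract and verify steps above, collected into one client-side script with the safeguards a practitioner would want: a fresh directory per run so an earlier auditlogs.tgz is never overwritten, a digest of the package recorded before it is unpacked, and a check that applog is actually present before the verifier runs. This is an added example, not Thales's own tooling. It assumes a POSIX shell client with scp and tar, that auditverify is on the PATH and exits non-zero when verification fails, and that the appliance address is supplied in the APPLIANCE environment variable; the function names fetch_package and verify_package and the verifier override argument are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the ProtectServer documentation): client-side
# collect-and-verify flow for exported ProtectServer audit logs.
# Assumptions: POSIX sh, scp and tar on the client, auditverify on PATH and
# returning non-zero when verification fails. Function names are hypothetical.
set -eu

# Copy auditlogs.tgz from the appliance into a directory created for this
# run. Refusing to reuse an existing directory avoids silently overwriting
# a previously exported package.
fetch_package() {
    appliance="$1"
    dest_dir="$2"
    if [ -e "$dest_dir" ]; then
        echo "refusing to reuse existing directory: $dest_dir" >&2
        return 1
    fi
    mkdir -p "$dest_dir"
    scp "audit@${appliance}:auditlogs.tgz" "$dest_dir/auditlogs.tgz"
}

# Record the package digest, extract it, and run the verifier on applog.
# The optional third argument overrides the verifier command (default:
# auditverify) so the staging logic can be exercised without an HSM present.
verify_package() {
    pkg="$1"
    work_dir="$2"
    verifier="${3:-auditverify}"
    if [ ! -f "$pkg" ]; then
        echo "package not found: $pkg" >&2
        return 1
    fi
    mkdir -p "$work_dir"
    # Digest first, so the record describes exactly what was received.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$pkg" > "$work_dir/package.sha256"
    else
        shasum -a 256 "$pkg" > "$work_dir/package.sha256"
    fi
    tar -xzf "$pkg" -C "$work_dir"
    applog=$(find "$work_dir" -type f -name applog | head -n 1)
    if [ -z "$applog" ]; then
        echo "no applog found in package" >&2
        return 1
    fi
    # The verifier is run from the extracted directory, as in the procedure.
    ( cd "$(dirname "$applog")" && "$verifier" -l applog )
}

# Full flow when an appliance address is given:
#   APPLIANCE=<appliance_IP> sh collect_verify.sh
if [ -n "${APPLIANCE:-}" ]; then
    run_dir="./audit-$(date +%Y%m%dT%H%M%S)"
    fetch_package "$APPLIANCE" "$run_dir"
    verify_package "$run_dir/auditlogs.tgz" "$run_dir/extracted"
    echo "verification succeeded; package digest in $run_dir/extracted/package.sha256"
fi
```

Keeping the package digest alongside the extracted logs gives a record of exactly which archive was verified, which is useful when the verified logs are later handed to someone else for review.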
Disable audit logging
The Admin SO or the Auditor can stop audit logging. Audit logging will also be stopped by any event that resets the security flags on the HSM, such as a tamper event or factory reset.
To stop audit logging as Admin SO
- Login to a client machine.
- Remove all security flags, including the Enable PCI Audit Logs flag. Enter the Administrator's PIN when prompted:
To stop audit logging as Auditor
- Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.
- Disable the audittrace service:
  psesh:> audit service disable
Note
Disabling the audittrace service will only prevent audit logs from being recorded. The HSM will continue to generate logs as long as the Enable PCI Audit Logs flag is set, potentially impacting HSM performance. For more information about the Enable PCI Audit Logs security flag, see Enable PCI Audit Logs.