Configuring and using audit logging
This section describes how to enable or disable audit logging, configure the log rotation, and how to copy and verify the audit logs.
Tip
Audit logging consumes resources, so consider minimizing the intensity and duration of logging that you invoke. See Log capacity and rotation for more information.
Initialize the Audit user and create the audit key
The Admin SO and the Auditor must both be present to initialize the Audit role and create the Auditor PIN. This procedure assumes that you have already initialized the Admin token on the ProtectServer 3 HSM.
To initialize the Audit user and create the Audit Key
-
Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit (not as admin), using the initial password "password". The first time you log in as audit, you are prompted to replace it with a new, stronger password.
-
Initialize the Auditor role with the following command. The Admin SO must enter the SO PIN before the Auditor can set the new Auditor PIN.
psesh:> audit audit init
psesh:>audit audit init
Please Enter the SO PIN:
Please Enter the new Auditor's PIN:
Please re-enter the new Auditor's PIN:
Command Result : 0 (Success)
-
The Auditor can now generate the Audit Key. You are prompted for the Auditor PIN and for at least 3 unique parameters, each at least 8 bytes long; the parameters are the secret input from which the key is derived, so choose unpredictable values rather than the sequential digits shown in the example below (see Audit key for more information).
psesh:> audit audit secret
psesh:>audit audit secret
Please enter the Auditor's PIN:
Please enter number of params (minimum 3): 3
Please enter parameter #0:12345678
Please enter parameter #1:87654321
Please enter parameter #2:18273645
Audit Key created successfully
Command Result : 0 (Success)
Enable audit logging
The Admin SO must enable audit logging on the HSM.
To enable audit logging
-
On a client machine, use ctconf to set the Enable PCI Audit Logs flag. You are prompted for the Admin SO PIN:
>ctconf -fb
ProtectToolkit C Configuration Utility
Copyright (c) Safenet, Inc.
Please enter Administrator's pin (Device 0, S/N: 518687):
Set new security mode:
Security Mode : PCI Audit Logging Enabled
See Enable PCI Audit Logs for more information.
-
You must reset the HSM to load the new Audit Key:
hsmreset
Caution
Whenever the Audit Key is regenerated, you must reset the HSM to load the new key. Until the HSM is reset after a new key is generated, no logs can be generated.
Configure audit logging
Configure audit logging using the PSESH commands available to the audit user. See audit for full syntax. The following procedure must be performed by the Auditor.
To configure audit logging
-
Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.
-
Enable the audittrace service:
psesh:> audit service enable
psesh:>audit service enable
Audit Log is enabled
Audit Log is started
Command Result : 0 (Success)
-
Configure the rotation schedule. By default, logs do not rotate, so the log storage fills until rotation is configured. You can choose an hourly, daily, or weekly rotation schedule.
psesh:> audit log rotation {-hourly | -daily | -weekly}
psesh:>audit log rotation -daily
Setting Daily rotation.
Command Result : 0 (Success)
Verify the logs
The Auditor must package the logs and transfer them to a client machine in order to verify them.
To verify the logs
-
Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.
-
Package the logs for export:
psesh:> audit log tarlogs
Generating package list...
Generating tarlogs...
The tar file containing logs is now available via scp as filename 'auditlogs.tgz'.
Command Result : 0 (Success)
-
Use scp/pscp to transfer the package from the appliance. On a client machine, enter one of the following commands:
-
Windows: pscp -scp audit@<appliance_IP>:auditlogs.tgz <filename>
-
Linux: scp audit@<appliance_IP>:auditlogs.tgz <filename>
...where <filename> is the name to give the package on the client. Use "." to keep the name auditlogs.tgz; any existing file of that name in the destination directory is overwritten without warning.
-
Extract the log files into a directory.
-
Use the auditverify tool to verify the file applog in the extracted directory. You are prompted for the Auditor PIN; each record is printed with the hash of the preceding record and its own hash, and the run ends with a statement of whether the file verified:
auditverify -l applog
Please Enter the Auditor's PIN:
Starting to verify
2017-07-12 14:12:29,success,0,Audit Log initial message ,0000000000000000000000000000000000000000000000000000000000000000,692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765
2017-07-12 14:53:44,success,0,CS_Initialize: ,692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765,6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0
2017-07-12 14:53:44,success,1,CS_OpenSession: ,6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0,868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89
2017-07-12 14:53:44,success,1,CS_OpenSession: ,868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89,8e65ee17ce0d0b835fd746558d5c114a45baf6e4e7f579b1f7b22f204db51538
2017-07-12 14:53:44,success,1,CS_FindObjects: ,8e65ee17ce0d0b835fd746558d5c114a45baf6e4e7f579b1f7b22f204db51538,7ff4201694d9b5a68b6f3e205c75380e10975cddd9ff45641cd82fdb7d7eee17
2017-07-12 14:53:44,success,1,CS_GetAttributeValue: ,7ff4201694d9b5a68b6f3e205c75380e10975cddd9ff45641cd82fdb7d7eee17,c2fd9b7bd90e370a8684259f120beda70f3ce2a7aa217e753f02864618066fc8
2017-07-12 14:53:44,success,1,CS_CloseSession: ,c2fd9b7bd90e370a8684259f120beda70f3ce2a7aa217e753f02864618066fc8,a3ef1d28edcf2b1eb4efa2f7d075241e2bf1253f85b7dc36895b2ce07cd4732b
...<snip>...
2017-07-11 19:12:40,success,0,CS_Login: ,afc0b246dda667297c4a546c5c7db3b241381ed103589acf920f4c681dbedf14,527710e30d5ff9f13f2922a0a4ffaaeb7d25724587f92224e27d9e6f7abf4618
2017-07-11 19:12:40,success,0,CS_GenerateKeyPair: ,527710e30d5ff9f13f2922a0a4ffaaeb7d25724587f92224e27d9e6f7abf4618,12ef60bbd62da32a7daf16b2769a557a342ee0ad02f790386340af942d684ace
2017-07-11 19:12:40,success,0,CS_CloseSession: ,12ef60bbd62da32a7daf16b2769a557a342ee0ad02f790386340af942d684ace,7ba56613669ef06ac298014ac8b51bcff09fe00a0561a16de53ff7ba567d91eb
2017-07-11 19:12:40,success,0,CS_Finalize: ,7ba56613669ef06ac298014ac8b51bcff09fe00a0561a16de53ff7ba567d91eb,29bdaa88157935cb3d7962f7cbaf0c8311a1da7440e34b1a8aee9fcdda6bd360
File is verified successfully
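The auditverify output above shows that every record carries two hashes: the hash of the record before it and its own. That is a hash chain, and it is what lets auditverify detect a deleted, inserted or reordered record. The per-record hash is keyed with the Audit Key, which never leaves the HSM, so only auditverify can recompute it. The linkage between records, however, is visible in clear, and checking it offline is a useful first triage before (not instead of) the keyed verification. The script below is an added example and is not part of the ProtectServer documentation or tooling; it assumes the on-disk applog uses the same six comma-separated fields that auditverify prints (timestamp, result, session, message, previous hash, record hash). The sample records are copied from the output above; the tampered variants are constructed for the example.

```python
"""Offline chain-linkage check for an exported ProtectServer applog.

Added example, not Thales tooling. Without the Audit Key it cannot
recompute record hashes, so it only checks that each record's
previous-hash field equals the hash of the record before it. That
catches dropped, inserted, reordered and replayed lines; it does NOT
catch an edited message with untouched hashes (see EDITED_APPLOG),
which is why auditverify remains mandatory.
"""
import sys
from dataclasses import dataclass

GENESIS = "0" * 64          # previous-hash field of the very first record
HEX = set("0123456789abcdef")

# Records copied from the auditverify output on this page.
SAMPLE_APPLOG = (
    "2017-07-12 14:12:29,success,0,Audit Log initial message ," + GENESIS +
    ",692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765\n"
    "2017-07-12 14:53:44,success,0,CS_Initialize: ,"
    "692f41f2ec2bbb42411c7b2c5e3230b39dab28bd5178ef1b3e71b34331500765,"
    "6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0\n"
    "2017-07-12 14:53:44,success,1,CS_OpenSession: ,"
    "6afe98063371c25d675616827ec51d5d23f879312d935c230ebe566db3e064a0,"
    "868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89\n"
    "2017-07-12 14:53:44,success,1,CS_OpenSession: ,"
    "868b4457c44c525febad5c87d9d27ee745829aa38f9ac6bf2405a788f8c3ea89,"
    "8e65ee17ce0d0b835fd746558d5c114a45baf6e4e7f579b1f7b22f204db51538\n"
)
# Constructed: third record removed (simulates a deleted line).
TAMPERED_APPLOG = "".join(
    l + "\n" for i, l in enumerate(SAMPLE_APPLOG.splitlines(), 1) if i != 3)
# Constructed: message edited, hashes left alone. Linkage alone will NOT
# flag this; only the keyed check in auditverify can.
EDITED_APPLOG = SAMPLE_APPLOG.replace("CS_Initialize:", "CS_Finalize:")


@dataclass
class Record:
    lineno: int
    timestamp: str
    result: str
    session: str
    message: str
    prev_hash: str
    this_hash: str


def parse_applog(text: str) -> list[Record]:
    """Parse applog text. The two hashes are split off from the right so a
    comma inside the message field cannot shift them."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.rsplit(",", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: fewer than 6 fields")
        head, prev_h, this_h = (p.strip() for p in parts)
        fields = head.split(",", 3)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: fewer than 6 fields")
        ts, result, session, message = (f.strip() for f in fields)
        for h in (prev_h, this_h):
            if len(h) != 64 or not set(h) <= HEX:
                raise ValueError(f"line {lineno}: malformed hash {h!r}")
        records.append(Record(lineno, ts, result, session, message, prev_h, this_h))
    return records


def check_chain(records: list[Record]) -> list[str]:
    """Return a list of problems; an empty list means every link holds."""
    if not records:
        return ["empty log"]
    problems = []
    if records[0].prev_hash != GENESIS:
        problems.append(f"line {records[0].lineno}: chain does not start from the all-zero hash")
    for prev, cur in zip(records, records[1:]):
        if cur.prev_hash != prev.this_hash:
            problems.append(
                f"line {cur.lineno}: previous-hash field does not match record hash "
                f"on line {prev.lineno} (deleted, inserted or reordered record)")
    seen = set()
    for r in records:
        if r.this_hash in seen:
            problems.append(f"line {r.lineno}: duplicate record hash (replayed record)")
        seen.add(r.this_hash)
    return problems


if __name__ == "__main__":
    # Usage: python applog_chain.py applog   (defaults to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APPLOG
    issues = check_chain(parse_applog(text))
    print("\n".join(issues) if issues else "chain linkage intact (run auditverify for the keyed check)")
    sys.exit(1 if issues else 0)
```

Run it against the extracted applog before, not instead of, auditverify: a broken link is conclusive evidence that the export is not the file the HSM wrote, while an intact chain only means nothing was dropped or reordered, not that the content is authentic.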
Disable audit logging
The Admin SO or the Auditor can stop audit logging. Audit logging will also be stopped by any event that resets the security flags on the HSM, such as a tamper event or factory reset.
To stop audit logging as Admin SO
-
Login to a client machine.
-
Using ctconf, remove all security flags, including the Enable PCI Audit Logs flag. Enter the Administrator's PIN when prompted:
Please enter Administrator's pin (Device 0, S/N: 518687):
Set new security mode:
Security Mode : Default (No flags set)
To stop audit logging as Auditor
-
Using an SSH connection (or a local serial connection), log in to PSESH on the ProtectServer appliance as audit.
-
Disable the audittrace service:
psesh:>audit service disable
psesh:>audit service disable
Audit Log Service is disabled
Stopping audittrace: [ OK ]
Audit Log Service is stopped
Command Result : 0 (Success)
Note
Disabling the audittrace service only stops the appliance from recording the audit logs. The HSM itself continues to generate audit records, with the associated performance cost, as long as the Enable PCI Audit Logs flag is set; to stop generation, the Admin SO must clear the flag. For more information about the Enable PCI Audit Logs security flag, see Enable PCI Audit Logs.