RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1404794 - Audit Log Signature verification failures
Summary: Audit Log Signature verification failures
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1463347
TreeView+ depends on / blocked
 
Reported: 2016-12-14 16:31 UTC by Matthew Harmsen
Modified: 2020-10-04 21:24 UTC (History)
6 users (show)

Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Bug Fix
Doc Text:
Signed audit log verification now works correctly Previously, due to improper logging system initialization and incorrect signature calculation by the verification tool, signed audit log verification could fail on the first log entry and after log rotation. With this update, the logging system and the verification tool have been fixed. As a result, signed audit log verification now works correctly in the mentioned scenarios.
Clone Of:
: 1463347 (view as bug list)
Environment:
Last Closed: 2018-04-10 16:56:24 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2681 0 None None None 2020-10-04 21:20:40 UTC
Github dogtagpki pki issues 2754 0 None None None 2020-10-04 21:24:40 UTC
Red Hat Product Errata RHBA-2018:0925 0 None None None 2018-04-10 16:57:52 UTC

Description Matthew Harmsen 2016-12-14 16:31:34 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2561

It was observed that when audit signing logs rotate, the first signature entry in the next log file (for the last entries of the previous rotated log file) would sometimes fail to verify.
To reproduce, set log.instance.SignedAudit.maxFileSize to a small number (e.g. 3)
and restart the server; Do a few issuance to cause some entries to be written and rotate; run AuditVerify to observe.
Comment 4 Endi Sukma Dewata 2017-06-13 03:55:18 UTC 
Steps to reproduce:

1. Install CA. By default log signing is disabled, so there are no signatures.
2. Run pki-server ca-audit-file-verify.
3. Set log.instance.SignedAudit.logSigning=true in /etc/pki/pki-tomcat/ca/CS.cfg.
4. Restart Tomcat. This will generate some signatures.
5. Run pki-server ca-audit-file-verify.
6. Set log.instance.SignedAudit.maxFileSize=5 in /etc/pki/pki-tomcat/ca/CS.cfg.
7. Restart Tomcat. This will trigger log rotation since the current log file size already exceeds the limit. It will also generate additional signatures.
8. Run pki-server ca-audit-file-verify.

Actual result:

* In step 2 the CLI reported 1 invalid signature due to unsigned log.
* In step 5 the CLI reported 1 invalid signature due to a bug in AuditVerify when validating the first signature.
* In step 8 the CLI reported 2 invalid signatures. The first one is the same as in step 5. The second one is invalid due to a bug on the server during log rotation.

Expected result:

* In step 2 the CLI should report no invalid signatures because there are no signatures.
* In step 5 the CLI should report no invalid signatures because the first signature should be ignored.
* In step 8 the CLI should report no invalid signatures because subsequent signatures should be valid regardless of log rotation.
Comment 5 Endi Sukma Dewata 2017-06-14 22:39:45 UTC 
Fixed in master:
* https://github.com/dogtagpki/pki/commit/ab2e24b3087368a2aadfcda77323a7d0aa70db80
* https://github.com/dogtagpki/pki/commit/fac7ebb8fd21f60a06241d6e132c8a4f5972a773
Comment 9 bhavik 2017-12-27 18:02:01 UTC 
Build verified with 10.5.1-5
[root@bkr-hv01-guest02 ~]# yum list pki-*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
pki-base.noarch                                                                                          10.5.1-5.el7                                                             @RHEL75     
pki-base-java.noarch                                                                                     10.5.1-5.el7                                                             @RHEL75     
pki-ca.noarch                                                                                            10.5.1-5.el7                                                             @RHEL75     
pki-console.noarch                                                                                       10.5.1-3.el7pki                                                          @RHCS93     
pki-kra.noarch                                                                                           10.5.1-5.el7                                                             @RHEL75     
pki-ocsp.noarch                                                                                          10.5.1-5.el7pki                                                          @RHCS93     
pki-server.noarch                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-symkey.x86_64                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-tks.noarch                                                                                           10.5.1-5.el7pki                                                          @RHCS93     
pki-tools.x86_64                                                                                         10.5.1-5.el7                                                             @RHEL75     
pki-tps.x86_64                                                                                           10.5.1-5.el7pki                                                          @RHCS93     


Steps followed as per https://bugzilla.redhat.com/show_bug.cgi?id=1404794#c4 mentioned by Endi

Before changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg.

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA

Verification process complete.
Valid signatures: 155
Invalid signatures: 0

After changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg.

Restarted tomcat instance

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA

Verification process complete.
Valid signatures: 163
Invalid signatures: 0

files created 
ca_audit                 ca_audit.20171227124631

New signatures where added due to new log file rotation.

Since no invalid signatures found marking this as verified.
Comment 15 errata-xmlrpc 2018-04-10 16:56:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925
Note You need to log in before you can comment on or make changes to this bug.