Bug 1404794 - Audit Log Signature verification failures
Summary: Audit Log Signature verification failures
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core   
(Show other bugs)
Version: 7.3
Hardware: All Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 1463347
TreeView+ depends on / blocked
 
Reported: 2016-12-14 16:31 UTC by Matthew Harmsen
Modified: 2018-04-10 16:57 UTC (History)
6 users (show)

Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Bug Fix
Doc Text:
Signed audit log verification now works correctly Previously, due to improper logging system initialization and incorrect signature calculation by the verification tool, signed audit log verification could fail on the first log entry and after log rotation. With this update, the logging system and the verification tool have been fixed. As a result, signed audit log verification now works correctly in the mentioned scenarios.
Story Points: ---
Clone Of:
: 1463347 (view as bug list)
Environment:
Last Closed: 2018-04-10 16:56:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0925 None None None 2018-04-10 16:57 UTC

Description Matthew Harmsen 2016-12-14 16:31:34 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2561

It was observed that when audit signing logs rotate, the first signature entry in the next log file (for the last entries of the previous rotated log file) would sometimes fail to verify.
To reproduce, set log.instance.SignedAudit.maxFileSize to a small number (e.g. 3)
and restart the server; Do a few issuance to cause some entries to be written and rotate; run AuditVerify to observe.

Comment 4 Endi Sukma Dewata 2017-06-13 03:55:18 UTC
Steps to reproduce:

1. Install CA. By default log signing is disabled, so there are no signatures.
2. Run pki-server ca-audit-file-verify.
3. Set log.instance.SignedAudit.logSigning=true in /etc/pki/pki-tomcat/ca/CS.cfg.
4. Restart Tomcat. This will generate some signatures.
5. Run pki-server ca-audit-file-verify.
6. Set log.instance.SignedAudit.maxFileSize=5 in /etc/pki/pki-tomcat/ca/CS.cfg.
7. Restart Tomcat. This will trigger log rotation since the current log file size already exceeds the limit. It will also generate additional signatures.
8. Run pki-server ca-audit-file-verify.

Actual result:

* In step 2 the CLI reported 1 invalid signature due to unsigned log.
* In step 5 the CLI reported 1 invalid signature due to a bug in AuditVerify when validating the first signature.
* In step 8 the CLI reported 2 invalid signatures. The first one is the same as in step 5. The second one is invalid due to a bug on the server during log rotation.

Expected result:

* In step 2 the CLI should report no invalid signatures because there are no signatures.
* In step 5 the CLI should report no invalid signatures because the first signature should be ignored.
* In step 8 the CLI should report no invalid signatures because subsequent signatures should be valid regardless of log rotation.

Comment 9 bhavik 2017-12-27 18:02:01 UTC
Build verified with 10.5.1-5
[root@bkr-hv01-guest02 ~]# yum list pki-*
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Installed Packages
pki-base.noarch                                                                                          10.5.1-5.el7                                                             @RHEL75     
pki-base-java.noarch                                                                                     10.5.1-5.el7                                                             @RHEL75     
pki-ca.noarch                                                                                            10.5.1-5.el7                                                             @RHEL75     
pki-console.noarch                                                                                       10.5.1-3.el7pki                                                          @RHCS93     
pki-kra.noarch                                                                                           10.5.1-5.el7                                                             @RHEL75     
pki-ocsp.noarch                                                                                          10.5.1-5.el7pki                                                          @RHCS93     
pki-server.noarch                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-symkey.x86_64                                                                                        10.5.1-5.el7                                                             @RHEL75     
pki-tks.noarch                                                                                           10.5.1-5.el7pki                                                          @RHCS93     
pki-tools.x86_64                                                                                         10.5.1-5.el7                                                             @RHEL75     
pki-tps.x86_64                                                                                           10.5.1-5.el7pki                                                          @RHCS93     


Steps followed as per https://bugzilla.redhat.com/show_bug.cgi?id=1404794#c4 mentioned by Endi

Before changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg.

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA

Verification process complete.
Valid signatures: 155
Invalid signatures: 0

After changing log.instance.SignedAudit.maxFileSize=5 in /etc/pki/topology-02-CA/ca/CS.cfg.

Restarted tomcat instance

[root@bkr-hv01-guest02 ~]# pki-server ca-audit-file-verify -i topology-02-CA

Verification process complete.
Valid signatures: 163
Invalid signatures: 0

files created 
ca_audit                 ca_audit.20171227124631

New signatures where added due to new log file rotation.

Since no invalid signatures found marking this as verified.

Comment 15 errata-xmlrpc 2018-04-10 16:56:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925


Note You need to log in before you can comment on or make changes to this bug.