Bug 481237 - Audit log signing
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Logging
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: 1.0
Assigned To: Christina Fu
QA Contact: Chandrasekar Kannan
Blocks: 443788

Reported: 2009-01-22 17:53 EST by Christina Fu
Modified: 2015-01-04 18:36 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:31:28 EDT

Attachments
audit framework change for base/ (22.27 KB, text/plain)
2009-01-22 18:05 EST, Christina Fu
caAuditSigningCert.profile for local ca (1.62 KB, application/octet-stream)
2009-01-22 18:06 EST, Christina Fu
caInternalAuthAuditSigningCert.cfg for remote subsystems (5.81 KB, text/plain)
2009-01-22 18:08 EST, Christina Fu
signed audit spec file changes in dogtag (5.39 KB, text/plain)
2009-01-22 18:10 EST, Christina Fu
reload caAuditSigningCert.profile with type text (1.62 KB, text/plain)
2009-01-22 22:13 EST, Christina Fu

Description Christina Fu 2009-01-22 17:53:41 EST
Revive audit log signing. The framework is there, but
1. the audit signing cert is not created by default by the post-install config wizard
2. the AuditVerify tool is broken
3. newer subsystems such as TKS need more audit messages
Comment 1 Christina Fu 2009-01-22 18:05:21 EST
Created attachment 329749: audit framework change for base/
Comment 2 Christina Fu 2009-01-22 18:06:45 EST
Created attachment 329750: caAuditSigningCert.profile for local ca
Comment 3 Christina Fu 2009-01-22 18:08:27 EST
Created attachment 329751: caInternalAuthAuditSigningCert.cfg for remote subsystems
Comment 4 Christina Fu 2009-01-22 18:10:08 EST
Created attachment 329752: signed audit spec file changes in dogtag
Comment 5 Christina Fu 2009-01-22 18:11:00 EST
jmagne please review.
Comment 6 Jack Magne 2009-01-22 18:19:01 EST
Attachments id=329749, 329750, 329571, 329752 +jmagne.

Also, the .profile attachment confuses the system. Might want to make it of type text next time.
Comment 7 Christina Fu 2009-01-22 22:13:04 EST
Created attachment 329771: reload caAuditSigningCert.profile with type text
Comment 8 Christina Fu 2009-01-22 22:56:36 EST
$ svn commit
Sending        base/ca/shared/conf/CS.cfg
Adding         base/ca/shared/conf/caAuditSigningCert.profile
Adding         base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
Sending        base/common/src/LogMessages_en.properties
Sending        base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
Sending        base/java-tools/build.xml
Sending        base/java-tools/src/com/netscape/cmstools/AuditVerify.java
Sending        base/kra/shared/conf/CS.cfg
Sending        base/ocsp/shared/conf/CS.cfg
Sending        base/tks/shared/conf/CS.cfg
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/common/pki-common.spec
Sending        dogtag/java-tools/pki-java-tools.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ................
Committed revision 183.
Comment 9 Christina Fu 2009-01-23 11:20:02 EST
How to test (for CA, DRM/KRA, TKS, OCSP):
1. edit CS.cfg and change the value of log.instance.SignedAudit.logSigning from false to true.
2. restart the subsystem
3. do something (enrollment, add user, etc.) to trigger some audit logging
4. go to the CA and find the cert "... Audit Signing Certificate...", copy the base64 encoding and paste it into a file, say audit.cert
5. create an NSS db and import the cert
6. run AuditVerify to verify the audit logs

Note: the first signature verified will always fail due to the extra data written to the log file before signed audit begins. I might file a separate bug to fix that.
Comment 12 Jenny Galipeau 2009-06-29 10:44:08 EDT
Verified:

[root@qe-blade-11 results]# AuditVerify -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca" -a /home/jgalipea/loglist.txt -v
======
File: /var/lib/pki-ca/logs/signedAudit/ca_audit
======
Line 124: VERIFICATION FAILED: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:1 to /var/lib/pki-ca/logs/signedAudit/ca_audit:123
Line 126: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:124 to /var/lib/pki-ca/logs/signedAudit/ca_audit:125
Line 128: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:126 to /var/lib/pki-ca/logs/signedAudit/ca_audit:127
Line 131: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:128 to /var/lib/pki-ca/logs/signedAudit/ca_audit:130
Line 134: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:131 to /var/lib/pki-ca/logs/signedAudit/ca_audit:133
Line 137: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:134 to /var/lib/pki-ca/logs/signedAudit/ca_audit:136
Line 139: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:137 to /var/lib/pki-ca/logs/signedAudit/ca_audit:138
Line 143: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:139 to /var/lib/pki-ca/logs/signedAudit/ca_audit:142
Line 146: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:143 to /var/lib/pki-ca/logs/signedAudit/ca_audit:145
Line 149: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:146 to /var/lib/pki-ca/logs/signedAudit/ca_audit:148
Line 153: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:149 to /var/lib/pki-ca/logs/signedAudit/ca_audit:152
Line 155: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:153 to /var/lib/pki-ca/logs/signedAudit/ca_audit:154
Line 158: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:155 to /var/lib/pki-ca/logs/signedAudit/ca_audit:157
Line 162: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:158 to /var/lib/pki-ca/logs/signedAudit/ca_audit:161
Line 166: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:162 to /var/lib/pki-ca/logs/signedAudit/ca_audit:165

Verification process complete.
Valid signatures: 14
Invalid signatures: 1
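
The span-by-span checking that the test procedure in comment 9 and the AuditVerify output in comment 12 show, as an added example that is not Dogtag's code and not the AuditVerify implementation. It models a signer that emits a signature line after each flush covering only the records buffered since the previous signature, and a verifier that, like the output above, checks every signature line against the span from the line after the previous signature line (line 1 for the first one) up to the line before it. Everything concrete in it is an assumption for illustration: the signature line format `[AuditEvent=AUDIT_LOG_SIGNING] sig: <base64>` is a simplification of the real Dogtag line, the signed bytes are taken to be the covered lines each with its newline, HMAC-SHA256 with a constructed key stands in for the RSA signature made with the audit signing certificate's private key so the example runs with only the standard library, and the sample log lines are constructed. The stand-alone run reproduces the failure mode the note in comment 9 describes: lines written before signing began fall into the first span, so the first signature fails and the rest verify.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the audit signing private key. Dogtag signs with the
# RSA key behind the audit signing certificate; HMAC keeps the example stdlib-only.
SIGNING_KEY = b"constructed stand-in for the audit signing private key"

# Assumed, simplified shape of a signature line; the real Dogtag line carries
# more fields. Only the trailing base64 value is used here.
SIG_RE = re.compile(r"\[AuditEvent=AUDIT_LOG_SIGNING\] sig: (\S+)$")


def _signed_bytes(lines):
    # Assumption: the signed data is the covered lines, each with its newline.
    return "".join(line + "\n" for line in lines).encode("utf-8")


def _sign(lines):
    mac = hmac.new(SIGNING_KEY, _signed_bytes(lines), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def _verify(lines, sig_b64):
    return hmac.compare_digest(_sign(lines), sig_b64)


def write_signed_log(pre_signing_lines, records, flush_every=2):
    """Emulate the subsystem writer: `pre_signing_lines` are already in the file
    when signing starts (the situation the note in comment 9 describes); after
    that, every flush of `flush_every` records is followed by a signature line
    that covers only the records buffered since the previous signature."""
    out = list(pre_signing_lines)
    buffered = []
    for rec in records:
        out.append(rec)
        buffered.append(rec)
        if len(buffered) == flush_every:
            out.append(f"[AuditEvent=AUDIT_LOG_SIGNING] sig: {_sign(buffered)}")
            buffered = []
    if buffered:  # final partial flush, e.g. at shutdown
        out.append(f"[AuditEvent=AUDIT_LOG_SIGNING] sig: {_sign(buffered)}")
    return out


def audit_verify(lines, path="ca_audit"):
    """Walk the log the way AuditVerify reports it: each signature line is checked
    against the span from the line after the previous signature line (line 1 for
    the first) up to the line before it. Returns (report, valid, invalid)."""
    report, valid, invalid = [], 0, 0
    span_start = 1  # 1-based number of the first line not yet covered
    for lineno, line in enumerate(lines, start=1):
        m = SIG_RE.search(line)
        if m is None:
            continue
        span = lines[span_start - 1:lineno - 1]
        if _verify(span, m.group(1)):
            verdict, valid = "verification succeeded", valid + 1
        else:
            verdict, invalid = "VERIFICATION FAILED", invalid + 1
        report.append(f"Line {lineno}: {verdict}: signature of "
                      f"{path}:{span_start} to {path}:{lineno - 1}")
        span_start = lineno + 1
    return report, valid, invalid


if __name__ == "__main__":
    # Constructed log: one line written before signing was enabled, then six records.
    records = [f"[AuditEvent=CONSTRUCTED_EVENT_{i}] record {i}" for i in range(1, 7)]
    log = write_signed_log(["line written before signed audit began"], records)
    report, valid, invalid = audit_verify(log)
    print("\n".join(report))
    print(f"Valid signatures: {valid}\nInvalid signatures: {invalid}")
```

Because each signature covers only the records since the previous signature line, altering or deleting any record inside a span breaks exactly that span's signature, while removing a whole signed span together with its signature line would go unnoticed by this per-span check; that is why the tool should be run over the complete, chronologically ordered set of log files rather than a fragment.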
