Bug 481237 - Audit log signing
Summary: Audit log signing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Logging
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: 1.0
Assignee: Christina Fu
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788
Reported: 2009-01-22 22:53 UTC by Christina Fu
Modified: 2015-01-04 23:36 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-07-22 23:31:28 UTC
Embargoed:


Attachments
audit framework change for base/ (22.27 KB, text/plain), 2009-01-22 23:05 UTC, Christina Fu
caAuditSigningCert.profile for local ca (1.62 KB, application/octet-stream), 2009-01-22 23:06 UTC, Christina Fu
caInternalAuthAuditSigningCert.cfg for remote subsystems (5.81 KB, text/plain), 2009-01-22 23:08 UTC, Christina Fu
signed audit spec file changes in dogtag (5.39 KB, text/plain), 2009-01-22 23:10 UTC, Christina Fu
reload caAuditSigningCert.profile with type text (1.62 KB, text/plain), 2009-01-23 03:13 UTC, Christina Fu

Description Christina Fu 2009-01-22 22:53:41 UTC
revive audit log signing.  Framework is there, but
1. audit signing cert is not created by default at post-install config wizard
2. AuditVerify tool is broken
3. newer subsystems such as TKS need more audit messages

Comment 1 Christina Fu 2009-01-22 23:05:21 UTC
Created attachment 329749 [details]
audit framework change for base/

Comment 2 Christina Fu 2009-01-22 23:06:45 UTC
Created attachment 329750 [details]
caAuditSigningCert.profile for local ca

Comment 3 Christina Fu 2009-01-22 23:08:27 UTC
Created attachment 329751 [details]
caInternalAuthAuditSigningCert.cfg for remote subsystems

Comment 4 Christina Fu 2009-01-22 23:10:08 UTC
Created attachment 329752 [details]
signed audit spec file changes in dogtag

Comment 5 Christina Fu 2009-01-22 23:11:00 UTC
jmagne please review.

Comment 6 Jack Magne 2009-01-22 23:19:01 UTC
Attachments id=329749, 329750, 329571, 329752 +jmagne.

Also, the .profile attachment confuses the system. Might want to make it of type text next time.

Comment 7 Christina Fu 2009-01-23 03:13:04 UTC
Created attachment 329771 [details]
reload caAuditSigningCert.profile with type text

Comment 8 Christina Fu 2009-01-23 03:56:36 UTC
$ svn commit
Sending        base/ca/shared/conf/CS.cfg
Adding         base/ca/shared/conf/caAuditSigningCert.profile
Adding         base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
Sending        base/common/src/LogMessages_en.properties
Sending        base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
Sending        base/java-tools/build.xml
Sending        base/java-tools/src/com/netscape/cmstools/AuditVerify.java
Sending        base/kra/shared/conf/CS.cfg
Sending        base/ocsp/shared/conf/CS.cfg
Sending        base/tks/shared/conf/CS.cfg
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/common/pki-common.spec
Sending        dogtag/java-tools/pki-java-tools.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ................
Committed revision 183.

Comment 9 Christina Fu 2009-01-23 16:20:02 UTC
How to test (for CA, DRM/KRA, TKS, OCSP):
1. edit CS.cfg and change value of log.instance.SignedAudit.logSigning from false to true.
2. restart subsystem
3. do something (enrollment, add user, etc.) to trigger some audit logging
4. go to the CA and find the cert "... Audit Signing Certificate...", copy the base64 encoding and paste it in a file, say audit.cert
5. create nss db and import the cert
6. run AuditVerify to verify the audit logs

note: the first signature verified will always fail due to the extra data written to the log file before signed audit begins.  I might file a separate bug to fix that.
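
The following is an added illustration, not code from the bug or from Dogtag, of the verification structure that the test procedure above and the AuditVerify output in Comment 12 rely on: each signing line is checked against the lines from the previous signing line (inclusive) up to the line just before it, the first range starts at line 1, and a signature that was computed only over what the server buffered after signing was enabled therefore fails whenever the file already held unsigned lines. The signing-line marker, the batch size, the sample log lines and the key are all constructed for this example; HMAC-SHA256 stands in for the signature made with the audit signing certificate, so only the chaining and range logic is meant to mirror the real tool.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed marker for a signing line; the real Dogtag line format differs.
SIGN_MARKER = "[AuditEvent=AUDIT_LOG_SIGNING] sig="
# Constructed key: stands in for the private key of the audit signing cert.
KEY = b"constructed-demo-key"


def sign_lines(key, lines):
    """HMAC-SHA256 over the newline-joined lines, base64 encoded.
    Stand-in for the certificate-based signature; the chaining is the point."""
    data = "\n".join(lines).encode("utf-8")
    return base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode("ascii")


class AuditSigner:
    """Models the subsystem: once signing is enabled it buffers every line it
    writes and, every `batch` events, appends a signing line over the buffer.
    The previous signing line becomes the first element of the next buffer, so
    the signatures form a chain. Lines written before enabling are never signed."""

    def __init__(self, key, batch, already_written=None):
        self.key = key
        self.batch = batch
        self.lines = list(already_written or [])  # file content before signing began
        self.buffer = []                          # what the server will sign next
        self.pending = 0

    def write(self, event):
        self.lines.append(event)
        self.buffer.append(event)
        self.pending += 1
        if self.pending >= self.batch:
            sig_line = SIGN_MARKER + sign_lines(self.key, self.buffer)
            self.lines.append(sig_line)
            self.buffer = [sig_line]  # next signature covers this signing line too
            self.pending = 0


@dataclass
class SigCheck:
    sig_line: int  # 1-based line number of the signing line
    first: int     # 1-based first line the signature should cover
    last: int      # 1-based last line it should cover
    ok: bool


def verify_log(key, lines):
    """AuditVerify-style walk over a log already read into memory. The first
    range starts at line 1, which is why an unsigned preamble written before
    signing was enabled makes the first check fail."""
    results = []
    start = 0  # 0-based index of the first line covered by the next signature
    for i, line in enumerate(lines):
        if not line.startswith(SIGN_MARKER):
            continue
        claimed = line[len(SIGN_MARKER):]
        expected = sign_lines(key, lines[start:i])
        results.append(SigCheck(i + 1, start + 1, i, hmac.compare_digest(claimed, expected)))
        start = i  # the signing line itself is part of the next range
    return results


def summarize(results):
    """Return (valid, invalid) counts, as in the tool's closing summary."""
    valid = sum(1 for r in results if r.ok)
    return valid, len(results) - valid


def report(path, results):
    """Render results in the same shape as the AuditVerify output."""
    out = []
    for r in results:
        status = "verification succeeded" if r.ok else "VERIFICATION FAILED"
        out.append(f"Line {r.sig_line}: {status}: signature of {path}:{r.first} to {path}:{r.last}")
    valid, invalid = summarize(results)
    out += ["", "Verification process complete.",
            f"Valid signatures: {valid}", f"Invalid signatures: {invalid}"]
    return "\n".join(out)


# Constructed sample data: three lines written before signing was enabled,
# then four audit events signed in batches of two.
PREAMBLE = ["[init] server start", "[init] logging configured", "[init] signing enabled"]
EVENTS = ["[enroll] request 1", "[enroll] request 2", "[user] add alice", "[user] add bob"]


def build_log(preamble):
    signer = AuditSigner(KEY, batch=2, already_written=preamble)
    for event in EVENTS:
        signer.write(event)
    return signer.lines


if __name__ == "__main__":
    print(report("ca_audit", verify_log(KEY, build_log(PREAMBLE))))
```

With the preamble present the first signing line fails and the second succeeds, which is the pattern in the note above; with an empty preamble every signature verifies, and changing any line inside a signed range, or a signing line itself, flips the next check to failed.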

Comment 12 Jenny Severance 2009-06-29 14:44:08 UTC
Verified:

[root@qe-blade-11 results]# AuditVerify -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca" -a /home/jgalipea/loglist.txt -v
======
File: /var/lib/pki-ca/logs/signedAudit/ca_audit
======
Line 124: VERIFICATION FAILED: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:1 to /var/lib/pki-ca/logs/signedAudit/ca_audit:123
Line 126: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:124 to /var/lib/pki-ca/logs/signedAudit/ca_audit:125
Line 128: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:126 to /var/lib/pki-ca/logs/signedAudit/ca_audit:127
Line 131: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:128 to /var/lib/pki-ca/logs/signedAudit/ca_audit:130
Line 134: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:131 to /var/lib/pki-ca/logs/signedAudit/ca_audit:133
Line 137: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:134 to /var/lib/pki-ca/logs/signedAudit/ca_audit:136
Line 139: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:137 to /var/lib/pki-ca/logs/signedAudit/ca_audit:138
Line 143: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:139 to /var/lib/pki-ca/logs/signedAudit/ca_audit:142
Line 146: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:143 to /var/lib/pki-ca/logs/signedAudit/ca_audit:145
Line 149: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:146 to /var/lib/pki-ca/logs/signedAudit/ca_audit:148
Line 153: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:149 to /var/lib/pki-ca/logs/signedAudit/ca_audit:152
Line 155: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:153 to /var/lib/pki-ca/logs/signedAudit/ca_audit:154
Line 158: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:155 to /var/lib/pki-ca/logs/signedAudit/ca_audit:157
Line 162: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:158 to /var/lib/pki-ca/logs/signedAudit/ca_audit:161
Line 166: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:162 to /var/lib/pki-ca/logs/signedAudit/ca_audit:165

Verification process complete.
Valid signatures: 14
Invalid signatures: 1

