Red Hat Bugzilla – Bug 481237
Audit log signing
Last modified: 2015-01-04 18:36:11 EST
Revive audit log signing. The framework is there, but:
1. the audit signing cert is not created by default by the post-install configuration wizard
2. the AuditVerify tool is broken
3. newer subsystems such as TKS need more audit messages
Created attachment 329749 [details]
audit framework change for base/
Created attachment 329750 [details]
caAuditSigningCert.profile for local ca
Created attachment 329751 [details]
caInternalAuthAuditSigningCert.cfg for remote subsystems
Created attachment 329752 [details]
signed audit spec file changes in dogtag
jmagne please review.
Attachments id=329749, 329750, 329571, 329752 +jmagne.
Also, the .profile attachment confuses the system. Might want to make it of type text next time.
Created attachment 329771 [details]
reload caAuditSigningCert.profile with type text
$ svn commit
Transmitting file data ................
Committed revision 183.
How to test (for CA, DRM/KRA, TKS, OCSP):
1. edit CS.cfg and change the value of log.instance.SignedAudit.logSigning from false to true.
2. restart the subsystem
3. do something (enrollment, add a user, etc.) to trigger some audit logging
4. go to the CA and find the cert "... Audit Signing Certificate...", copy the base64 encoding and paste it into a file, say audit.cert
5. create an NSS db and import the cert
6. run AuditVerify to verify the audit logs
Note: the first signature verified will always fail due to the extra data written to the log file before signed audit begins. I might file a separate bug to fix that.
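Added example (not Dogtag code, and not the real AuditVerify): a toy model in Go of the chained signed-audit verification that the steps above exercise. The line format (`AUDIT_LOG_SIGNING sig=<base64>`), the segment size, and the use of an in-memory RSA key with PKCS#1 v1.5/SHA-256 in place of the audit signing certificate are all assumptions made here. Each signature line covers every line since the previous signature line, inclusive, so the records chain together, and the verifier reports one result per signature in the same shape as the tool output. It also reproduces the note above: lines written before signing was switched on fall inside the first verified range but were never signed, so the first check fails while every later one passes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed toy line format (not Dogtag's real wire format): ordinary audit
// lines, and periodically a signature line whose signature covers every line
// from the previous signature line (inclusive) up to the line just before it.
const sigPrefix = "AUDIT_LOG_SIGNING sig="

// Result is one verifier finding: the signature line and the range it covered.
type Result struct {
	Line     int  // 1-based line number of the signature line
	From, To int  // 1-based range of lines the signature was checked against
	OK       bool // true when the signature verified over that range
}

// digestOf hashes a segment exactly as both signer and verifier see it.
func digestOf(lines []string) [32]byte {
	return sha256.Sum256([]byte(strings.Join(lines, "\n") + "\n"))
}

// signSegment produces the signature line for the given segment.
func signSegment(priv *rsa.PrivateKey, lines []string) (string, error) {
	d := digestOf(lines)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return "", err
	}
	return sigPrefix + base64.StdEncoding.EncodeToString(sig), nil
}

// BuildLog writes the preamble (constructed lines logged before signing was
// enabled), then signs events in groups of `every`. The signer only covers
// what it wrote itself, so the preamble is never under any signature.
func BuildLog(priv *rsa.PrivateKey, preamble, events []string, every int) ([]string, error) {
	log := append([]string{}, preamble...)
	var segment []string // lines since the last signature line, inclusive
	n := 0               // event lines in the current segment
	for _, e := range events {
		log = append(log, e)
		segment = append(segment, e)
		n++
		if n == every {
			sigLine, err := signSegment(priv, segment)
			if err != nil {
				return nil, err
			}
			log = append(log, sigLine)
			segment = []string{sigLine} // the signature line opens the next segment
			n = 0
		}
	}
	return log, nil
}

// VerifyLog walks the file from line 1: each signature line is checked against
// all lines since the previous signature line (or since line 1 for the first).
func VerifyLog(pub *rsa.PublicKey, log []string) []Result {
	var results []Result
	start := 0 // index of the first line in the current segment
	for i, line := range log {
		if !strings.HasPrefix(line, sigPrefix) {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(line, sigPrefix))
		d := digestOf(log[start:i])
		ok := err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
		results = append(results, Result{Line: i + 1, From: start + 1, To: i, OK: ok})
		start = i
	}
	return results
}

// Summary counts valid and invalid signatures, as the tool's trailer does.
func Summary(results []Result) (valid, invalid int) {
	for _, r := range results {
		if r.OK {
			valid++
		} else {
			invalid++
		}
	}
	return valid, invalid
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the audit signing key
	if err != nil {
		panic(err)
	}
	// Constructed sample data: one line before signing was enabled, then events.
	preamble := []string{"[constructed] server started, logSigning still false"}
	events := []string{"[constructed] AUTH success", "[constructed] CERT_REQUEST_PROCESSED",
		"[constructed] CONFIG_ROLE user added", "[constructed] AUTH success"}
	log, err := BuildLog(priv, preamble, events, 2)
	if err != nil {
		panic(err)
	}
	for _, r := range VerifyLog(&priv.PublicKey, log) {
		status := "verification succeeded"
		if !r.OK {
			status = "VERIFICATION FAILED"
		}
		fmt.Printf("Line %d: %s: signature of audit:%d to audit:%d\n", r.Line, status, r.From, r.To)
	}
	valid, invalid := Summary(VerifyLog(&priv.PublicKey, log))
	fmt.Printf("Valid signatures: %d\nInvalid signatures: %d\n", valid, invalid)
}
```

Because each signature line is itself inside the next signed range, an attacker who edits a signed event line breaks only that segment's check; removing or rewriting a signature line instead breaks the following segment, so any gap in the chain shows up in the per-line report, which is what the verifier output below is read for.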
[root@qe-blade-11 results]# AuditVerify -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca" -a /home/jgalipea/loglist.txt -v
Line 124: VERIFICATION FAILED: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:1 to /var/lib/pki-ca/logs/signedAudit/ca_audit:123
Line 126: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:124 to /var/lib/pki-ca/logs/signedAudit/ca_audit:125
Line 128: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:126 to /var/lib/pki-ca/logs/signedAudit/ca_audit:127
Line 131: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:128 to /var/lib/pki-ca/logs/signedAudit/ca_audit:130
Line 134: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:131 to /var/lib/pki-ca/logs/signedAudit/ca_audit:133
Line 137: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:134 to /var/lib/pki-ca/logs/signedAudit/ca_audit:136
Line 139: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:137 to /var/lib/pki-ca/logs/signedAudit/ca_audit:138
Line 143: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:139 to /var/lib/pki-ca/logs/signedAudit/ca_audit:142
Line 146: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:143 to /var/lib/pki-ca/logs/signedAudit/ca_audit:145
Line 149: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:146 to /var/lib/pki-ca/logs/signedAudit/ca_audit:148
Line 153: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:149 to /var/lib/pki-ca/logs/signedAudit/ca_audit:152
Line 155: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:153 to /var/lib/pki-ca/logs/signedAudit/ca_audit:154
Line 158: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:155 to /var/lib/pki-ca/logs/signedAudit/ca_audit:157
Line 162: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:158 to /var/lib/pki-ca/logs/signedAudit/ca_audit:161
Line 166: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:162 to /var/lib/pki-ca/logs/signedAudit/ca_audit:165
Verification process complete.
Valid signatures: 14
Invalid signatures: 1