1AuditVerify(1)     PKI Signed Audit Log Verification Command    AuditVerify(1)
2
3
4

NAME

6       AuditVerify  -  Command-Line  utility  for verifying Certificate System
7       signed audit logs.
8
9

SYNOPSIS

11       AuditVerify  -d  dbdir  -n  signing-cert-nickname  -a  logListFile  [-P
12       db-prefix] [-v]
13
14

DESCRIPTION

16       The  AuditVerify  command  provides command-line utility to verify that
17       signed audit logs were signed with the appropriate  PKI  audit  private
18       signing  key  and that the audit logs have not been compromised.  Audi‐
19       tors can verify the authenticity and integrity  of  signed  audit  logs
20       using  the  AuditVerify  tool.   This  tool  uses the public key of the
21       signed audit log signing certificate to verify the  digital  signatures
22       embedded  in a signed audit log file.  The tool result indicates either
23       that the signed audit log was successfully verified or that the  signed
24       audit  log was not successfully verified.  An unsuccessful verification
25       warns the auditor that the signature failed to verify,  indicating  the
26       log file may have been tampered with (compromised).
27
28
29       Note:  An  auditor can be any user that has the privilege to peruse the
30       PKI audit logs.
31
32

OPTIONS

34       -d dbdir
35           Specifies the directory containing the security databases with  the
36       imported audit log signing certificate.
37           This directory is almost always the auditor's own personal certifi‐
38       cate databases in a personal directory,
39           such as $HOME/.dogtag/nssdb.
40
41
42       -n signing-cert-nickname
43           Gives the nickname of the certificate used to sign the log files.
44           The nickname is whatever was used when the log signing  certificate
45       was imported into that database.
46
47
48       -P db-prefix
49           Optional. The prefix to prepend to the certificate and key database
50       filenames.
51           If used, a value of empty quotation marks (“”) should be  specified
52       for this argument,
53           since  the  auditor is using separate certificate and key databases
54       from the PKI server
55           and it is unlikely that the prefix should be prepended to  the  new
56       audit security database files.
57
58
59       -a logListFile
60           Specifies  the  file  which  contains  the  list  of file paths (in
61       chronological order)
62           of the signed audit logs to be verified.
63           The contents of the logListFile are the full  paths  to  the  audit
64       logs.
65
66
67       -v
68           Optional. Specifies verbose output.
69
70

Setting up the Auditor's Database

72       AuditVerify  needs  access  to a set of security databases (usually the
73       auditor's personal security databases) containing the signed audit  log
74       signing  certificate and its chain of issuing certificates.  One of the
75       CA certificates in the issuance chain must be marked as trusted in  the
76       database.
77
78
79       Auditors  should  import  the audit signing certificate into their per‐
80       sonal certificate database before  running  AuditVerify.   The  auditor
81       should  not  use the security databases of the PKI server instance that
82       generated the signed audit log files.  If there are no readily accessi‐
83       ble certificate and key database, the auditor must create a set of cer‐
84       tificate and key databases and import the signed audit log signing cer‐
85       tificate chain.
86
87
88       To create the security databases and import the certificate chain, cre‐
89       ate a special directory in the auditor's home directory to use to  per‐
90       form the verification. For example:
91
92
93              $ mkdir -p $HOME/.dogtag/nssdb
94
95
96
97       Use  the  certutil tool to create an empty set of certificate databases
98       in the auditor's home directory.
99
100
101              $ certutil -N -d $HOME/.dogtag/nssdb
102
103
104
105       Download  the  CA  certificate  from  the  CA's   Retrieval   page   at
106       https://server.example.com:8443/ca/ee/ca.    The  certificates  can  be
107       obtained from the CA in ASCII format.
108
109
110       Then import the CA certificate and log  signing  certificate  into  the
111       databases  and set trust of the certificates.  If the CA certificate is
112       in a file called cacert.pem and the log signing  certificate  is  in  a
113       file  called  logsigncert.pem, then the certutil can be used to set the
114       trust for the new audit security database directory pointing  to  those
115       files, as follows:
116
117
118              $ certutil -A -d $HOME/.dogtag/nssdb -n "CA Certificate" -t "CT,CT,CT" -a -i cacert.pem
119              $ certutil -A -d $HOME/.dogtag/nssdb -n "Log Signing Certificate" -t ",,P" -a -i logsigncert.pem
120
121
122
123       Note:  The signedAudit directory kept by the subsystem is not writeable
124       by any user, including auditors.
125
126

Operation

128       After a separate audit database directory has been configured, create a
129       text  file containing a list of the log files to be verified.  The name
130       of this file is referenced in the AuditVerify  command.   For  example,
131       this file could be logListFile.txt:
132
133
134              /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit.20030227102711
135              /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit.20030226094015
136              /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit
137
138
139
140       Assuming the audit databases do not contain prefixes and are located in
141       the user home directory, such as $HOME/.dogtag/nssdb, and  the  signing
142       certificate nickname is "Log Signing Certificate", the AuditVerify com‐
143       mand is run as follows:
144
145
146              $ AuditVerify -d $HOME/.dogtag/nssdb -n "Log Signing Certificate" -a logListFile.txt -P "" -v
147
148
149
150       Note: It has been observed that if audit signing is enabled after  sys‐
151       tem  is first started, the first audit signature would not be verified.
152       What happens is that the signature starts calculating from it's in-mem‐
153       ory audit log message when it signs, and since log signing is turned on
154       mid-way (not from a fresh new log file), the previous content were  not
155       signed  along  for calculating the first signature (and rightfully so).
156       When AuditVerify is run, it does not know where the log signing begins,
157       so  it  assumes it starts from the beginning of the file till the first
158       signature.  This is why the first signature (if signing  is  turned  on
159       mid-way) will always appear to be incorrect.
160
161

SEE ALSO

163       pki(1)
164
165

AUTHORS

167       Christina Fu lt;cfu@redhat.comgt;.
168
169
171       Copyright  (c)  2016 Red Hat, Inc.  This is licensed under the GNU Gen‐
172       eral Public License, version 2 (GPLv2).  A  copy  of  this  license  is
173       available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
174
175
176
177PKI                              July 7, 2016                   AuditVerify(1)
Impressum