1AuditVerify(1) PKI Signed Audit Log Verification Command AuditVerify(1)
2
6 AuditVerify - Command-Line utility for verifying Certificate System
7 signed audit logs.
8
11 AuditVerify -d dbdir -n signing-cert-nickname -a logListFile [-P
12 db-prefix] [-v]
13
16 The AuditVerify command provides command-line utility to verify that
17 signed audit logs were signed with the appropriate PKI audit private
18 signing key and that the audit logs have not been compromised. Audi‐
19 tors can verify the authenticity and integrity of signed audit logs
20 using the AuditVerify tool. This tool uses the public key of the
21 signed audit log signing certificate to verify the digital signatures
22 embedded in a signed audit log file. The tool result indicates either
23 that the signed audit log was successfully verified or that the signed
24 audit log was not successfully verified. An unsuccessful verification
25 warns the auditor that the signature failed to verify, indicating the
26 log file may have been tampered with (compromised).
27 Note: An auditor can be any user that has the privilege to peruse the
30 PKI audit logs.
31
34 -d dbdir
35 Specifies the directory containing the security databases with the
36 imported audit log signing certificate.
37 This directory is almost always the auditor's own personal certifi‐
38 cate databases in a personal directory,
39 such as $HOME/.dogtag/nssdb.
40 -n signing-cert-nickname
43 Gives the nickname of the certificate used to sign the log files.
44 The nickname is whatever was used when the log signing certificate
45 was imported into that database.
46 -P db-prefix
49 Optional. The prefix to prepend to the certificate and key database
50 filenames.
51 If used, a value of empty quotation marks (“”) should be specified
52 for this argument,
53 since the auditor is using separate certificate and key databases
54 from the PKI server
55 and it is unlikely that the prefix should be prepended to the new
56 audit security database files.
57 -a logListFile
60 Specifies the file which contains the list of file paths (in
61 chronological order)
62 of the signed audit logs to be verified.
63 The contents of the logListFile are the full paths to the audit
64 logs.
65 -v
68 Optional. Specifies verbose output.
69
72 AuditVerify needs access to a set of security databases (usually the
73 auditor's personal security databases) containing the signed audit log
74 signing certificate and its chain of issuing certificates. One of the
75 CA certificates in the issuance chain must be marked as trusted in the
76 database.
77 Auditors should import the audit signing certificate into their per‐
80 sonal certificate database before running AuditVerify. The auditor
81 should not use the security databases of the PKI server instance that
82 generated the signed audit log files. If there are no readily accessi‐
83 ble certificate and key database, the auditor must create a set of cer‐
84 tificate and key databases and import the signed audit log signing cer‐
85 tificate chain.
86 To create the security databases and import the certificate chain, cre‐
89 ate a special directory in the auditor's home directory to use to per‐
90 form the verification. For example:
91 $ mkdir -p $HOME/.dogtag/nssdb
94 Use the certutil tool to create an empty set of certificate databases
98 in the auditor's home directory.
99 $ certutil -N -d $HOME/.dogtag/nssdb
102 Download the CA certificate from the CA's Retrieval page at
106 ⟨https://server.example.com:8443/ca/ee/ca⟩. The certificates can be
107 obtained from the CA in ASCII format.
108 Then import the CA certificate and log signing certificate into the
111 databases and set trust of the certificates. If the CA certificate is
112 in a file called cacert.pem and the log signing certificate is in a
113 file called logsigncert.pem, then the certutil can be used to set the
114 trust for the new audit security database directory pointing to those
115 files, as follows:
116 $ certutil -A -d $HOME/.dogtag/nssdb -n "CA Certificate" -t "CT,CT,CT" -a -i cacert.pem
119 $ certutil -A -d $HOME/.dogtag/nssdb -n "Log Signing Certificate" -t ",,P" -a -i logsigncert.pem
120 Note: The signedAudit directory kept by the subsystem is not writeable
124 by any user, including auditors.
125
128 After a separate audit database directory has been configured, create a
129 text file containing a list of the log files to be verified. The name
130 of this file is referenced in the AuditVerify command. For example,
131 this file could be logListFile.txt:
132 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit.20030227102711
135 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit.20030226094015
136 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit
137 Assuming the audit databases do not contain prefixes and are located in
141 the user home directory, such as $HOME/.dogtag/nssdb, and the signing
142 certificate nickname is "Log Signing Certificate", the AuditVerify com‐
143 mand is run as follows:
144 $ AuditVerify -d $HOME/.dogtag/nssdb -n "Log Signing Certificate" -a logListFile.txt -P "" -v
147 Note: It has been observed that if audit signing is enabled after sys‐
151 tem is first started, the first audit signature would not be verified.
152 What happens is that the signature starts calculating from it's in-mem‐
153 ory audit log message when it signs, and since log signing is turned on
154 mid-way (not from a fresh new log file), the previous content were not
155 signed along for calculating the first signature (and rightfully so).
156 When AuditVerify is run, it does not know where the log signing begins,
157 so it assumes it starts from the beginning of the file till the first
158 signature. This is why the first signature (if signing is turned on
159 mid-way) will always appear to be incorrect.
160
163 pki(1)
164
167 Christina Fu <cfu@redhat.com>.
168
171 Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU Gen‐
172 eral Public License, version 2 (GPLv2). A copy of this license is
173 available at ⟨http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt⟩.
174PKI July 7, 2016 AuditVerify(1)