1AuditVerify(1) PKI Signed Audit Log Verification Command AuditVerify(1)
2
3
4
6 AuditVerify - Command-Line utility for verifying Certificate System
7 signed audit logs.
8
9
11 AuditVerify -d dbdir -n signing-cert-nickname -a logListFile [-P db-
12 prefix] [-v]
13
14
16 The AuditVerify command provides command-line utility to verify that
17 signed audit logs were signed with the appropriate PKI audit private
18 signing key and that the audit logs have not been compromised. Audi‐
19 tors can verify the authenticity and integrity of signed audit logs us‐
20 ing the AuditVerify tool. This tool uses the public key of the signed
21 audit log signing certificate to verify the digital signatures embedded
22 in a signed audit log file. The tool result indicates either that the
23 signed audit log was successfully verified or that the signed audit log
24 was not successfully verified. An unsuccessful verification warns the
25 auditor that the signature failed to verify, indicating the log file
26 may have been tampered with (compromised).
27
28
29 Note: An auditor can be any user that has the privilege to peruse the
30 PKI audit logs.
31
32
34 -d dbdir
35 Specifies the directory containing the security databases with the
36 imported audit log signing certificate.
37 This directory is almost always the auditor's own personal certifi‐
38 cate databases in a personal directory,
39 such as $HOME/.dogtag/nssdb.
40
41
42 -n signing-cert-nickname
43 Gives the nickname of the certificate used to sign the log files.
44 The nickname is whatever was used when the log signing certificate
45 was imported into that database.
46
47
48 -P db-prefix
49 Optional. The prefix to prepend to the certificate and key database
50 filenames.
51 If used, a value of empty quotation marks (“”) should be specified
52 for this argument,
53 since the auditor is using separate certificate and key databases
54 from the PKI server
55 and it is unlikely that the prefix should be prepended to the new
56 audit security database files.
57
58
59 -a logListFile
60 Specifies the file which contains the list of file paths (in
61 chronological order)
62 of the signed audit logs to be verified.
63 The contents of the logListFile are the full paths to the audit
64 logs.
65
66
67 -v
68 Optional. Specifies verbose output.
69
70
72 AuditVerify needs access to a set of security databases (usually the
73 auditor's personal security databases) containing the signed audit log
74 signing certificate and its chain of issuing certificates. One of the
75 CA certificates in the issuance chain must be marked as trusted in the
76 database.
77
78
79 Auditors should import the audit signing certificate into their per‐
80 sonal certificate database before running AuditVerify. The auditor
81 should not use the security databases of the PKI server instance that
82 generated the signed audit log files. If there are no readily accessi‐
83 ble certificate and key database, the auditor must create a set of cer‐
84 tificate and key databases and import the signed audit log signing cer‐
85 tificate chain.
86
87
88 To create the security databases and import the certificate chain, cre‐
89 ate a special directory in the auditor's home directory to use to per‐
90 form the verification. For example:
91
92
93 $ mkdir -p $HOME/.dogtag/nssdb
94
95
96
97 Use the certutil tool to create an empty set of certificate databases
98 in the auditor's home directory.
99
100
101 $ certutil -N -d $HOME/.dogtag/nssdb
102
103
104
105 Download the CA certificate from the CA's Retrieval page at
106 https://pki.example.com:8443/ca/ee/ca. The certificates can be ob‐
107 tained from the CA in ASCII format.
108
109
110 Then import the CA certificate and log signing certificate into the
111 databases and set trust of the certificates. If the CA certificate is
112 in a file called cacert.pem and the log signing certificate is in a
113 file called logsigncert.pem, then the certutil can be used to set the
114 trust for the new audit security database directory pointing to those
115 files, as follows:
116
117
118 $ certutil -A -d $HOME/.dogtag/nssdb -n "CA Certificate" -t "CT,CT,CT" -a -i cacert.pem
119 $ certutil -A -d $HOME/.dogtag/nssdb -n "Log Signing Certificate" -t ",,P" -a -i logsigncert.pem
120
121
122
123 Note: The signedAudit directory kept by the subsystem is not writeable
124 by any user, including auditors.
125
126
128 After a separate audit database directory has been configured, create a
129 text file containing a list of the log files to be verified. The name
130 of this file is referenced in the AuditVerify command. For example,
131 this file could be logListFile.txt:
132
133
134 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit.20030227102711
135 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit.20030226094015
136 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit
137
138
139
140 Assuming the audit databases do not contain prefixes and are located in
141 the user home directory, such as $HOME/.dogtag/nssdb, and the signing
142 certificate nickname is "Log Signing Certificate", the AuditVerify com‐
143 mand is run as follows:
144
145
146 $ AuditVerify -d $HOME/.dogtag/nssdb -n "Log Signing Certificate" -a logListFile.txt -P "" -v
147
148
149
150 Note: It has been observed that if audit signing is enabled after sys‐
151 tem is first started, the first audit signature would not be verified.
152 What happens is that the signature starts calculating from it's in-mem‐
153 ory audit log message when it signs, and since log signing is turned on
154 mid-way (not from a fresh new log file), the previous content were not
155 signed along for calculating the first signature (and rightfully so).
156 When AuditVerify is run, it does not know where the log signing begins,
157 so it assumes it starts from the beginning of the file till the first
158 signature. This is why the first signature (if signing is turned on
159 mid-way) will always appear to be incorrect.
160
161
163 pki(1)
164
165
167 Christina Fu <cfu@redhat.com>.
168
169
171 Copyright (c) 2016 Red Hat, Inc. This is licensed under the GNU Gen‐
172 eral Public License, version 2 (GPLv2). A copy of this license is
173 available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
174
175
176
177PKI July 7, 2016 AuditVerify(1)