Remote Audit Logging

With Luna Network HSM 7, the audit logs can be sent to one or more remote logging servers. Either UDP or TCP protocol can be specified. The default is UDP and port 514. You might choose another port for syslog remote logging or audit remote logging, so that syslog and audit log do not conflict.

NOTE   You or your network administrator will need to adjust your firewall to pass this traffic (iptables, firewalld, etc.).

Audit logging to the local file system or to a remote server requires that times be synchronized.

HSM clock management by SO - The Audit role has always been able to set the HSM time. Beginning with Luna HSM Firmware 7.8.0, the HSM SO can also manage the clock using the lunash hsm time get and hsm time sync commands. Run these to initialize the HSM clock, then set HSM Policy 57 - Allow sync with host time to ON so that the one-time manual sync becomes a daily, automatic event that keeps HSM clock drift within tolerance. Note that the policy is OFF by default, for backward compatibility.

NOTE   You can encounter the error CKR_TIME_NOT_INITIALIZED if the lunash hsm time get and hsm time sync commands have not been used to set the time. You can also encounter CKR_CLOCK_NOT_IN_SYNC if the clocks on the source and target HSMs are not within the time tolerance for CPv4 cloning operations.
Other operations also need the HSM time properly set and synchronized: remote audit logging, for example, depends on tight drift control so that log messages do not appear out of order.

Clock synchronization, traceable to a trusted time source, is needed on both the source HSM and the target HSM.

UDP Considerations

If you are using the UDP protocol for logging, the following statements are required in the /etc/rsyslog.conf file:

$ModLoad imudp
$InputUDPServerRun (PORT)

Possible approaches include the following:

>With templates:

$template AuditFile,"/var/log/luna/audit_remote.log"
if $syslogfacility-text == 'local3' then ?AuditFile;AuditFormat

>Without templates:

local3.* /var/log/audit.log;AuditFormat

>Dynamic filename:

$template DynFile,"/var/log/luna/%HOSTNAME%.log"
if $syslogfacility-text == 'local3' then ?DynFile;AuditFormat

NOTE   The important thing to remember is that the incoming logs go to local3, and the port/protocol that is set on the Luna appliance must be the same that is set on the server running rsyslog.

Example using TCP

The following example illustrates how to set up a remote Linux system to receive the audit logs using TCP:

1.Register the remote Linux system IP address or hostname with the Luna Network HSM 7:

lunash:> audit remotehost add -host 192.20.9.160 -protocol tcp -port 1660

2.Modify the remote Linux system /etc/rsyslog.conf file to receive the audit logs:

$ModLoad imtcp
# The listening port must match the port registered on the appliance in step 1
$InputTCPServerRun 1660
$template AuditFormat,"%msg:F,94:2%\n"
# save log messages from Luna Network HSM 7
local3.* /var/log/luna/audit.log;AuditFormat

3.Modify the remote Linux system /etc/sysconfig/rsyslog file to receive the remote logs:

# Enables logging from remote machines. The listener will listen to the specified port.
SYSLOGD_OPTIONS="-r -m 0"

4.Restart the rsyslog daemon on the remote Linux system:

# service rsyslog restart

5.Monitor the audit logs on the remote Linux system:

# tail -f /var/log/luna/audit.log

Mutual authentication with CA-signed certificates.

>The remote log server and the Luna Network HSM 7 appliance each generate a private key and CSR.

>The remote log server and the Luna Network HSM 7 appliance add the received signed certificates.

>The remote log server and Luna Network HSM 7 appliance add the CA certificate to their trust store.

>User configures server information.

Example: Configure a remote server with mutual authentication, tcp and CA-signed certificates

1.Generate a CSR.

lunash:>audit remotehost cert gen -csr

2.Export the CSR and sign it with the CA certificate.

3.At the CA server, receive the CSR, sign the certificate for the Luna Network HSM 7 appliance, and return it together with the CA certificate.

[CAserver]# scp operator@192.168.14.93:client_syslog_csr.csr .
[CAserver]# <CAserver-side command(s) to sign the cert>
[CAserver]# scp ca.pem operator@192.168.14.93:
[CAserver]# scp client_sign.pem operator@192.168.14.93:

4.Add the CA certificate to the Luna Network HSM 7 appliance.

lunash:>audit remotehost cert installCA ca.pem

	Attempting to install ca.pem

	CA certificate installed successfully.
	The syslog service needs to be (re)started before a secure connection can be established.

Command Result : 0 (Success)

5.Import the signed client certificate to the Luna Network HSM 7 appliance and add it.

lunash:>audit remotehost cert install client_sign.pem

	Attempting to install client_sign.pem

	HSM certificate installed successfully.
	The syslog service needs to be (re)started before a secure connection can be enabled.

Command Result : 0 (Success)

6.Add the remote server configuration.

lunash:>audit remotehost add -host 192.168.140.45 -protocol tcp -port 30007 -mode mutual -tls

	Stopping syslog:                                           [  OK  ]

	Starting syslog:                                           [  OK  ]

	192.168.140.45 added successfully
	Make sure the rsyslog service on 192.168.140.45 is properly configured to receive the logs

Command Result : 0 (Success)

7.Execute a command in lunash and ensure that the log entry from the Luna Network HSM 7 appliance is received on the server.

lunash:>audit remotehost list

	Remote logging server(s):
	=========================

	[192.168.140.45]:30007, tcp, tls

Command Result : 0 (Success)

...at the server...

Jun 21 14:25:37 192.168.141.93 [localhost] hsm[13889]: info : 0 : Command: audit remotehost list  : admin : 192.168.106.144/62166
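
The server side that the TCP example's rsyslog.conf fragment and the mutual-authentication procedure above leave to the reader, written here as an added example in rsyslog RainerScript syntax; this is not Thales' code or configuration. It assumes rsyslog 8 with imtcp, imrelp and the gtls driver available, that the server's own signed certificate and key and the CA certificate live under /etc/rsyslog.d/certs/ (assumed paths), and that the placeholder peer name is replaced with the CN in the appliance's signed certificate; it uses the page's ports (30006 for appliance syslog over TCP, 30007 for the audit stream over RELP), facility local3 and the AuditFormat template.

```conf
# Certificate material shared by both TLS listeners (assumed paths).
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/server_sign.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server-key.pem"
)

# Same extraction as the legacy "$template AuditFormat" line on this page:
# field 2 of the message when it is split on '^' (ASCII 94).
template(name="AuditFormat" type="string" string="%msg:F,94:2%\n")
template(name="AuditFile" type="string"
         string="/var/log/luna/%HOSTNAME%_audit.log")

# Port 30007: HSM audit records over RELP with TLS; the appliance must
# present a certificate signed by ca.pem whose CN matches the peer name.
module(load="imrelp")
input(type="imrelp" port="30007"
      tls="on"
      tls.caCert="/etc/rsyslog.d/certs/ca.pem"
      tls.myCert="/etc/rsyslog.d/certs/server_sign.pem"
      tls.myPrivKey="/etc/rsyslog.d/certs/server-key.pem"
      tls.authMode="name"
      tls.permittedPeer=["APPLIANCE-CERT-CN-PLACEHOLDER"]
      ruleset="luna_audit")

# Port 30006: appliance (host) syslog over TCP with TLS, client cert required.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["APPLIANCE-CERT-CN-PLACEHOLDER"])
input(type="imtcp" port="30006" ruleset="luna_syslog")

# Audit records arrive on local3; keep them apart from anything else that
# unexpectedly reaches the audit port, so gaps or stray messages stand out.
ruleset(name="luna_audit") {
    if $syslogfacility-text == "local3" then {
        action(type="omfile" dynaFile="AuditFile" template="AuditFormat")
        stop
    }
    action(type="omfile" file="/var/log/luna/audit_unexpected.log")
}

# Appliance syslog goes to its own file; the two streams never mix.
ruleset(name="luna_syslog") {
    action(type="omfile" file="/var/log/luna/appliance_syslog.log")
}
```

Validate with rsyslogd -N1 before restarting the service, and remember that the ports and protocols here must match what audit remotehost add and syslog remotehost add were given on the appliance.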

Example of remote audit logging to same host as syslog (7.8.5 onward)

We show the actions of two sessions on the same appliance, to demonstrate remote syslog and remote audit logging operating independently (as long as the shared log server certs and CA are available on the Luna Network HSM 7 appliance).

Recall that the admin user, opening an ssh session to the appliance, has access and authority

>to see and use [*almost] any host-related commands as well as

>to log into the cryptographic module to perform tasks as any HSM/crypto-module account for which the appliance admin possesses that role's authentication.

The exception is the audit user, who logs into the appliance in its own ssh session and

>has access to only a very limited set of appliance commands, and

>can access the cryptographic module only as the HSM audit role, which can perform only audit-related operations within the crypto module.

1.For purposes of illustration, we provide a "clean" start by having the admin user run a factory reset of the appliance's syslog service.

[aa3312] lunash:>sysconf config factoryReset -service syslog -force
Force option used. Proceed prompt bypassed.

Please be patient while the operation is running...
Resetting service(s) to factory defaults:
-----------------------------------------
syslog    :          succeeded

Command Result : 0 (Success)

[aa3312] lunash:>syslog remotehost list

Remote logging server(s):
=========================


Command Result : 0 (Success)

So now no remote logging is taking place, because no remote host is configured to send to. Any certs and related configuration for the syslog service are gone.

2.Logging in as audit

[aa3312] lunash:>my file list


Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost cert status

CA Certificate: Not Configured
HSM Certificate: Not Configured
HSM Private Key: Not Configured

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost cert gen -csr

CSR generated successfully.

Command Result : 0 (Success)
[aa3312] lunash:>my file list

1021 Jun 10 16:24 client_syslog_csr.csr

Command Result : 0 (Success)
[aa3312] lunash:>

3.The server receives the cert signing request, signs it, and sends the signed cert back to the Luna Network HSM 7 appliance.

[root@aa1239]# scp -O audit@192.168.142.30:client_syslog_csr.csr .
[root@aa1239]# ./signWithCA.sh  -f client_syslog_csr.csr -c ca.pem -k ca-key.pem
[root@aa1239]# scp -O client_sign.pem audit@192.168.142.30:
[root@aa1239]# scp -O ca.pem audit@192.168.142.30:
[root@aa1239]# ./setserver.sh  -P relp -p 514 -m mutual -c ca -h 192.168.142.30 -t


4.Back at the Luna Network HSM 7 appliance, the audit user receives and configures for remote audit logging.

[aa3312] lunash:>my file list

1176 Jun 10 16:26 ca.pem
1131 Jun 10 16:25 client_sign.pem
1021 Jun 10 16:24 client_syslog_csr.csr

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost cert status

CA Certificate: Not Configured
HSM Certificate: Not Configured
HSM Private Key: Configured

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost cert installCA ca.pem

Attempting to install ca.pem

Stopping syslog:                                           [  OK  ]

Starting syslog:                                           [  OK  ]

CA certificate installed successfully.

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost cert status

CA Certificate: Configured
HSM Certificate: Not Configured
HSM Private Key: Configured

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost cert install client_sign.pem

Attempting to install client_sign.pem

Stopping syslog:                                           [  OK  ]

Starting syslog:                                           [  OK  ]

HSM certificate installed successfully.

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost cert status

CA Certificate: Configured
HSM Certificate: Configured
HSM Private Key: Configured

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost add -host 192.168.140.45 -protocol relp -port 30007 -mode mutual -tls -name server.rsyslog.com

Stopping syslog:                                           [  OK  ]

Starting syslog:                                           [  OK  ]

192.168.140.45 added successfully
Make sure the rsyslog service on 192.168.140.45 is properly configured to receive the logs

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost list

Remote logging server(s):
=========================

  192.168.140.45:30007, relp, tls

Command Result : 0 (Success)
[aa3312] lunash:>

[aa3312] lunash:>audit login -p <audituserpassword>


Command Result : 0 (Success)


[aa3312] lunash:>audit remotehost cert status

CA Certificate: Configured
HSM Certificate: Configured
HSM Private Key: Configured

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost list

Remote logging server(s):
=========================

  192.168.140.45:30007, relp, tls

Command Result : 0 (Success)
[aa3312] lunash:>

At this point, remote audit logging is configured to proceed over port 30007.

The recent actions by audit user (the login to the HSM) generate log events that go out via port 30007.

2024-06-10T16:29:44.284899-04:00 aa3312 pedClient: ^ 2841,24/06/10 20:29:42,S/N 521169 session 3 Access ae105c3103f20cf7 operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=8 container=3,D6B4FC3651332CC1D319C649B559363FEFC3F9B314A28C394FB4B5FB421F9ACF,190B004082600D003662676600000000AE105C3103F20CF7D1F30700000000000300000003000000070000000800000000000000
16:29:47.214958 eno1  In  IP (tos 0x0, ttl 64, id 13592, offset 0, flags [DF], proto TCP (6), length 596)
    192.168.142.30.34242 > aa1239.lab.hsm.30007: Flags [P.], cksum 0x60e8 (correct), seq 1668:2224, ack 136, win 298, length 556
        0x0000:  4500 0254 3518 4000 4006 d448 0a7c 8e1e  E..T5.@.@..H.|..
        0x0010:  0a7c 8c2d 85c2 0202 c76a a769 166d 8be7  .|.-.....j.i.m..
        0x0020:  5018 012a 60e8 0000 1703 0302 2700 0000  P..*`.......'...

.... more deleted for space...

5.On the same Luna Network HSM 7 appliance, the admin user is looking at syslog.

[aa3312] lunash:>syslog remotehost cert status

CA Certificate: Configured
HSM Certificate: Configured
HSM Private Key: Configured

Command Result : 0 (Success)
[aa3312] lunash:>syslog remotehost list

Remote logging server(s):
=========================


Command Result : 0 (Success)
[aa3312] lunash:>syslog remotehost add -host 192.168.140.45 -protocol tcp -port 30006 -mode mutual -tls

Stopping syslog:                                           [  OK  ]

Starting syslog:                                           [  OK  ]

192.168.140.45 added successfully
Make sure the rsyslog service on 192.168.140.45 is properly configured to receive the logs

Command Result : 0 (Success)
[aa3312] lunash:>syslog remotehost list

Remote logging server(s):
=========================

  192.168.140.45:30006, tcp, tls

Command Result : 0 (Success)
[aa3312] lunash:>

Syslog for appliance/host events is configured and working on port 30006.

Remote syslog and the previously configured remote audit logging share the same certs and CA, but operate over different ports on the appliance.

6.We can verify this by having each user run a command and then looking at the logs on server aa1239.

First the audit user:

[aa3312] lunash:>audit login -p userpin123


Command Result : 0 (Success)
[aa3312] lunash:>
2024-06-10T17:03:35.746501-04:00 aa3312 pedClient: ^ 3312,24/06/10 21:03:33,S/N 521169 session 3 Access ae105c3103f20cf7 operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=8 container=3,82CFC8ED542050F3BCE19EEC5B99C51837567BF9CBF8A355877800CF43A649BE,F00C004082600D00256A676600000000AE105C3103F20CF7D1F30700000000000300000003000000070000000800000000000000
17:03:38.733018 eno1  In  IP (tos 0x0, ttl 64, id 19234, offset 0, flags [DF], proto TCP (6), length 597)
    192.168.142.30.34386 > aa1239.lab.hsm.30007: Flags [P.], cksum 0xfbb5 (correct), seq 89473:90030, ack 8846, win 480, length 557
        0x0000:  4500 0255 4b22 4000 4006 be3d 0a7c 8e1e  E..UK"@.@..=.|..
        0x0010:  0a7c 8c2d 8652 0202 7f5d 8f6b 32ba 7abb  .|.-.R...].k2.z.
        0x0020:  5018 01e0 fbb5 0000 1703 0302 2800 0000  P...........(...

... more, trimmed for space...

Then the appliance admin user:

[aa3312] lunash:>syslog remotehost list

Remote logging server(s):
=========================

  192.168.140.45:30006, tcp, tls

Command Result : 0 (Success)
[aa3312] lunash:>
2024-06-10T17:05:00-04:00 aa3312 hsm[18834]: info : 0 : Command: syslog remotehost list  : admin : 10.105.188.126/58071
 192.168.142.30.34012 > aa1239.lab.hsm.30006: Flags [P.], cksum 0xde22 (correct), seq 432:576, ack 1, win 252, length 144

7.Now (only for demonstration purposes), the audit user in their ssh session deletes their remote server configuration (using port 30007).

[aa3312] lunash:>audit remotehost delete -host 192.168.140.45 -port 30007

WARNING! This action will delete the remote server configuration for 192.168.140.45 with port 30007.
If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'

> proceed
Proceeding...

Stopping syslog:                                           [  OK  ]

Starting syslog:                                           [  OK  ]

Command Result : 0 (Success)
[aa3312] lunash:>audit remotehost list

Remote logging server(s):
=========================


Command Result : 0 (Success)
[aa3312] lunash:>

8.The audit user no longer has remote logging configured. How about the admin user and remote syslogging for appliance (non-crypto module) events?

[aa3312] lunash:>syslog remotehost list

Remote logging server(s):
=========================

  192.168.140.45:30006, tcp, tls

Command Result : 0 (Success)
[aa3312] lunash:>

Syslog still has its connection, and logs are still being sent via port 30006.


2024-06-10T17:06:47-04:00 aa3312 hsm[18834]: info : 0 : Command: syslog remotehost list  : admin : 192.168.188.126/58071


 192.168.142.30.34022 > aa1239.lab.hsm.30006: Flags [P.], cksum 0x59f7 (correct), seq 1590:1734, ack 1552, win 252, length 144


[aa3312] lunash:>audit login -p userpin123


Command Result : 0 (Success)
[aa3312] lunash:>


2024-06-10T17:07:41-04:00 aa3312 hsm[18390]: info : 0 : Command: audit login -password * : audit : 10.105.188.126/58070

 192.168.142.30.34022 > aa1239.lab.hsm.30006: Flags [P.], cksum 0x2a3e (correct), seq 2118:2262, ack 1552, win 252, length 144

Events (like login) are still being logged via syslog and sent out via port 30006, because the certs and CA remain on the appliance, but no more HSM audit logs are sent via port 30007. Deleting the remote server configuration of one service (without removing the certs and CA) has no impact on the other service's remote logging.