audit config
Set the audit logging configuration parameters. This command allows you to configure the following:
>Which events are captured in the log
>The log rotation interval
NOTE After initializing the Audit role on a password-authenticated HSM, log in as the Auditor and set the domain (see role setdomain). This step is required before setting logging parameters or the log filepath, or importing/exporting audit logs.
The audit commands appear only when LunaCM's active slot is set to the administrative partition.
This command is not applicable on DPoD Luna Cloud HSM services.
Syntax
audit config [get] [force] [path <filepath>] [evmask <mask>] [interval <interval>] [size <integer><k | m>]
Argument(s) | Shortcut | Description
---|---|---
evmask <mask> | e | Comma-separated list of events to log. In addition to an event category, you must specify the condition(s) under which those events are logged: 'f' for failures, 's' for successes, or both. Any or all of the following may be specified: >[f]ailure: log command failures >[s]uccess: log command successes >[a]ccess: log access attempts (logins) >[m]anage: log HSM management (init/reset/etc.) >[k]eymanage: key management events (key create/delete) >[u]sage: key usage (enc/dec/sig/ver) >fi[r]st: first key usage only (enc/dec/sig/ver) >e[x]ternal: log messages from CA_LogExternal >lo[g]manage: log events relating to log configuration >a[l]l: log everything (the user is warned) >[n]one: turn logging off. Note: When specifying an event class to log, you must also specify whether successful or failed events are to be logged. For example, to log all key management events, both successes and failures, use "audit config e k,s,f".
force | f | Force the action without prompting for confirmation.
get | g | Get (show) the current configuration.
interval <interval> | i | Log rotation interval. Enter one of the following: >hourly [@min] >daily [@hour:min] >weekly [@day:hour:min] >monthly [@date:hour:min] >never
path <filepath> | p | Path on the host to which logs are written. Enclose any filepath that contains a space in quotation marks, to prevent misreading. The command returns an error if the specified path does not exist. CAUTION! Linux only: if you delete the directory specified by the path parameter, cryptographic operations continue without a warning or error, and logging continues until the HSM FRAM is full, at which point a CKR_LOG_FULL message is generated.
size <integer><k | m> | s | Size limit of a log, to trigger rotation: an integer giving the size in bytes, with the optional modifier k (KB) or m (MB) after it. For example, s 8388608, s 8192k and s 8m all specify rotation when the log reaches 8MB. Valid range: 4096k - 2097151k. Default: 2097151k.
Example
audit config e s                  audit all command successes
audit config e f                  audit all command failures
audit config e u,f,s              audit all key usage requests, both success and failure
audit config e n                  log nothing
audit config p /usr/lunapci/log   set path
audit config i daily@12:05        rotate logs daily at 12:05
audit config s 4096k              rotate logs when 4MB is exceeded

lunacm:> audit config evmask all,failure,success
You have chosen to log all successful key usage events. This can result in an extremely high volume of log messages, which will significantly degrade the overall performance of the HSM.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now -> proceed
Command Result : No Error

lunacm:> audit config get
Current Logging Configuration
-----------------------------
event mask : Log everything
rotation interval : daily@0:00
rotation size (MB): 4
path to log : /var/audit/
Command Result : No Error
NOTE In the above output from audit config get, the configuration rotates the logs daily, and "rotation size (MB)" gives the maximum size of a single log file. With this configuration, multiple log files may be produced per day, none larger than 4MB.
Example removing key management actions from items to log
lunacm:>audit config get
Current Logging Configuration
-----------------------------
event mask : Log failure+success+access+manage+keymanage
rotation interval : infinite
rotation size : never (2097151 KB max file size)
path to log : /root/logging
Command Result : No Error
lunacm:>audit config e f,s,a,m
Command Result : No Error
lunacm:>audit config get
Current Logging Configuration
-----------------------------
event mask : Log failure+success+access+manage
rotation interval : infinite
rotation size : never (2097151 KB max file size)
path to log : /root/logging
Command Result : No Error
Now perform a partition clone (in or out) with a CPV4 cipher enabled (CPV=0, CPV3 disabled):
lunacm:>partition clone -o 0 -slot 27 -p userpinco
Logging in to target slot 27
Checking if objects already exist on target slot 27.
Cloning the objects.
Handle 294 on slot 26 is now handle 70 on slot 27
Handle 293 on slot 26 is now handle 75 on slot 27
Handle 290 on slot 26 is now handle 76 on slot 27
Handle 289 on slot 26 is now handle 79 on slot 27
Handle 286 on slot 26 is now handle 101 on slot 27
Handle 285 on slot 26 is now handle 104 on slot 27
Handle 282 on slot 26 is now handle 105 on slot 27
Handle 281 on slot 26 is now handle 313 on slot 27
Handle 278 on slot 26 is now handle 314 on slot 27
Handle 277 on slot 26 is now handle 317 on slot 27
Handle 274 on slot 26 is now handle 318 on slot 27
Handle 273 on slot 26 is now handle 321 on slot 27
Handle 270 on slot 26 is now handle 322 on slot 27
Handle 269 on slot 26 is now handle 325 on slot 27
Handle 266 on slot 26 is now handle 326 on slot 27
Handle 265 on slot 26 is now handle 329 on slot 27
Handle 262 on slot 26 is now handle 330 on slot 27
Handle 261 on slot 26 is now handle 333 on slot 27
Handle 258 on slot 26 is now handle 334 on slot 27
Handle 257 on slot 26 is now handle 337 on slot 27
Handle 254 on slot 26 is now handle 338 on slot 27
Handle 253 on slot 26 is now handle 341 on slot 27
Handle 250 on slot 26 is now handle 342 on slot 27
Handle 249 on slot 26 is now handle 345 on slot 27
Handle 246 on slot 26 is now handle 346 on slot 27
Handle 245 on slot 26 is now handle 349 on slot 27
Handle 242 on slot 26 is now handle 350 on slot 27
Handle 241 on slot 26 is now handle 353 on slot 27
Handle 238 on slot 26 is now handle 354 on slot 27
Handle 237 on slot 26 is now handle 357 on slot 27
Handle 234 on slot 26 is now handle 358 on slot 27
Handle 233 on slot 26 is now handle 361 on slot 27
Handle 230 on slot 26 is now handle 362 on slot 27
Handle 229 on slot 26 is now handle 365 on slot 27
Handle 226 on slot 26 is now handle 366 on slot 27
Handle 225 on slot 26 is now handle 369 on slot 27
Handle 222 on slot 26 is now handle 370 on slot 27
Handle 221 on slot 26 is now handle 373 on slot 27
Handle 218 on slot 26 is now handle 374 on slot 27
Handle 217 on slot 26 is now handle 377 on slot 27
Handle 214 on slot 26 is now handle 378 on slot 27
Handle 213 on slot 26 is now handle 381 on slot 27
Handle 210 on slot 26 is now handle 382 on slot 27
Handle 209 on slot 26 is now handle 385 on slot 27
Handle 206 on slot 26 is now handle 386 on slot 27
Handle 205 on slot 26 is now handle 389 on slot 27
Handle 202 on slot 26 is now handle 390 on slot 27
Handle 201 on slot 26 is now handle 393 on slot 27
Handle 198 on slot 26 is now handle 394 on slot 27
Handle 197 on slot 26 is now handle 397 on slot 27
Handle 194 on slot 26 is now handle 398 on slot 27
Handle 193 on slot 26 is now handle 401 on slot 27
Handle 190 on slot 26 is now handle 402 on slot 27
Handle 189 on slot 26 is now handle 405 on slot 27
Handle 186 on slot 26 is now handle 406 on slot 27
Handle 185 on slot 26 is now handle 409 on slot 27
Handle 182 on slot 26 is now handle 410 on slot 27
Handle 181 on slot 26 is now handle 413 on slot 27
Handle 178 on slot 26 is now handle 414 on slot 27
Handle 177 on slot 26 is now handle 417 on slot 27
Handle 174 on slot 26 is now handle 418 on slot 27
Handle 173 on slot 26 is now handle 421 on slot 27
Handle 170 on slot 26 is now handle 422 on slot 27
Handle 169 on slot 26 is now handle 425 on slot 27
Handle 166 on slot 26 is now handle 426 on slot 27
Handle 165 on slot 26 is now handle 429 on slot 27
Handle 162 on slot 26 is now handle 430 on slot 27
Handle 161 on slot 26 is now handle 433 on slot 27
Handle 158 on slot 26 is now handle 434 on slot 27
Handle 157 on slot 26 is now handle 437 on slot 27
Handle 154 on slot 26 is now handle 438 on slot 27
Handle 153 on slot 26 is now handle 441 on slot 27
Handle 150 on slot 26 is now handle 442 on slot 27
Handle 149 on slot 26 is now handle 445 on slot 27
Handle 146 on slot 26 is now handle 446 on slot 27
Handle 145 on slot 26 is now handle 449 on slot 27
Handle 142 on slot 26 is now handle 450 on slot 27
Handle 141 on slot 26 is now handle 453 on slot 27
Handle 138 on slot 26 is now handle 454 on slot 27
Handle 137 on slot 26 is now handle 457 on slot 27
Handle 134 on slot 26 is now handle 458 on slot 27
Handle 133 on slot 26 is now handle 461 on slot 27
Handle 130 on slot 26 is now handle 462 on slot 27
Handle 129 on slot 26 is now handle 465 on slot 27
Handle 126 on slot 26 is now handle 466 on slot 27
Handle 125 on slot 26 is now handle 469 on slot 27
Handle 122 on slot 26 is now handle 470 on slot 27
Handle 121 on slot 26 is now handle 473 on slot 27
Handle 118 on slot 26 is now handle 474 on slot 27
Handle 117 on slot 26 is now handle 477 on slot 27
Handle 114 on slot 26 is now handle 478 on slot 27
Handle 113 on slot 26 is now handle 481 on slot 27
Handle 110 on slot 26 is now handle 482 on slot 27
Handle 109 on slot 26 is now handle 485 on slot 27
Handle 97 on slot 26 is now handle 486 on slot 27
Handle 85 on slot 26 is now handle 489 on slot 27
Handle 94 on slot 26 is now handle 490 on slot 27
Handle 93 on slot 26 is now handle 493 on slot 27
Handle 89 on slot 26 is now handle 494 on slot 27
Handle 86 on slot 26 is now handle 497 on slot 27
Migrated 100 objects
Command Result : No Error
lunacm:>
Scroll back through the last hundred or so lines of Secure Log output: there is no mention of the migration or of any insert/extract commands, because keymanage was removed from the event mask. Only the access events (session open/close, login/logout) generated by the clone are recorded:
9925517,22/01/14 20:38:13,S/N 18373207469733 session 5 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 5 ,60DABCE85788BEDFD0C7857D4330034EEDD747DB706547472E6DE707EB986940,8D7397408260240035DFE161000000009B24F87F487D51EBA52E81D8B51000000500000000000000000000000000000000000000
9925518,22/01/14 20:38:13,S/N 18373207469733 session 5 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 5 ,50AEBF8088ADF075AE9455A5112F3AACA09AB5E1CCE1D412D8BF357D31C1B87C,8E7397400260260035DFE161000000009B24F87F487D51EBA52E81D8B51000000500000000000000000000000000000000000000
9925519,22/01/14 20:38:23,S/N 18373207469732 session 5 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 5 ,49CD7DFC8D0B287E2AA3489D7E187379253AA4D68B82388DC8955810A995DC3B,8F739740826024003FDFE161000000009B24F87F487D51EBA42E81D8B51000000500000000000000000000000000000000000000
9925520,22/01/14 20:38:23,S/N 18373207469732 session 5 Access 9b24f87f487d51eb operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=0 container=6 ,D9659DCEECFCD6052879937A937E4B3A92074E03A823CC93889F191FC66E0655,9073974002600D003FDFE161000000009B24F87F487D51EBA42E81D8B51000000500000006000000070000000000000000000000
9925521,22/01/14 20:39:38,S/N 18373207469732 session 6 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 6 ,4C4F730BB22262F55140F142EB27670F64D3B9393722CE278A95FA6FC3DE1816,91739740826024008ADFE161000000009B24F87F487D51EBA42E81D8B51000000600000000000000000000000000000000000000
9925522,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 7 ,FFB17D3BCFDE980AC91EBB09D62FD415A3341BB9A1211023B0FF4570F0030AA9,92739740826024008ADFE161000000009B24F87F487D51EBA52E81D8B51000000700000000000000000000000000000000000000
9925523,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=0 container=63 ,DAC77E99B544B1F9A475106F90B456AB3A1829C1C356AE7B94A7B4E0A346437B,9373974002600D008ADFE161000000009B24F87F487D51EBA52E81D8B5100000070000003F000000070000000000000000000000
9925524,22/01/14 20:39:38,S/N 18373207469732 session 6 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 6 ,1586983CA033CF8C8AB9A8E638ED971021D1D4B991945F9BB10E59FF15BCF8B2,94739740026026008ADFE161000000009B24F87F487D51EBA42E81D8B51000000600000000000000000000000000000000000000
9925525,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_LOGOUT returned RC_OK(0x00000000) roleID=0 container=63 ,A961ED9AAC4011288D8D9BDB4595FF67C28DF64D7B7D883C0003D523F526E43F,9573974002600E008ADFE161000000009B24F87F487D51EBA52E81D8B5100000070000003F000000000000000000000000000000
9925526,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 7 ,0284B1730007D473C9FC37DA8221F636592E0B35B351FF5D4E5C16D87F9DE1F4,96739740026026008ADFE161000000009B24F87F487D51EBA52E81D8B51000000700000000000000000000000000000000000000
9925527,22/01/14 20:40:18,S/N 18373207469732 session 5 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 5 ,8212A73324B5EEC5E2AA7DA2BBBE04F17A5E7F0D0F978B34BB7298A5B4EA0F66,9773974002602600B2DFE161000000009B24F87F487D51EBA42E81D8B51000000500000000000000000000000000000000000000
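The following Python helper is an added example and is not code from the Luna documentation or from Thales. It encodes the evmask rules from the argument table above (an event class needs 'f' and/or 's'; 'none' stands alone), parses Secure Log records in the format printed above, and reports which event classes a mask such as f,s,a,m can never record. The mapping of LUNA_OPEN_SESSION, LUNA_CLOSE_SESSION, LUNA_LOGIN and LUNA_LOGOUT to the 'access' class is an assumption made for the example; the sample records are six consecutive lines copied from the Secure Log excerpt above.

```python
# Added example (not the Luna documentation's own code): applies the
# 'audit config evmask' rules from the argument table, parses Secure Log
# records in the format shown on this page, and reports whether the
# configured mask could have recorded the operations a reviewer looks for.
import re
from collections import Counter

# Shortcut letters and names documented for 'audit config evmask'.
EVMASK_SHORTCUTS = {
    "f": "failure", "s": "success", "a": "access", "m": "manage",
    "k": "keymanage", "u": "usage", "r": "first", "x": "external",
    "g": "logmanage", "l": "all", "n": "none",
}
CONDITIONS = {"failure", "success"}
EVENT_CLASSES = set(EVMASK_SHORTCUTS.values()) - CONDITIONS - {"none"}

def parse_evmask(mask):
    """Expand 'f,s,a,m' or 'all,failure,success' to full names and enforce the
    documented rules: an event class needs 'f' and/or 's'; 'none' stands alone."""
    items = set()
    for tok in (t.strip().lower() for t in mask.split(",") if t.strip()):
        name = EVMASK_SHORTCUTS.get(tok, tok)
        if name not in EVMASK_SHORTCUTS.values():
            raise ValueError(f"unknown evmask item {tok!r}")
        items.add(name)
    if "none" in items and len(items) > 1:
        raise ValueError("'none' cannot be combined with other items")
    if items & EVENT_CLASSES and not items & CONDITIONS:
        raise ValueError("an event class was given without 'f' and/or 's'")
    return items

def evmask_problem(mask):
    """The rule a mask breaks, or None if it is acceptable."""
    try:
        parse_evmask(mask)
    except ValueError as exc:
        return str(exc)
    return None

def classes_missing(mask, required=("keymanage", "usage")):
    """Event classes a reviewer needs that the mask will never record."""
    items = parse_evmask(mask)
    return [] if "all" in items else [c for c in required if c not in items]

# One Secure Log record as printed on this page:
#   <recno>,<dd/mm/yy HH:MM:SS>,S/N <serial> session <n> Access <id> operation <OP>
#   returned <RC>(0x........) <detail> ,<hex>,<hex>   (trailing hex fields kept opaque)
RECORD_RE = re.compile(
    r"^(?P<recno>\d+),(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),"
    r"S/N (?P<serial>\d+) session (?P<session>\d+) Access (?P<access>[0-9a-fA-F]+) "
    r"operation (?P<op>\w+) returned (?P<rc>\w+\(0x[0-9a-fA-F]{8}\))"
    r"(?P<detail>[^,]*),(?P<hex1>[0-9a-fA-F]+),(?P<hex2>[0-9a-fA-F]+)$")

# Assumption: these are the operations the 'access' class (logins) covers;
# they are the only operations present in the page's excerpt.
ACCESS_OPS = {"LUNA_OPEN_SESSION", "LUNA_CLOSE_SESSION", "LUNA_LOGIN", "LUNA_LOGOUT"}

def parse_secure_log(text):
    """Parse Secure Log lines into dicts; reject any line that does not match."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed record: {line[:40]!r}")
        rec = m.groupdict()
        rec["recno"], rec["session"] = int(rec["recno"]), int(rec["session"])
        rec["detail"] = rec["detail"].strip()
        records.append(rec)
    return records

def summarize(records):
    """Operation counts, non-access operations, serials seen, and whether record
    numbers are contiguous (a gap means records are missing from the excerpt)."""
    ops = Counter(r["op"] for r in records)
    return {
        "operations": dict(ops),
        "non_access_ops": sorted(op for op in ops if op not in ACCESS_OPS),
        "serials": sorted({r["serial"] for r in records}),
        "contiguous": all(b["recno"] == a["recno"] + 1
                          for a, b in zip(records, records[1:])),
    }

# Six consecutive records copied from the Secure Log excerpt on this page.
SAMPLE_LOG = """\
9925522,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_OPEN_SESSION returned RC_OK(0x00000000) session handle 7 ,FFB17D3BCFDE980AC91EBB09D62FD415A3341BB9A1211023B0FF4570F0030AA9,92739740826024008ADFE161000000009B24F87F487D51EBA52E81D8B51000000700000000000000000000000000000000000000
9925523,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_LOGIN returned RC_OK(0x00000000) roleID=0 container=63 ,DAC77E99B544B1F9A475106F90B456AB3A1829C1C356AE7B94A7B4E0A346437B,9373974002600D008ADFE161000000009B24F87F487D51EBA52E81D8B5100000070000003F000000070000000000000000000000
9925524,22/01/14 20:39:38,S/N 18373207469732 session 6 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 6 ,1586983CA033CF8C8AB9A8E638ED971021D1D4B991945F9BB10E59FF15BCF8B2,94739740026026008ADFE161000000009B24F87F487D51EBA42E81D8B51000000600000000000000000000000000000000000000
9925525,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_LOGOUT returned RC_OK(0x00000000) roleID=0 container=63 ,A961ED9AAC4011288D8D9BDB4595FF67C28DF64D7B7D883C0003D523F526E43F,9573974002600E008ADFE161000000009B24F87F487D51EBA52E81D8B5100000070000003F000000000000000000000000000000
9925526,22/01/14 20:39:38,S/N 18373207469733 session 7 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 7 ,0284B1730007D473C9FC37DA8221F636592E0B35B351FF5D4E5C16D87F9DE1F4,96739740026026008ADFE161000000009B24F87F487D51EBA52E81D8B51000000700000000000000000000000000000000000000
9925527,22/01/14 20:40:18,S/N 18373207469732 session 5 Access 9b24f87f487d51eb operation LUNA_CLOSE_SESSION returned RC_OK(0x00000000) session handle 5 ,8212A73324B5EEC5E2AA7DA2BBBE04F17A5E7F0D0F978B34BB7298A5B4EA0F66,9773974002602600B2DFE161000000009B24F87F487D51EBA42E81D8B51000000500000000000000000000000000000000000000
"""

if __name__ == "__main__":
    recs = parse_secure_log(SAMPLE_LOG)
    print(summarize(recs))
    print("mask f,s,a,m omits:", classes_missing("f,s,a,m"))  # ['keymanage', 'usage']
    print("page typo 't,s,f':", evmask_problem("t,s,f"))
```

The point for a reviewer is that the absence of clone or key-management lines after a partition clone is not evidence that nothing happened: with keymanage removed from the mask, the HSM never recorded them. Check the mask itself (audit config get) as part of any log review rather than inferring coverage from what the log contains, and enable keymanage (and usage, where the volume is tolerable) before operations that move key material.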