Command Line Tools Guide
Red Hat Certificate System                                                            
Previous
 Contents
 Index
 Next

Chapter 4

AuditVerify

About the AuditVerify Tool

The AuditVerify tool is used to verify that signed audit logs were signed with the signed audit private signing key, and that the signed audit log has not been compromised.

Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. This tool uses the public key of the signed audit log signing certificate to verify the digital signatures embedded in a signed audit log. The tool returns output indicating either that the signed audit log was successfully verified or that the signed audit log was not successfully verified. An unsuccessful verification warns the auditor that the signature failed to verify, indicating the log file may have been tampered with (compromised).

Setting Up the Auditor's Database

The AuditVerify tool needs access to a set of security databases containing the signed audit log signing certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be marked as trusted in the database.

The auditor should import the audit signing certificate into his/her own certificate and key databases before running the tool. The auditor should not use the same security databases as the CS instance that generated the signed audit log files.

If the auditor does not have a readily accessible certificate and key database, the auditor will have to create a set of certificate and key databases and import the signed audit log signing certificate chain.

To create the security databases and import the certificate chain (Note: if the auditor has a readily accessible certificate and key database, steps 1 and 2 should be skipped):

  1. As an auditor, create the security database directory in your file system. For example:
mkdir dbdir
  1. Use the certutil tool to create an empty set of certificate databases in the directory you just created. For example:
certutil -d <dbdir> -N
  1. Import the CA certificate and log signing certificate into the databases, marking the CA certificate as trusted. The certificates can be obtained from the CA in ASCII format.
For example:
If the CA's certificate is in a file called cacert, and the log signing certificate is in a file called logsigncert, the commands would be:
certutil -d dbdir -A -n "CA Certificate" -t "CT,CT,CT" -a -i cacert
certutil -d dbdir -A -n "Log Signing Certificate" -a -i logsigncert

Audit Verify Tool Syntax

The AuditVerify tool has the following syntax:
AuditVerify -d <dbdir> -n <signing_certificate_nickname> -a <log_list_file> -P <cert/key_db_prefix> [-v]
where:
dbdir
The directory containing the security databases where you have imported the audit log signing certificate.
signing_certificate_nickname
The nickname of the certificate used to sign the log files. The nickname will be whatever you used when you imported the log signing certificate into that database.
log_list_file
A text file you create containing a comma separated list (in chronological order) of the signed audit logs you are verifying (e.g., the content of the log_list_file would look like the following:
/user/server/CSRoot/cert-ca/logs/signedAudit/ca_cert-ca_audit,/user/server/CSRoot/cert-ca/logs/signedAudit/ca_cert-ca_audit.20030227102711,/user/server/CSRoot/cert-ca/logs/signedAudit/ca_cert-ca_audit.20030226094015)
cert/key_db_prefix
The prefix to prepend to the certificate and key database filenames.
In most cases, since the auditor is using his own personal certificate and key databases, empty quotation marks ("") should be specified for this argument, since no prefix was prepended to the security database files you created.
-v
Specifies verbose output. This argument is optional.

Return Values

When you use the AuditVerify Tool, you will receive one of the following return values:

0
Indicates that the signed audit log has been successfully verified.
1
Indicates that the tool did not successfully run to completion.
2
Indicates that one or more invalid signatures were found when running the tool on the specified file. This means that one or more of the logs that you were verifying failed to verify.

Using the Audit Verify Tool

Once you have an appropriately-configured database directory, you can use the AuditVerify tool by following these steps:

  1. Create a text file containing a comma-separated list of the files you want to verify. The name of this file will be used in the AuditVerify command to identify this file. In this example this file is called logListFile.
For example, this file might contain the following contents:
auditlog.1213, auditlog.1214, auditlog.1215
  1. Got to the following directory:
<server_root>/bin/cert/tools
  1. Issue the AuditVerify command. For example:
AuditVerify -d /user/home/smith/.redhat -n auditsigningcert -a /etc/audit/logListFile -P "" -v



Previous
 Contents
 Index
 Next
© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.
Read the Full Copyright and Third-Party Acknowledgments.

 last updated July 18, 2005