Entrust nShield Security Manual page 23

installed in every nShield Connect). It uses a cryptographic mechanism to assure the
integrity of the audit log distributed to third party SIEM Collectors.
• The SIEM Collectors should be located in a protected environment that limits
physical access to the processing platform(s), on which the collector and validation
applications are running, to authorized users.
• The availability of log messages delivered to the SIEM Collectors should be
maintained through a set of controls including:
◦ Configuring multiple SIEM Collectors for each HSM
◦ Regular backups
◦ Physical and logical controls.
• A mechanism should be supplied to support the reliable delivery of logging
messages to the SIEM Collectors.
• The network should be configured correctly to help prevent message corruption,
congestion, forwarding loops and incorrect delivery.
• The Audit Logging Verification process provided by Entrust to support the
authenticated supply of a Trusted Root to the customer should be followed. See the
User Guide for your HSM for further information on Audit Logging Verification.
• Prior to shutting down the nShield Connect, a delay of at least 17 minutes should be
made after the final log messages has been dispatched to the SIEM to ensure that
the outstanding integrity verification message for those log messages is dispatched.
This requires that no further commands are entered that generate log messages
during this period. The receipt of the verification message on the SIEM should be
confirmed prior to HSM shutdown.
• The integrity verification messages allows missing or altered log messages to be
detected. In the event of a power failure, or an SOS on the nShield Connect, the loss
/manipulation of any log message received after the last integrity verifications
message cannot be detected, and therefore these log messages cannot be trusted.
4.7.3. nShield Connect tamper log
The nShield Connect's Tamper Log is located within the nShield Connect and protected
by the nShield Connect's tamper mechanisms. It cannot be erased.
4.7.4. nShield Connect system and hardserver logs
The nShield Connect's System and Hardserver Logs can be stored within the nShield
Connect's tamper response boundary or pushed out to the RFS or a remote syslog
server. If the logs are stored locally then they will be protected by the tamper response
boundary but will be lost if the nShield Connect is rebooted. Logging stops when the file
system is full.
nShield® Security Manual 23 of 90