Chapter 5.
AuditVerify
5.1. About the AuditVerify Tool
The AuditVerify tool is used to verify that signed audit logs were signed with the private signing
key and that the audit logs have not been compromised.
Auditors can verify the authenticity of signed audit logs using the AuditVerify tool. This tool uses
the public key of the signed audit log signing certificate to verify the digital signatures embedded in
a signed audit log file. The tool response indicates either that the signed audit log was successfully
verified or that the signed audit log was not successfully verified. An unsuccessful verification warns
the auditor that the signature failed to verify, indicating the log file may have been tampered with
(compromised).
5.2. Setting up the Auditor's Database
AuditVerify needs access to a set of security databases containing the signed audit log signing
certificate and its chain of issuing certificates. One of the CA certificates in the issuance chain must be
marked as trusted in the database.
The auditor should import the audit signing certificate and its issuing chain into certificate and key
databases before running AuditVerify. The auditor should not use the security databases of the
Certificate System instance that generated the signed audit log files, since a compromised instance
could also have altered those databases. If no certificate and key databases are readily accessible, the
auditor must create a set of certificate and key databases and import the signed audit log signing
certificate chain.
To create the security databases and import the certificate chain, do the following:
1. Create the security database directory in the filesystem.
mkdir /var/lib/instance_ID/logs/signedAudit/dbdir
2. Use the certutil tool to create an empty set of certificate databases.
certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -N
3. Import the CA certificate and the log signing certificate into the databases, marking the CA certificate
as trusted. The certificates can be obtained from the CA in ASCII (PEM) format. Before marking the CA
certificate trusted, confirm its fingerprint against a copy obtained out of band; the trust placed in
every verified audit log rests on this certificate.
If the CA certificate is in a file called cacert.txt and the log signing certificate is in a file called
logsigncert.txt, both in the Certificate System alias/ directory, then certutil is used as follows
to import them into the new audit security database directory and set the trust flags:
certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -A -n "CA Certificate" -t "CT,CT,CT" -a -i /var/lib/instance_ID/alias/cacert.txt
certutil -d /var/lib/instance_ID/logs/signedAudit/dbdir -A -n "Log Signing Certificate" -a -i /var/lib/instance_ID/alias/logsigncert.txt
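The three steps above collected into one script, as an added example that is not part of the Certificate System guide. It uses the guide's placeholder paths and nicknames as defaults (all of them assumptions, overridable through the environment), requires the NSS certutil tool and, for the fingerprint, openssl, refuses to overwrite an existing database, and checks after import that both certificates are present.

```shell
#!/bin/sh
# Added example, not from the Certificate System guide: create the auditor's
# own NSS certificate/key databases (5.2) and import the CA certificate
# (trusted) and the log signing certificate (untrusted, chained to the CA).
# Default paths and nicknames are assumptions taken from the guide's
# placeholders; override them through the environment.
set -eu

DBDIR="${DBDIR:-/var/lib/instance_ID/logs/signedAudit/dbdir}"
CACERT="${CACERT:-/var/lib/instance_ID/alias/cacert.txt}"
LOGSIGNCERT="${LOGSIGNCERT:-/var/lib/instance_ID/alias/logsigncert.txt}"
CA_NICK="CA Certificate"
LOG_NICK="Log Signing Certificate"

have_certutil() { command -v certutil >/dev/null 2>&1; }

# SHA-256 fingerprint of a PEM certificate, printed so the auditor can compare
# it with a value obtained out of band before the CA is marked trusted.
cert_fingerprint() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
    else
        echo "(openssl not available; verify the fingerprint by other means)"
    fi
}

# Number of certificates in the database carrying the given nickname.
# "certutil -L" prints one "nickname   trust-flags" line per certificate.
cert_count() {
    certutil -d "$1" -L | grep -c -- "^$2 " || true
}

setup_auditor_db() {
    dbdir=$1; cacert=$2; logsigncert=$3
    have_certutil || { echo "certutil (NSS tools) not found" >&2; return 1; }
    [ -r "$cacert" ] && [ -r "$logsigncert" ] ||
        { echo "certificate files are not readable" >&2; return 1; }
    # Never reuse an existing database: the guide calls for a fresh auditor set.
    if [ -e "$dbdir/cert8.db" ] || [ -e "$dbdir/cert9.db" ]; then
        echo "$dbdir already holds a certificate database" >&2; return 1
    fi

    # Step 1: directory for the databases, readable only by the auditor.
    mkdir -p "$dbdir"
    chmod 700 "$dbdir"

    # Step 2: empty certificate and key databases. No password is needed
    # because only public certificates are stored here.
    certutil -d "$dbdir" -N --empty-password

    # Step 3a: trust the CA only after its fingerprint has been checked.
    echo "CA certificate SHA-256 fingerprint: $(cert_fingerprint "$cacert")"
    certutil -d "$dbdir" -A -n "$CA_NICK" -t "CT,CT,CT" -a -i "$cacert"

    # Step 3b: the log signing certificate gets no trust flags of its own;
    # it is accepted because it chains to the trusted CA.
    certutil -d "$dbdir" -A -n "$LOG_NICK" -a -i "$logsigncert"

    # Confirm both certificates are present before running AuditVerify.
    [ "$(cert_count "$dbdir" "$CA_NICK")" -eq 1 ] &&
    [ "$(cert_count "$dbdir" "$LOG_NICK")" -eq 1 ]
}

# Usage: AUDITDB_RUN=1 [DBDIR=... CACERT=... LOGSIGNCERT=...] sh setup_auditor_db.sh
if [ "${AUDITDB_RUN:-0}" = 1 ]; then
    setup_auditor_db "$DBDIR" "$CACERT" "$LOGSIGNCERT"
fi
```

Point AuditVerify at the resulting directory with the "Log Signing Certificate" nickname; a failed import or a missing nickname makes the script exit non-zero before any log is verified.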
5.3. Syntax
The AuditVerify tool has the following syntax: