Accessibility of Audit Information

Perform necessary actions to ensure that vHSM’s audit configurations follow the recommended practices for safe and unsafe audit parameters.

This health check verifies whether audit information is accessible and usable by log consumers. It ensures that vHSM’s audit configurations follow the recommended practices for safe and unsafe audit parameters.

Health Check Name: audit_visibility

Accessed APIs

Method

API Endpoint

Description

READ

/sys/mounts/:mount/tune

Reads tuning parameters of the mount path.

Configuration Parameters

Parameter

Type

Default

Description

ignored_parameters

List

nil

A list of parameters to ignore when checking for HMAC audit status.

Health Check Results

This check provides informational feedback about whether audit data parameters are properly HMAC’d or left in cleartext as expected.
It ensures adherence to the list of safe and unsafe audit fields.
Results will not trigger warnings or errors but serve as guidance for improving audit visibility.

Recommended Actions

To improve audit log visibility and control what is HMAC’d or excluded, fine-tune the audit parameters using the following command:

Note: Ensure to replace the <mount> value with the actual mount path of the secrets engine being tuned.

vhsm secrets tune \
  -audit-non-hmac-response-keys=certificate \
  -audit-non-hmac-response-keys=issuing_ca \
  -audit-non-hmac-response-keys=serial_number \
  -audit-non-hmac-response-keys=error \
  -audit-non-hmac-response-keys=ca_chain \
  -audit-non-hmac-request-keys=certificate \
  -audit-non-hmac-request-keys=issuer_ref \
  -audit-non-hmac-request-keys=common_name \
  -audit-non-hmac-request-keys=alt_names \
  -audit-non-hmac-request-keys=other_sans \
  -audit-non-hmac-request-keys=ip_sans \
  -audit-non-hmac-request-keys=uri_sans \
  -audit-non-hmac-request-keys=ttl \
  -audit-non-hmac-request-keys=not_after \
  -audit-non-hmac-request-keys=serial_number \
  -audit-non-hmac-request-keys=key_type \
  -audit-non-hmac-request-keys=private_key_format \
  -audit-non-hmac-request-keys=managed_key_name \
  -audit-non-hmac-request-keys=managed_key_id \
  -audit-non-hmac-request-keys=ou \
  -audit-non-hmac-request-keys=organization \
  -audit-non-hmac-request-keys=country \
  -audit-non-hmac-request-keys=locality \
  -audit-non-hmac-request-keys=province \
  -audit-non-hmac-request-keys=street_address \
  -audit-non-hmac-request-keys=postal_code \
  -audit-non-hmac-request-keys=permitted_dns_domains \
  -audit-non-hmac-request-keys=policy_identifiers \
  -audit-non-hmac-request-keys=ext_key_usage_oids \
  -audit-non-hmac-request-keys=csr \
  <mount>

PreviousPerformance Impact NextAllow If-Modified-Since Requests

Last updated 1 month ago

Was this helpful?

vhsm secrets tune \ -audit-non-hmac-response-keys=certificate \ -audit-non-hmac-response-keys=issuing_ca \ -audit-non-hmac-response-keys=serial_number \ -audit-non-hmac-response-keys=error \ -audit-non-hmac-response-keys=ca_chain \ -audit-non-hmac-request-keys=certificate \ -audit-non-hmac-request-keys=issuer_ref \ -audit-non-hmac-request-keys=common_name \ -audit-non-hmac-request-keys=alt_names \ -audit-non-hmac-request-keys=other_sans \ -audit-non-hmac-request-keys=ip_sans \ -audit-non-hmac-request-keys=uri_sans \ -audit-non-hmac-request-keys=ttl \ -audit-non-hmac-request-keys=not_after \ -audit-non-hmac-request-keys=serial_number \ -audit-non-hmac-request-keys=key_type \ -audit-non-hmac-request-keys=private_key_format \ -audit-non-hmac-request-keys=managed_key_name \ -audit-non-hmac-request-keys=managed_key_id \ -audit-non-hmac-request-keys=ou \ -audit-non-hmac-request-keys=organization \ -audit-non-hmac-request-keys=country \ -audit-non-hmac-request-keys=locality \ -audit-non-hmac-request-keys=province \ -audit-non-hmac-request-keys=street_address \ -audit-non-hmac-request-keys=postal_code \ -audit-non-hmac-request-keys=permitted_dns_domains \ -audit-non-hmac-request-keys=policy_identifiers \ -audit-non-hmac-request-keys=ext_key_usage_oids \ -audit-non-hmac-request-keys=csr \ <mount>