Accessibility of Audit Information

Ensure that vHSM’s audit configurations follow the recommended practices for safe and unsafe audit parameters.

This health check verifies whether audit information is accessible and usable by log consumers. It does so by checking that each mount’s audit configuration follows the recommended lists of safe audit parameters (fields that may be logged in cleartext) and unsafe audit parameters (fields that must remain HMAC’d).

Health Check Name: audit_visibility

Accessed APIs

Method   API Endpoint              Description
READ     /sys/mounts/:mount/tune   Reads the tuning parameters of the mount path.

Configuration Parameters

Parameter            Type   Default   Description
ignored_parameters   List   nil       A list of parameters to ignore when checking the HMAC audit status.

Health Check Results

  • This check provides informational feedback about whether audit data parameters are properly HMAC’d or left in cleartext as expected.

  • It ensures adherence to the list of safe and unsafe audit fields.

  • Results will not trigger warnings or errors but serve as guidance for improving audit visibility.

To improve audit log visibility and control which fields are HMAC’d and which are logged in cleartext, tune the audit parameters of the mount with the following command:

Note: Replace the <mount> placeholder with the actual mount path of the secrets engine being tuned.

vhsm secrets tune \
  -audit-non-hmac-response-keys=certificate \
  -audit-non-hmac-response-keys=issuing_ca \
  -audit-non-hmac-response-keys=serial_number \
  -audit-non-hmac-response-keys=error \
  -audit-non-hmac-response-keys=ca_chain \
  -audit-non-hmac-request-keys=certificate \
  -audit-non-hmac-request-keys=issuer_ref \
  -audit-non-hmac-request-keys=common_name \
  -audit-non-hmac-request-keys=alt_names \
  -audit-non-hmac-request-keys=other_sans \
  -audit-non-hmac-request-keys=ip_sans \
  -audit-non-hmac-request-keys=uri_sans \
  -audit-non-hmac-request-keys=ttl \
  -audit-non-hmac-request-keys=not_after \
  -audit-non-hmac-request-keys=serial_number \
  -audit-non-hmac-request-keys=key_type \
  -audit-non-hmac-request-keys=private_key_format \
  -audit-non-hmac-request-keys=managed_key_name \
  -audit-non-hmac-request-keys=managed_key_id \
  -audit-non-hmac-request-keys=ou \
  -audit-non-hmac-request-keys=organization \
  -audit-non-hmac-request-keys=country \
  -audit-non-hmac-request-keys=locality \
  -audit-non-hmac-request-keys=province \
  -audit-non-hmac-request-keys=street_address \
  -audit-non-hmac-request-keys=postal_code \
  -audit-non-hmac-request-keys=permitted_dns_domains \
  -audit-non-hmac-request-keys=policy_identifiers \
  -audit-non-hmac-request-keys=ext_key_usage_oids \
  -audit-non-hmac-request-keys=csr \
  <mount>
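The following is an added example (not vHSM’s own health check code) of the comparison the audit_visibility check performs: it takes a mount’s tune parameters and reports recommended cleartext keys that are still HMAC’d, as well as cleartext keys outside the recommended list, honoring ignored_parameters. The recommended keys are the ones in the tune command above; the field names audit_non_hmac_request_keys / audit_non_hmac_response_keys and the sample tune response are assumptions constructed for the example.

```python
"""Re-implementation of the audit_visibility comparison for illustration.

The JSON field names and the sample tune response below are assumed/constructed;
the recommended key lists are taken from the tune command on this page.
"""

# Response keys recommended to be logged in cleartext (not HMAC'd).
RECOMMENDED_NON_HMAC_RESPONSE_KEYS = {
    "certificate", "issuing_ca", "serial_number", "error", "ca_chain",
}

# Request keys recommended to be logged in cleartext (not HMAC'd).
RECOMMENDED_NON_HMAC_REQUEST_KEYS = {
    "certificate", "issuer_ref", "common_name", "alt_names", "other_sans",
    "ip_sans", "uri_sans", "ttl", "not_after", "serial_number", "key_type",
    "private_key_format", "managed_key_name", "managed_key_id", "ou",
    "organization", "country", "locality", "province", "street_address",
    "postal_code", "permitted_dns_domains", "policy_identifiers",
    "ext_key_usage_oids", "csr",
}

# Constructed sample of what a mount tune read might return (assumed field names).
SAMPLE_TUNE = {
    "audit_non_hmac_response_keys": ["certificate", "issuing_ca", "serial_number"],
    "audit_non_hmac_request_keys": ["common_name", "csr", "private_key"],
}


def audit_visibility(tune: dict, ignored_parameters=None) -> dict:
    """Compare a mount's audit_non_hmac_* settings with the recommended lists.

    Returns, per field, the recommended cleartext keys that are still HMAC'd
    (log consumers cannot read them) and the cleartext keys that are not on the
    recommended list (worth reviewing, since they may expose sensitive values).
    Keys listed in ignored_parameters are excluded from both findings.
    """
    ignored = set(ignored_parameters or [])
    findings = {}
    for field, recommended in (
        ("audit_non_hmac_request_keys", RECOMMENDED_NON_HMAC_REQUEST_KEYS),
        ("audit_non_hmac_response_keys", RECOMMENDED_NON_HMAC_RESPONSE_KEYS),
    ):
        configured = set(tune.get(field) or [])
        findings[field] = {
            "still_hmaced": sorted(recommended - configured - ignored),
            "unexpected_cleartext": sorted(configured - recommended - ignored),
        }
    return findings
```

The result is informational, matching the check’s behaviour on this page: an empty "still_hmaced" and "unexpected_cleartext" for both fields means the mount follows the recommended lists.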
