# Accessibility of Audit Information

This health check verifies whether audit information is accessible and usable by log consumers. It checks that vHSM’s audit configuration follows the recommended practices for which audit parameters are safe to leave in cleartext and which are unsafe and should remain HMAC’d.

**Health Check Name: `audit_visibility`**

#### **Accessed APIs**

| Method | API Endpoint              | Description                                |
| ------ | ------------------------- | ------------------------------------------ |
| READ   | `/sys/mounts/:mount/tune` | Reads tuning parameters of the mount path. |

#### **Configuration Parameters**

| Parameter            | Type | Default | Description                                                         |
| -------------------- | ---- | ------- | ------------------------------------------------------------------- |
| `ignored_parameters` | List | `nil`   | A list of parameters to ignore when checking for HMAC audit status. |

#### **Health Check Results**

* This check provides **informational feedback** about whether audit data parameters are properly HMAC’d or left in cleartext as expected.
* It ensures adherence to the list of **safe and unsafe audit fields**.
* Results will not trigger warnings or errors but serve as guidance for improving audit visibility.

#### **Recommended Actions**

To improve audit log visibility and control what is HMAC’d or excluded, fine-tune the audit parameters using the following command:

{% hint style="info" %}
**Note:** Replace the `<mount>` value with the actual mount path of the secrets engine being tuned.
{% endhint %}

```bash
vhsm secrets tune \
  -audit-non-hmac-response-keys=certificate \
  -audit-non-hmac-response-keys=issuing_ca \
  -audit-non-hmac-response-keys=serial_number \
  -audit-non-hmac-response-keys=error \
  -audit-non-hmac-response-keys=ca_chain \
  -audit-non-hmac-request-keys=certificate \
  -audit-non-hmac-request-keys=issuer_ref \
  -audit-non-hmac-request-keys=common_name \
  -audit-non-hmac-request-keys=alt_names \
  -audit-non-hmac-request-keys=other_sans \
  -audit-non-hmac-request-keys=ip_sans \
  -audit-non-hmac-request-keys=uri_sans \
  -audit-non-hmac-request-keys=ttl \
  -audit-non-hmac-request-keys=not_after \
  -audit-non-hmac-request-keys=serial_number \
  -audit-non-hmac-request-keys=key_type \
  -audit-non-hmac-request-keys=private_key_format \
  -audit-non-hmac-request-keys=managed_key_name \
  -audit-non-hmac-request-keys=managed_key_id \
  -audit-non-hmac-request-keys=ou \
  -audit-non-hmac-request-keys=organization \
  -audit-non-hmac-request-keys=country \
  -audit-non-hmac-request-keys=locality \
  -audit-non-hmac-request-keys=province \
  -audit-non-hmac-request-keys=street_address \
  -audit-non-hmac-request-keys=postal_code \
  -audit-non-hmac-request-keys=permitted_dns_domains \
  -audit-non-hmac-request-keys=policy_identifiers \
  -audit-non-hmac-request-keys=ext_key_usage_oids \
  -audit-non-hmac-request-keys=csr \
  <mount>
```
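
The comparison this check describes can be reproduced offline against a saved tune response. The following is an added example, not vHSM's own implementation: it diffs a mount's cleartext audit keys against the lists in the command above and honours `ignored_parameters`. The response field names `audit_non_hmac_request_keys` and `audit_non_hmac_response_keys`, the `data` wrapper, and the sample response are assumptions.

```python
import json

# Recommended cleartext keys, copied from the tune command on this page.
RECOMMENDED = {
    "audit_non_hmac_response_keys": set(
        "certificate issuing_ca serial_number error ca_chain".split()),
    "audit_non_hmac_request_keys": set(
        "certificate issuer_ref common_name alt_names other_sans ip_sans "
        "uri_sans ttl not_after serial_number key_type private_key_format "
        "managed_key_name managed_key_id ou organization country locality "
        "province street_address postal_code permitted_dns_domains "
        "policy_identifiers ext_key_usage_oids csr".split()),
}

def audit_visibility(tune, ignored_parameters=None):
    """Compare a mount's tune data with the recommended cleartext keys.

    Returns, per field, the recommended keys that are still HMAC'd
    ("missing") and the cleartext keys outside the recommended list ("extra").
    """
    ignored = set(ignored_parameters or [])
    # Assumption: the API wraps the tune fields in a "data" object; accept both.
    data = tune.get("data", tune)
    report = {}
    for field, wanted in RECOMMENDED.items():
        # An absent or null field means nothing is logged in cleartext.
        current = set(data.get(field) or [])
        report[field] = {
            "missing": sorted(wanted - current - ignored),
            "extra": sorted(current - wanted - ignored),
        }
    return report

# Constructed sample response, not captured from a real vHSM instance.
# "some_other_field" is a made-up key used to show the "extra" finding.
SAMPLE = json.loads("""{
  "data": {
    "default_lease_ttl": 2764800,
    "audit_non_hmac_request_keys": ["common_name", "ttl", "csr", "some_other_field"],
    "audit_non_hmac_response_keys": ["certificate", "issuing_ca", "serial_number", "error", "ca_chain"]
  }
}""")

if __name__ == "__main__":
    for field, result in audit_visibility(SAMPLE, ["managed_key_id"]).items():
        print(field, "missing:", result["missing"], "extra:", result["extra"])
```

Keys reported as `extra` are logged in cleartext without being on the recommended list, so review them before leaving them exposed to log consumers.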
