Audit logs can be signed to ensure the integrity of your audit data. By signing your audit records, any later modification of the audit logs can be detected when the signatures are verified.
Before you begin
Restriction: Signing audit data is only available for data created using the default audit service provider. If you are using the SMF emitter or a third-party emitter, you cannot sign your data.
Before configuring your security audit records to be signed, enable global security and security auditing in your environment. You must be assigned the auditor role and the administrator role to configure audit record signing.
Procedure
- Click .
- Select the Enable signing check box to specify that your audit records should be signed. All other fields on this panel will be unavailable until this check box has been selected.
- Select the keystore that contains the signing certificate from the Managed keystore containing the signing certificate dropdown menu.
- If you are using an existing certificate to sign your audit records, ensure Certificate in keystore is selected and select the intended certificate from the Certificate alias dropdown menu.
- If you are generating a new certificate to sign your audit records, select Create a new certificate in the selected keystore and follow these steps:
- Enter the name of your new certificate in the Certificate alias field.
- Select one of the following options: Import the encryption certificate, Automatically generate certificate, or Import a certificate. The certificate used to sign the audit records can be the certificate already configured for audit encryption, a newly generated certificate in the selected keystore, or a certificate imported from an existing keystore.
- If you selected Import the encryption certificate, the certificate configured for audit encryption is also used to sign your audit records. Skip to the last step on this page to complete this configuration.
- If you selected Automatically generate certificate, skip to the last step on this page to complete this configuration.
- If you selected Import a certificate from an existing keystore, continue with the next step, entering the keystore details of the certificate to import.
- Enter the name of the keystore file in the Key file name field.
- Enter the path to the keystore file in the Path field.
- Select the keystore type from the Type dropdown list. The default value of the Type dropdown list is PKCS12.
- Enter the password associated with the keystore in the Key File password field.
- Click Get key file aliases to populate the Certificate alias to import dropdown menu.
- Select the certificate to be imported from the Certificate alias to import dropdown menu.
- Click OK.
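The following is an added example, not code from the product or from this page. It reproduces with the openssl command-line tool what the panel above configures: a certificate generated into a PKCS12 keystore under an alias (the Automatically generate certificate path), the aliases in that keystore listed (the Get key file aliases step), audit records signed with the certificate's private key, and verification that flags a record altered after signing. The keystore file name, password, alias and the audit records themselves are constructed demo values.

```shell
#!/bin/sh
# Added example, not WebSphere code: sign audit records with the private key of a
# certificate held in a PKCS12 keystore, then verify them and detect a tampered record.
# Requires the openssl command-line tool. Paths, password and alias are demo values.
set -eu

WORK="${TMPDIR:-/tmp}/audit-sign-demo.$$"   # scratch directory (assumed location)
mkdir -p "$WORK"
KEYSTORE="$WORK/auditsign.p12"    # panel fields "Key file name" and "Path" (assumed name)
KS_PASS="changeit"                # panel field "Key file password" (demo value)
ALIAS="auditsigner"               # panel field "Certificate alias" (demo value)

# Counterpart of "Automatically generate certificate": a self-signed certificate and
# its private key, stored under ALIAS in a PKCS12 keystore ("Type" = PKCS12).
make_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=audit-signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/signer.key" -in "$WORK/signer.crt" \
    -name "$ALIAS" -passout "pass:$KS_PASS" -out "$KEYSTORE"
  rm -f "$WORK/signer.key" "$WORK/signer.crt"   # only the keystore is kept
}

# Counterpart of "Get key file aliases": list the aliases (friendlyName) in the keystore.
list_aliases() {
  openssl pkcs12 -in "$KEYSTORE" -passin "pass:$KS_PASS" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | sort -u
}

# sign_log <log> <sigfile>: one base64 RSA/SHA-256 signature per audit record (line).
sign_log() {
  openssl pkcs12 -in "$KEYSTORE" -passin "pass:$KS_PASS" -nocerts -nodes \
    -out "$WORK/signer.key" 2>/dev/null
  : > "$2"
  while IFS= read -r rec; do
    printf '%s' "$rec" | openssl dgst -sha256 -sign "$WORK/signer.key" \
      | openssl base64 -A | tr -d '\n' >> "$2"
    printf '\n' >> "$2"
  done < "$1"
  rm -f "$WORK/signer.key"   # the private key is needed only while signing
}

# verify_log <log> <sigfile>: check every record against its signature using only the
# certificate's public key; prints a line per record and returns 1 if any record fails.
verify_log() {
  openssl pkcs12 -in "$KEYSTORE" -passin "pass:$KS_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -pubkey -noout > "$WORK/signer.pub"
  n=0; bad=0
  exec 3< "$2"
  while IFS= read -r rec; do
    IFS= read -r sig <&3 || sig=""
    n=$((n + 1))
    if printf '%s' "$sig" | openssl base64 -d -A > "$WORK/rec.sig" \
       && printf '%s' "$rec" | openssl dgst -sha256 -verify "$WORK/signer.pub" \
            -signature "$WORK/rec.sig" >/dev/null 2>&1; then
      echo "record $n: signature OK"
    else
      echo "record $n: SIGNATURE INVALID (record altered or signature missing)"
      bad=1
    fi
  done < "$1"
  exec 3<&-
  return "$bad"
}

# Constructed sample records (not real WebSphere output) and a tampered copy.
write_samples() {
  cat > "$WORK/audit.log" <<'EOF'
2024-03-05T10:15:02Z SECURITY_AUTHN outcome=SUCCESS user=alice
2024-03-05T10:15:09Z SECURITY_AUTHN outcome=FAILURE user=bob
2024-03-05T10:16:41Z SECURITY_AUTHZ outcome=DENIED user=bob resource=/admin
EOF
  # An attacker rewriting history: bob's failed login becomes a success.
  sed 's/outcome=FAILURE user=bob/outcome=SUCCESS user=bob/' "$WORK/audit.log" \
    > "$WORK/tampered.log"
}

make_keystore
write_samples
sign_log "$WORK/audit.log" "$WORK/audit.sig"
echo "keystore aliases: $(list_aliases)"
verify_log "$WORK/audit.log" "$WORK/audit.sig"          # every record verifies
if verify_log "$WORK/tampered.log" "$WORK/audit.sig"; then
  echo "unexpected: tampering not detected"
else
  echo "tampering detected in the copied log"
fi
```

Two points the run makes visible: verification needs only the certificate, so whoever reviews the logs never has to hold the private key, while the altered second record is reported as invalid without affecting the records around it. The converse also holds: anyone who can open the keystore and read the key can re-sign an altered record, so the keystore selected on the panel deserves the same access controls as any other key material.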
Results
After you have completed these steps, your audit logs are digitally signed to ensure the integrity of the data. Signing detects modification rather than preventing it: an altered record is caught only when the signatures are verified, and anyone who can read the signing private key from the keystore can re-sign altered records, so restrict access to that keystore as you would any other key material.
What to do next
After you have finished configuring your audit logs to be signed, you can ensure the confidentiality of your audit logs by configuring the audit subsystem to encrypt your audit records.