Inspecting the Audit Log
1. Installation
You need the decryption tool and the FlatBuffers schema shipped with Sharemind HI to inspect the audit log.
1.1. Prerequisites
- Credentials for the APT repository: username and password
- Ubuntu 22.04 platform on an x86-64 CPU.
1.2. Installation
You need the following Sharemind HI packages:
Package | Relevant Files | Description
sharemind-hi-audit | sharemind-hi-audit (command-line tool) | The application for decrypting the audit log.
sharemind-hi-audit-fbs-dev | /usr/include/sharemind-hi/sharemind-hi/fbs/enclave_messages_audit.fbs | The FlatBuffers schema for interpreting the content of the decrypted audit log entries.
These can be installed as follows:
# Add the Sharemind repository signing key to its own keyring.
# apt-key is deprecated on Ubuntu 22.04, and a key added with it would be
# trusted for every repository; [signed-by=...] limits it to this one.
wget -qO - https://repo.cyber.ee/sharemind/apt/pubkey.gpg \
| sudo gpg --dearmor -o /usr/share/keyrings/sharemind-hi.gpg
# Install HTTPS repository support for APT (transitional package on 22.04)
sudo apt install apt-transport-https
# Add Sharemind repository
user="..." # provided in a separate document
pass="..." # provided in a separate document
path="HI-$user"
repo_url="https://repo.cyber.ee/sharemind/apt/$path"
# Keep the password out of the world-readable sources list: APT reads
# credentials from the root-only /etc/apt/auth.conf.d/ directory instead.
printf 'machine repo.cyber.ee/sharemind/apt/%s login %s password %s\n' \
"$path" "$user" "$pass" \
| sudo tee /etc/apt/auth.conf.d/sharemind-hi.conf > /dev/null
sudo chmod 600 /etc/apt/auth.conf.d/sharemind-hi.conf
. /etc/os-release # for $UBUNTU_CODENAME.
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/sharemind-hi.gpg] $repo_url $UBUNTU_CODENAME non-free" \
| sudo tee /etc/apt/sources.list.d/sharemind-hi.list
# Update and install the pinned version ({hivsn} is the Sharemind HI version string)
sudo apt update
sudo apt install sharemind-hi-audit={hivsn} sharemind-hi-audit-fbs-dev={hivsn}
# Recommended: keep unattended upgrades from moving the pinned version
sudo apt-mark hold sharemind-hi-audit sharemind-hi-audit-fbs-dev
Further, the flatc binary from the FlatBuffers project, version 1.12.0 or higher, is required for the JSON conversion in section 4.
Please refer to http://google.github.io/flatbuffers/ on how to install it.
2. Obtaining the Audit Log Key
Download the audit log encryption key from the Sharemind HI server:
sharemind-hi-client -c client.yaml -a auditLogDownloadKey \
-- --output audit_log.key
Anyone holding this key can decrypt the whole audit log, so store audit_log.key with the same access restrictions you apply to the decrypted log itself (for example, owner-readable only).
3. Obtaining the Audit Log
The audit log is stored in a solution-specific way, so retrieving it has to be solved in a solution-specific way as well.
When you have the audit log, you can decrypt it as follows:
sharemind-hi-audit -a decrypt \
-- --input audit_log.enc --key audit_log.key --output audit_log
The audit_log file contains a FlatBuffer whose schema is in the following file:
/usr/include/sharemind-hi/sharemind-hi/fbs/enclave_messages_audit.fbs
4. Inspecting the Audit Log
You can either analyse the FlatBuffer in a custom application using the FlatBuffers library, or convert the FlatBuffer to a human-readable format like JSON[1] and read it directly or analyse it with other tools like jq[2]:
# Convert the FlatBuffer to strict JSON (quoted keys, no trailing commas) so
# that jq and other JSON tools can read it directly. -I points flatc at the
# directory holding any schemas included by the audit schema.
# The output will be written to `audit_log.json`.
flatc --json --strict-json \
-I /usr/include/sharemind-hi/sharemind-hi/fbs \
/usr/include/sharemind-hi/sharemind-hi/fbs/enclave_messages_audit.fbs \
-- audit_log
# A simple example of how to print, in order, which actions were performed:
jq -r '.entries | map(.buffer.entry_type) | .[]' audit_log.json \
| sed -E 's/LogEntry(.*)/\1/' \
| sed -E 's/([a-z])([A-Z])/\1 \2/g' \
| cat -n
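The same inspection as a small Python script, added here as an example; it is not part of Sharemind HI and uses only the standard library on the JSON produced by flatc. It assumes the layout the jq pipeline above relies on (a top-level `entries` array whose items carry a `buffer.entry_type` string named `LogEntry<CamelCase>`). The embedded sample document is constructed for the example and its entry-type names are hypothetical; replace it with the contents of audit_log.json. Beyond listing the actions, it tallies them per type and fails loudly when an entry does not match the expected layout, which is what you want when the schema and the tool version drift apart.

```python
"""List and tally the actions recorded in a decrypted Sharemind HI audit log.

Added example, not Sharemind HI code. Works on the JSON written by
`flatc --json --strict-json` and assumes entries look like
{"buffer": {"entry_type": "LogEntry<CamelCase>"}} under a top-level "entries".
"""
import json
import re
from collections import Counter

# Constructed sample standing in for audit_log.json; the entry-type names
# are hypothetical and only follow the LogEntry<CamelCase> naming pattern.
SAMPLE_JSON = """
{
  "entries": [
    {"buffer": {"entry_type": "LogEntryTaskStart"}},
    {"buffer": {"entry_type": "LogEntryDataUpload"}},
    {"buffer": {"entry_type": "LogEntryTaskStart"}},
    {"buffer": {"entry_type": "LogEntryDataDownload"}}
  ]
}
"""

PREFIX = "LogEntry"
CAMEL_BOUNDARY = re.compile(r"([a-z])([A-Z])")


def action_name(entry_type):
    """'LogEntryDataUpload' -> 'Data Upload' (the transform the sed pipeline does)."""
    stripped = entry_type[len(PREFIX):] if entry_type.startswith(PREFIX) else entry_type
    return CAMEL_BOUNDARY.sub(r"\1 \2", stripped)


def list_actions(audit_json):
    """Return [(number, action), ...] in log order, numbered from 1 like `cat -n`.

    Raises ValueError when the document does not have the expected layout,
    rather than silently skipping entries.
    """
    doc = json.loads(audit_json)
    entries = doc.get("entries")
    if not isinstance(entries, list):
        raise ValueError("no top-level 'entries' array; wrong schema or not strict JSON?")
    actions = []
    for n, entry in enumerate(entries, start=1):
        buf = entry.get("buffer") if isinstance(entry, dict) else None
        if not isinstance(buf, dict) or not isinstance(buf.get("entry_type"), str):
            raise ValueError(f"entry {n} has no buffer.entry_type string; schema mismatch?")
        actions.append((n, action_name(buf["entry_type"])))
    return actions


def count_actions(audit_json):
    """Tally how often each action occurs, e.g. to spot unexpected operations."""
    return Counter(name for _, name in list_actions(audit_json))


if __name__ == "__main__":
    # Usage: python3 audit_actions.py  (reads the constructed sample); swap in
    # open("audit_log.json").read() to inspect a real log.
    for number, name in list_actions(SAMPLE_JSON):
        print(f"{number:6}\t{name}")
    print()
    for name, count in count_actions(SAMPLE_JSON).most_common():
        print(f"{count:6}\t{name}")
```

The numbered listing matches the output of the jq/sed pipeline; the tally is the first thing to look at when checking a log for operations that should not have happened.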