will create a list.csv file with the audit logs from Feb. 25 to Feb. 26, 2025.
🚀 To ensure the authenticity and integrity of records, and confirm that they have not been tampered with, HMAC (Hash-based Message Authentication Code) is used. For each record, the HMAC is calculated by concatenating the record's information with the HMAC of a previous record. Each HMAC is recalculated every five minutes.
The concatenated HMAC of all the lines of the file is shown at the end of the exported file:
🚀 The -o parameter for the file output is present only when executing the export command.
🚀 The verify -i parameter can be used to check whether the audit logs have been tampered with. Use -i to specify the input file that must be verified. In the following example, the list.csv file is verified:
The verify command prints a message that falls into one of three categories:
The file is ok, there are no lines in error
######################################
CHECK FILE: THE FILE IS OK
HMAC: 885d5e3c1c421073794fe8a781b87a3182cf4aa4dedc0d87720663157491d8c5
######################################
The file is ok, but there are lines in error
This occurs when the file is intact, but the corresponding content in the database is not.
######################################
CHECK FILE: THE FILE IS OK
HMAC: be348c541a9a621b8c5b292801433ff2324192e5e88afd50f561e21fd8a3d563
######################################
LINES WITH ERROR:
"2025-02-26 12:21:44.593","Ceman Audit","AUD0007A","a9aca5af-3a63-47bc-98a8-704c77df7cd8","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdc3920015","HMAC ERROR-AUD-E01"
"2025-02-26 12:21:47.005","Ceman Audit","AUD0007A","2df8dac7-4c42-4784-a63f-f7a5b2b32826","User 'ghibli-superuser' has logged in","CEMAN","10.120.1.1","ghibli-superuser","LOGIN","CEMAN","10.120.1.1","CEMAN","8af881e59541f6f4019541fdccff0018","HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02"
######################################
Look for these entries, which indicate that the corresponding content in the database is not intact:
HMAC ERROR-AUD-E01: this indicates that the HMAC has been tampered with in the database.
HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02: this indicates that the line was deleted from the database.
The file has been tampered with
The HMAC of the file is given for reference.
######################################
CHECK FILE: THE FILE IS TAMPERED
HMAC: da9fc54bf809cada462b0ad432815d6e5fcfaf03076dfabb126d15884dff1b22
######################################
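The per-record chaining described above, and the two database-side errors it lets a verifier report, can be sketched as follows. This is an added example, not the product's code: the key, HMAC-SHA256, the field separator, the all-zero starting value and the prev_id link between records are assumptions, and the sample rows are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: real key handling is not described on the page
GENESIS = "0" * 64              # assumption: placeholder "previous HMAC" for the first record

def record_hmac(fields, prev_hmac, key=KEY):
    """HMAC of the record's fields concatenated with the previous record's HMAC."""
    msg = "\x1f".join(list(fields) + [prev_hmac]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_store(rows, key=KEY):
    """Chain rows (id, fields) into a dict id -> {fields, prev_id, hmac}."""
    store, prev_id, prev_mac = {}, None, GENESIS
    for rec_id, fields in rows:
        mac = record_hmac(fields, prev_mac, key)
        store[rec_id] = {"fields": list(fields), "prev_id": prev_id, "hmac": mac}
        prev_id, prev_mac = rec_id, mac
    return store

def verify_store(store, key=KEY):
    """Return {id: status}, reusing the status strings shown in the verify output."""
    result = {}
    for rec_id, rec in store.items():
        if rec["prev_id"] is None:
            prev_mac = GENESIS
        elif rec["prev_id"] not in store:
            result[rec_id] = "HMAC ERROR - PREVIOUS RECORD NOT FOUND-AUD-E02"
            continue
        else:
            prev_mac = store[rec["prev_id"]]["hmac"]
        expected = record_hmac(rec["fields"], prev_mac, key)
        ok = hmac.compare_digest(expected, rec["hmac"])
        result[rec_id] = "OK" if ok else "HMAC ERROR-AUD-E01"
    return result

# Constructed sample rows (not taken from a real export).
ROWS = [
    ("r1", ["2025-02-26 12:00:00.000", "LOGIN", "alice"]),
    ("r2", ["2025-02-26 12:01:00.000", "LOGIN", "bob"]),
    ("r3", ["2025-02-26 12:02:00.000", "LOGOUT", "alice"]),
    ("r4", ["2025-02-26 12:03:00.000", "LOGOUT", "bob"]),
]

def demo():
    store = build_store(ROWS)
    store["r2"]["fields"][2] = "mallory"   # row edited in place, stored HMAC left stale
    del store["r3"]                        # row removed; r4 still points at it
    return verify_store(store)
```

In this sketch, overwriting a record's stored HMAC also fails the record that follows it, because the successor's HMAC was computed over the original value.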
The Audit Exporter CLI
default@ceman:/ceman/bin$ ./audit.sh
Usage: audit [-hLV] [-C=<connectTimeoutSeconds>] [-R=<readTimeoutSeconds>]
             -u=<username> (-p=<passwordFile> | -P) [COMMAND]
Audit Exporter CLI
  -C, --connect-timeout-seconds=<connectTimeoutSeconds>
                             Connect timeout seconds (default if not specified:
                               `300`)
  -h, --help                 Show this help message and exit.
  -L, --enable-console-log   Enable console log
  -p, --password-file=<passwordFile>
                             Single-line file containing the password in clear
                               text
  -P, --password             Interactive password, prompted on console if not
                               specified
  -R, --read-timeout-seconds=<readTimeoutSeconds>
                             Read timeout seconds (default if not specified:
                               `300`)
  -u, --username=<username>  Username
  -V, --version              Print version information and exit.
Commands:
  help    Displays help information about the specified command
  export  Export Audit
  verify  Export Verify