Digital signing
Digital signing of audit data is used to show attempts at log tampering and provide for non-repudiation of the audit log.
Each file within each load gets a digital signature. The signature and the sequence information are stored in the audit database.
Digital signing on the system is done by setting up a public/private cryptographic pair of keys and setting the history configuration to use that key pair.
To set the audit digital signature key, use the syntax as in the following example:
ALTER HISTORY CONFIG
KEY <keystore name>.<key name>;
To turn off signing, use the following command:
ALTER HISTORY CONFIG
KEY NONE
To verify the signature, in addition to displaying the keys, the following sample script that
checks the key against the signature is
provided:
nzverifyauditsig.sh
The output returns a verification or a failure message, as in the following:
- signature verified
- signature could not be verified