Bug ID 818253: Generate signature files for logs

Last Modified: Mar 01, 2021

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
14.1.0, 14.1.2, 15.0.0, 15.0.1, 15.1.0, 16.0.0, 16.0.1

Fixed In: 15.1.1

Opened: Aug 27, 2019
Severity: 2-Critical


Symptoms

To achieve DoDIN APL certification, the BIG-IP system must guarantee the integrity of its log files by creating integrity (signature) files for them on the local store, as the standard recommends. The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (the log files in /var/log and its subfolders) without any accompanying integrity files, so modification of a stored log cannot be detected.


Impact

Audit log files are stored on the local system without integrity files.


Conditions

Viewing the audit information stored in /var/log and other locations on the local system.


Workaround

Disable local logging for audit logs and send them to a remote syslog server instead. For example, the following excludes AUDIT messages from the local audit log filter:

  tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "

Fix Information

There is now a LogIntegrity utility that generates signature files for logs.

To enable the feature:
  tmsh modify sys db logintegrity.support value enable

To set the LogIntegrity log level (debug shown as an example):
  tmsh modify sys db logintegrity.loglevel value debug

You must create a private key and store it in SecureVault before enabling this feature. To do so:

1. Generate a private key named logfile_integrity.key, for example:
   tmsh create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365

2. Create a passphrase-protected (AES-256 encrypted) copy of the RSA private key:
   2a. Go to the key filestore location on the BIG-IP system and locate the generated key (the numeric suffix on the filestore name varies from system to system; use the name ls shows on yours):
       cd /config/filestore/files_d/Common_d/certificate_key_d/
       ls | grep logfile_integrity
       :Common:logfile_integrity.key_63031_2
       openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key
   2b. When prompted, specify the PEM passphrase (e.g., root0101) used to protect the SSL private key. In this example, logfile_integrity_secure.key is the passphrase-protected private key.
   2c. List the generated files:
       ls | grep logfile_integrity
       :Common:logfile_integrity.key_63031_2
       logfile_integrity_secure.key

3. Install the passphrase-protected SSL private key, using the same passphrase (e.g., root0101) as in step 2, so that it is stored in SecureVault on the BIG-IP system:
   tmsh install sys crypto key logfile_integrity.key passphrase root0101 from-local-file logfile_integrity_secure.key

Once the feature is enabled and the private key is installed, signature files are generated under /var/log/digest whenever log files are rotated.

To verify signatures:

1. Go to the certificate filestore location on the BIG-IP system:
   cd /config/filestore/files_d/Common_d/certificate_d

2. Extract the public key from the certificate generated in step 1 above:
   openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer

3. Verify a signature file against its log file using the public key:
   openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1

openssl prints "Verified OK" when the log matches its signature and "Verification Failure" if the log was changed after rotation or the signature belongs to a different file.
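The manual check above covers one log file at a time. The script below is an added example, not part of this bug page or of the LogIntegrity utility: it runs the same openssl verification over every signature file in a digest directory and reports each log as verified, tampered, or missing, and it includes a self-test that signs a constructed audit log with a throwaway key, verifies it, then tampers with the log and confirms the check fails. The script name verify_logs.sh, the function names, the temporary directories and the audit lines are all made up for this example. It also assumes that a signer running `openssl dgst -sha256 -sign` (RSA PKCS#1 v1.5 over SHA-256) produces the same signature format that the page's `openssl dgst -sha256 -verify` command accepts; the utility's own signing code is not shown on the page.

```shell
#!/bin/sh
# Added example, not part of the F5 bug page or the LogIntegrity utility.
# Bulk version of the page's manual check:
#   openssl dgst -sha256 -verify <pubkey> -signature /var/log/digest/<log>.sig /var/log/<log>
# run over every signature file in a digest directory, plus a self-test.
set -u

# verify_log_dir PUBKEY LOGDIR DIGESTDIR
# Prints one line per signature file. Returns 0 only if every signature
# verifies and every signed log is still present; 1 on any tampered or
# missing log; 2 if DIGESTDIR holds no signature files at all.
verify_log_dir() {
    pubkey=$1; logdir=$2; digestdir=$3
    bad=0
    for sig in "$digestdir"/*.sig; do
        [ -e "$sig" ] || { echo "no .sig files in $digestdir"; return 2; }
        name=$(basename "$sig" .sig)
        log="$logdir/$name"
        if [ ! -f "$log" ]; then
            echo "MISSING  $log (signature present, log file gone)"
            bad=1
        elif openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$log" >/dev/null 2>&1; then
            echo "OK       $log"
        else
            echo "TAMPERED $log"
            bad=1
        fi
    done
    return "$bad"
}

# self_test: exercise verify_log_dir end to end in a temporary directory.
# Assumption: `openssl dgst -sha256 -sign` produces what the page's verify
# command accepts; the utility's own signer is not shown on the page.
# Returns 0 when the untampered log verifies and the tampered one does not.
self_test() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/log/digest"

    # Throwaway key pair standing in for the SecureVault key and the public
    # key the page extracts with `openssl x509 -noout -pubkey`.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/priv.key" >/dev/null 2>&1
    openssl pkey -in "$work/priv.key" -pubout -out "$work/pub.cer" >/dev/null 2>&1

    # Constructed audit lines (made up for this example, not real BIG-IP output).
    printf '%s\n' \
        'Jan  1 00:00:01 bigip notice tmsh[4242]: AUDIT - user admin - list sys db logintegrity.support' \
        'Jan  1 00:00:02 bigip notice tmsh[4242]: AUDIT - user admin - modify sys db logintegrity.support value enable' \
        > "$work/log/audit.1"
    openssl dgst -sha256 -sign "$work/priv.key" \
        -out "$work/log/digest/audit.1.sig" "$work/log/audit.1"

    result=1
    if verify_log_dir "$work/pub.cer" "$work/log" "$work/log/digest" >/dev/null; then
        # Drop the second audit line after signing, as an attacker hiding a change would.
        head -n 1 "$work/log/audit.1" > "$work/log/audit.1.tmp"
        mv "$work/log/audit.1.tmp" "$work/log/audit.1"
        if ! verify_log_dir "$work/pub.cer" "$work/log" "$work/log/digest" >/dev/null; then
            result=0
        fi
    fi
    rm -rf "$work"
    [ "$result" -eq 0 ] && echo "self-test passed"
    return "$result"
}

# Usage: sh verify_logs.sh PUBKEY LOGDIR DIGESTDIR, for example on a BIG-IP:
#   sh verify_logs.sh /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer /var/log /var/log/digest
# With no arguments, the self-test runs instead.
if [ $# -eq 3 ]; then
    verify_log_dir "$1" "$2" "$3"
else
    self_test
fi
```

One caveat worth keeping in mind when relying on these signatures: the signing key lives in SecureVault on the same system that writes the logs, so an attacker with root on the BIG-IP could alter a rotated log and regenerate its .sig file. The check only proves something if the public certificate and copies of the .sig files (or the logs themselves) are also shipped off-box, which is why the workaround of remote syslog remains good practice even after the fix.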

Behavior Change