Last Modified: Oct 07, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 16.0.0, 16.0.0.1, 16.0.1
Fixed In:
16.1.0, 16.0.1.1, 15.1.1, 14.1.2.8
Opened: Aug 27, 2019 Severity: 2-Critical
To achieve DoDIN APL certification, the BIG-IP system must guarantee the integrity of log files using the standards' recommendation of encrypting those files on the local store. The BIG-IP system does not generate signature files for logs. As a result, the system stores the audit information (i.e., the log files stored in /var/log folder and other subfolders) without creating integrity files.
Audit log files are stored without integrity files on the local system.
Viewing the audit information stored in /var/log and other locations.
Disable local logging for audit logs and send them to remote syslog, for example: tmsh modify sys syslog include "filter f_audit { facility(local0) and not message(AUDIT); }; "
There is now a LogIntegrity utility provided to generate signature files for logs. -- To enable the feature: tmsh modify sys db logintegrity.support value enable -- To set the LogIntegrity loglevel: tmsh modify sys db logintegrity.loglevel value debug You must create private key and store it in SecureVault before enabling this feature. To do so: 1. Generate a private key with the name logfile_integrity.key, for example: tmsh create sys crypto key logfile_integrity.key key-type rsa-private key-size 2048 gen-certificate security-type password country US city Seattle state WA organization "Example, Inc." ou "Example-Creation Team" common-name www.example.com email-address admin@example.com lifetime 365 2. Generate RSA encrypted private SSL keys: 2a. Go to the filestore location on the BIG-IP system: cd /config/filestore/files_d/Common_d/certificate_key_d/ ls | grep logfile_integrity:Common:logfile_integrity.key_63031_2 openssl rsa -aes256 -in :Common:logfile_integrity.key_63031_2 -out logfile_integrity_secure.key 2b. Specify the PEM password/passphrase (e.g., root0101) to use to protect the SSL private key (in this example, logfile_integrity_secure.key is the password protected private key): 2c. run command to list the generated files ls | grep logfile_integrity :Common:logfile_integrity.key_63031_2 logfile_integrity_secure.key 3. Install the generated password protected SSL private key with the same password (e.g., root0101) used in step 2 to store in 'secure vault' on the BIG-IP system: tmsh install sys crypto key logfile_integrity.key passphrase example root0101 from-local-file logfile_integrity_secure.key Once the feature is enabled and the private key installed, The signature files are generated under /var/log/digest whenever log files get rotated. If you want to verify Signatures, follow these steps: 1. Go to the filestore location on the BIG-IP system : cd /config/filestore/files_d/Common_d/certificate_d 2. Execute the following command to generate the public key. openssl x509 -in :Common:logfile_integrity.key_63031_2 -noout -pubkey > certificatefile.pub.cer 3.Verify the signature file using public key: openssl dgst -sha256 -verify /config/filestore/files_d/Common_d/certificate_d/certificatefile.pub.cer -signature /var/log/digest/audit.1.sig /var/log/audit.1