GET LOG ENTRIES Command

Fetch device audit log.

Description

Fetch all current entries from the device Log Store.

Shell Example

yubihsm> audit get 0
0 unlogged boots found
0 unlogged authentications found
Found 6 items
item:    46 -- cmd: 0x4b -- length:  234 -- session key: 0x0001 -- target key: 0xcf94 -- second key: 0x997e -- result: 0xcb -- tick: 335725 -- hash: 415f51f1f035a1b713e730e4464e4033
item:    47 -- cmd: 0x4c -- length:   77 -- session key: 0x0001 -- target key: 0xaff7 -- second key: 0xffff -- result: 0xcc -- tick: 351714 -- hash: 5496a60d478c2b9c801d8d32ca66b554
item:    48 -- cmd: 0x00 -- length:    0 -- session key: 0xffff -- target key: 0x0000 -- second key: 0x0000 -- result: 0x00 -- tick: 0 -- hash: 14ac7747ba9bbb243cfc70befeb5349b
item:    49 -- cmd: 0x03 -- length:   10 -- session key: 0xffff -- target key: 0x0001 -- second key: 0xffff -- result: 0x83 -- tick: 139 -- hash: b20a8f25c025e693a8e869b433294a20
item:    50 -- cmd: 0x04 -- length:   17 -- session key: 0xffff -- target key: 0x0001 -- second key: 0xffff -- result: 0x84 -- tick: 139 -- hash: ebfae425c319ac7a0afbb8b92597de7c
item:    51 -- cmd: 0x67 -- length:    2 -- session key: 0x0001 -- target key: 0xffff -- second key: 0xffff -- result: 0xe7 -- tick: 697 -- hash: 2e395d1b706668737e1d2215813db47e

Protocol Details

Command

Tc = 0x4d
Lc = 0
Vc = Ø

Response

Tr = 0xcd
Lr = 2 + 2 + 1 + (N * 32)
Vr = B || O || N || E1 || E2 || ... || EN

Parameters:

B := Number of unlogged boot events (if the log buffer is full and audit enforce is set) (2 bytes)

O := Number of unlogged authentication events (if the log buffer is full and audit enforce is set) (2 bytes)

N := Number of elements in the list (1 byte)

Ei := Generic log entry (32 bytes) composed of:

  • Command number (two bytes)
  • Command ID (one byte)
  • Command length (two bytes)
  • ID of the originating session’s authentication key (two bytes)
  • Target key affected by the command (two bytes)
  • Secondary key if the command affected more than one key (two bytes)
  • Result of the command on success or an error code if unsuccessful (one byte)
  • Systick when the command was processed (four bytes)
  • Digest (sixteen bytes)

The digest is computed as trunc(16, SHA256(Ei.Data || trunc(16, Ei-1.Digest))), where Ei.Data is the first 16 bytes of the entry (every field except the digest) and Ei-1.Digest is the digest of the preceding entry. For the initial log entry, a random 32-byte string is used instead of the previous entry's digest.
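As an added example (not code from the YubiHSM documentation or SDK), the following Python parses a Vr payload laid out as above and checks that each entry's digest chains to its predecessor. It assumes multi-byte fields are big-endian and builds its own constructed sample entries rather than using data captured from a device.

```python
import hashlib
import struct

ENTRY_LEN = 32                 # 2+1+2+2+2+2+1+4+16 bytes per entry Ei
# Assumption: multi-byte fields are big-endian (network byte order).
DATA_FMT = ">HBHHHHBI"         # the 16 non-digest bytes: Ei.Data
ENTRY_FMT = DATA_FMT + "16s"   # Ei.Data || Ei.Digest

def parse_log_response(vr: bytes) -> dict:
    """Split a GET LOG ENTRIES Vr payload into B, O and the list of entries."""
    boots, auths, count = struct.unpack(">HHB", vr[:5])
    body = vr[5:]
    if len(body) != count * ENTRY_LEN:
        raise ValueError(f"N={count} but payload has {len(body)} entry bytes")
    entries = []
    for i in range(count):
        raw = body[i * ENTRY_LEN:(i + 1) * ENTRY_LEN]
        f = struct.unpack(ENTRY_FMT, raw)
        entries.append({"num": f[0], "cmd": f[1], "length": f[2], "session": f[3],
                        "target": f[4], "second": f[5], "result": f[6], "tick": f[7],
                        "digest": f[8], "data": raw[:16]})
    return {"unlogged_boots": boots, "unlogged_auths": auths, "entries": entries}

def chained_digest(data: bytes, prev_digest: bytes) -> bytes:
    """trunc(16, SHA256(Ei.Data || trunc(16, Ei-1.Digest)))."""
    return hashlib.sha256(data + prev_digest[:16]).digest()[:16]

def verify_chain(entries, prev_digest=None) -> int:
    """Return the index of the first entry whose digest does not chain to its
    predecessor, or -1 if the chain holds. Without prev_digest (the last digest
    seen in an earlier fetch) the first entry is accepted unverified, since its
    predecessor may be the random seed rather than a stored entry."""
    for i, e in enumerate(entries):
        if prev_digest is not None and chained_digest(e["data"], prev_digest) != e["digest"]:
            return i
        prev_digest = e["digest"]
    return -1

def build_entry(num, cmd, length, session, target, second, result, tick, prev_digest):
    """Encode one entry and chain its digest (used only to construct sample data)."""
    data = struct.pack(DATA_FMT, num, cmd, length, session, target, second, result, tick)
    return data + chained_digest(data, prev_digest)

SEED = bytes(range(16))  # constructed stand-in for the digest preceding item 46

def sample_response() -> bytes:
    """Constructed Vr with B=0, O=0, N=3; values loosely follow the shell example."""
    e1 = build_entry(46, 0x4b, 234, 0x0001, 0xcf94, 0x997e, 0xcb, 335725, SEED)
    e2 = build_entry(47, 0x4c, 77, 0x0001, 0xaff7, 0xffff, 0xcc, 351714, e1[16:])
    e3 = build_entry(48, 0x67, 2, 0x0001, 0xffff, 0xffff, 0xe7, 697, e2[16:])
    return struct.pack(">HHB", 0, 0, 3) + e1 + e2 + e3
```

Persisting the last verified digest between fetches lets the next call to verify_chain check the first entry of the new batch as well, so a gap or replacement at the batch boundary is detected.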

When the device initializes after a reset, a log entry with all fields set to 0xff is logged.

When the device boots up, a log entry with all fields set to 0x00 is logged.