
Sample Code Audits of Configuration Changes

 

This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:

This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
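The two audit scopes described above, written out as an added example rather than the page's own sample code. It assumes Junos OS syslog syntax; the file name Audit-File comes from the text, while the choice of facilities, severities and the match expression used to narrow the first file to secret-data changes are assumptions.

```junos
/* Added example, not the original sample. Assumes Junos OS syslog syntax. */
/* Minimum scope: configuration changes that touch secret data, plus commits.
   The match regex is an assumption; it keeps the change-log messages that
   Junos tags as secret-data changes and the commit messages. */
[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
        match "UI_CFG_AUDIT_SET_SECRET|UI_COMMIT";
    }
}

/* Expanded scope: every configuration change and every CLI command,
   with or without secret data. No match filter, and change-log and
   interactive-commands are raised to severity any so nothing is dropped. */
[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands any;
    }
}
```

The facility and severity filters are applied before the match expression, so a match regex can only narrow what the file stanza already accepts, never widen it.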

Example: System Logging of Configuration Changes

This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.

The new configuration changes the secret data configuration statements and adds a new user.

Table 1 shows the sample auditable events for syslog auditing under NDcPPv2:

Table 1: Auditable Events

| Requirement | Auditable Events | Additional Audit Record Contents | How event generated |
|---|---|---|---|
| FCS_SSH_EXT.1 | Failure to establish an SSH session. Establishment/Termination of an SSH session. | Reason for failure. Non-TOE endpoint of connection (IP address) for both successes and failures. | Identification & Authentication (FIA_UIA_EXT.1 – logging in). Large packet test. |
| FIA_UIA_EXT.1 | All use of the identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address). | Identification & Authentication (FIA_UIA_EXT.1 – logging in) |
| FIA_UAU_EXT.2 | All use of the authentication mechanism. | Origin of the attempt (e.g., IP address). | Identification & Authentication (FIA_UIA_EXT.1 – logging in) |
| FPT_STM.1 | Changes to the time. | The old and new values for the time. Origin of the attempt (e.g., IP address). | Time updates (FPT_STM.1) |
| FPT_TUD_EXT.1 | Initiation of update. | No additional information. | Proper TOE Updates (FPT_TUD_EXT.1.3) |
| FPT_TST_EXT.1 | Indication that TSF self-test was completed. | Any additional information generated by the tests beyond "success" or "failure". | Entered 'request system fips self-test' at command line. |
| FTA_SSL_EXT.1 | Any attempts at unlocking of an interactive session. | No additional information. | Local Interactive Session Timeout Enforcement (FTA_SSL_EXT.1) |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | No additional information. | Remote Session Timeout Enforcement (FTA_SSL.3) |
| FTA_SSL.4 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempt. | Audit Server Configuration (FAU_STG_EXT.1). |
| FTP_ITC.1 | Used as entropy input string to the HMAC DRBG. | Power cycle. | A critical value of the internal state of DRBG. |
| FTP_TRP.1 | Initiation of the trusted channel. Termination of the trusted channel. Failures of the trusted path functions. | Identification of the claimed user identity. | See audit results for FCS_SSH_EXT.1. |
