Sample Code Audits of Configuration Changes


This sample code audits all changes to secret data in the configuration and sends the resulting log messages to a file named Audit-File:

This sample code expands the scope of the minimum audit to cover all changes to the configuration, not just changes to secret data, and sends the resulting log messages to a file named Audit-File:

Example: System Logging of Configuration Changes

This example shows a sample configuration and then makes changes to users and to secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration with the load command and the result is committed.

The new configuration changes the secret-data configuration statements and adds a new user.
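Seen from the audit-server side, the records described above are what a collector has to parse. The following is an added example and is not code from the Junos documentation: it reads the change-log records that a syslog file such as Audit-File collects, groups each set of changes under the commit that applied them, lists which changed statements hold secret data, and checks that a secret-data record carries the statement path but never the value. The sample lines are constructed for this example in the classic Junos syslog layout; the UI_CFG_AUDIT_SET_SECRET, UI_CFG_AUDIT_SET and UI_COMMIT message tags and their "User '...' set: [path]" shape are assumed from Junos's mgd audit messages, and the host name, user name, RADIUS server address and configuration paths are made up.

```python
"""Parse Junos configuration-change audit records from a syslog file
such as Audit-File and group them under the commit that applied them.

Added example, not code from the Junos documentation.  Assumptions:
the classic Junos syslog line layout and the UI_CFG_AUDIT_* / UI_COMMIT*
message tags of the mgd process; the host name, user, RADIUS server and
configuration paths below are constructed for this example.
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample of Audit-File after an administrator adds a RADIUS
# secret, creates a user with a password, and commits.  Secret-data records
# (UI_CFG_AUDIT_SET_SECRET) carry the statement path only; non-secret
# records carry the old and new values.
SAMPLE_AUDIT_FILE = """\
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 10.1.1.5 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET: User 'admin' set: [system login user fipsoperator class] <unconfigured> -> "super-user"
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user fipsoperator authentication encrypted-password]
Jul 24 17:43:31 router1 mgd[4163]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)
Jul 24 17:43:33 router1 mgd[4163]: UI_COMMIT_COMPLETED: commit complete
"""

# Constructed record of what the audit trail must never contain: a
# secret-data record that also carries the secret's value.
LEAKY_SAMPLE = ("Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: "
                "User 'admin' set: [system radius-server 10.1.1.5 secret] \"$9$notahash\"\n")

LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<tag>UI_[A-Z_]+): (?P<msg>.*)$"
)
CHANGE_MSG = re.compile(
    r"^User '(?P<user>[^']+)' (?P<verb>\w+): \[(?P<path>[^\]]+)\]\s*(?P<values>.*)$"
)
COMMIT_MSG = re.compile(r"^User '(?P<user>[^']+)' requested '(?P<op>[^']+)' operation")

SECRET_TAGS = {"UI_CFG_AUDIT_SET_SECRET"}
CHANGE_TAGS = SECRET_TAGS | {"UI_CFG_AUDIT_SET", "UI_CFG_AUDIT_NEW", "UI_CFG_AUDIT_OTHER"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one mgd UI_* record, or None for any other line."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "tag": m["tag"], "msg": m["msg"]}
    if rec["tag"] in CHANGE_TAGS:
        c = CHANGE_MSG.match(rec["msg"])
        if c:
            rec.update(user=c["user"], verb=c["verb"], path=c["path"],
                       values=c["values"].strip())
    elif rec["tag"] == "UI_COMMIT":
        c = COMMIT_MSG.match(rec["msg"])
        if c:
            rec.update(user=c["user"], verb=c["op"])
    return rec


def _batch(user: str, changes: List[dict], committed: bool) -> dict:
    return {
        "user": user,
        "committed": committed,
        "changes": [f"{c['verb']} {c['path']}" for c in changes],
        "secret_paths": [c["path"] for c in changes if c["tag"] in SECRET_TAGS],
    }


def audit_changes(text: str) -> List[dict]:
    """Group candidate-configuration changes under the UI_COMMIT that applied
    them.  Changes never followed by a commit are reported with committed=False
    so that an abandoned candidate still shows up in review."""
    batches, pending = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["tag"] in CHANGE_TAGS and "path" in rec:
            pending.append(rec)
        elif rec["tag"] == "UI_COMMIT":
            batches.append(_batch(rec.get("user", "?"), pending, committed=True))
            pending = []
    if pending:
        batches.append(_batch(pending[-1].get("user", "?"), pending, committed=False))
    return batches


def leaked_secret_values(text: str) -> List[str]:
    """Paths of secret-data records that carry anything after the statement
    path.  Junos logs only the path for secret data, so a non-empty value
    field means something between the device and this file is exposing
    secrets and the audit trail itself needs protecting."""
    return [
        rec["path"]
        for rec in map(parse_line, text.splitlines())
        if rec and rec["tag"] in SECRET_TAGS and rec.get("values")
    ]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_FILE
    for batch in audit_changes(text):
        state = "committed" if batch["committed"] else "NOT committed"
        print(f"{batch['user']}: {len(batch['changes'])} change(s), {state}; "
              f"secret statements: {batch['secret_paths'] or 'none'}")
    for path in leaked_secret_values(text):
        print(f"WARNING: secret value present in audit record for [{path}]")
```

Run it with the path to the collected Audit-File as its argument, or with no argument to process the constructed sample. The leaked_secret_values check is the one worth keeping in a collector pipeline: the device emits only the statement path for secret data, so any value appearing in such a record points at a relay or filter that is widening what the audit trail exposes.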

Table 1 lists the auditable events, the additional audit record contents, and how each event is generated for syslog auditing under NDcPPv2.1:

Table 1: Auditable Events

Columns: Requirement; Auditable Events; Additional Audit Record Contents; How Event Is Generated

FCS_SSH_EXT.1
  Auditable events: Failure to establish an SSH session; establishment/termination of an SSH session.
  Additional audit record contents: Reason for failure; non-TOE endpoint of connection (IP address) for both successes and failures.
  How event is generated: Identification & Authentication (FIA_UIA_EXT.1, logging in); large packet test.

FIA_UIA_EXT.1
  Auditable events: All use of the identification and authentication mechanism.
  Additional audit record contents: Provided user identity; origin of the attempt (for example, IP address).
  How event is generated: Identification & Authentication (FIA_UIA_EXT.1, logging in).

FIA_UAU_EXT.2
  Auditable events: All use of the authentication mechanism.
  Additional audit record contents: Origin of the attempt (for example, IP address).
  How event is generated: Identification & Authentication (FIA_UIA_EXT.1, logging in).

FPT_STM.1
  Auditable events: Changes to the time.
  Additional audit record contents: The old and new values for the time; origin of the attempt (for example, IP address).
  How event is generated: Time updates (FPT_STM.1).

FPT_TUD_EXT.1
  Auditable events: Initiation of update.
  Additional audit record contents: No additional information.
  How event is generated: Proper TOE updates (FPT_TUD_EXT.1.3).

FPT_TST_EXT.1
  Auditable events: Indication that TSF self-test was completed.
  Additional audit record contents: Any additional information generated by the tests beyond "success" or "failure".
  How event is generated: Entering 'request system fips self-test' at the command line.

FTA_SSL_EXT.1
  Auditable events: Any attempts at unlocking of an interactive session.
  Additional audit record contents: No additional information.
  How event is generated: Local interactive session timeout enforcement (FTA_SSL_EXT.1).

FTA_SSL.3
  Auditable events: The termination of a remote session by the session locking mechanism.
  Additional audit record contents: No additional information.
  How event is generated: Remote session timeout enforcement (FTA_SSL.3).

FTA_SSL.4
  Auditable events: The termination of an interactive session.
  Additional audit record contents: No additional information.
  How event is generated: Administrator-initiated termination (logout) of an interactive session (FTA_SSL.4).

FTP_ITC.1
  Auditable events: Initiation of the trusted channel; termination of the trusted channel; failure of the trusted channel functions.
  Additional audit record contents: Identification of the initiator and target of failed trusted channel establishment attempts.
  How event is generated: Audit server configuration (FAU_STG_EXT.1).

FTP_TRP.1
  Auditable events: Initiation of the trusted path; termination of the trusted path; failures of the trusted path functions.
  Additional audit record contents: Identification of the claimed user identity.
  How event is generated: See audit results for FCS_SSH_EXT.1.

FIA_AFL.1
  Auditable events: Unsuccessful login attempts limit is met or exceeded.
  Additional audit record contents: Origin of the attempt (for example, IP address).
  How event is generated: Authentication failure during remote authentication.

FMT_MOF.1/ManualUpdate
  Auditable events: Any attempt to initiate a manual update.
  Additional audit record contents: No additional information.
  How event is generated: Trigger an update of the firmware on the TOE.

FMT_MTD.1/CoreData
  Auditable events: All management activities of TSF data.
  Additional audit record contents: No additional information.
  How event is generated: Creation, modification, or deletion of TOE data.

FIA_X509_EXT.1/Rev
  Auditable events: Unsuccessful attempt to validate a certificate.
  Additional audit record contents: Reason for failure.
  How event is generated: Trigger a firmware update on the TOE (the image certificate is validated).

FPT_TUD_EXT.2
  Auditable events: Failure of update.
  Additional audit record contents: Reason for failure (including identifier of the invalid certificate).
  How event is generated: Modification or corruption of an image certificate is detected.

FMT_MOF.1/Functions
  Auditable events: Modification of the behavior of the transmission of audit data to an external IT entity, of the handling of audit data, or of the audit functionality when local audit storage space is full.
  Additional audit record contents: No additional information.
  How event is generated: Attempt to modify the transmission or handling behavior of audit data on the TOE.

FMT_MOF.1/Services
  Auditable events: Starting and stopping of services.
  Additional audit record contents: No additional information.
  How event is generated: Enabling or disabling services on the TOE.

FMT_MTD.1/CryptoKeys
  Auditable events: Management of cryptographic keys.
  Additional audit record contents: No additional information.
  How event is generated: Creation, modification, or deletion of cryptographic keys.