Fidelis Common Criteria Скачать руководство пользователя страница 13 | Manualshive

Страница: 13 / 25

background image

Fidelis Network Common Criteria Configuration Guide Version 9.0.3

10

www.fidelissecurity.com

If a system daemon fails to start for other reasons than integrity check failure, the event will be logged in

/var/log/messages

. Depending on the daemon and the reason for its failure, more detailed

information may be found in the corresponding log in /FSS/log/.

Audit Events

The table below lists and describes applicable audit events and administrative actions for each of the
security functional requirements (SFRs) covered by Common Criteria.
The general order of the audit events is as follows:
1.

Date.

2.

Time.

3.

TOE Component IP address.

4.

TOE Component name (hostname).

5.

Process name or audit function name (e.g. FSS audit).

6.

Process ID (optional).

7.

Audit event description string. This is specific to audit event type.
See the table below for examples and details.

Table 2. SFRs and Auditable Events

SFR

Event

Additional
Information

Sample Log

FAU_GEN.1 Start-up of audit

functions

None

Sep 8 11:38:12 10.42.212.199 localhost
syslog-ng[2368]: syslog-ng starting up;
version='3.7.3'
Sep 8 14:25:43 localhost FSS
audit[2423]: System startup

Shutdown of audit
functions

None

Sep 8 11:34:59 10.42.212.199 04
localhost syslog-ng[2369]: syslog-ng
shutting down; version='3.7.3'
Sep 8 14:23:17 localhost FSS
audit[4273]: System shutdown

FCO_CPC_
EXT.1

Enabling
communications
between a pair of
components.
Disabling
communications
between a pair of
components.

Identity and
type of TOE
component
being
registered or
unregistered.
Identities of
the TLS
endpoints
involved in
the
transaction.

Sep  7 16:47:22 localhost FSS
audit[70423]: admin registered Sensor
linux90col Type: metadatav
Sep  7 16:47:22 localhost FSS
audit[70437]: Sensor <linux90col> TLS
SUCCESS: Local: localhost, Remote:
10.89.184.31
Sep  7 16:47:23 localhost FSS
audit[70441]: Sensor <linux90col>
sensor registered successfully

FCS_HTTPS Failure to establish a Reason for

Mar 17 10:01:51 10.42.209.241 FSS:

«
...
11
12
13
14
15
...
»

Содержание Common Criteria

Страница 1: ...Fidelis Network Common Criteria Configuration Guide Version 9 0 3 ...

Страница 2: ...ts original electronic form and print copies for personal use This document cannot be modified or converted to any other electronic or machine readable form in whole or in part without prior written approval of Fidelis Cybersecurity While we have done our best to ensure that the material found in this document is accurate Fidelis Cybersecurity makes no guarantee that the information contained here...

Страница 3: ...cess 4 Change the Default Account Passwords 4 Command Line Session Inactivity Timeout 4 Configure Password Requirements for Local Users 5 Enhanced Information for Common Criteria Configuration of 1 7 Appendix C Common Criteria 7 Common Criteria Compliant Configuration 7 Common Criteria Compliant Trusted Channels to External Components 8 System Updates 8 Digital Signatures for Updates 8 Common Crit...

Страница 4: ...de 1 The information in the following sections is new or corrected information related to the Enterprise Setup and Configuration Guide 1 reproduced as entire sections in this document This document provides or references all the necessary instructions to configure monitor and maintain Fidelis Network as certified by Common Criteria This Configuration Guide is applicable to Fidelis Network Version ...

Страница 5: ...ck user name at the top of the GUI For iLO the user ID and password are on the unit s label on top of the server Once the user connects to the iLO via a web browser these credentials are needed After logging in the user ID and password can be changed For IMM account and initial password are Account Initial password How to reset USERID PASSW0RD with a zero not the letter O Click Login Settings in t...

Страница 6: ... 5 After configuration is complete type exit to log out Appendix A Security Certificates and Common Access Cards Obtaining and Importing a Certificate Follow instructions in this section to generate a Certificate Signing Request CSR obtain a certificate CA certificates CRL import these for use by a Fidelis Network component Run all commands in this section as root In all commands subsystem is the ...

Страница 7: ... the certificate For example the component with IPv4 address 192 168 1 40 hostname sensor1 and domain mycompany local should have Subject Alternative Name as follows X509v3 extensions X509v3 Subject Alternative Name IP Address 191 168 1 40 IP Address 0 0 0 0 0 FFFF C0A8 128 DNS sensor1 DNS sensor1 mycompany local In Common Criteria compliant mode of operation the verifyhost parameter in configurat...

Страница 8: ...length is administrator configurable from 1 to 999 characters Recommended value is 8 Fidelis Network components utilize Linux Pluggable Authentication Module PAM which provides dynamic authentication support for component applications and services To configure minimum password length for logging into the component via the console the pam cracklib module minlen parameter must be set to the desired ...

Страница 9: ...alue and includes the number of characters in the password as well as complexity factors from the password itself For example if and how many capitals numbers or special characters it has In addition to the number of characters in the new password credit of 1 in length is given for each different kind of character other upper lower and digit The default for this parameter is 9 ...

Страница 10: ...m administrator privileges 6 Log in as the system administrator user and create user accounts for each person who will use the K2 The admin account should not be used anymore 7 Ensure that session timeouts are set for command line Command Line Session Inactivity Timeout and GUI access GUI Session Inactivity Timeout 8 Create a custom login banner Refer to Custom Login Banner 9 If you are using LDAP...

Страница 11: ...d LDAP servers with TLS enabled communications Refer to Enable Client Authentication Refer to chapter 13 of User Guide System Updates Digital Signatures for Updates Fidelis checks for software updates available on the Fidelis Insight Cloud using HTTPS connections A software update is available as a tar package along with its digital signature created using RSA secret key Fidelis will download both...

Страница 12: ...verification check failure Power on Self Tests and Process Manager Each system daemon that utilizes Cryptographic Module of the component openssl 1 0 1e fips performs Power on Self Test POST upon initialization In case of POST failure the process or service will fail to initialize and the Cryptographic Module initialization failure messages are entered in var log messages for example Jun 3 23 01 0...

Страница 13: ...s and Auditable Events SFR Event Additional Information Sample Log FAU_GEN 1 Start up of audit functions None Sep 8 11 38 12 10 42 212 199 localhost syslog ng 2368 syslog ng starting up version 3 7 3 Sep 8 14 25 43 localhost FSS audit 2423 System startup Shutdown of audit functions None Sep 8 11 34 59 10 42 212 199 04 localhost syslog ng 2369 syslog ng shutting down version 3 7 3 Sep 8 14 23 17 lo...

Страница 14: ...ailure Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fopen No such file or directory Aug 10 10 31 28 localhost error 2006D080 BIO routines BIO_new_file no such file Aug 10 10 31 28 localhost error 0B084002 x509 certificate routines X509_load_cert_crl_file system lib FCS...

Страница 15: ...TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routines SSL3_GET_CLIENT_CERTIFI CATE no certificate returned FIA_AFL 1 Unsuccessful login attempts limit is met or exceeded Administrator identity and the origin of the login attempt e g IP address Sep 8 11 26 18 localhost FSS audit 106367 k2admin failed attempt to login from 10 89 184 30 calling login Sep 8 11 26 28 lo...

Страница 16: ... Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fidelissecurity com Aug 11 13 34 33 localhost Subject C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and D evelpoment CN VF RCA1 Server1 emailAddress VF RCA1 Server1 fidelissecurity com Aug 11 13 34 33 localhost TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routin...

Страница 17: ...F data TSF data affected by the change Sep 8 15 07 43 localhost FSS audit 21670 FSS etc login cf changed pw_minlen from 0 to 10 Sep 8 15 12 58 localhost FSS audit 24675 New file FSS jail FPDATA k2admin contentfinger print big txt created FMT_MTD 1 CryptoKeys Management of cryptographic keys Key Management action generation destruction import and Critical Security Parameter CSP identification Sep 8...

Страница 18: ...T Sep 8 23 40 11 localhost SHA 256 fingerprint AA 20 D3 46 F7 5D 08 58 E5 86 6 C 41 E6 14 7B A1 E4 6B FA A7 EB 38 A1 2F D1 4B F8 A4 70 73 C B 4C FPT_ITT 1 Initiation of the trusted channel Termination of the trusted channel Failure of the trusted channel functions Identification of the initiator and target of failed trusted channels establishment attempt Mar 29 16 18 37 localhost FSS audit 77497 a...

Страница 19: ...w York New time Fri Sep 8 17 46 40 UTC 2017 EST5EDT Set by localhost FPT_TUD_E XT 1 Initiation of update Identification of the initiator software update version and target s of update Feb 21 10 47 03 localhost FSS audit 32671 admin started install of version 9 0 3 20180221 for components linux90col Result of the update attempt success or failure Target of update distributed TOE component identific...

Страница 20: ...111 time_reopen 10 FTP_TRP 1 Admin Initiation of the trusted channel Identification of the claimed user identity Mar 17 09 52 00 10 42 209 241 FSS audit admin logged on from 10 42 29 155 Termination of the trusted channel Identification of the claimed user identity Mar 17 10 00 07 10 42 209 241 FSS audit admin logged out from 10 42 209 241 Failure of the trusted channel functions Identification of...

Страница 21: ...b Proxy and processes it for policy violations Making Configuration Changes The vi editor bin vi may be used when making manual changes to files on a Fidelis Network system Set Up FIPS 140 2 Certificates Fidelis Network ships with FIPS 140 2 mode for communication enabled by default Users must install and set up FIPS 140 2 compliant certificates and enable FIPS 140 2 encryption for data storage on...

Страница 22: ...1 Failure to establish a TLS session due to misconfiguration CA certificate file is not found CRL file is not found Verify that correct CA certificate and CRL files are installed in the path specified by the error message Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fo...

Страница 23: ...r and or TLS Client set as appropriate Aug 11 13 34 33 localhost FSS audit 42996 TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 Certificate verification error 26 unsupported certificate purpose Aug 11 13 34 33 localhost Depth 0 Aug 11 13 34 33 localhost Issuer C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fid...

Страница 24: ...nnection is first established upon successful registration of the component to K2 test functions are available to verify proper connections However network connections may fail for many reasons Fidelis Network will continually attempt to reestablish the connection until working order is restored Messages are available from log files to indicate any detected errors in communications After restoring...

Страница 25: ...iguration Guide Version 9 0 3 22 www fidelissecurity com References 1 Fidelis Cybersecurity Fidelis Network Version 9 0 3 Enterprise Setup and Configuration Guide 2017 2 Fidelis Cybersecurity Fidelis Network Version 9 0 3 User Guide 2017 ...

Отзывы:

Нет отзывов

Похожие инструкции для Common Criteria

Бренд: Sagem Страницы: 19

Бренд: EAW Страницы: 2

Elinx EIRP305-T

Бренд: B&B Electronics Страницы: 19

Бренд: Idis Страницы: 123

Бренд: Idis Страницы: 29

Бренд: Idis Страницы: 28

DirectIP DR-1304P

Бренд: Idis Страницы: 82

Бренд: iDirect Страницы: 130

Бренд: Teac Страницы: 20

cMT-FHDX Series

Бренд: Maple Systems Страницы: 2

Бренд: NETGEAR Страницы: 2

NJ220 - IntelliJack Switch

Бренд: 3Com Страницы: 82

Conel UR5i v2 Libratum

Бренд: B&B Electronics Страницы: 32

Бренд: RAK Страницы: 30

System Storage DS3200

Бренд: IBM Страницы: 2

Digital Encoder Plus

Бренд: IDT Страницы: 98

Бренд: Cameo Страницы: 23

DiamondLink 3201

Бренд: Patton Страницы: 12

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды