Security Relevant Events - Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures

5 Security Relevant Events

ASR can maintain logs in multiple locations: local storage of the generated audit records, and
when configured for a syslog backup will simultaneously offload those events to the external
syslog server. ASR administrators should review logs at both locations.
The TOE generates an audit record whenever an audited event occurs. The types of events that
cause audit records to be generated include, cryptography related events, identification and
authentication related events, and administrative events (the specific events and the contents of
each audit record are listed in Table 7 below). Each of the events is specified in syslog records
in enough detail to identify the user for which the event is associated, when the event occurred,
where the event occurred, the outcome of the event, and the type of event that occurred.
Additionally, the startup and shutdown of the audit functionality is audited.
The audit trail consists of the individual audit records; one audit record for each event that
occurred. The audit record can contain up to 80 characters and a percent sign (%), which follows
the time-stamp information. The audit fields in each audit event will contain at a minimum the
following:
Example Audit Event: Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info:
(DES encryption/decryption ... passed)
Date: Nov 19
Time: 13:55:59
Type of event: %CRYPTO-6-SELF_TEST_RESULT
Subject identity: Available when the command is run by an authorized TOE administrator user
such as "user: lab". In cases where the audit event is not associated with an authorized user, an
IP address may be provided for the Non-TOE endpoint and/ or TOE.
IP address: (Optional) May be provided along with the subject identity of a specific authorized
TOE administrator.
Port number: (Optional) May be provided along with the IP address for throughput traffic
Outcome (Success or Failure): Success may be explicitly stated with "success" or
"passed"contained within the audit event or is implicit in that there is not a failure or error
message. More specifically for failed logins, a "Login failed" will appear in the audit event. For
successful logins, a "Login success" will appear in the associated audit event. For failed events
"failure" will be denoted in the audit event. For other audit events a detailed description of the
outcome may be given in lieu of an explicit success or failure. For example, for an IPsec session
where the lifetime of the SA has expired a detailed description is given in the associated audit
event: "SA lifetime threshold reached, expiring in 1412 seconds."