User Password, Login, And Access Policies - Cisco ONS 15454 DWDM Installation And Operation Manual

Chapter 20 Security Reference
Cisco ONS 15454 DWDM Installation and Operations Guide, R6.0, August 2005, page 20-7

Table 20-3 ONS 15454 Default User Idle Times (continued)

Security Level    Idle Time
Maintenance       60 minutes
Retrieve          Unlimited

20.2.2.2 User Password, Login, and Access Policies

Superusers can view real-time lists of users who are logged in to CTC, and of TL1 user logins, by node. Superusers can also provision the following password, login, and node access policies:

Password expirations and reuse—Superusers can specify when users must change their passwords and when they can reuse them.

Login attempts—Superusers can specify the maximum number of times a user is allowed to attempt to log in to CTC.

Locking out and disabling users—Superusers can provision the number of invalid logins that are allowed before locking out users and the length of time before inactive users are disabled. The number of allowed lockout attempts is set to the number of allowed login attempts.

Node access and user sessions—Superusers can limit the number of CTC sessions one user can have, and they can prohibit access to the ONS 15454 using the LAN or TCC2/TCC2P RJ-45 connections. In addition, a Superuser can select secure shell (SSH) instead of Telnet at the CTC Provisioning > Security > Access tabs. SSH is a terminal-to-remote-host Internet protocol that uses encrypted links. It provides authentication and secure communication over unsecured channels. Port 22 is the default port and cannot be changed.

20.3 Audit Trail

The Cisco ONS 15454 maintains a Telcordia GR-839-CORE-compliant audit trail log that resides on the TCC2/TCC2P card. Audit trails are useful for maintaining security, recovering lost transactions, and enforcing accountability. Accountability refers to tracing user activities; that is, associating a process or action with a specific user. This record shows who has accessed the system and what operations were performed during a given period of time. The log includes authorized Cisco logins and logouts using the operating system command line interface, CTC, and TL1; the log also includes FTP actions, circuit creation/deletion, and user- and system-generated actions.

Event monitoring is also recorded in the audit log. An event is defined as the change in status of an element within the network. External events, internal events, attribute changes, and software upload/download activities are recorded in the audit trail.

The audit trail is stored in persistent memory and is not corrupted by processor switches, resets, or upgrades. However, if a user pulls both TCC2/TCC2P cards, the audit trail log is lost.

See the "NTP-G108 Viewing the Audit Trail Records" procedure on page 13-14 as necessary.

20.3.1 Audit Trail Log Entries

Table 20-4 lists the columns shown in the Audit Trail window.
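As an added illustration (not Cisco's code, and not the node's actual implementation), the following Python models how the password-expiration, password-reuse, login-attempt, lockout, inactivity-disable and session-limit policies described in Section 20.2.2.2 interact when they are enforced together. The policy values, the UserState record and the choice to measure inactivity from the last successful login are constructed assumptions.

```python
from dataclasses import dataclass, field

DAY = 86400  # seconds

@dataclass
class AccessPolicy:
    # Constructed example values; real limits are whatever the Superuser provisions.
    max_login_attempts: int = 3      # invalid logins before lockout (lockout count equals this)
    lockout_seconds: int = 600       # how long a locked-out user must wait
    password_max_age_days: int = 45  # user must change the password after this
    password_reuse_days: int = 90    # a retired password may be reused only after this
    inactive_disable_days: int = 90  # assumed: disable after this long since the last login
    max_sessions: int = 2            # concurrent CTC sessions per user

@dataclass
class UserState:
    password: str
    password_set: float              # epoch seconds when the current password was set
    last_login: float                # epoch seconds of the last successful login
    history: dict = field(default_factory=dict)  # old password -> epoch seconds when retired
    failed_attempts: int = 0
    locked_until: float = 0.0
    disabled: bool = False
    sessions: int = 0

def attempt_login(policy, user, password, now):
    """Return (ok, reason) and update the user record as the policy checks would."""
    if user.disabled:
        return False, "disabled"
    if now - user.last_login > policy.inactive_disable_days * DAY:
        user.disabled = True             # inactive users are disabled, not merely locked
        return False, "disabled_inactive"
    if now < user.locked_until:
        return False, "locked_out"       # lockout holds even for a correct password
    if password != user.password:
        user.failed_attempts += 1
        if user.failed_attempts >= policy.max_login_attempts:
            user.failed_attempts, user.locked_until = 0, now + policy.lockout_seconds
            return False, "locked_out"
        return False, "bad_password"
    if user.sessions >= policy.max_sessions:
        return False, "session_limit"
    user.failed_attempts, user.sessions, user.last_login = 0, user.sessions + 1, now
    if now - user.password_set > policy.password_max_age_days * DAY:
        return True, "password_expired"  # logged in, but a change is required
    return True, "ok"

def change_password(policy, user, new_password, now):
    """Reject the current password and any password retired less than password_reuse_days ago."""
    retired = user.history.get(new_password)
    if new_password == user.password or (retired is not None and now - retired < policy.password_reuse_days * DAY):
        return False
    user.history[user.password] = now
    user.password, user.password_set = new_password, now
    return True
```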