Security Relevant Events - Cisco ISR 4000 series Configuration Manual

Integrated services routers cc configuration guide

Cisco ISR 4000 Family Routers Administrator Guidance
5. Security Relevant Events

The TOE is able to generate audit records that are stored internally within the TOE whenever an
audited event occurs, as well as simultaneously offloaded to an external syslog server. The details
for protection of that communication are covered in Section 3.3.5 above.
The administrator can set the level of the audit records to be stored in a local buffer, displayed on
the console, sent to the syslog server, or all of the above. The details for configuration of these
settings are covered in Section 0 above.
The local log buffer is circular. Newer messages overwrite older messages after the buffer is full.
Administrators are instructed to monitor the log buffer using the show logging privileged EXEC
command to view the audit records. The first message displayed is the oldest message in the
buffer.
When configured for a syslog backup, the TOE will simultaneously offload events from a separate
buffer to the external syslog server. This buffer is used to queue events to be sent to the syslog
server if the connection to the server is lost. It is a circular buffer, so when the events overrun the
storage space, newer events overwrite older events.
The tables below include the security relevant events that are applicable to the TOE. Table 7
General Auditable Events includes general applicable events, and Table 8 Auditable
Administrative Events includes auditable events for administrator actions.
Note: In Table 7, if Embedded Event Manager is used, as outlined in Section 3.3.4,
%HA_EM-6-LOG logs will be created for each command executed, in addition to the
%PARSER-5-CFGLOG_LOGGEDCMD syslog.
The TOE generates an audit record whenever an audited event occurs. The types of events that
cause audit records to be generated include cryptography-related events, identification and
authentication-related events, and administrative events (the specific events and the contents of
each audit record are listed in the table below). Each of the events is specified in syslog records
in enough detail to identify the user with which the event is associated, when the event occurred,
where the event occurred, the outcome of the event, and the type of event that occurred.
Additionally, the startup and shutdown of the audit functionality is audited.
The local audit trail consists of the individual audit records; one audit record for each event that
occurred. The audit record can contain up to 80 characters and a percent sign (%), which follows
the time-stamp information. The audit fields in each audit event will contain at a minimum the
following:
Example Audit Event: Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (DES encryption/decryption ... passed)
Date: Nov 19
Time: 13:55:59
Type of event: %CRYPTO-6-SELF_TEST_RESULT
Subject identity: Available when the command is run by an authorized TOE administrator user
such as "user: lab". In cases where the audit event is not associated with an authorized user, an IP
address may be provided for the Non-TOE endpoint and/or TOE.
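
The field breakdown above can be applied mechanically to records collected on the syslog server. The following parser is an added example, not part of the Cisco guidance; the dictionary keys and the second and third sample lines are constructed for illustration, and the severity names are the standard IOS syslog levels 0-7.

```python
import re

# Cisco IOS syslog severity levels 0-7 (the digit in %FACILITY-SEVERITY-MNEMONIC).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]

# Timestamp, then %FACILITY-SEVERITY-MNEMONIC, then free text, following the
# layout of the example audit event on this page.
RECORD = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"(?P<type>%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+)):\s*"
    r"(?P<text>.*)$"
)
USER = re.compile(r"\buser:\s*(\S+)", re.IGNORECASE)  # e.g. "user: lab"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_audit_record(line):
    """Split one audit record into the minimum fields listed above.

    Returns None when the line lacks the timestamp/%TYPE layout, so a
    caller can count and review unparsed lines instead of dropping them.
    """
    m = RECORD.match(line.strip())
    if m is None:
        return None
    text = m.group("text")
    user = USER.search(text)
    return {
        "date": m.group("date"),
        "time": m.group("time"),
        "type": m.group("type"),
        "facility": m.group("facility"),
        "severity": SEVERITY[int(m.group("sev"))],
        "user": user.group(1) if user else None,   # subject identity, if any
        "addresses": IPV4.findall(text),           # endpoint/TOE addresses
        "text": text,
    }


# First line is the page's example; the other two are constructed samples.
SAMPLES = [
    "Nov 19 13:55:59: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (DES encryption/decryption ... passed)",
    "Nov 19 14:02:11: %PARSER-5-CFGLOG_LOGGEDCMD: user: lab logged command: logging host 192.0.2.10",
    "unexpected console text without a timestamp",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_audit_record(sample))
```

Records with neither a user nor an address are normal for self-test events; a reviewer would flag administrative event types that arrive without a subject identity.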