Cisco Prime Infrastructure 3.2 Common Criteria ... · 1.3 Document References ... Secure...


Cisco Prime Infrastructure 3.2

Common Criteria Configuration Guide

Version 0.7

25 April 2018


Table of Contents

1. Introduction ........................................................................................................................... 8

1.1 Audience ......................................................................................................................... 8

1.2 Purpose .......................................................................................................................... 8

1.3 Document References ................................................................................................... 8

1.4 Supported Hardware and Software ............................................................................. 9

1.5 Operational Environment ............................................................................................. 9

1.5.1 Required non-TOE Hardware/ Software/ Firmware ............................................. 9

1.5.2 Install and Configure a Syslog Server ...................................................................... 9

1.6 Excluded and Functionality Not Covered .................................................................. 10

2. Secure Acceptance of the TOE ............................................................................................ 11

3. Secure Installation and Setup ............................................................................................. 12

3.1 Physical Installation .................................................................................................... 12

3.1.1 Front Panel ............................................................................................................... 12

3.1.2 Rear Panel ................................................................................................................ 12

3.2 Initial Setup .................................................................................................................. 13

3.3 Logging in to the Prime Infrastructure CLI ............................................................... 14

3.3.1 Initial configuration ................................................................................................. 14

3.3.2 Change Default Logging .......................................................................................... 15

3.3.3 FIPS mode of operation ............................................................................................ 15

3.4 Logging in to the Prime Infrastructure Web GUI ...................................................... 16

3.4.1 Install TLS Client Cipher Restriction Patch ............................................................. 16

3.4.2 Verify TOE software version .................................................................................... 17

4. Secure Configuration and Management ............................................................................ 17

4.1 User Roles .................................................................................................................... 17

4.2 Enable Strong Passwords ........................................................................................... 18

4.3 Restrict Web GUI Ciphers ........................................................................................... 18

4.4 Session Termination ................................................................................................... 19

4.5 Login Banners .............................................................................................................. 19

4.6 Obtaining and Importing CA-Signed Certificates for HTTPS and TLS .................... 20

4.7 Deleting CA-Signed Certificates.................................................................................. 23


4.8 Configure TLS Client Protected Syslog Server ............................................................... 23

4.9 SSH ................................................................................................................................ 23

4.10 Public-Key Authentication............................................................................................ 24

4.11 Clock and TimeZone Management ............................................................................. 25

4.12 Trusted Updates .......................................................................................................... 26

4.13 Stop/Start Prime Infrastructure Service ....................................................................... 26

4.14 Power-on Self Tests ...................................................................................................... 27

4.15 Saving Configuration ................................................................................................... 27

5. Security Relevant Events .................................................................................................... 27

5.1 Viewing Audit Records ................................................................................................ 28

5.2 Log Rotation – Audit Event Data ................................................................................ 38

6. Modes of Operation ............................................................................................................. 39

7. Security Measures for the Operational Environment ...................................................... 39

8. Related Documentation ...................................................................................................... 41

8.1 Documentation Feedback ........................................................................................... 41

8.2 Obtaining Technical Assistance.................................................................................. 41


List of Tables

Table 1: Acronyms ......................................................................................................................... 5

Table 2: Cisco Documentation ..................................................................................................... 8

Table 3: Operational Environment Components ........................................................................ 9

Table 4: Excluded and Functionality Not Covered ................................................................... 10

Table 5: Auditable Events ............................................................................................................. 28

Table 6: Administrative Actions ................................................................................................... 38

Table 7: Operational Environment Security Measures ................................................................. 39

List of Figures

Figure 1 ......................................................................................................................................... 12


List of Acronyms

The following acronyms and abbreviations are common and may be used in this document.

Table 1: Acronyms

Acronym / Abbreviation    Definition

AAA Administration, Authorization, and Accounting

ACL Access Control Lists

AES Advanced Encryption Standard

AES-CCM AES Counter with CBC-MAC

CC Common Criteria for Information Technology Security Evaluation

CEM Common Evaluation Methodology for Information Technology Security

CM Configuration Management

DHCP Dynamic Host Configuration Protocol

EAL Evaluation Assurance Level

EAP Extensible Authentication Protocol

EAPoL Extensible Authentication Protocol (EAP) over LAN

ESP Encapsulating Security Payload

GE Gigabit Ethernet port

HTTP Hyper-Text Transport Protocol

HTTPS Hyper-Text Transport Protocol Secure

ICMP Internet Control Message Protocol

IT Information Technology

KCK Key Confirmation Key

KEK Key Encryption Key

MIC Message Integrity Check

NDcPP collaborative Network Device Protection Profile

OS Operating System

PoE Power over Ethernet

PP Protection Profile

PTK Pairwise Transient Key

RSN Robust Security Network

SA Security Association

SFP Small-form-factor pluggable port

SHS Secure Hash Standard

SSHv2 Secure Shell (version 2)

ST Security Target

TCP Transport Control Protocol

TOE Target of Evaluation

TSC TSF Scope of Control

TSF TOE Security Function

TSP TOE Security Policy


UDP User datagram protocol

WAN Wide Area Network


DOCUMENT INTRODUCTION

Prepared By:

Cisco Systems, Inc.

170 West Tasman Dr.

San Jose, CA 95134


This document provides supporting evidence for an evaluation of a specific Target of Evaluation (TOE), the Prime Infrastructure (also referred to as PI 3.2 in this document). This Operational User Guidance with Preparative Procedures addresses the administration of the TOE software and hardware and describes how to install, configure, and maintain the TOE in the Common Criteria evaluated configuration. Administrators of the TOE will be referred to as administrators, Security administrators, TOE administrators, semi-privileged administrators, and privileged administrators in this document.


1. Introduction

This Operational User Guidance with Preparative Procedures documents the administration of the Prime Infrastructure, the TOE, as it was certified under Common Criteria.

1.1 Audience

This document is written for administrators configuring the TOE. This document assumes that you are familiar with the basic concepts and terminologies used in internetworking, and understand your network topology and the protocols that the devices in your network can use, that you are a trusted individual, and that you are trained to use the operating systems on which you are running your network.

1.2 Purpose

This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining the PI 3.2-FIPS TOE operations.

1.3 Document References

This document makes reference to several Cisco Systems documents. The documents used are shown below in Table 2. Throughout this document, the guides will be referred to by the “#”, such as [1].

Table 2: Cisco Documentation

# Title Link

[1] Cisco Prime Infrastructure 3.2 Appliance Hardware Installation Guide

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/hardware_install/guide/Cisco_PI_Hardware_Appliance_Installation_Guide/cpiInstallUCS.html

[2] Cisco Prime Infrastructure 3.2 Quick Start Guide

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/quickstart/guide/cpi_qsg.html

[3] Cisco Prime Infrastructure 3.2 Administrator Guide

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/admin/guide/bk_CiscoPrimeInfastructure_3_2_AdminGuide.html

[4] Cisco Prime Infrastructure 3.2 User Guide

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/user/guide/bk_CiscoPrimeInfrastructure_3_2_0_UserGuide.html

[5] Cisco Prime Infrastructure 3.2 Command Reference Guide

https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/command/reference/cli32/cli312_appendix_011.html


[6] Cisco Prime Infrastructure 3.2 Release Notes

http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/release/notes/cpi_rn.html

1.4 Supported Hardware and Software

Only the hardware and software listed in table 4 of section 1.5 in the Security Target (ST) is compliant with the Common Criteria evaluation.

1.5 Operational Environment

1.5.1 Required non-TOE Hardware/ Software/ Firmware

The TOE requires the following hardware, software, and firmware in its environment:

Table 3: Operational Environment Components

Component Usage/Purpose Description

Management Workstation

This includes any IT Environment Management workstation with a TLS web browser and SSH client that is used by the Security Administrator for remote administration over TLS and SSH trusted paths.

Local Console This includes any IT Environment Console that is directly connected to the TOE component via the Serial Console Port and is used by the Security Administrator for local TOE administration.

Syslog Server This includes any syslog server to which the TOE would transmit syslog messages over a trusted channel.

1.5.2 Install and Configure a Syslog Server

Any syslog server can be used as long as it provides the following functions:

Can be accessed over TLS 1.2

Provides filtering options to filter messages upon receipt, prior to local storage;

Provides the ability to search and sort messages; and

Installs to a host operating system configured to protect stored messages from unauthorized modification or deletion.

Known compatible syslog servers include the syslog4j syslog server. Other products that support syslog over TLS are Kiwi Syslog Server and syslog-ng. Only one syslog server is supported.

Syslog4j: Complete Syslog Implementation for Java from: http://syslog4j.org/

Syslog-ng software, installation instructions and guidance can be obtained from: http://www.balabit.com/network-security/syslog-ng


Install the syslog server per the installation instructions provided with the syslog server software. Configure the host operating system to restrict access to syslog data to authorized personnel only. Configure the system to accept inbound syslog over TLS from PI.
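The four requirements in 1.5.2 are concrete enough to show in code. The following Python receiver is an added example, not part of the Cisco guide and not a Cisco product: it accepts syslog only over TLS 1.2 or later, applies a filter on receipt before anything reaches local storage, and appends to a file whose permissions the host OS is expected to restrict. It assumes RFC 5425 octet-counting framing ("<length> <message>") on the TLS stream; the guide does not state how PI frames messages, so `parse_octet_counted` is the part to adapt if PI sends newline-delimited records. Requiring a client certificate from PI is also an assumption, and the certificate file names and port are placeholders.

```python
"""TLS 1.2-only syslog receiver sketch for the section 1.5.2 requirements.
Added example, not part of the Cisco guide. Assumes RFC 5425 octet-counting
framing ("<len> <msg>") on the TLS stream; file names and port are placeholders."""
import re
import socket
import ssl

# Frame header as assumed: decimal length, one space, then exactly that many bytes.
_FRAME_RE = re.compile(rb"^(\d{1,5}) ")

# Constructed filter: patterns dropped on receipt, before local storage.
DROP_PATTERNS = [re.compile(rb"\bDEBUG\b")]


def parse_octet_counted(buf):
    """Split a receive buffer into complete messages.
    Returns (messages, remainder); the remainder is a partial frame to keep.
    Raises ValueError if the buffer does not start with a length prefix."""
    messages = []
    while True:
        m = _FRAME_RE.match(buf)
        if not m:
            if len(buf) >= 7:  # longer than any valid "ddddd " prefix: not a frame
                raise ValueError("malformed octet-counting frame: %r" % buf[:16])
            return messages, buf
        start, end = m.end(), m.end() + int(m.group(1))
        if len(buf) < end:
            return messages, buf  # wait for the rest of this frame
        messages.append(buf[start:end])
        buf = buf[end:]


def should_store(msg):
    """Requirement: filter on receipt, prior to local storage."""
    return not any(p.search(msg) for p in DROP_PATTERNS)


def make_tls_context(certfile, keyfile, cafile, require_client_cert=True):
    """Server context that refuses anything below TLS 1.2. Requiring a client
    certificate from PI is an assumption; pass require_client_cert=False if the
    deployment does not use mutual TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx


def drain(conn, sink):
    """Read frames from one TLS connection and store the ones that pass the filter.
    Returns the number of messages stored."""
    stored, buf = 0, b""
    while True:
        data = conn.recv(4096)
        if not data:
            return stored
        buf += data
        try:
            msgs, buf = parse_octet_counted(buf)
        except ValueError:
            return stored  # drop a misbehaving sender rather than guess at framing
        for msg in msgs:
            if should_store(msg):
                sink.write(msg + b"\n")
                sink.flush()
                stored += 1


def serve(ctx, bind_addr, sink_path):
    """Accept one connection at a time; enough for a single PI sender."""
    with socket.create_server(bind_addr) as srv:
        while True:
            raw, _peer = srv.accept()
            try:
                with ctx.wrap_socket(raw, server_side=True) as conn, open(sink_path, "ab") as sink:
                    drain(conn, sink)
            except ssl.SSLError:
                pass  # handshake below TLS 1.2 or bad client cert: refused, nothing stored


if __name__ == "__main__":
    # Placeholders: certificate/key/CA paths and the TLS syslog port are deployment-specific.
    serve(make_tls_context("syslog-server.pem", "syslog-server.key", "pi-ca.pem"),
          ("0.0.0.0", 6514), "pi-syslog.log")
```

The "protect stored messages" requirement is met outside this code: the sink file should be owned by the receiver's service account with mode 0600 or stricter, as the guide's host-OS instruction says.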

1.6 Excluded and Functionality Not Covered

Table 4: Excluded and Functionality Not Covered

Functionality: TOE remote management using:

o The virtual KVM of the Cisco Integrated Management Controller (CIMC) interface

o SoL (Serial over LAN) through CIMC

Rationale: This feature is not permitted and is excluded in the evaluated configuration and will be disabled by configuration.

Functionality: Management of remote network devices

Rationale: This feature is available in the evaluated configuration but not covered by security functional requirements in the NDcPP.


2. Secure Acceptance of the TOE

In order to ensure the correct TOE is received, the TOE should be examined to ensure that it has not been tampered with during delivery.

Verify that the TOE software and hardware were not tampered with during delivery by performing the following actions:

a) Before unpacking the TOE, inspect the physical packaging the equipment was delivered in. Verify that the external cardboard packing is printed with the Cisco Systems logo and motifs. If it is not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

b) Verify that the packaging has not obviously been opened and resealed by examining the tape that seals the package. If the package appears to have been resealed, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

c) Verify that the box has a white tamper-resistant, tamper-evident Cisco Systems bar coded label applied to the external cardboard box. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This label will include the Cisco product number, serial number, and other information regarding the contents of the box.

d) Note the serial number of the TOE on the shipping documentation. The serial number displayed on the white label affixed to the outer box will be that of the device. Verify the serial number on the shipping documentation matches the serial number on the separately mailed invoice for the equipment. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).

e) Verify that the box was indeed shipped from the expected supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner). This can be done by verifying with the supplier that they shipped the box with the courier company that delivered the box and that the consignment note number for the shipment matches that used on the delivery. Also verify that the serial numbers of the items shipped match the serial numbers of the items delivered. This verification should be performed by some mechanism that was not involved in the actual equipment delivery, for example, phone/FAX or other online tracking service.

f) Once the TOE is unpacked, inspect the unit. Verify that the serial number displayed on the unit itself matches the serial number on the shipping documentation and the invoice. If it does not, contact the supplier of the equipment (Cisco Systems or an authorized Cisco distributor/partner).


3. Secure Installation and Setup

3.1 Physical Installation

For local physical access, the Administrator has the following options available on the front and rear panels of the appliance. Only one option is needed.

3.1.1 Front Panel

A single female connector provides access to video, two USB ports for keyboard and mouse, and an RS-232C console serial port. An external breakout connector to industry standard interfaces is required if using the front panel for physical access. The following figure shows an example cable:

Figure 1

The interfaces for the cable are as follows:

(1) Front panel KVM/Console connector

(2) DB9 serial port connector

(3) Dual Type-A USB 2.0 connectors

(4) DB15 Video connector

3.1.2 Rear Panel

The Administrator may use one of the following:

a) Serial COM connector. This is a standard RS-232 serial COM port using an RJ-45 connector.

b) USB Type-A ports for keyboard and mouse and a standard VGA port for video.

For additional information, see the Cisco Prime Infrastructure 3.2 Appliance Hardware Installation Guide [1].

Once installed, power on the appliance.

Note: Do not press F8 to configure the CIMC utility. CIMC is disabled by default and must remain disabled in the evaluated configuration.


3.2 Initial Setup

After the appliance boots up, you’ll see the localhost login prompt.

At the localhost login prompt, enter setup. The console prompts you for the following parameters:

Hostname – The host name of the appliance

IP Address – The IP address of the appliance

IP default netmask – The default subnet mask for the IP address

IP default gateway – The IP address of the default gateway

Note: When supplying IP use IPv4 addressing

Default DNS domain – The default domain name

Primary name server – The IP address of the primary name server

Secondary name servers – The IP address of the secondary name server, if available. You can add up to three secondary name servers.

Note: A name server is not required in the evaluated configuration but is recommended.

Primary NTP server – The IP address or host name of the primary Network Time Protocol server you want to use. (time.nist.gov is the default)

Secondary NTP servers – The IP addresses or host names of the secondary NTP servers to be used when the primary is not available

Note: Do not enter a valid primary or secondary NTP server. In the evaluated configuration, the system hardware clock is used for reliable time. Refer to section 4.10 of this document for setting the time using the system hardware clock.

System Time Zone – The time zone code you want to use.

Clock time – The clock time based on the server’s time zone

Username – The name of the first Security Administrator used to log in to the server via the console. You can accept the default, which is admin.

Password – Enter the admin user password and then confirm it.

Note: The password must meet the following requirements:

At least 15 characters long

Composed of any combination of characters that includes characters from at least 3 of these four character sets: upper case letters, lower case letters, numbers, and the following special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”

If the password requirements are not met, an error message is returned. For example: % Error: Password does not meet minimum length requirement.


When you are done entering these values, the installer application tests the network configuration parameters that you entered. If the tests are successful, it begins installing Prime Infrastructure.

When the application installation is complete, you will be prompted for the following post-installation parameters:

High Availability Role Selection—Enter yes at the prompt if you want this installed server to serve as the secondary server in a high availability implementation. You will be prompted to provide an authentication key to be used for high availability registration. If you enter no at the prompt, the server will act as the primary server (standalone) and the installation will proceed with the following prompts:

Web Interface Root Password—Enter and confirm the password used for the default root administrator. This is the account used to log in to the Prime Infrastructure web user interface for the first time and set up other user accounts.

Note: The password must meet the following requirements:

At least 15 characters long

Composed of any combination of characters that includes characters from at least 3 of these four character sets: upper case letters, lower case letters, numbers, and the following special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, “)”

If the password requirements are not met, an error message is returned. For example: % Error: Password does not meet minimum length requirement.

Select Yes to proceed with the installation, or select No to re-enter high availability options.

When the installation is complete, the appliance reboots and you are presented with a login prompt.

3.3 Logging in to the Prime Infrastructure CLI

Successfully authenticate to the Command Line Interface (CLI) as an admin-role user as explained in Steps 1-3 of How to Connect Via CLI.

3.3.1 Initial configuration

The Security Administrator will need to contact Cisco Support (e-mail [email protected] or call us at 1-800-917-4134 or 1-410-423-1901) to obtain instructions for root access. Once obtained, the Security Administrator can temporarily obtain root-level privileges by following the procedure “Log In and Out as the Linux CLI root user” in [3]. This access is only needed for the initial configuration in sections 3 and 4, including certificate validation, and must not be used after setup is complete and while the TOE is running in the CC evaluated configuration. Use of the root shell after the TOE is running in the CC evaluated configuration, including use of the OpenSSL interface, is prohibited.


3.3.2 Change Default Logging

The Security Administrator will need to edit the following file to ensure audit logs are rotated.

a) Follow the procedure “Log In and Out as the Linux CLI root user” in [3].

b) Edit the file /etc/logrotate.d/syslog

c) After the /var/log/spooler line add the following new lines:

/opt/CSCOlumos/logs/rsysLogFwd.log

/opt/CSCOlumos/logs/updates.log

/opt/CSCOlumos/logs/fipsenable.log

d) The full contents should resemble:

    /var/log/cron
    /var/log/maillog
    /var/log/messages
    /var/log/secure
    /var/log/spooler
    /opt/CSCOlumos/logs/rsysLogFwd.log
    /opt/CSCOlumos/logs/updates.log
    /opt/CSCOlumos/logs/fipsenable.log
    {
        sharedscripts
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        endscript
    }

e) Save and exit

In addition, the Security Administrator will need to edit the following file to ensure all command logging is transmitted to the TLS Syslog Server.

a) Follow the procedure “Log In and Out as the Linux CLI root user” in [3].

b) Edit the file /opt/CSCOlumos/rsyslog-pi.conf

c) Add the following new entry on one line:

:msg, ereregex, ".*(password|session|clock|opcenter27|TTY|authentication|timeout|config|useradd|userdel|usermod).*" @127.0.0.1:8515

d) Enter service rsyslog restart (or restart the TOE)
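Both edits in this section fail silently when they are wrong: a logrotate stanza that omits a path never rotates it, and a forwarding rule whose pattern does not match leaves command logging on the box. The following Python check is an added example, not from the Cisco guide: it parses a logrotate stanza to confirm the three PI log files are listed and that syslogd is sent HUP after rotation, and it runs the guide's rsyslog regular expression over constructed sample messages to show which ones the rule would forward. The log paths are the page's; the sample messages and the "before" stanza are constructed for the example.

```python
"""Checks for the section 3.3.2 edits (added example, not from the Cisco guide):
does the logrotate stanza cover the three PI log files and reload syslog after
rotation, and which messages does the rsyslog forwarding rule actually match?"""
import re

PI_LOGS = (
    "/opt/CSCOlumos/logs/rsysLogFwd.log",
    "/opt/CSCOlumos/logs/updates.log",
    "/opt/CSCOlumos/logs/fipsenable.log",
)

# The regular expression exactly as written in the guide's rsyslog-pi.conf entry.
FORWARD_RE = re.compile(
    r".*(password|session|clock|opcenter27|TTY|authentication|timeout|config|"
    r"useradd|userdel|usermod).*"
)


def logrotate_stanzas(text):
    """Parse logrotate text into {frozenset(paths): body}. Every whitespace-separated
    token before a '{' is taken as a path (comments are not handled), and the body
    runs to the matching '}'."""
    return {frozenset(paths.split()): body
            for paths, body in re.findall(r"([^{}]+)\{([^{}]*)\}", text, re.S)}


def missing_pi_logs(text):
    """PI log files that no stanza rotates, in the guide's order."""
    covered = set().union(*logrotate_stanzas(text))
    return [p for p in PI_LOGS if p not in covered]


def reloads_syslog_after_rotation(text):
    """True if the stanza covering the PI logs sends HUP to syslogd in postrotate,
    as the guide's full contents do."""
    for paths, body in logrotate_stanzas(text).items():
        if set(PI_LOGS) <= paths:
            return "postrotate" in body and "-HUP" in body
    return False


def forwarded(message):
    """Would the rsyslog rule forward this message to 127.0.0.1:8515?
    The match is case-sensitive, exactly like the rule."""
    return FORWARD_RE.match(message) is not None


# Constructed: the stock stanza before the edit, and the stanza after it.
LOGROTATE_BEFORE = """/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
"""
LOGROTATE_AFTER = LOGROTATE_BEFORE.replace(
    "/var/log/spooler\n", "/var/log/spooler\n" + "\n".join(PI_LOGS) + "\n")

# Constructed sample messages in the shape rsyslog would see (not real PI output).
SAMPLE_MESSAGES = [
    "Accepted password for admin from 10.0.0.5 port 50122 ssh2",
    "new user: name=auditor, UID=1002 (useradd)",
    "eth0: link is up",
    "admin(config)# clock timezone UTC",
]


def report():
    """Summarise both checks; used when run directly."""
    return {
        "missing_before": missing_pi_logs(LOGROTATE_BEFORE),
        "missing_after": missing_pi_logs(LOGROTATE_AFTER),
        "hup_after": reloads_syslog_after_rotation(LOGROTATE_AFTER),
        "forwarded": [forwarded(m) for m in SAMPLE_MESSAGES],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

To run it against the real files, read `/etc/logrotate.d/syslog` into `missing_pi_logs` after step e); the regex check needs no root access, so it can be run on the management workstation against copies of the messages.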

3.3.3 FIPS mode of operation

By default, the FIPS mode of operation is enabled and is not configurable. At the CLI, the Security Administrator can verify that the TOE is running in FIPS mode by entering the following:

PIServer/admin# show logging application ncs tail


Scroll through the output until this file is displayed:

    ==> /opt/CSCOlumos/logs/fipsenable.log <==

The following message will be found:

    Operating in CiscoSSL FIPS mode

To exit the CLI type exit: PIServer/admin# exit

3.4 Logging in to the Prime Infrastructure Web GUI

From the Management workstation launch a supported web browser. For a list of supported browsers, refer to the web client requirements section of [2].

In the browser’s address line, enter https://ipaddress, where ipaddress is the IP address of the server on which you installed Prime Infrastructure. The Prime Infrastructure user interface displays the Login window.

Note: The Security Administrator must enter the IP address and not initiate HTTPS connections to the TOE using untrusted/unverified hyperlinks that might have been sent to them from an adversary via email or other means.

Enter the root administrator username and password, as specified during installation. You must click the checkbox to acknowledge the login disclaimer.

Click Login to log in to Prime Infrastructure. The user interface is now active and available for use. The home page appears. If any licensing problems occur, a message appears in an alert box. If you have an evaluation license, the number of days until the license expires is shown. You are also alerted to any expired licenses. You have the option to go directly to the Administration > Licenses page to address these problems.

3.4.1 Install TLS Client Cipher Restriction Patch

The Security Administrator will need to contact Cisco Support (e-mail [email protected] or call us at 1-800-917-4134 or 1-410-423-1901) to obtain the patch that restricts TLS client ciphers as required in the CC evaluated configuration. Once obtained, the Security Administrator will need to place the patch where it can be accessed from the PI GUI and follow the steps below:

a. Log in to the PI Web GUI.

b. Navigate to Administration.

c. Choose Licenses and Software Update.

d. Choose Software Update.

e. Click the link to upload an update file to your server.

f. Browse and locate the file.

g. Click OK.

h. Select the software update and click Install, then click Yes in the confirmation pop-up window.

Note: If the patch file is not signed or has been modified since it was downloaded from Cisco.com, Prime Infrastructure will abort the installation. Contact Cisco Support.

i. Click the Files tab.

j. Check the box for PI-patch-fips-1.ubf and click Install.


3.4.2 Verify TOE software version

The Security Administrator can verify the Appliance is running the Common Criteria certified version:

a) In the Web GUI, Click the settings icon at the upper right corner of any Prime Infrastructure page.

b) Click About Prime Infrastructure. The About page appears, listing the version of the product and other details.

c) The version will be 3.2.50.0.70.

d) View the Installed Updates. The PI-patch-fips-1.ubf installed from section 3.4.1 will be listed as online-file-handler v1.0.0.

To exit the user interface, click Log out in the top-right corner of the page.

4. Secure Configuration and Management

4.1 User Roles

Web GUI

The PI 3.2-FIPS TOE by default has multiple supported administrative group roles that compose the Security administrator role for managing the TOE via the Web GUI interface as described in the Security Target. The TOE also allows for customization of other roles. The administrative group roles are listed below:

Root — Members of this group have rights to perform all Administrative operations. The group permissions are not editable.

Super Users — Members of this group have rights to perform all Administrative operations. The group permissions are editable.

Admin — Members of this group have rights to administer the system and server. Can also perform monitoring and configuration operations. The group permissions are editable.

To add a new administrative user, see the Add Users and Manage User Accounts section in [3].

CLI

Successfully authenticate to the Command Line Interface (CLI) as an admin-role user as explained in Steps 1-3 of How to Connect Via CLI.

The PI 3.2-FIPS TOE has a single administrative group role for managing the TOE via the CLI interface. To add a new user to the admin group enter the following:

1. admin# config t
2. admin(config)# [no] username username password {hash | plain} password role admin

Example: username User1 password hash D14697E20CC4B4B1123038A21B563B5D36A13607 role admin

3. admin(config)# exit


Note: When creating a new user, the password must be entered using the hash form as shown in the example above. The admin user can get root-level privileges by following the procedure “Log In and Out as the Linux CLI root user” in [3].

4.2 Enable Strong Passwords

Web GUI

1. Choose Administration > Users, Roles & AAA, then click Local Password Policy.
2. The following password management settings are required:
a. The password must contain characters from at least three of the four character classes: upper case, lower case, digits, and special characters.
b. The minimum password length is 15.
c. Click Save.

CLI

1. Enter configuration terminal mode, then the password-policy sub-mode:
2. admin# config t
Enter configuration commands, one per line. End with CNTL/Z
3. admin(config)# password-policy
4. admin(config-password-policy)# digit-required
5. admin(config-password-policy)# upper-case-required
6. admin(config-password-policy)# lower-case-required
7. admin(config-password-policy)# special-required
8. admin(config-password-policy)# min-password-length 15
9. admin(config-password-policy)# exit

For more information refer to the password-policy command in [5].
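As an added example, not part of this guide or of the product, the following Python script models the two password policies of section 4.2 exactly as the section states them: the Web GUI rule (15 characters, at least three of the four character classes) and the CLI rule, where each *-required command makes its class mandatory, so all four classes are needed. The Policy type, the class names and the sample passwords are this example's own constructions; the appliance's internal enforcement logic is not shown on this page.

```python
import string
from dataclasses import dataclass

# Character classes named by the guide. ASCII only: a non-ASCII letter counts
# toward no class in this example.
UPPER, LOWER, DIGIT, SPECIAL = "upper", "lower", "digit", "special"
ALL_CLASSES = frozenset({UPPER, LOWER, DIGIT, SPECIAL})


@dataclass(frozen=True)
class Policy:
    """Password rules as this example models them (the type is this example's, not the product's)."""
    min_length: int
    min_classes: int                     # how many distinct classes must appear
    mandatory: frozenset = frozenset()   # classes that must each appear


# Web GUI policy from section 4.2: 15 characters, any three of the four classes.
GUI_POLICY = Policy(min_length=15, min_classes=3)
# CLI policy from section 4.2: every *-required flag is set, so all four classes.
CLI_POLICY = Policy(min_length=15, min_classes=4, mandatory=ALL_CLASSES)


def character_classes(password: str) -> frozenset:
    """Return the set of character classes present in the password."""
    present = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            present.add(UPPER)
        elif ch in string.ascii_lowercase:
            present.add(LOWER)
        elif ch in string.digits:
            present.add(DIGIT)
        elif ch in string.punctuation:
            present.add(SPECIAL)
    return frozenset(present)


def violations(password: str, policy: Policy) -> list:
    """List every rule the password breaks; an empty list means it complies."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    present = character_classes(password)
    if len(present) < policy.min_classes:
        problems.append(f"only {len(present)} of {policy.min_classes} required classes")
    for cls in sorted(policy.mandatory - present):
        problems.append(f"missing required class: {cls}")
    return problems


def complies(password: str, policy: Policy) -> bool:
    return not violations(password, policy)


if __name__ == "__main__":
    # Constructed sample passwords; the middle one passes the GUI rule but not the CLI rule.
    for candidate in ("correcthorsebattery1", "CorrectHorseBattery1", "Correct-Horse-Battery-1"):
        print(f"{candidate!r}: GUI={complies(candidate, GUI_POLICY)} CLI={complies(candidate, CLI_POLICY)}")
```

Running the script shows the practical consequence of the two settings: a password accepted by the Web GUI policy can still be rejected when the same account is created at the CLI, so the stricter all-four-classes rule is the one to hand to users.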

4.3 Restrict Web GUI Ciphers

The TOE evaluated configuration allows only ECDHE and DHE cipher suites to be offered by the Web GUI. To enable only ECDHE and DHE cipher suites, the administrator must run this command:

admin# ncs run tls-server-ciphers tls-ecdhe tls-dhe

The ciphers will be restricted to this list below:

o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256


4.4 Session Termination

Inactivity settings must trigger termination of remote and local administrator sessions (Web GUI and CLI) after a specified period of time.

Web GUI

These settings are configured by navigating to Administration > Settings > System Settings > General > Server > Global Idle Timeout in the GUI, which defines a session idle timeout period in minutes. The global idle timeout is enabled by default and set to 15 minutes. After this period elapses, the session is terminated.

CLI

To set the inactivity timeout for all sessions, use the terminal session-timeout command at the CLI of Prime Infrastructure. The default is 30 minutes.

admin# terminal session-timeout minutes

Note If a command had been partially typed at the CLI when the idle timeout is reached, the session will not be terminated at that point. Instead, the partial command entry will be terminated, returning the session to the command prompt, and the session idle timeout will start again.

For more information refer to the terminal session-timeout command in [5].

4.5 Login Banners

The TOE may be configured with pre-login banners. These banners are displayed before the username and password prompts.

Web GUI

To customize the banner with the required text for your organization, navigate to Administration > Settings > System Settings > General > Login Disclaimer. Enter your login disclaimer text in the available text box, then click Save.

CLI

To set a pre-login message on the TOE for all users who log in at the CLI, use the following steps:

1. Create a text file containing the message you want to display (for example, login.txt).
2. From an SFTP server, copy it to the TOE's defaultRepo (disk:/defaultRepo/login.txt).
3. Install the login banner by entering the following at the CLI of the TOE:

PIServer/admin# banner install pre-login login.txt repository defaultRepo

For all subsequent logons to the CLI, the banner will be displayed prior to session establishment.


4.6 Obtaining and Importing CA-Signed Certificates for HTTPS and TLS

Use Prime Infrastructure to generate a Certificate Signing Request (CSR) file and send it to a Certificate Authority (CA) for signing. By default, the request is made with the following algorithm and key size, which are not configurable:

Key algorithm: RSA

Key size: 2048 bits

Connect and log in at the CLI and follow steps 1 through 10 below:

Step 1 Enter the following command to generate a CSR file in the default backup repository:

PIServer/admin# ncs key genkey -newdn -csr csrfilename repository repositoryname

-newdn: Generates a new RSA key and certificate request with domain information.
-csr: Generates a new CSR.
csrfilename: CSR filename. It is an arbitrary name of your choice (for example, MyCertificate.csr).
repositoryname: Backup file location. The backup file name can contain up to 80 alphanumeric characters.

Example: PIServer/admin# ncs key genkey -newdn -csr CSRFile.csr repository defaultRepo

Enter the fully qualified domain name of the server: pi.cisco.com
Enter the name of your organizational unit: cisco
Enter the name of your organization: cisco
Enter the name of your city or locality: SJ
Enter the name of your state or province: CA
Enter the two letter code for your country: US
Do you need Subject Alternative Names in the certificate (yes/no)?: yes
Specify the names with comma-separated list in the format dns:<name>,ip:<address>: dns:test.pi.acme.com
Generating RSA key
PIServer/admin#

Step 2 Copy the CSR file to a location you can access. For example:

PIServer/admin# copy disk:/defaultRepo/CSRFile.csr ftp://your.ftp.server


Step 3 Send the CSR file to a Certificate Authority (CA) of your choice. There are no specific requirements for the CA. The CA will respond by sending you an SSL server certificate and one or more CA certificate files. All of these files will have the filename extension .cer. The CA response will indicate which of the files is:

The SSL server certificate. This is typically given a filename that reflects the host name of the server to which you will apply it.

The CA certificates, which are typically given filenames that reflect the name of the CA.

Step 4 Copy the individual certificates to PI:
a. Log into the root shell. Refer to section 4.1 above.
b. Change directory to the admin's home directory (for example, /home/admin).
c. Make a new directory named certs: mkdir certs
d. Using SFTP/FTP, copy the certificate chain to the certs directory.
e. Run openssl with the following options to validate the certificate chain (the <( ) process substitution requires a bash shell):

openssl verify -verbose -CAfile <(cat <intermediate-ca-cert> <root-ca-cert>) <host-cert>

If the output says the PI certificate is "OK", the chain is valid. If it reports an error such as "error at depth lookup: unable to get issuer certificate", the chain is invalid. Do not continue; contact your PKI administrator for assistance.

f. Run openssl with the following options to perform basic constraints checking:

openssl verify -x509_strict -CAfile <root-ca-cert> -untrusted <intermediate-ca-certs> <host-cert>

Pass the root CA certificate to the -CAfile argument. Pass all sub-CA certificates, combined into one file, to the -untrusted argument. Specify the host certificate last. If the output says the PI certificate is "OK", the basic constraints check passes. If it reports an error such as "error at depth lookup: invalid CA certificate", the basic constraints check fails. Do not continue; contact your PKI administrator for assistance.

Step 5 Before continuing:
a. Create a single certificate file by concatenating (using the cat command) all the CA certificate files into the SSL server certificate file. The SSL server certificate content must appear first in the resulting concatenated file. The CA certificate file contents can appear in the concatenated file in any order.

b. Remove any blank lines in the concatenated single certificate file using a text editor, awk, sed, or other OS-native facilities.
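The following Python helper is an added example, not part of this guide or of the product, that produces the single certificate file Step 5 calls for: server certificate first, CA certificates after it, with CRLF line endings and blank lines removed. It also refuses to include anything that is not a CERTIFICATE block, so a private key accidentally copied into the certs directory cannot end up in the file that is uploaded to the repository in Step 6. The PEM bodies in the sample are placeholders constructed for the example, not real certificates.

```python
import re

# One PEM block: a label such as CERTIFICATE or PRIVATE KEY, and a body up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed stand-ins for the .cer files the CA returns (Step 3). The bodies are
# placeholders for this example, not real certificates. The server file uses CRLF
# endings and contains a blank line, as files written on Windows often do.
SERVER_CER = "-----BEGIN CERTIFICATE-----\r\nU0VSVkVS\r\n\r\nQ0VSVA==\r\n-----END CERTIFICATE-----\r\n"
INTERMEDIATE_CER = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
ROOT_CER = "\n-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n\n"
LEAKED_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"


def pem_blocks(text: str) -> list:
    """Return (label, block) pairs; each block is re-emitted with LF endings and no blank lines."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = [ln.strip() for ln in m.group("body").splitlines() if ln.strip()]
        blocks.append((label, "\n".join([f"-----BEGIN {label}-----", *body, f"-----END {label}-----"])))
    return blocks


def build_bundle(server_cert_pem: str, ca_cert_pems: list) -> str:
    """Step 5: server certificate first, then every CA certificate, with no blank lines."""
    sources = [("server certificate", server_cert_pem)]
    sources += [(f"CA certificate {i}", pem) for i, pem in enumerate(ca_cert_pems, 1)]
    ordered = []
    for name, pem in sources:
        blocks = pem_blocks(pem)
        if not blocks:
            raise ValueError(f"{name}: no PEM block found")
        for label, block in blocks:
            if label != "CERTIFICATE":
                # Anything else (typically a private key) must not be uploaded with the chain.
                raise ValueError(f"{name}: refusing to bundle a {label} block")
            ordered.append(block)
    return "\n".join(ordered) + "\n"


def check_bundle(bundle: str, expected_certs: int) -> list:
    """Return the Step 5 requirements the bundle violates; an empty list means it is ready to copy."""
    problems = []
    if any(ln.strip() == "" for ln in bundle.rstrip("\n").splitlines()):
        problems.append("bundle contains blank lines")
    blocks = pem_blocks(bundle)
    if len(blocks) != expected_certs:
        problems.append(f"expected {expected_certs} certificates, found {len(blocks)}")
    if any(label != "CERTIFICATE" for label, _ in blocks):
        problems.append("bundle contains a non-certificate PEM block")
    return problems


if __name__ == "__main__":
    bundle = build_bundle(SERVER_CER, [INTERMEDIATE_CER, ROOT_CER])
    print(bundle, end="")
    print("problems:", check_bundle(bundle, expected_certs=3))
```

Run check_bundle against the file you intend to copy in Step 6; a non-empty result means the file would be rejected or, worse, would carry something other than certificates into the repository.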

Step 6 At the Prime Infrastructure command line, copy the single certificate file to the backup repository. For example:

PIServer/admin# copy ftp://your.ftp.server/CertFile.cer disk:/defaultRepo

where CertFile.cer is the single certificate file you created in the previous step.

Step 7 Enter the following command to import the single certificate file into the Prime Infrastructure server:

PIServer/admin# ncs key importsignedcert CertFile.cer repository defaultRepo

-or-

Enter the following command for importing a CA signed certificate created using a Windows Certificate Authority:

PIServer/admin# ncs key importcacert tomcat CertFile.cer repository defaultRepo

Step 8 To activate the CA-signed certificates, restart Prime Infrastructure. See section 4.13 of this document.

Step 9 Once the server has restarted, log in to Prime Infrastructure via the command line and display the list of certificates installed in the Prime Infrastructure keystore:

PIServer/admin# ncs key listcacerts

The list of installed certificates should contain the certificates you imported in Step 7.

Step 10 The Administrator also needs to import the client certificate into their browser in order to authenticate to the web GUI over HTTPS. Refer to the "Importing Client Certificates Into Web Browsers" section of [3].


4.7 Deleting CA-Signed Certificates

If at any time the CA-signed certificates need to be deleted, follow the steps in the "Deleting CA-Signed Certificates" section of [3].

4.8 Configure TLS Client Protected Syslog Server

The CC evaluated configuration requires Prime Infrastructure to send a change audit notification when changes are made to the system. These changes include configuration changes and admin logins and logouts.

You must configure Prime Infrastructure to send these messages to specific syslog receivers.

If you do not receive syslogs, you may need to change the anti-virus or firewall settings on the destination syslog receiver to permit reception of syslog messages.

1. Select Administration > Settings > System Settings, then choose Mail and Notification > Change Audit Notification.

2. Click the Add button (+) to specify a syslog receiver. In the Syslog Receivers area, enter the IP address, protocol (TLS) and port number of the syslog receiver.

3. Click Save.

When the TOE acts as a TLS client to TLS-protected syslog servers, it obtains the reference identifier from the administrator-configured syslog receiver address entered in step 2 above.

The TOE supports the following presented identifier types:

subjectAltName entry of type dNSName

Certificate pinning is unsupported.

Note: By default the TOE supports the following cipher suites for the TLS client; the list is not configurable:

o TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
o TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA
o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

4.9 SSH

By default, the TOE automatically creates SSH server key pairs for authentication using the following algorithms and key sizes, which are not configurable:

Key algorithms:
o RSA with a key size of 2048 bits
o ECDSA over the NIST curves P-256, P-384, and P-521

For remote administration sessions, the TOE supports the following encryption, MAC, and key exchange algorithms by default; they are not configurable:

Encryption algorithms: AES-128-CBC, AES-256-CBC, AES-128-GCM, and AES-256-GCM
MAC algorithms: HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512, AEAD_AES_128_GCM, AEAD_AES_256_GCM
Key exchange: diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

By default, SSH session keys are rekeyed after no more than one hour and after no more than one gigabyte of transmitted data, whichever comes first. These rekey thresholds are not configurable.

4.10 Public-Key Authentication

This section will explain how to set up public-key authentication. An example is given using PuTTY on the Remote Management Workstation.

1. Log into your computer and open the PuTTYgen key generation utility.
2. Under "Parameters", select SSH-2 ECDSA or RSA as the type of key to generate:
a) If selecting RSA, enter a key size of 2048.
b) If selecting ECDSA, choose a curve of nistp256, nistp384, or nistp521 from the drop-down menu.
3. Under "Actions", click Generate, and then, when prompted, use your mouse to move your cursor around the blank area under "Key" (this generates randomness the utility uses to create your key pair).
4. When the utility has generated your key pair, it will display the public key in the area under "Key".
5. Copy the public key to your clipboard.
6. In the "Key passphrase" and "Confirm passphrase" text boxes, enter a passphrase to passphrase-protect your private key.
7. Save your public key.
a) Under "Actions", next to "Save the generated key", click Save public key.
b) Give the file a name (e.g., putty_key), select a location on your computer to store it, and then click Save.
8. Save your private key.
a) Under "Actions", next to "Save the generated key", click Save private key.
Note: If you didn't passphrase-protect your private key, the utility will ask whether you're sure you want to save it without a passphrase. Click Yes to proceed or No to go back and create a passphrase for your private key.
b) Keep "Save as type" set to PuTTY Private Key Files (*.ppk), give the file a name (e.g., putty_private_key), select a location on your computer to store it, and then click Save.

9. Log into the PI as the security administrator.

10. Log in with root-level privileges by following the procedure "Log In and Out as the Linux CLI root user" in [3].

11. Change directory to the admin's home directory (for example, /home/admin-1).

12. Enter: mkdir -p .ssh

13. Enter: touch .ssh/authorized_keys

14. Edit the authorized_keys file using vi

15. Paste the public key into the file

16. Save and exit vi.

17. Logout of the PI CLI

18. Launch PuTTY from the Windows Computer.

19. Enter the host name or IP address of the PI server in the Connection section, in the form user@host.

20. Under the Connection menu, under SSH, select Auth.

21. Tell PuTTY the location of the private key by clicking the Browse button and navigating to the private key file.

22. Click Open.

23. Enter your passphrase to your private key file.

24. You will be logged in with public-key authentication.

4.11 Clock and Time Zone Management

To set the system clock, use the clock command at the CLI:

clock set [mmm dd hh:mm:ss yyyy]

For example:

admin# clock set May 5 18:07:20 2017

For additional information refer to the clock command in [5].

For proper certificate validation, the CC evaluated configuration must be configured for the Coordinated Universal Time (UTC) time zone. If the UTC time zone is not used, certificate validation may not succeed and connections to the syslog audit server will fail. To set the time zone to UTC, enter at the CLI in config mode:

admin(config)# clock timezone UTC

Note: With the time zone set to UTC, the Security Administrator should be aware that timestamps in audit records will be in UTC. The Security Administrator will need to add or subtract the appropriate number of hours to/from UTC to get local time. The link below displays time zone differences from UTC for worldwide countries and cities: https://www.timeanddate.com/worldclock/difference.html?p1=1440

4.12 Trusted Updates

Cisco provides updates to Prime Infrastructure TOE software periodically. These updates fall into the following categories:

Critical Fixes—Provide critical fixes to the software. We strongly recommend that you download and apply all of these updates as soon as they are available.

Device Support—Adds support for managing devices which Prime Infrastructure did not support at release time. These updates are published on a monthly basis.

Add-Ons—Provide new features, which can include new GUI screens and functionality, to supplement the Prime Infrastructure version you are using.

Instructions to download and install a software update are found in the "Download and Install a Software Update" section of [3]. If the Prime Infrastructure TOE determines the update is not signed, an error will appear stating the update is not signed. If the TOE determines the update file has an invalid digital signature, a similar error will appear. If either error is displayed, you will not be allowed to continue with the patch installation. Contact Cisco Technical Support for assistance.

4.13 Stop/Start Prime Infrastructure Service

To stop the PI service open a CLI session and enter the following:

admin# ncs stop

Wait for the command to complete. To start the PI service enter the following:

admin# ncs start


Only the admin can stop and start the PI service.

4.14 Power-on Self Tests

The TOE performs power-on self tests to ensure all cryptographic components are functioning correctly. The list of self-tests is in the TSS section of the ST. All self-tests must pass.

If any of the tests fail, the administrative web-based UI will not be accessible. For a limited time window the Security Administrator will be able to log in to the local CLI console. After authenticating, a fatal error is displayed and the administrator is only allowed to press <Enter> to log out; no other actions can be performed. The error message displayed is: "ERROR: NCS SERVICES HAVE BEEN DISABLED BECAUSE FIPS INTEGRITY CHECK HAS FAILED! EITHER REIMAGE FROM INSTALLATION MEDIA, OR CONTACT CISCO TECHNICAL SUPPORT CENTER FOR INSTRUCTIONS ON DIAGNOSING THE FAILURE. Press <Enter> to logout".

The Security Administrator should contact Cisco Technical Support for assistance.

4.15 Saving Configuration

PI uses both a running configuration and a startup configuration when working with the CLI. Configuration changes affect the running configuration; to preserve them, the running configuration (held in memory) must be copied to the startup configuration. This is done with either the write memory command or the copy running-config startup-config command. For more information refer to the "Configuration Mode" section of [5]. These commands should be used frequently when making changes to the configuration of the TOE. If the TOE reboots while uncommitted changes exist, those changes will be lost and the TOE will revert to the last saved configuration.

When working with the GUI, the configuration is automatically saved every time values are entered and the “Save” button is used on each screen.

5. Security Relevant Events

The PI 3.2-FIPS TOE generates an audit record whenever an audited event occurs. The types of events that cause audit records to be generated include identification and authentication related events, startup and shutdown, and administrative events. Each event is recorded in the syslog record in enough detail to identify the user with which the event is associated, when the event occurred, where the event occurred, the outcome of the event, and the type of event that occurred.

If the disk space on which the TOE executes becomes completely exhausted, the TSF will drop new web application audit event data. To avoid that situation the TOE generates warning messages when overall disk utilization exceeds 65%. For immediate relief, to free up disk space the Security Administrator should run a command to compact the database. For additional information refer to the ncs cleanup command in [5].

The PI 3.2-FIPS TOE can maintain logs in multiple locations: local storage of the generated audit records and a syslog receiver, where the TOE will simultaneously offload those events to the external syslog server. The administrator should review logs at both locations.


The TOE uses TCP syslog over the TLS-protected trusted channel to transmit audit data to an external syslog server. TCP syslog buffers a small number of audit records on the TOE if the TCP syslog connection fails and it discovers it can no longer communicate with its configured syslog server. The buffer contents will be transmitted when connectivity to the syslog server is restored.

If the connection is unintentionally broken, the administrator should perform the following steps to diagnose and fix the problem:

Check the physical network cables.

Check that the audit server is still running.

Reconfigure the audit log settings.

5.1 Viewing Audit Records

Table 5 below provides sample audit records for the required security functional requirements from the NDcPP. Audit records are viewed in the CLI.

1. Successfully authenticate to the Command Line Interface (CLI) as an admin-role user as explained in Steps 1-3 of How to Connect Via CLI

2. Run the command specified in the Sample Record and Location column in Table 5. For example, enter the "ncs run livelogs" or "ncs run loghistory" command. "ncs run livelogs" displays audited events as they occur in real time.

Note: Both commands have the following filter options:
a) all
b) secure
c) ade
d) messages

Note: To stop the execution of livelogs enter: Ctrl+C

Table 5: Auditable Events

Columns: Requirement | Auditable Events | Additional Audit Record Contents | Sample Record and Location

FAU_GEN.1 – Start/Stop Audit Functions and Services
Auditable Events: None
Additional Audit Record Contents: None
Sample Record and Location:
Logging starting:
2017-06-30T06:10:50.039292-07:00 opcenter27 ADEOSShell[8130]: Change Audit Details:SUCCESS:CARS CLI:startncs::root:/opt/system/bin/carssh:/dev/pts/3:1
Logging stopping:
2017-06-30T05:54:07.536236-07:00 opcenter27 ADEOSShell[7061]: Change Audit Details:SUCCESS:CARS CLI:stopncs::root:/opt/system/bin/carssh:/dev/pts/3:1
Viewed with: admin# ncs run livelogs or ncs run loghistory

FAU_GEN.1 – Resetting Passwords
Auditable Events: None
Additional Audit Record Contents: None
Sample Record and Location:
Web GUI:
User '(username)' edited root (ip address) User Management 2017-Jul-07 07:40:44 PDT
Viewed with: show logging application ncs | include "Current User:"
CLI:
2017-07-07T07:46:20.321233-07:00 opcenter27 debugd[2025]: [26615]: user: user.c[490] [admin]: password updated successfully for user User1
Viewed with: admin# ncs run livelogs or ncs run loghistory

FAU_GEN.1 – Generating/import of, changing, or deleting of cryptographic keys
FMT_MTD.1/AdminAct
Auditable Events: None
Additional Audit Record Contents: None
Sample Record and Location:
2017-07-07T08:02:27.396707-07:00 opcenter27 ADEOSShell[28694]: Change Audit Details:SUCCESS:CARS CLI:genkeynewdn_csr::root:/opt/system/bin/carssh:/dev/pts/3:1
Viewed with: admin# ncs run livelogs or ncs run loghistory

FCS_HTTPS_EXT.1
FCS_TLSS_EXT.1
Auditable Events: Failure to establish a HTTPS session.
Additional Audit Record Contents: Reason for failure.
Sample Record and Location:
Failure to establish a HTTPS Session.
Reason: Handshake failed
Detailed Reason: SSL handshake terminated: Failure in SSL library, usually a protocol error:
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (s3_srvr.c:1435 0x7f0e073c8e05:0x00000000): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Viewed with: admin# ncs run livelogs or ncs run loghistory


FCS_TLSC_EXT.1
Auditable Events: Failure to establish a TLS session
Additional Audit Record Contents: Reason for failure
Sample Record and Location:
RECEIVED: <131>Jun 26 08:07:02
Connecting to TCP server
javax.net.ssl.SSLException: javax.net.ssl.SSLHandshakeException: ../Source/JNI_glue/SSL.cpp:NativeCrypto_SSL_verify_peer_in_cert: Common criteria: hostname mismatch violation
at com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:583)
at com.cisco.xmp.audit.syslog.forwarder.TLSSyslogForwarder.connectToSyslogServer(TLSSyslogForwarder.java:52)
Viewed with: "show logging application ncs tail"
Scroll until this file is displayed:
==> /opt/CSCOlumos/logs/rsysLogFwd.log <==
Also see the sample audit records for FCS_HTTPS_EXT.1 and FCS_TLSS_EXT.1.

FCS_SSHS_EXT.1
Auditable Events: Failure to establish an SSH session
Additional Audit Record Contents: Reason for failure; non-TOE endpoint of connection (IP address)
Sample Record and Location:
2017-07-06T17:56:15.743348-07:00 opcenter27 sshd[13930]: Unable to negotiate with (ip address) port 50890: no matching key exchange method found.
Viewed with: admin# ncs run livelogs or ncs run loghistory

FIA_UIA_EXT.1
Auditable Events: All use of the identification and authentication mechanism.
Additional Audit Record Contents: Provided user identity, origin of the attempt (e.g., IP address).
Sample Record and Location:

GUI with Username/Password - SUCCESS:

Login/Logout successful for user root from (IP address) 2017-Jun-26, 07:09:17 PDT

GUI with Username/Password - FAILURE:

Authentication Failed.Login failed for user root from (IP address) 2017-Jun-26, 07:32:46 PDT

Viewed with:

show logging application ncs | include "User:"

Local Console Username/Password – SUCCESS:

2017-07-03T09:17:50.674842-07:00 opcenter27 pam_unix(session): session opened for user admin by (uid=0)


Local Console Username/Password – FAILURE:

2017-06-30T13:10:33.624544-07:00 opcenter27 unix_chkpwd[25223]: password check failed for user (admin)

SSH Public Key Authentication – SUCCESS

2017-07-06T17:46:16.952179-07:00 opcenter27 sshd[12145]: Accepted publickey for User1 from (ip address) port 50856 ssh2: ECDSA SHA256:gQt0/f6MkLBkOAllK/nVRmOJU9HWbkuIsrp1WKVv7EY

SSH Password Authentication – SUCCESS

2017-07-06T18:04:00.533318-07:00 opcenter27 sshd[15247]: Accepted password for admin from 10.98.123.197 port 61034 ssh2

2017-07-06T18:04:00.534372-07:00 opcenter27 sshd[15247]: pam_unix(sshd:session): session opened for user admin by (uid=0)

SSH Password Authentication – FAILURE

2017-07-06T18:05:34.745162-07:00 opcenter27 sshd[15526]: Failed password for admin from (ip address) port 61045 ssh2

2017-07-06T18:05:42.379172-07:00 opcenter27 sshd[15526]: error: maximum authentication attempts exceeded for admin from (ip address) port 61045 ssh2 [preauth]

2017-07-06T18:05:42.379288-07:00 opcenter27 sshd[15526]: Disconnecting from (ip address):61045: Too many authentication failures [preauth]

Viewed with: admin# ncs run livelogs or ncs run loghistory

FIA_UAU_EXT.2
Auditable Events: All use of the identification and authentication mechanism.
Additional Audit Record Contents: Origin of the attempt (e.g., IP address).
Sample Record and Location: See events for FIA_UIA_EXT.1 above.

FIA_X509_EXT.1
Auditable Events: Unsuccessful attempt to validate a certificate
Additional Audit Record Contents: Reason for failure
Sample Record and Location:

(1)
Sun Jun 18 11:48:34 IST 2017 NOTICE reswaras Time:Sun Jun 18 11:48:33 UTC 2017, Device Ip:NA, Category:SYSTEM, Type: Change Audit, Client IP Address (IP Address),Change Audit Details:Failure to establish a HTTPS Session.\n\nReason: Handshake failed\n\nDetailed Reason: SSL handshake terminated: Failure in SSL library, usually a protocol error:\n#011error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Note: Audit sample (1) above is received when attempting to validate a certificate that has an invalid CA.

(2)
Sun Jun 18 11:48:34 IST 2017 NOTICE reswaras Time:Sun Jun 18 11:48:33 UTC 2017, Device Ip:NA, Category:SYSTEM, Type: Change Audit, Client IP Address (IP Address),Change Audit Details CiscoJNativeErrorRuntimeExeception: NativeCrypto_ANSI_TIME_to_Calendar at sun.security.provider.certpath.BasicChecker.verifyTimestamp
Note: Audit sample (2) above is received when attempting to validate a certificate that is expired.

(3)
Sun Jun 18 11:48:34 IST 2017 NOTICE reswaras Time:Sun Jun 18 11:48:33 UTC 2017, Device Ip:NA, Category:SYSTEM, Type: Change Audit, Client IP Address (IP Address),Change Audit Details javax.net.ssl.SSLHandshakeException: Handshake failed
Caused by: javax.net.ssl.SSLProtocolException: SSL Handshake aborted: Failure in SSL library, usually a protocol error.
Note: Audit sample (3) above is received when attempting to validate a certificate that has been modified.

(4)
Sun Jun 18 11:48:34 IST 2017 NOTICE reswaras Time:Sun Jun 18 11:48:33 UTC 2017, Device Ip:NA, Category:SYSTEM, Type: Change Audit, Client IP Address (IP Address),Change Audit Details Java.security: CertificateException
Caused by: java.lang.IllegalArgumentException: The key cannot be null.
Note: Audit sample (4) above is received when attempting to validate a certificate with a modified public key or signature.

Viewed with (2): "show logging application ncs tail"
Scroll until this file is displayed:
==> /opt/CSCOlumos/logs/rsysLogFwd.log <==


FMT_MOF.1(1)/Audit (Administrator Action)
Auditable Events: Modification of the behaviour of the transmission of audit data to an external IT entity.
Additional Audit Record Contents: None.
Sample Record and Location:
Initiation of the trusted channel:
2017-07-03T12:12:20.714379-07:00 opcenter27 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="30733" x-info="http://www.rsyslog.com"] start
Viewed with: admin# ncs run livelogs or ncs run loghistory

FMT_MOF.1(1)/ TrustedUpdate

Any attempt to initiate a manual update

None.

[2017-06-20 05:44:11,649] [main] [update] [INFO ] - Start processing update packages

Viewed with: "show logging application ncs | include update]"

FMT_MTD.1 All management activities of TSF data.

None.

See SFRs marked with “Administrator Action” in this table. In addition, see the events below:

Specifying a password-policy

Mon Apr 09 23:38:40 PDT 2018 DEBUG debugd[2009]: [6361]: user:password-policy: user.c[1716] [root]: #012passLockEnabled = 0, retryCountLockout = 3, lockoutTimeInMins = 5

Specifying the terminal session-timeout value

2018-04-09T23:04:14.117762+00:00 pi-3-2-fips debugd[2027]: [8595]: utils: vsh_root_stubs.c[2004] [admin]: terminal session-timeout set success

Add a User – GUI

2018-04-10T10:43:13.252821+00:00 pi-3-2-fips Time:Tue Apr 10 10:43:13 UTC 2018, Device Ip:NA, Category: Change Audit, Type:User Management, User Name: root, Client IP Address:NA,Change Audit Details:User 'rwest' added

Modify a User – GUI

2018-04-10T10:44:56.778885+00:00 pi-3-2-fips Time:Tue Apr 10 10:44:56 UTC 2018, Device Ip:NA, Category: Change Audit, Type:User Management, User Name: root, Client IP Address:NA,Change Audit Details:User 'rwest' edited


Delete a User – GUI

2018-04-10T11:03:26.059077+00:00 pi-3-2-fips Time:Tue Apr 10 11:03:26 UTC 2018, Device Ip:NA, Category: Change Audit, Type:User Management, User Name: root, Client IP Address:NA,Change Audit Details:User [username] deleted

Add a User – CLI

2018-04-10T10:56:47.035604+00:00 pi-3-2-fips debugd[2027]: [8488]: user: user_store_cli.c[183] [admin]: CLI user added : [username]

Modify a User – CLI

2018-04-10T10:56:47.032649+00:00 pi-3-2-fips debugd[2027]: [8488]: user: user.c[511] [admin]: password updated successfully for user [username]

Delete a User – CLI

2018-04-10T11:02:07.650186+00:00 pi-3-2-fips debugd[2027]: [9489]: user: user_store_cli.c[80] [admin]: CLI user deleted : [username]

FPT_STM.1

Administrator Action

Changes to the time.

The old and new values for the time.

Origin of the attempt to change time for success and failure (e.g., IP address).

Manual changes to system time

2017-06-29T08:03:43.736433-07:00 opcenter27 debugd[2025]: [26590]: config:clock: syscfg_cli.c[1260] [admin]: clock year 2017

2017-06-29T08:03:43.736543-07:00 opcenter27 debugd[2025]: [26590]: config:clock: sysconfig.c[1659] [admin]: Setting the Local Time to Jun 29 11:04:20 2017

2017-06-29T11:04:20.001372-07:00 opcenter27 debugd[2025]: [26590]: config:clock: sysconfig.c[1672] [admin]: Date command output: Thu Jun 29 11:04:20 PDT 2017

2017-06-29T11:04:20.100048-07:00 opcenter27 debugd[2025]: [26590]: utils: sysconfig.c[2359] [admin]: carsNotifyApps(): On a TTY, hence called from CLI. Notifying apps.


Viewed with: admin# ncs run livelogs or ncs run loghistory

FPT_TUD_EXT.1

Administrator Action

Initiation of update; result of the update attempt (success or failure)

No additional information.

Success

[2018-04-06 20:50:47,547] [https-jsse-nio-443-exec-1] [update] [INFO ] - Uploaded UBF file <filename> in <number> msecs

[2018-04-06 20:50:48,435] [main] [update] [INFO ] - Started applying patch group online-file-handler(V:1.0.0)

[2018-04-06 20:50:48,579] [main] [update] [INFO ] - The patch file-handler from patch group online-file-handler(V:1.0.0) was successfully applied in 120 msecs

Viewed with: admin# show logging application ncs | include update]

Failure due to bad signature or file corruption:

[2018-04-06 14:33:57,738] [https-jsse-nio-443-exec-1] [update] [INFO ] - Uploaded UBF file <filename> in <number> msecs

[2018-04-06 14:33:58,556] [https-jsse-nio-443-exec-6] [UpdateProcessorService] [ERROR] - The update file PI_3_2_FIPS_Update_01-1.0.0.ubf contains an invalid signature

Viewed with: admin# show logging application ncs | include UpdateProcessorService]

Note: When the ‘UpdateProcessorService’ determines a signature is invalid, it generates the error shown above, so the ‘update’ process is never engaged.

Failure due to unsigned update file:

[2018-04-09 08:50:42,127] [https-jsse-nio-443-exec-1] [update] [INFO ] - Uploaded UBF file <filename> in <number> msecs

Note: When the ‘Sign Verification’ process determines no signature is present, it generates the pop-up alert shown below, which the administrator must acknowledge. The ‘Sign Verification’ process does not generate an audit message, so when the logs include only the “Update UBF” message (see the https message sample above for initiation of the update) but no subsequent message from “[main] [update]” or “UpdateProcessorService”, that means the uploaded image was rejected due to lack of signature.

FTA_SSL_EXT.1 Any attempts at unlocking of an interactive session.

No additional information.

In the TOE this is represented by login attempts that occur after the timeout of an administrative user.

See events for FIA_UIA_EXT.1 above.

FTA_SSL.3 The termination of a remote session by the session locking mechanism.

No additional information.

GUI

Logout successful for user root from (IP Address) 2017-Jun-26, 08:38:34 PDT

Viewed with: show logging application ncs | include "User:"

CLI

2017-08-03T14:06:08.674773-07:00 opcenter27 sshd[19383]: pam_unix(sshd:session): session closed for user User1

Viewed with: admin# ncs run livelogs or ncs run loghistory

FTA_SSL.4

Administrator Action

The termination of an interactive session.

No additional information.

GUI

Logout successful for user root from (IP Address) 2017-Jun-26, 08:38:34 PDT

Viewed with: show logging application ncs | include "User:"

CLI

2017-08-03T14:09:04.492605-07:00 opcenter27 sshd[21653]: pam_unix(sshd:session): session closed for user User1

Viewed with: admin# ncs run livelogs or ncs run loghistory

FTP_ITC.1 Initiation of the trusted channel.

Termination of the trusted channel.

Failure of the trusted channel functions.

Identification of the initiator and target of failed trusted channels establishment attempt.

Initiation of the trusted channel:

2017-07-03T12:12:20.714379-07:00 opcenter27 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="30733" x-info="http://www.rsyslog.com"] start

Viewed with: admin# ncs run livelogs or ncs run loghistory

See events for FCS_TLSS_EXT.1 above.

FTP_TRP.1 Initiation of the trusted channel.

Termination of the trusted channel.

Failures of the trusted path functions.

Identification of the claimed user identity.

See events for FCS_TLSS_EXT.1 and FCS_SSHS_EXT.1 above.

FAU_GEN.2 None. None. Not Applicable

FAU_STG_EXT.1 None. None. Not Applicable

FCS_CKM.1 None. None. Not Applicable

FCS_CKM.2 None. None. Not Applicable

FCS_CKM.4 None. None. Not Applicable

FCS_COP.1(1) None. None. Not Applicable

FCS_COP.1(2) None. None. Not Applicable

FCS_COP.1(3) None. None. Not Applicable

FCS_COP.1(4) None. None. Not Applicable

FCS_RBG_EXT.1 None. None. Not Applicable

FIA_PMG_EXT.1 None. None. Not Applicable

FIA_UAU.7 None. None. Not Applicable

FIA_X509_EXT.2 None. None. Not Applicable

FIA_X509_EXT.3 None. None. Not Applicable

FMT_SMF.1 None. None. Not Applicable

Page 38: Cisco Prime Infrastructure 3.2 Common Criteria ... · 1.3 Document References ... Secure Configuration and Management ... administrator but rather is a road map for identifying the

38

Requirement Auditable Events

Additional Audit Record Contents

Sample Record and Location

FMT_SMR.2 None. None. Not Applicable

FPT_SKP_EXT.1 None. None. Not Applicable

FPT_APW_EXT.1 None. None. Not Applicable

FPT_TST_EXT.1 None. None. Not Applicable

FTA_TAB.1 None. None. Not Applicable

See the table below for a summary of Admin Actions defined in FAU_GEN.1

Admin Actions Audit Event

Administrative login and logout

Refer to the Audit Events for FIA_UIA_EXT.1 – User Identification and Authentication

Resetting passwords

Refer to the Audit Events for FAU_GEN.1 – Resetting Passwords

Generating/import of, changing, or deleting of cryptographic keys

Refer to the Audit Events for FAU_GEN.1 – Generating/import of, changing, or deleting of cryptographic keys

Security-related configuration changes (FMT_MOF.1(1)/Audit,FPT_STM.1, FPT_TUD_EXT.1, FTA_SSL.4)

Refer to the Audit Events for FMT_MTD.1 – Management of TSF Data

Table 6: Administrative Actions
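The sample records in Table 5 come in a handful of shapes: the Change Audit records shown by "show logging application ncs" (and forwarded in rsysLogFwd.log), the "[update]" / "UpdateProcessorService" lines of the ncs application log, the debugd lines from "ncs run livelogs", and sshd session lines. The script below is an added example written for this guide, not Cisco code and not a Prime Infrastructure feature: it parses constructed copies of the table's samples into fields, maps each record to the audit event family the table documents, and applies the guide's own rule for the unsigned-update case (an "Uploaded UBF file" record with no later "[update]" or "UpdateProcessorService" record means the image was rejected). The regular expressions, field names and event-family labels are assumptions built from the table's examples; `<filename>` and `<number>` are kept as the placeholders the guide uses.

```python
import re
from collections import Counter

# Change Audit records (show logging application ncs; also forwarded via rsysLogFwd.log).
CHANGE_AUDIT_RE = re.compile(
    r"Time:(?P<time>[^,]+),\s*Device Ip:(?P<device_ip>[^,]+),\s*Category:\s*(?P<category>[^,]+),"
    r"\s*Type:\s*(?P<type>[^,]+),(?:\s*User Name:\s*(?P<user>[^,]+),)?"
    r"\s*Client IP Address[: ]\s*(?P<client_ip>[^,]+),\s*Change Audit Details:?\s*(?P<details>.*)$")
# ncs application log lines of the update service ("[INFO ]" is padded in the log).
NCS_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] \[(?P<level>[^\]]+)\] - (?P<msg>.*)$")
# debugd lines seen with "ncs run livelogs" / "ncs run loghistory".
DEBUGD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) debugd\[\d+\]: \[\d+\]: (?P<component>.+?): "
    r"(?P<source>\S+\.c\[\d+\]) \[(?P<user>[^\]]+)\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
# Substrings taken from the guide's three certificate-validation failure samples.
CERT_FAILURE_MARKERS = ("verifyTimestamp", "SSLHandshakeException", "CertificateException")


def parse_record(line):
    """Return a dict with a 'kind' key plus the fields that record shape carries."""
    m = CHANGE_AUDIT_RE.search(line)
    if m:  # whatever precedes "Time:" (syslog header or ncs log header) is kept as 'received'
        return {"kind": "change_audit", "received": line[:m.start()].strip(), **m.groupdict()}
    m = NCS_LOG_RE.match(line)
    if m:
        return {"kind": "ncs_update", **m.groupdict(), "level": m.group("level").strip()}
    m = DEBUGD_RE.match(line)
    if m:
        return {"kind": "debugd", **m.groupdict()}
    m = SSHD_RE.match(line)
    if m:
        return {"kind": "sshd", **m.groupdict()}
    if " rsyslogd: [origin " in line:
        return {"kind": "rsyslogd", "msg": line.split("] ", 1)[-1]}
    return {"kind": "unknown", "raw": line}


def classify(rec):
    """Map a parsed record to the audit event family described in Table 5 (labels are assumed)."""
    kind = rec["kind"]
    if kind == "change_audit":
        if any(marker in rec["details"] for marker in CERT_FAILURE_MARKERS):
            return "certificate_validation_failure"
        return "user_management" if rec["type"].strip() == "User Management" else "change_audit_other"
    if kind == "ncs_update":
        if rec["logger"] == "UpdateProcessorService" and "invalid signature" in rec["msg"]:
            return "update_signature_failure"
        if "Uploaded UBF file" in rec["msg"] or "Start processing update" in rec["msg"]:
            return "update_initiated"
        return "update_applied" if "successfully applied" in rec["msg"] else "update_other"
    if kind == "debugd":
        if rec["component"].startswith("config:clock"):
            return "time_change"
        if rec["component"] == "user:password-policy":
            return "password_policy_change"
        if rec["component"].startswith("user"):
            return "user_management"
        return "session_timeout_config" if "session-timeout" in rec["msg"] else "debugd_other"
    if kind == "sshd":
        return "session_end" if "session closed" in rec["msg"] else "sshd_other"
    return "syslog_channel_start" if kind == "rsyslogd" else "unknown"


def uploads_without_follow_up(records):
    """Timestamps of 'Uploaded UBF file' records not followed by any other update record.
    Per the guide, an unsigned UBF is rejected without an audit message, so an upload
    with no follow-up from '[update]' or 'UpdateProcessorService' is that case."""
    ncs = [r for r in records if r["kind"] == "ncs_update"]
    flagged = []
    for i, rec in enumerate(ncs):
        if "Uploaded UBF file" in rec["msg"]:
            nxt = ncs[i + 1] if i + 1 < len(ncs) else None
            if nxt is None or "Uploaded UBF file" in nxt["msg"]:
                flagged.append(rec["ts"])
    return flagged


def summarize(lines):
    """Count event families over a batch of log lines."""
    return Counter(classify(parse_record(ln)) for ln in lines if ln.strip())


# Constructed sample lines, adapted from the guide's Table 5 samples (chronological order).
SAMPLE_LINES = [
    "Sun Jun 18 11:48:34 IST 2017 NOTICE reswaras Time:Sun Jun 18 11:48:33 UTC 2017, Device Ip:NA, "
    "Category:SYSTEM, Type: Change Audit, Client IP Address (IP Address),Change Audit Details "
    "CiscoJNativeErrorRuntimeExeception: NativeCrypto_ANSI_TIME_to_Calendar at "
    "sun.security.provider.certpath.BasicChecker.verifyTimestamp",
    "2017-06-29T08:03:43.736543-07:00 opcenter27 debugd[2025]: [26590]: config:clock: sysconfig.c[1659] "
    "[admin]: Setting the Local Time to Jun 29 11:04:20 2017",
    "2017-08-03T14:06:08.674773-07:00 opcenter27 sshd[19383]: pam_unix(sshd:session): session closed for user User1",
    "[2018-04-06 14:33:57,738] [https-jsse-nio-443-exec-1] [update] [INFO ] - Uploaded UBF file <filename> in <number> msecs",
    "[2018-04-06 14:33:58,556] [https-jsse-nio-443-exec-6] [UpdateProcessorService] [ERROR] - "
    "The update file PI_3_2_FIPS_Update_01-1.0.0.ubf contains an invalid signature",
    "[2018-04-06 20:50:47,547] [https-jsse-nio-443-exec-1] [update] [INFO ] - Uploaded UBF file <filename> in <number> msecs",
    "[2018-04-06 20:50:48,579] [main] [update] [INFO ] - The patch file-handler from patch group "
    "online-file-handler(V:1.0.0) was successfully applied in 120 msecs",
    "[2018-04-09 08:50:42,127] [https-jsse-nio-443-exec-1] [update] [INFO ] - Uploaded UBF file <filename> in <number> msecs",
    "2018-04-10T10:43:13.252821+00:00 pi-3-2-fips Time:Tue Apr 10 10:43:13 UTC 2018, Device Ip:NA, "
    "Category: Change Audit, Type:User Management, User Name: root, Client IP Address:NA,"
    "Change Audit Details:User 'rwest' added",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print("uploads with no follow-up:", uploads_without_follow_up([parse_record(l) for l in SAMPLE_LINES]))
```

Run against the constructed batch, the summary shows one certificate validation failure, one signature failure, three update initiations, one applied update, one time change, one user-management change and one session end, and the follow-up check flags only the 2018-04-09 upload. Feeding the real "show logging application ncs" and "ncs run loghistory" output through the same functions is the intended use; the correlation rule is only as good as the completeness of the batch, so run it over a contiguous slice of the log rather than grep output.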

5.2 Log Rotation – Audit Event Data

a) Log files from the following audit events in table 5 viewed with show logging application ncs:

o Resetting Passwords for Web GUI Admin Account

o Add/Modify/Delete a Web GUI Admin Account

o Login and Logout events to the Web GUI

are rotated by default when the size reaches 10 MB. The Administrator is able to configure the log file rotation size threshold by navigating to Log File Settings page (Administration > Settings > Logging) and specify the maximum file size in MB and number of logs. The default value is 10 MB and 10 log files. Logs are saved until they reach the maximum size. At that point, a number is appended to the log file and a new log is started. When the number of logs exceeds the maximum, the oldest log is deleted.


b) Log files from all other audit events listed in table 5 are rotated as follows: if the size reaches 10 MB within a maximum of 7 days, the file is rotated. It is also rotated weekly (Sunday), regardless of size. This is not configurable.
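The rotation policy in a) above is a bounded window: once more than the configured number of numbered files exists, the oldest is deleted, so audit records older than roughly (maximum file size × number of logs) no longer exist on the appliance. The following Python model is an added illustration, not Cisco's implementation and not the appliance's actual file naming: it applies the described rule (rotate at the size threshold, append a number, delete the oldest once the count is exceeded) to constructed 20-byte records in a temporary directory, with the thresholds scaled down from the 10 MB × 10 default so the loss is visible in a few iterations. The file name "ncs.log" and the numbered-suffix scheme are assumptions.

```python
from pathlib import Path
import tempfile


class NumberedRotation:
    """Rotate `log` once it reaches max_size bytes: log -> log.1, log.1 -> log.2, ...,
    then start a fresh log; if more than max_files logs would exist, drop the oldest."""

    def __init__(self, log, max_size, max_files):
        self.log, self.max_size, self.max_files = Path(log), max_size, max_files
        self.log.touch()

    def numbered(self, n):
        return self.log.with_name(f"{self.log.name}.{n}")

    def rotate(self):
        for n in range(self.max_files, 0, -1):      # shift the highest number first
            p = self.numbered(n)
            if p.exists():
                p.rename(self.numbered(n + 1))
        self.log.rename(self.numbered(1))
        self.log.touch()
        overflow = self.numbered(self.max_files)    # max_files + 1 logs now exist
        if overflow.exists():
            overflow.unlink()                       # the oldest audit data is gone for good

    def append(self, record):
        with self.log.open("ab") as fh:
            fh.write(record)
        if self.log.stat().st_size >= self.max_size:
            self.rotate()

    def files(self):
        return sorted(p.name for p in self.log.parent.iterdir())

    def retained_bytes(self):
        return sum(p.stat().st_size for p in self.log.parent.iterdir())


def simulate(max_size, max_files, count):
    """Write `count` constructed 20-byte records under the policy and report
    (file names, bytes still on disk, lowest record number still retained)."""
    with tempfile.TemporaryDirectory() as d:
        rot = NumberedRotation(Path(d) / "ncs.log", max_size, max_files)
        for i in range(count):
            rot.append(f"audit event {i:07d}\n".encode())
        surviving = sorted(int(line.split()[-1]) for p in Path(d).iterdir()
                           for line in p.read_text().splitlines())
        return rot.files(), rot.retained_bytes(), (surviving[0] if surviving else None)


if __name__ == "__main__":
    # Default policy is 10 MB x 10 files; scaled down here to 100 bytes x 3 files.
    print(simulate(100, 3, 25))
```

With 100 bytes and 3 files, 25 records produce five rotations and only records 15 through 24 remain on disk; records 0 through 14 are unrecoverable from the appliance. That is the reason the external syslog server the guide requires is the durable copy of the audit trail, and the reason the "number of logs" setting should be sized against the expected event rate rather than left at the default without thought.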

6. Modes of Operation

The Cisco Prime Infrastructure 3.2-FIPS TOE operates in the following modes:

Booting – this includes power-on self-tests (POST) to verify that cryptographic operations are working correctly. PI drops all network traffic until the image and configuration have loaded. This mode of operation automatically progresses to the Normal mode of operation.

Normal – the PI image and configuration are loaded and the TOE is operating as configured. It should be noted that all levels of administrative access occur in this mode and that all PI-based security functions are operating. This is the expected mode of operation for the TOE. By default, PI uses the CAVP-tested cryptography described for all claimed cryptographic operations. The FIPS mode of operation is enabled by default and is not configurable.

PI uses a FIPS 140-2 validated cryptographic module that runs a suite of self-tests during TOE initial start-up to verify its correct operation. These tests check the integrity of the code and the correct operation of each cryptographic algorithm and method used (e.g., AES-CBC, SHA-1). If any of the tests fail, the administrative web-based UI will not be accessible.

7. Security Measures for the Operational Environment

Proper operation of the TOE requires functionality from the environment. It is the responsibility of the Security administrator to ensure the Operational Environment provides the necessary functions and adheres to the environment security objectives listed below. The environment security objective identifiers map to the environment security objectives as defined in the Security Target.

Table 7: Operational Environment Security Measures

Environment Security Objective

Operational Environment Security Objective Definition

Privileged and Semi-privileged administrator responsibility

OE.PHYSICAL

Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.

Administrators must ensure the TOE is installed and maintained within a secure physical location. This can include a secured building with key card access or within the physical control of an authorized administrator in a mobile environment.


OE.NO_GENERAL_PURPOSE

There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.

Administrators will make sure there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE.

OE.NO_THRU_TRAFFIC_PROTECTION

The TOE does not provide any protection of traffic that traverses it. It is assumed that protection of this traffic will be covered by other security and assurance measures in the operational environment.

Administrators need to ensure that the security provided by the TOE is complemented by other security measures in the operational environment that provide protection to the traffic traversing the TOE.

OE.TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.

Administrators must be properly trained in the usage and proper operation of the TOE and all the provided functionality per the implementing organization’s operational security policies. These administrators must follow the provided guidance.

OE.UPDATES The TOE firmware and software are updated by an administrator on a regular basis in response to the release of product updates due to known vulnerabilities.

Administrators ensure that the TOE is updated with the latest firmware and software patches to keep it secure against known vulnerabilities.

OE.ADMIN_CREDENTIALS_SECURE

The administrator’s credentials (private key) used to access the TOE must be protected on any other platform on which they reside.

Administrators need to keep the credentials they use to access the TOE secure and protected.


8. Related Documentation

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation at:

With CCO login: http://www.cisco.com/en/US/partner/docs/general/whatsnew/whatsnew.html

Without CCO login: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

You can access the most current Cisco documentation on the World Wide Web at the following sites:

http://www.cisco.com

http://www-china.cisco.com

http://www-europe.cisco.com

8.1 Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to [email protected].

To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address:

Cisco Systems, Inc., Document Resource Connection, 170 West Tasman Drive, San Jose, CA 95134-9883

We appreciate your comments.

8.2 Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.


Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:

http://www.cisco.com