Requirement Name:
Requirement Description:
Security events shall be logged together with a unique system reference (e.g. host name, IP or MAC address) and the exact time the incident occurred. For each security event, the log entry shall include, as applicable to the event type, the user name, timestamp, performed action, result, length of session, value exceeded and value reached.
Section 2.11.10 of RFC 3871 specifies the minimum set of security events. Each vendor shall document which security events the product logs, so that this can be verified by testing.
In particular, it shall be possible to log the following events (which are intended to be supported by the network product and which can be enabled by default at manufacturing time, or at a later time by the operator):
Event type | Description | Event data to be logged
Incorrect login attempts | Records any incorrect user login attempts to the network product | Username; Source (IP address) if remote access; Timestamp
Administrator access | Records any access attempts to accounts that have system privileges. | Username; Timestamp; Length of session; Source (IP address) if remote access
Account administration | Records all account administration activity, i.e. configure, delete, enable and disable. | Administrator username; Administered account; Activity performed (configure, delete, enable or disable); Timestamp
Resource usage | Records events triggered when system parameter values such as disk space or CPU load over a longer period have exceeded their defined thresholds. | Value exceeded; Value reached (suitable threshold values shall be defined depending on the individual system); Timestamp
Configuration change | Changes to the configuration of the network device |
Reboot/shutdown/crash | Records any action on the network device that forces a reboot or shutdown, or a crash of the network device. | Action performed (reboot, shutdown, etc.); Username (for intentional actions); Timestamp
Interface status change | Change to the status of interfaces on the network device (e.g. shutdown) | Interface name and type; Status (shutdown, missing link, etc.); Timestamp
In addition, it shall optionally be possible to log the following event (if supported):
Event type | Description | Event data to be logged
Change of group membership or accounts | Any change of group membership for accounts | Administrator username; Administered account; Activity performed (group added or removed); Timestamp
Security Objective references:
Test case:
Test Name:
TC_SECURITY_EVENT_LOGGING
Purpose:
To verify that the network product correctly logs all required security event types.
Procedure and execution steps:
Pre-Conditions:
- The following information shall be provided by the documentation accompanying the network product:
  - The log where the event is recorded and how it can be accessed (e.g. the complete path).
  - Whether the event type is enabled by default or, if not, how to enable it.
  - Which O&M services can be used on the Network Product in the configuration according to the pre-requisites for testing in clause 4.1, and how to use them.
- The tester has the administrative privileges needed to perform the tests.
- If needed for testing specific O&M services, a tester machine is available.
Execution Steps:
For each O&M service perform the following test steps:
- The tester sequentially triggers each security event listed in the requirement, covering each option detailed in the individual security event descriptions.
- The tester verifies that the security events, and their individual options, were correctly logged; in particular, that each log entry includes at least the event data specified as required to be logged.
Expected Results:
All security events are appropriately logged, including all required event data.
Expected format of evidence:
The testing report contains the following information for each security event:
- List of O&M services
- Commands executed per O&M service
- The relevant parts of the logs in appropriate form (e.g. file, screenshot)
- Test result (Passed or not)
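The following script is an added example and not part of this specification or of any product's code. It automates the check in the second execution step: it parses constructed key=value log lines and reports, per entry, which of the event data items listed in the tables of the requirement are missing. The line format, the field names, the sample lines and the ISO 8601 timestamp check are assumptions; the RULES table encodes the required and optional event types above, including the two conditions the tables state (source address only for remote access, username only for intentional reboot or shutdown).

```python
"""Check that each security event log entry carries the event data the
requirement lists for its event type.

Added example, not part of the specification. The key=value line format,
the field names and the sample lines are assumptions made for illustration;
adapt parse_line() and RULES to the product's real log format.
"""
import re
from datetime import datetime

# Every entry needs a unique system reference and the time of the event.
COMMON = ("host", "timestamp")

# Per event type: unconditionally required fields, fields required only when a
# condition on the entry holds, and the permitted values of a field.
RULES = {
    "incorrect_login": {
        "required": ("username",),
        "conditional": {"source": lambda e: e.get("access") == "remote"},
    },
    "admin_access": {
        "required": ("username", "session_length"),
        "conditional": {"source": lambda e: e.get("access") == "remote"},
    },
    "account_admin": {
        "required": ("admin_username", "account", "activity"),
        "values": {"activity": {"configure", "delete", "enable", "disable"}},
    },
    "resource_usage": {"required": ("value_exceeded", "value_reached")},
    "reboot_shutdown_crash": {
        "required": ("action",),
        # A username is needed for intentional actions only, not for a crash.
        "conditional": {"username": lambda e: e.get("action") != "crash"},
    },
    "interface_status": {"required": ("interface_name", "interface_type", "status")},
    # Optional event type from the second table.
    "group_membership": {
        "required": ("admin_username", "account", "activity"),
        "values": {"activity": {"group_added", "group_removed"}},
    },
}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one 'key=value key="quoted value"' line into a dict."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def check_entry(entry):
    """Return the problems found in one parsed entry; an empty list means compliant."""
    problems = [f"missing {f}" for f in COMMON if not entry.get(f)]
    if entry.get("timestamp"):
        try:
            datetime.fromisoformat(entry["timestamp"])
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    rule = RULES.get(entry.get("event"))
    if rule is None:
        return problems + [f"unknown event type {entry.get('event')!r}"]
    problems += [f"missing {f}" for f in rule.get("required", ()) if not entry.get(f)]
    for field, needed in rule.get("conditional", {}).items():
        if needed(entry) and not entry.get(field):
            problems.append(f"missing {field}")
    for field, allowed in rule.get("values", {}).items():
        if field in entry and entry[field] not in allowed:
            problems.append(f"{field}={entry[field]!r} not one of {sorted(allowed)}")
    return problems


def check_log(lines):
    """Map each non-empty line number to its problems; an empty dict means the log passes."""
    report = {}
    for n, line in enumerate(lines, 1):
        if line.strip():
            problems = check_entry(parse_line(line))
            if problems:
                report[n] = problems
    return report


# Constructed sample log for the demo (not captured from any real product).
SAMPLE_LOG = [
    'timestamp=2024-05-01T10:15:02+00:00 host=nf-01 event=incorrect_login username=alice access=remote source=198.51.100.7',
    'timestamp=2024-05-01T10:16:40+00:00 host=nf-01 event=incorrect_login username=bob access=remote',
    'timestamp=2024-05-01T10:20:00+00:00 host=nf-01 event=admin_access username=root access=local session_length=00:12:31',
    'timestamp=2024-05-01T10:33:10+00:00 host=nf-01 event=account_admin admin_username=root account=carol activity=lock',
    'timestamp=2024-05-01T11:00:00+00:00 host=nf-01 event=resource_usage value_exceeded="disk 85%" value_reached="91%"',
    'timestamp=2024-05-01T11:05:00+00:00 host=nf-01 event=reboot_shutdown_crash action=crash',
    'timestamp=2024-05-01T11:07:12+00:00 host=nf-01 event=reboot_shutdown_crash action=reboot',
    'timestamp=2024-05-01T11:09:00+00:00 host=nf-01 event=interface_status interface_name=eth1 interface_type=ethernet status=shutdown',
    'timestamp=2024-05-01T11:10:00+00:00 event=group_membership admin_username=root account=carol activity=group_added',
]

if __name__ == "__main__":
    for n, problems in sorted(check_log(SAMPLE_LOG).items()):
        print(f"line {n}: {'; '.join(problems)}")
```

On the constructed sample the checker reports four entries: the remote failed login without a source address, the account administration entry with an activity outside the listed set, the intentional reboot without a username, and the group change without a system reference. The crash entry without a username passes, as the table intends. Attach the script output together with the raw log extract as evidence; the script does not replace the log extract.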
Requirement Name:
Log transfer to centralized storage
Requirement Description:
- The Network Product shall support forwarding of security event logging data to an external system. Secure transport protocols in accordance with clause 4.2.3.2.4 shall be used.
- Log functions should support secure uploading of log files to a central location or to an external system for the Network Product that is logging.
Security Objective references:
Test case:
Test Name:
TC_LOG_TRANS_TO_CENTR_STORAGE
Purpose:
To verify that security event logs are transferred to centralized storage over a secure transport.
Procedure and execution steps:
Pre-Conditions:
- The manufacturer shall list the standard protocols used to transfer security event logging data.
- The session between the network product and the central location or external system for network product log functions has been set up.
- The tester has the privileges needed to operate the network product and to output the related logs.
Execution Steps:
- The tester configures the network product to forward event logs to an external system (according to the first bullet of the requirement) and the related logs are sent out.
- The tester checks whether the transport protocol used is a secure protocol.
- The tester checks whether the central location or external system for network product log functions has stored the related logs.
- The tester configures the network product for secure upload of event log files to an external system (according to the second bullet of the requirement) and performs a log file upload.
- The tester checks whether the transport protocol used for the log file upload is a secure standard protocol.
- The tester checks whether the central location or external system for network product log functions has stored the related logs.
Expected Results:
- The listed transport protocols are secure protocols.
- The transport protocol used for the log file upload is a secure standard protocol.
- The tester finds that the central location or external system for network product log functions has stored the related logs.
Expected format of evidence:
A testing report provided by the testing agency, consisting of the following information:
- Settings, protocols and configurations used
- Screenshot
- Test result (Passed or not)
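The second and fourth execution steps ask whether the transport used is a secure protocol. The following script is an added example, not part of this specification or of rsyslog: it assumes the network product forwards its logs with rsyslog and inspects a constructed configuration, flagging forwarding actions that use UDP or plain TCP and accepting only TLS with a certificate-authenticated peer. The directive and parameter names are rsyslog's own; the configuration, host names and addresses are constructed for illustration.

```python
"""Classify rsyslog forwarding rules by transport security.

Added example, not part of the specification. It assumes the network product
forwards security event logs with rsyslog; the configuration below is
constructed for illustration. The check flags syslog over UDP and plain TCP,
and it treats TLS as present only when the gtls/ossl stream driver is selected,
StreamDriverMode is 1 (mode 0 still sends plain TCP even with gtls selected)
and peer authentication is x509-based, so the collector cannot be spoofed.
"""
import re

LEGACY_RE = re.compile(r"^\s*[^\s#]+\s+(@@?)(?:\([^)]*\))?(\S+)")  # "*.* @host", "*.* @@host"
DIRECTIVE_RE = re.compile(r"^\s*\$(\w+)\s+(\S+)")                  # "$Directive value"
ACTION_RE = re.compile(r"action\s*\((.*?)\)", re.S)                # action(...)
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')                 # name="value"


def tls_ok(driver, mode, authmode):
    """True only for an authenticated TLS stream (TLS driver, mode 1, x509 peer auth)."""
    return driver.lower() in ("gtls", "ossl") and mode == "1" and authmode.lower().startswith("x509/")


def classify(config_text):
    """Return [(line, target, verdict, reason)] for every forwarding action in the config."""
    findings = []
    # Legacy directives apply to the legacy forwarding lines that follow them.
    directives = {"DefaultNetstreamDriver": "ptcp",
                  "ActionSendStreamDriverMode": "0",
                  "ActionSendStreamDriverAuthMode": "anon"}
    for n, line in enumerate(config_text.splitlines(), 1):
        d = DIRECTIVE_RE.match(line)
        if d:
            directives[d.group(1)] = d.group(2)
            continue
        m = LEGACY_RE.match(line)
        if not m:
            continue
        target = m.group(2)
        if m.group(1) == "@":
            findings.append((n, target, "INSECURE", "syslog over UDP, clear text"))
        elif tls_ok(directives["DefaultNetstreamDriver"],
                    directives["ActionSendStreamDriverMode"],
                    directives["ActionSendStreamDriverAuthMode"]):
            findings.append((n, target, "SECURE", "TCP with authenticated TLS"))
        else:
            findings.append((n, target, "INSECURE", "TCP without TLS"))
    # RainerScript action() blocks carry their own parameters (names are case-insensitive).
    for m in ACTION_RE.finditer(config_text):
        p = {k.lower(): v for k, v in PARAM_RE.findall(m.group(1))}
        if p.get("type") != "omfwd":
            continue
        n = config_text.count("\n", 0, m.start()) + 1
        target = f"{p.get('target', '?')}:{p.get('port', '514')}"
        if p.get("protocol", "udp").lower() != "tcp":
            findings.append((n, target, "INSECURE", "omfwd over UDP, clear text"))
        elif tls_ok(p.get("streamdriver", ""), p.get("streamdrivermode", "0"),
                    p.get("streamdriverauthmode", "anon")):
            findings.append((n, target, "SECURE", "omfwd TCP with authenticated TLS"))
        else:
            findings.append((n, target, "INSECURE", "omfwd TCP without TLS"))
    return sorted(findings)


# Constructed configuration: weak settings next to their corrected forms.
CONSTRUCTED_CONFIG = """
# Weak: syslog over UDP
*.* @192.0.2.10:514

# Weak: gtls selected but mode 0, so the stream is still plain TCP
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 0
*.* @@192.0.2.11:514

# Corrected legacy form: TLS with certificate-based peer authentication
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer collector.example.net
*.* @@(o)192.0.2.12:6514

# Corrected RainerScript form
action(type="omfwd" target="collector.example.net" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="collector.example.net")

# Weak RainerScript form: TLS driver named but mode left at its default 0
action(type="omfwd" target="192.0.2.13" port="514" protocol="tcp" StreamDriver="gtls")
"""

if __name__ == "__main__":
    for line, target, verdict, reason in classify(CONSTRUCTED_CONFIG):
        print(f"line {line}: {target} {verdict} ({reason})")
```

The case the check is built around is the one a configuration review most easily misses: a TLS driver is selected but the stream driver mode is left at 0, which still sends syslog in clear. A verdict from a configuration review should be confirmed on the wire, for instance by capturing the session between the network product and the collector while the logs are sent, and that capture belongs in the evidence alongside the settings used.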
Requirement Name:
Protection of security event log files
Requirement Description:
The security event log shall be access controlled (file access rights) so only privileged users have access to the log files.
Security Objective references:
Test case:
Purpose:
Verify that the logs are only accessible by privileged users.
Procedure and execution steps:
Pre-Conditions:
- Documentation describing where the logs are stored, how the logs are accessed, and the Network Product interfaces from which the logs can be accessed.
Execution Steps:
- The tester attempts to access the log files using user accounts with and without the correct permissions for accessing log files.
- Repeat the test as described in step 1 using each of the interfaces described in the Network Product documentation.
Expected Results:
The tester checks that the log files are accessible when a user with the appropriate authorisation attempts to access them, and that access fails when a user without the correct permissions attempts to access them.
Expected format of evidence:
Pass/fail result as recorded by the tester.
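As an added example, not part of this specification or of any product: a script that checks the mode bits and ownership of a log file and of its directory on a POSIX system, which is the file access rights control this requirement names. The policy it enforces (root-owned, readable only by the owner and one privileged group, writable by nobody else, directory not world-writable) and the scratch file created by demo() are assumptions for illustration.

```python
"""Check POSIX permissions on a security event log file and its directory.

Added example, not part of the specification. The policy it enforces is an
assumption for illustration: the file is owned by root, readable only by the
owner and one privileged group, writable by nobody else, and its directory is
not world-writable (an unprivileged user could otherwise rename or replace the
log). It complements the access attempts in the test case rather than replacing
them: mode bits say nothing about ACLs, MAC labels or the O&M interfaces that
also expose the logs.
"""
import grp
import os
import stat
import tempfile


def mode_problems(mode, is_dir=False):
    """Return the least-privilege violations in a st_mode value; empty list means acceptable."""
    perm = stat.S_IMODE(mode)
    problems = []
    # A sticky world-writable directory (like /tmp) lets others add files but not remove ours.
    if perm & stat.S_IWOTH and not (is_dir and perm & stat.S_ISVTX):
        problems.append("world-writable")
    if perm & stat.S_IROTH:
        problems.append("world-listable" if is_dir else "world-readable")
    if perm & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def check_path(path, privileged_group=None):
    """Stat one path and return every policy violation found (empty list = compliant)."""
    st = os.stat(path)
    problems = mode_problems(st.st_mode, stat.S_ISDIR(st.st_mode))
    if st.st_uid != 0:
        problems.append(f"owner uid {st.st_uid} is not root")
    if stat.S_IMODE(st.st_mode) & stat.S_IRGRP:
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        if privileged_group is None or group != privileged_group:
            problems.append(f"readable by group {group!r}, which is not the privileged group")
    return problems


def check_log_file(path, privileged_group=None):
    """Check the log file and its parent directory; returns {path: [problems]}."""
    parent = os.path.dirname(os.path.abspath(path))
    return {p: check_path(p, privileged_group) for p in (path, parent)}


def demo():
    """Create a scratch log file (constructed, not a product log) and check a weak mode and its fix."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o750)
    path = os.path.join(d, "security.log")
    open(path, "w").close()
    os.chmod(path, 0o644)        # weak: every local user can read the log
    weak = check_path(path)
    os.chmod(path, 0o600)        # corrected: owner only
    fixed = check_path(path)
    return weak, fixed


if __name__ == "__main__":
    weak, fixed = demo()
    print("0644:", weak)
    print("0600:", fixed)
```

Run check_log_file() against each log path named in the product documentation and pass the group the documentation designates as privileged; an empty list for both the file and its directory is the expected outcome. The directory check matters because a world-writable log directory lets an unprivileged user rename the log out of the way even when the file itself is mode 0600.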