Specifications
Security Target Version 1.0 9/29/2014
62
interface (part of operating environment) to read audit logs. Though not required by PP, the TOE also stores audit
records locally and provides CLI and WebUI capabilities to view the contents of the audit trail. The local cache for
audit data is 3*(3*31768 bytes). Since this local protected log storage is FIFO (First in, First out), audit logs are
overwritten when the storage is exhausted. For each audit event, the following minimum information is recorded:
Event Type
The logging level
Subject Identity
The identity of the subject involved in the event. For identified users, the subject identity is
represented by the username. For other subjects, the subject identity is represented by the IP
address for wired network subjects and by the MAC address for wireless network subjects.
Date and Time
The date and time when each event occurred. The time can be obtained internally or from a
trusted NTP server in the operating environment.
Outcome
Success or failure of the event
The logged audit records also include event-specific content that includes at least all of the content required in Table
2 Audit Events.
The TOE provides functions allowing administrators to review all audit information stored on the TOE.
The TOE (MC and AP) can generate and send SNMP traps to the operating environment (SNMP server) to alert the
administrators of potential problems, misconfiguration, or attacks.
The Security audit function is designed to satisfy the following security functional requirements:
• FAU_GEN.1: The TOE generates audit events for various purposes such as security and trouble shooting.
The events include startup and shutdown of audit function, all authentication attempts, all administrative
actions, and all required auditable events as specified in Table 2 Audit Events. At a minimum, each event
includes date and time, logging level (event type), subject identity, and outcome of event.
• FAU_GEN.2: The TOE associates user id to the appropriate audit event. In other words, the user is
identified by the username in the audit record.
• FAU_SAR.1: The TOE provides audit review functions allowing administrators to review all audit data
stored by the TOE.
• FAU_SAR.2: The TOE provides access to stored audit records only to TOE administrators.
• FAU_SEL.1: The TOE provides administrators the capability to include or exclude audit events based on
event type (implying outcome where applicable). The requirement can additionally be met with an external
logging server configured to only capture information by user id (username, device interface (e.g., VLAN0,
ETH1), and wireless client identity (MAC Address). The TOE takes a secure approach of auditing all
information to ensure thorough analysis can be performed, if desired. Most logs generated on the TOE are
not administrator-initiated and those that are deal directly with authentication to the TOE and configuration
actions. An administrator can choose to selectively audit based upon event type, capturing only failing
events, passing events, or all events. This is done by specifying the logging level for the specific event
through the GUI or by command line via SSH.
• FAU_STG.1: While it is recommended to use an external server for audit data in the evaluated
configuration, the local cache is 3*(3*31768 bytes).The local logs can only be viewed – they cannot be
deleted or modified. There are no CLI commands for such actions. The only way to delete local audit
records is to go outside the evaluated configuration and reset the controller to factory defaults, or to wipe
the flash storage. If an external syslog server has been enabled, all audit logs are simultaneously written to
both the local audit log and the syslog server. Local audit logs and logs sent to a remote server are
identical.
• FAU_STG_EXT.1: The TOE will be configured to use IPsec when exporting audit records to an external
SYSLOG server.
• FAU_STG_EXT.3:The TOE uses the BSD Syslog Protocol (RFC 3164) which operates over UDP and is
purely connectionless. In order to detect a failure of the connection to the syslog server, the path must
operate over an IPsec tunnel between the TOE and the syslog server. Failure of the IPsec tunnel will
indirectly indicate failure of the audit server or the path to the audit server. A local log message will