Supporting Fabric OS 8.1.0b

CONFIGURATION GUIDE

Fabric OS Common Criteria

53-1005024-01
7 June 2017


© 2017, Brocade Communications Systems, Inc. All Rights Reserved.

Brocade, the B-wing symbol, and MyBrocade are registered trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands, product names, or service names mentioned of Brocade Communications Systems, Inc. are listed at www.brocade.com/en/legal/brocade-Legal-intellectual-property/brocade-legal-trademarks.html. Other marks may belong to third parties.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.

The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.


Contents

Preface
    Document conventions
        Notes, cautions, and warnings
        Text formatting conventions
        Command syntax conventions
    Brocade resources
    Document feedback
    Contacting Brocade Technical Support
        Brocade customers
        Brocade OEM customers

About This Document
    Supported hardware and software

Common Criteria Certification
    Common Criteria overview
    The network interface
        Requirements for Web Tools
    Opening a SSH client window
    Firmware update
        Firmware download
    Configuring the Fabric OS switch for Common Criteria
    Cryptographic configurations in Common Criteria
        TLS cryptographic configurations
        SSH cryptographic configurations
        Certificate Validation
        Certificate revocation check enforcement
    Self-tests
    Audit messages
        Reading an audit message
        Audits of CLI or Console commands
        Audits of administrative actions using Web Tools


Preface

• Document conventions
• Brocade resources
• Document feedback
• Contacting Brocade Technical Support

Document conventions
The document conventions describe text formatting conventions, command syntax conventions, and important notice formats used in Brocade technical documentation.

Notes, cautions, and warnings
Notes, cautions, and warning statements may be used in this document. They are listed in order of increasing severity of potential hazards.

NOTE
A Note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.

ATTENTION
An Attention statement indicates a stronger note, for example, to alert you when traffic might be interrupted or the device might reboot.

CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Text formatting conventions
Text formatting conventions such as boldface, italic, or Courier font may be used to highlight specific words or phrases.

Format         Description
bold text      Identifies command names.
               Identifies keywords and operands.
               Identifies the names of GUI elements.
               Identifies text to enter in the GUI.
italic text    Identifies emphasis.
               Identifies variables.
               Identifies document titles.
Courier font   Identifies CLI output.
               Identifies command syntax examples.

Command syntax conventions
Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships.

Convention     Description
bold text      Identifies command names, keywords, and command options.
italic text    Identifies a variable.
value          In Fibre Channel products, a fixed value provided as input to a command option is printed in plain text, for example, --show WWN.
[ ]            Syntax components displayed within square brackets are optional.
               Default responses to system prompts are enclosed in square brackets.
{ x | y | z }  A choice of required parameters is enclosed in curly brackets separated by vertical bars. You must select one of the options.
               In Fibre Channel products, square brackets may be used instead for this purpose.
x | y          A vertical bar separates mutually exclusive elements.
< >            Nonprinting characters, for example, passwords, are enclosed in angle brackets.
...            Repeat the previous element, for example, member[member...].
\              Indicates a "soft" line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.

Brocade resources
Visit the Brocade website to locate related documentation for your product and additional Brocade resources.

White papers, data sheets, and the most recent versions of Brocade software and hardware manuals are available at www.brocade.com. Product documentation for all supported releases is available to registered users at MyBrocade.

Click the Support tab and select Document Library to access product documentation on MyBrocade or www.brocade.com. You can locate documentation by product or by operating system.

Release notes are bundled with software downloads on MyBrocade. Links to software downloads are available on the MyBrocade landing page and in the Document Library.

Document feedback
Quality is our first concern at Brocade, and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. You can provide feedback in two ways:

• Through the online feedback form in the HTML documents posted on www.brocade.com

• By sending your feedback to [email protected]

Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement.


Contacting Brocade Technical Support
As a Brocade customer, you can contact Brocade Technical Support 24x7 online or by telephone. Brocade OEM customers should contact their OEM/solution provider.

Brocade customers
For product support information and the latest information on contacting the Technical Assistance Center, go to www.brocade.com and select Support.

If you have purchased Brocade product support directly from Brocade, use one of the following methods to contact the Brocade Technical Assistance Center 24x7.

Online (preferred method of contact for non-urgent issues):

• Case management through the MyBrocade portal.

• Quick Access links to Knowledge Base, Community, Document Library, Software Downloads and Licensing tools

Telephone (required for Sev 1-Critical and Sev 2-High issues):

• Continental US: 1-800-752-8061

• Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE (+800 28 34 27 33)

• Toll-free numbers are available in many countries.

• For areas unable to access a toll-free number: +1-408-333-6061

Brocade OEM customers
If you have purchased Brocade product support from a Brocade OEM/solution provider, contact your OEM/solution provider for all of your product support needs.

• OEM/solution providers are trained and certified by Brocade to support Brocade® products.

• Brocade provides backline support for issues that cannot be resolved by the OEM/solution provider.

• Brocade Supplemental Support augments your existing OEM support contract, providing direct access to Brocade expertise. For more information, contact Brocade or your OEM.

• For questions regarding service levels and response times, contact your OEM/solution provider.


About This Document

• Supported hardware and software

Supported hardware and software
Brocade recommends that you confirm that the Fabric OS device and the software version you are running are Common Criteria certified; the evaluation applies only to the specific hardware models and firmware version listed in the certification.

To determine whether the Fabric OS device and current software version are Common Criteria certified, refer to https://www.niap-ccevs.org/CCEVS_Products/pcl.cfm.


Common Criteria Certification

• Common Criteria overview
• The network interface
• Opening a SSH client window
• Firmware update
• Configuring the Fabric OS switch for Common Criteria
• Cryptographic configurations in Common Criteria
• Self-tests
• Audit messages

Common Criteria overview
This section contains the steps for configuring the Brocade Fabric OS switch for Common Criteria (CC), as evaluated with Fabric OS 8.1.0b against the Network Device collaborative Protection Profile (NDcPP).

Common Criteria certification enforces a set of security requirements and feature restrictions on the device so that it operates in its evaluated configuration, much as placing the device in FIPS mode does. To better understand the Common Criteria certification and the security functions that were subject to evaluation, refer to the Brocade Communications Systems, Inc. Directors and Switches using Fabric OS v8.1.0 (NDcPP10) Security Target document.

Brocade Fabric OS switches provide switching functionality in the Fibre Channel domain. The Fabric OS device management functions are protected by authentication: once administrators log in with their credentials, their access is limited to the commands for which they have privileges and role-based permissions. Additionally, the network management communication paths are protected against modification and disclosure using SSHv2 for the CLI and TLS for HTTPS and remote syslog.

FIPS 140-2 Security Level 2 specifies the security requirements that must be satisfied by a cryptographic module used within a security system protecting sensitive information.

Brocade switches running Fabric OS 8.1.0b are designed to support FIPS mode. All cryptographic algorithms required and used in the CC evaluated configuration are covered by FIPS algorithm validation certificates.

The network interface
The Target of Evaluation (TOE) is managed through an Ethernet port, on which the following processes handle incoming network packets. All of these processes run with root privilege, so every one of them is a direct exposure of the management plane and should be reachable only from the protected management network.

• TCP/IP stack: The Fabric OS kernel IP stack that accepts all packets from the network interface.

• Syslog-ng: The process that sends audit messages to a remote server through a TLSv1.2 tunnel.

• SSHd: The process listening on port 22 that provides a terminal session after authentication using the SSH protocol. An SSH session is rekeyed after every 1 GB of data (incoming plus outgoing) or after a configured time interval has elapsed. When both a data limit and a time interval are configured, rekey occurs as soon as either condition is met; on rekey, both the timer and the byte count are reset.

• HTTPS: The process listening on port 443 that provides web access over TLS for managing the switch.

The product operating environment should provide DNS resolution, an NTP server, and a protected management network for administrator connections.


Requirements for Web Tools
Before you install Web Tools on your workstation, verify that your switches and workstation meet the Web Tools requirements listed in the Brocade Fabric OS Web Tools Administration Guide, 8.1.0, 53-1004405-03.

Web Tools requires a browser that conforms to HTML 4.0 (such as Internet Explorer 8 or later), JavaScript 1.0, and JRE 1.8.0_111 or later.

NOTE
If multiple JRE versions are installed, go to the Java Control Panel and uncheck the lower JRE versions so that Web Tools launches with the latest JRE.

Opening a SSH client window
Opening a SSH client window connects to the switch IP interface. You cannot connect to a CP blade on a director through a SSH client window opened from Web Tools, even when the blade has an IP address. Refer to the Fabric OS Command Reference for information about the SSH commands.

To open a SSH client window, perform the following steps.

1. Select a switch in Fabric Tree. You are prompted to log in. Once you do, the selected switch displays in Switch View.

2. Select SSH Client under the Tools menu. The Preference dialog box displays.

3. Enter the SSH path defined for your implementation.

To avoid having to remember and enter the path, you can store the path on your PC and browse to the location. Clicking the button to the right of the field opens the browse dialog.

4. Click OK. The SSH window displays.

5. Enter your user credentials at the login prompt.

6. To close the session, enter exit at the prompt and press the Enter key.

Firmware update
Firmware packages are signed with a 2048-bit RSA key over a SHA-256 digest when the firmware is built, and the signatures are verified during firmware installation, as follows.

1. When the firmware package is generated, a SHA-256 digest of each RPM package is computed and signed with the private key.

2. The corresponding public key is packaged in an RPM package as part of the firmware and is downloaded as the first file.

3. As part of the firmware download, each package is validated by verifying its signature.

4. Installation begins only after all packages have been validated.

5. The switch restarts after successful installation.

NOTE
If the installation fails, an error with details is displayed and the download procedure is terminated.

The public key file on the switch contains only one public key, so it can validate only firmware signed with the one corresponding private key. If the private key changes in a future release, the public key on the switch must be changed by means of the firmware download command: a firmware download always replaces the public key file on the switch with the one carried in the new firmware. This allows planned firmware signing-key changes. Because the key file travels with the firmware, obtain firmware images only from MyBrocade over an authenticated connection.

You can download the signed firmware together with its MD5 checksum from MyBrocade. The MD5 checksum is used immediately after the download to confirm that the tar file arrived intact; it is a transfer-integrity check only and is not a proof of origin, since MD5 is not collision resistant. Authenticity of the evaluated firmware is established during the update by the 2048-bit RSA signatures on the individual RPMs.

Firmware download
Perform the following tasks to download the firmware.

1. Brocade uploads the signed firmware as a tar file, with its associated MD5 checksum, to a secure location.

NOTE
The file location and version details are provided to the customer.

2. Download the tar file and verify it against the MD5 checksum.
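As an added illustration of the signing and verification model described above (example code written for readers of this guide, not Brocade's firmware tooling and not the switch's installer): the build side signs the SHA-256 digest of each package with a 2048-bit RSA key, the switch side verifies every package against the single public key shipped with the firmware before anything is installed, and the MD5 published with the download is checked separately as a transfer-integrity test. The package names, payloads and key pair are constructed for the example; the real RPM signature format and key file layout are Brocade's and are not reproduced here.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Package models one signed RPM in a firmware bundle (constructed for this example).
type Package struct {
	Name      string
	Payload   []byte
	Signature []byte // RSA PKCS#1 v1.5 signature over SHA-256(Payload)
}

// buildKeys stands in for the build-time signing key; the PEM public key is what ships in the firmware.
func buildKeys() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// signPackage is the build-side step: hash the payload with SHA-256 and sign the digest.
func signPackage(priv *rsa.PrivateKey, name string, payload []byte) (Package, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Package{}, err
	}
	return Package{Name: name, Payload: payload, Signature: sig}, nil
}

// loadFirmwareKey parses the public key file and insists on a 2048-bit RSA key.
func loadFirmwareKey(pubPEM []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("firmware public key file is not a PEM PUBLIC KEY")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok || pub.Size() != 256 {
		return nil, errors.New("firmware public key is not 2048-bit RSA")
	}
	return pub, nil
}

// verifyBundle is the switch-side step: every package must verify before
// installation starts, so the first bad signature aborts the whole download.
func verifyBundle(pubPEM []byte, pkgs []Package) error {
	pub, err := loadFirmwareKey(pubPEM)
	if err != nil {
		return err
	}
	for _, p := range pkgs {
		digest := sha256.Sum256(p.Payload)
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], p.Signature); err != nil {
			return fmt.Errorf("package %s: signature verification failed, download aborted: %w", p.Name, err)
		}
	}
	return nil
}

// md5Matches is the download-time check against the MD5 published with the tar file.
// It catches a truncated or corrupted transfer; it proves nothing about who produced the file.
func md5Matches(tar []byte, publishedHex string) bool {
	sum := md5.Sum(tar)
	return hex.EncodeToString(sum[:]) == strings.ToLower(strings.TrimSpace(publishedHex))
}

func main() {
	priv, pubPEM, err := buildKeys()
	if err != nil {
		panic(err)
	}
	kernel, _ := signPackage(priv, "fos-kernel.rpm", []byte("kernel image bytes")) // constructed sample
	sshd, _ := signPackage(priv, "fos-sshd.rpm", []byte("sshd binary bytes"))       // constructed sample
	fmt.Println("genuine bundle:", verifyBundle(pubPEM, []Package{kernel, sshd}))
	tampered := sshd // a single flipped byte in a payload invalidates its signature
	tampered.Payload = append([]byte(nil), sshd.Payload...)
	tampered.Payload[0] ^= 0x01
	fmt.Println("tampered bundle:", verifyBundle(pubPEM, []Package{kernel, tampered}))
}
```

The bundle check deliberately stops at the first failing package rather than reporting and continuing, matching the guide's rule that installation begins only after every package has validated.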

Configuring the Fabric OS switch for Common Criteria
To configure the Brocade Fabric OS device to operate in Common Criteria mode, perform the following tasks.

1. Log in as the root user.

2. Enable self-tests using the fipscfg --enable selftests command.

3. Execute the firmwarecheck --enable -boot command to enable the check of the firmware at boot.

4. Execute the fipscfg --zeroize command to zeroize the critical security parameters (CSPs).

5. Power-cycle the module.

6. Enable secure mode for configuration upload and download, with signature verification, using the configurechassis command, so that these transfers use a secure protocol.

device:admin> configurechassis

Configure...

cfgload attributes (yes, y, no, n): [no] y

Enforce secure config Upload/Download (yes, y, no, n): [no] y

7. Configure the system for crypto compliance, limiting the cryptographic algorithms used by the TOE for TLS and SSH sessions to those allowed by the Security Target (ST), using the following commands:

a. seccryptocfg --apply default_cc applies the system default CC template.

b. seccryptocfg --replace -type ssh -kex "diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384" restricts SSH key exchange to the approved algorithms (DH group 14 and ECDH over P-256 and P-384). The command restarts the SSH daemon and terminates every existing SSH and SCP session, so run it from the serial console or be prepared to reconnect.

device:admin> seccryptocfg --replace -type ssh -kex "diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384"
This command requires the daemon(s) SSH to be restarted
Existing sessions will be terminated.
Please confirm and provide the preferred option
Press Yes(Y,y), No(N,n) [N]:y
Terminating all SSH/SCP sessions running

Broadcast message from root (ttyS0) Thu Jun 8 16:35:18 2017...

All SSH accounts will be logged out

SSH KexAlgorithms configured successfully.
device:admin>

8. Use the ipfilter command to block the Telnet, HTTP, and SNMP ports and allow only the SSH, HTTPS, and NTP ports. Rules 2, 3, and 4 of the cloned default policy are the Telnet, HTTP, and SNMP permit rules; confirm the rule numbers with ipfilter --show before deleting them, because deletion is by rule number, not by service.

a. ipfilter --clone FIPS_v4 -from default_ipv4

b. ipfilter --delrule FIPS_v4 -rule 2

c. ipfilter --delrule FIPS_v4 -rule 3

d. ipfilter --delrule FIPS_v4 -rule 4

e. ipfilter --activate FIPS_v4

f. Repeat steps a through e for default_ipv6.

9. To ensure that SSH sessions are rekeyed at least once an hour, configure time-based SSH rekeying with the sshutil rekeyinterval command. The value is in seconds and must not exceed 3600; the command restarts the SSH daemon and terminates all SSH sessions.

device:root> sshutil rekeyinterval 3000
SSH daemon will be restarted and all SSH session will be terminated
Do you want to proceed(yes, y, no, n)[no]?y
Rekey Time Interval Configured to 3000 seconds.

NOTE
You do not need to configure SSH rekeying based on traffic volume; the system default is 1 GB of transmitted traffic.

10. Disable EZserver, which closes UDP port 52357, using the configure command.

device:admin> configure

Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.

Configure...

Fabric parameters (yes, y, no, n): [no]
D-Port Parameters (yes, y, no, n): [no]
RDP Polling Cycle(hours)[0 = Disable Polling]: (0..24) [1]
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
rpcd attributes (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no] y

Basic User Enabled (yes, y, no, n): [no]
Perform License Checking and Warning (yes, y, no, n): [yes]
Allow Fabric Event Collection (yes, y, no, n): [yes]
Login Session Timeout (in secs): (60..432000) [7200]
EZserver Enabled (yes, y, no, n): [yes] no

a. On directors, issue the hafailover command after the configure command so that the UDP port is disabled on both CPs.

11. Ensure that the FTP mode of transfer is not selected for the following operations using the configurechassis command.

a. Uploading the system configuration.

b. Downloading the system configuration.

c. Saving the RASLOG, TRACE, supportShow, core file, FFDC data, and other support information.

d. Downloading the firmware.

device:admin> configurechassis

Configure...

cfgload attributes (yes, y, no, n): [no] y

Enforce secure config Upload/Download (yes, y, no, n): [no] y Add Suffix to the uploaded file name (yes, y, no, n): [no] Do you want to enable auto firmwaresync (yes, y, no, n): [no]

Custom attributes (yes, y, no, n): [no] system attributes (yes, y, no, n): [no] fos attributes (yes, y, no, n): [no]

NOTEDo not configure FCIP IKE or IPSec because they are not certified for CCcompliance.

12. Disable the IPSec management interface using the ipsecconfig --disable command.

13. Disable in-band management interface if it is already configured.

NOTEApplicable only to GEN 5 chassis with a FX8-24 blade. This is usually notconfigured.

device:admin> portcfg mgmtif <slot>/<port> delete mgmt_if_no

14. Run the portenccompshow command to check if any ports are enabled for compression or encryption, then disable in-flightencryption using the portcfgencrypt --disable portnumber command.

NOTEDo not define TACACS+ authspecmode.

15. Configure the SNMP access list for no access using the snmpconfig --set seclevel command.

device:admin> snmpconfig --set seclevel 3
Select SNMP GET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0] 3
Select SNMP SET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0] 3

Set up the certificates used to identify the client for secure communications. The SAN switch generates a Certificate Signing Request (CSR). This CSR must be exported from the switch to a Certificate Authority (CA). The CA uses the CSR to create a certificate, which the CA signs. The signed certificate is used by the switch and must be loaded into the switch along with its Root CA certificate. A Root CA certificate is always self-signed. The SAN switch needs one signed certificate for use with its HTTPS Web Tools interface and another signed certificate to authenticate itself to the syslog server. The CA can issue multiple signed certificates or let intermediate CAs issue certificates. The certificates have a hierarchical relationship. The root certificate is the top-most in the hierarchy tree; its private key is used to sign other certificates. Intermediate certificates are signed by the root certificate with the 'CA' field set to true. The intermediate certificates, in turn, are used to authenticate certificates further down the tree. Server and client identity certificates are signed by the Root CA or intermediary CAs. The server/client CA is the chain of certificates from the trusted root, including all intermediaries, that signs the server/client identity certificate.

When creating a certificate chain, all certificates from the leaf up to the root are included in one file and imported. Before the identity certificates are imported, the entire certificate chain that signed the CSR is imported. To validate the peer certificate during session establishment, the trusted root CA certificate is imported.

16. Import the externally signed certificate to enable HTTPS and web tools access.

a. Generate the CSR using the seccertmgmt generate command.

device:admin> seccertmgmt generate -csr https -type rsa -keysize 2048 -hash sha256 -years 5
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):Colorado
Locality Name (eg, city name):Broomfield
Organization Name (eg, company name):Brocade
Organizational Unit Name (eg, department name):SQA
Common Name (Fully qualified Domain Name, or IP address): pizzabox12.englab.brocade.com (switchname of default switch)

b. Export the CSR using the seccertmgmt export command.

device:admin> seccertmgmt export -protocol scp -ipaddr 192.0.2.2 -remotedir /share/certs -login cert

c. Import the root CA using the seccertmgmt import command.

device:admin> seccertmgmt import -ca -server https -protocol scp -ipaddr 10.38.38.39 -remotedir /OCSP/certs -login root -certname ca.cert.pem

d. Import the switch certificate and restart HTTPS using the seccertmgmt import command.

device:admin> seccertmgmt import -cert https -protocol scp -ipaddr 10.38.38.39 -remotedir /certs/keys -login root
Enter certificate name (must have ".crt" or ".cer" ".pem" or ".psk" suffix): 10.38.37.169.web.pem
[email protected]'s password:
Success: imported https certificate [10.38.37.16.web.pem].
Certificate file in configuration has been updated.
Secure http has been enabled.
Brocade7840:FID3:admin> 2017/03/28-08:48:52, [WEBD-1004], 41631, FID 3, INFO, Brocade7840, HTTP server and weblinker process will be restarted due to configuration change.

17. Import and authenticate the public key using the sshutil importpubkey command.

device:admin> sshutil importpubkey
Enter user name for whom key is imported:admin
Enter IP address:10.38.35.25
Enter remote directory:/root/.ssh
Enter public key name(must have .pub suffix):id_ecdsa.pub
Enter login name:[email protected]'s password:
2014/03/27-11:43:43, [SEC-3050], 908, FID 128, INFO, Brocade5100, Event: sshutil, Status: success, Info: Imported public key from host 10.38.35.25
public key is imported successfully.


18. Install certificates used to authenticate the SAN switch to a syslog server.

a. Generate and export the CSR.

device:admin> seccertmgmt generate -csr syslog
device:admin> seccertmgmt export -csr syslog -protocol scp -ipaddr 10.38.38.39 -remotedir /certs/keys -login root

b. Import the Root CA in the chain that signed the client certificate.

device:root> seccertmgmt import -ca -client syslog -protocol scp -ipaddr 10.38.38.39 -remotedir /etc/syslog-ng/key.d/OCSP/quaternary/certs -login root -certname ca-chain.pem

c. Import the signed certificate.

device:root> seccertmgmt import -cert syslog -protocol scp -ipaddr 10.38.38.39 -remotedir /certs/keys -login root -certname 10.38.37.16.syslog.pem

19. Configure and install certificates in the TOE so that the syslog server can be authenticated when the SAN switch connects to the syslog server.

a. Import the root certificate in the chain that signed the syslog server's certificate.

device:root> seccertmgmt import -ca -server syslog -protocol scp -ipaddr 10.38.38.39 -remotedir /etc/syslog-ng/key.d/OCSP/certs -login root -certname ca.cert.pem

b. Add the syslog server with syslogadmin.

device:root> syslogadmin --set -ip kali-2dot0.englab.brocade.com -secure -port 6514

NOTE
The following steps apply to certificates that are generated with the openssl command using an openssl conf file.

• The openssl conf file used for generating the server or client identity certificate must have the following mandatory entry (other keyUsages are allowed too, but digitalSignature must be present):

keyUsage = digitalSignature

• The openssl conf file used for generating server identity certificate should have the following mandatory entry:

extendedKeyUsage=serverAuth

• The openssl conf file used for generating client identity certificate should have the following mandatory entry:

extendedKeyUsage=clientAuth

• The openssl conf file for generating CA certs should have the following mandatory entries:

basicConstraints=CA:TRUE

keyUsage = keyCertSign

20. Configure secure mode of transport (TLSv1.2) for the audit log with the syslogadmin command.

device:root> seccertmgmt import -protocol scp -syslogcacert -ipaddr 192.0.2.12 -remotedir /etc/syslog-ng/ck -login root -certname cacert-sha256.pem
device:root> syslogadmin --set -ip 192.0.2.12 -secure -port 6514

21. Enable auditing of security events using the auditcfg --class 1,2,3,4,5,7,8,9 command followed by auditcfg --enable.

22. Disable the root role using the following commands.

a. userconfig --change root -e no

b. userconfig --change factory -e no

23. Log in as Administrator. The Fabric OS device is now configured for CC mode.

Each admin user should have their own user account, and their password should be protected. The TOE has default roles such as admin, securityadmin, fabricadmin, basicswitchadmin, zoneadmin, etc., with varying administrative privileges.

New user-defined roles with administrative privileges can also be created on the TOE using the roleconfig command. All such users are considered switch administrators. Users can be associated with the default roles using the userconfig command. Users with administrative privileges can manage the TOE both locally and remotely by logging in to the TOE via the console, SSH, or Web Tools.

The password policy can be set with the passwdcfg --set command. For example, the following command sets the minimum password length to 15 characters and generates a log.

passwdcfg --set -minlength 15

2017/04/20-17:27:53, [SEC-1312], 155, FID 3, INFO, pizzabox12, passwdcfg params changed as (minlength:8->15) (status:0->1) .

Similarly, passwords can be required to have special characters, numbers, capital letters, etc.

NOTE
The switchname of the default FID, taken from the switchshow CLI, together with the domain set with the dnsconfig CLI, specifies the TOE's reference identifier.

Cryptographic configurations in Common Criteria
The device in Common Criteria mode supports the following cryptographic configurations.

TLS cryptographic configurations
• Only the TLSv1.2 protocol version is supported for TLS communication.

• The AES-128 and AES-256 encryption algorithms (with SHA-1 and SHA-256 as MAC) are supported.

• RSA is used for authentication.

• DES-based cipher suites are not supported.

SSH cryptographic configurations
The following algorithms are supported:

• Host authentication

– ssh-rsa
– ecdsa-sha2-nistp256

• Ciphers

– aes128-cbc
– aes256-cbc

• Keyed-hash message authentication code (HMAC)

– hmac-sha1
– hmac-sha2-256
– hmac-sha2-512


• Key exchange

– ecdh-sha2-nistp256
– ecdh-sha2-nistp384
– diffie-hellman-group14-sha1

Certificate Validation
Both CA certificates and identity certificates must be validated for compliance. The following table provides more details. For each X509 field it lists the valid NDcPP 1.0 values, the validation behavior during certificate import, and the validation behavior during session establishment.

Not Before / Not After
  Valid NDcPP 1.0 values: The certificate is validated for time and date during import and is accepted only if the time and date are within the allowed range.
  During import: Certificates that have expired or are not yet valid are not allowed to be imported. Import fails.
  During session establishment: Session establishment fails if the CA certificate or identity certificate used has expired or is not yet valid. In the case of Web Tools, the session can continue if an exception is added in the browser.

CN=
  Valid NDcPP 1.0 values: Must be the FQDN device name or IP address. Wildcards are allowed only for one level of sub-domain and are not allowed for the main domain.
  During import: Identity certificates are validated against the IP or hostname of the host. Import fails if the common name does not match the IP or hostname, or has a wildcard in any field other than the first level of sub-domain. This validation does not apply to commoncert.
  During session establishment: Identity certificates are validated against the IP or hostname of the host. Applies to all identity certificates used for session establishment, including commoncert. Wildcards are allowed only for the first level of sub-domain.

Public-Key:
  Valid NDcPP 1.0 values: CC compliant configuration values are documented. However, no restriction is imposed on using non-compliant values.
  During import: No validation is performed and no audit log is generated; the import is successful.
  During session establishment: Audit logs are generated for certificates that have a key size less than 2048. The session is established successfully.

CA:
  Valid NDcPP 1.0 values: The field must be TRUE for CA certificates.
  During import: Validated for CA certificates at import; import fails if this is not true.
  During session establishment: Validated for all CAs used during session establishment.

Key Usage:
  Valid NDcPP 1.0 values: Must have "Certificate Sign" in the case of CA certificates and "Digital Signature" in the case of identity certificates.
  NOTE: To support RSA-based ciphers for TLS sessions, Key Encipherment must be set.
  During import: Validated for CA certificates and identity certificates (for "Certificate Sign" and "Digital Signature", respectively); if validation fails, import fails.
  During session establishment: Validated for CA certificates and identity certificates (for "Certificate Sign" and "Digital Signature", respectively); if validation fails, session establishment fails.

X509v3 Extended Key Usage:
  Valid NDcPP 1.0 values: Must correctly indicate whether the certificate is for use as a "server" certificate or a "client" certificate. If incorrect, the connection is not allowed.
  During import: Validated for the correct EKU ("server" for identity certificates of servers and "client" for identity certificates of clients); if incorrect, import fails.
  During session establishment: Validated for the correct EKU ("server" for identity certificates of servers and "client" for identity certificates of clients); if incorrect, session establishment fails.

Authority Information Access:
  Valid NDcPP 1.0 values: Must have a valid OCSP server that responds affirmatively. If this field is not present, the OCSP check is not performed.
  During import: Not checked during import of the certificate.
  During session establishment: The certificate is checked for an OCSP URL. If present, a revocation check is performed and the connection is established only if the revocation check passes. If no OCSP URL is found in the certificate, the connection is established successfully.

Signature Algorithm:
  Valid NDcPP 1.0 values: CC compliant configuration values are documented. However, no restriction is imposed on using non-compliant values.
  During import: No validations are performed at import.
  During session establishment: No validations are performed during session establishment.

Subject Alternative Name
  Valid NDcPP 1.0 values: Not a mandatory attribute. If present, the values stored in it take priority over the CN in the Subject attribute.
  During import: Validated during import for all certificates.
  During session establishment: Validated during sessions for all certificates.

Basic Constraints Attribute
  Valid NDcPP 1.0 values: The attribute must be present and must have the CA field.
  During import: Validated for CA certificates at import; import fails if the attribute does not exist.
  During session establishment: Validated for all CAs used during session establishment.

Certificate revocation check enforcement
Certificate revocation check enforcement is achieved using the Online Certificate Status Protocol (OCSP).

• All TLS-based applications on the switch that support certificate validation of the peer (SYSLOG) verify the peer certificate with the OCSP responder for revocation, if an OCSP URI is present in the peer certificate.

• If the peer certificate does not have an OCSP URI, the certificate is not verified for revocation, and the connection status depends on the other pre-existing validations of the peer certificate alone.

• The OCSP revocation check is implicit, based on the peer certificate having an OCSP URI in it. There are no changes to any user interfaces or CLIs.

• The certificate that signs the OCSP response for a peer is the same as the CA certificate that is imported for that peer. There is no separate OCSP certificate on the switch for verifying the OCSP response.

• The switch certificates that the switch sends to its peer for validation do not have an OCSP URI and do not support a revocation check by the peer.

The TLS session is established only if the OCSP response is Good. The following table describes the responses and the outcome.

OCSP Responder Status                                TLS session status
Reachable; Response = Good                           Pass
Reachable; Response signature verification fails     Fail
Reachable; Response = Revoked                        Fail
Reachable; Response = Unknown                        Fail
Reachable; No Response                               Fail
Not reachable                                        Fail
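The certificate validation table and the OCSP outcome table above describe a decision procedure. The following is an added example (not Brocade code) that models that procedure over already-parsed certificate attributes held in a plain dict; the dict field names, the "kind"/"stage" arguments and the OCSP status names are this example's own, and it also enforces the keyUsage/extendedKeyUsage entries required of certificates generated from an openssl conf file.

```python
"""Policy model of the certificate validation and OCSP outcome tables.

Added example, not Brocade code. Operates on already-parsed certificate
attributes (a dict; field names are this example's own) and reproduces the
import-time and session-time decisions described above.
"""
from datetime import datetime, timezone


def host_matches(pattern, host):
    """CN/SAN match. A wildcard is accepted only for the first sub-domain label
    and never for the main domain: '*.example.com' matches 'sw1.example.com'
    but not 'a.b.example.com', and '*.com' matches nothing."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    plabels, hlabels = pattern.split(".")[1:], host.split(".")
    if len(plabels) < 2:  # '*.com' would wildcard the main domain
        return False
    return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels


def validate(cert, kind, stage, host=None, now=None, ocsp_status=None):
    """Return (accepted, notes).

    kind        : "ca", "server" or "client" (server/client are identity certs)
    stage       : "import" or "session"
    ocsp_status : responder result at session time when the cert has an OCSP
                  URI: "good", "revoked", "unknown", "bad_signature",
                  "no_response" or "unreachable" (names are this example's own)
    """
    now = now or datetime.now(timezone.utc)
    notes = []
    # Validity window is enforced at import and at session establishment.
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False, ["certificate has expired or is not yet valid"]
    if kind == "ca":
        # Basic Constraints must be present with CA:TRUE; keyUsage needs keyCertSign.
        ca_flag = cert.get("basic_constraints_ca")
        if ca_flag is None:
            return False, ["invalid CA certificate: basic constraints absent for CA"]
        if ca_flag is not True:
            return False, ["invalid CA certificate: basic constraints false for CA"]
        if "keyCertSign" not in cert.get("key_usage", ()):
            return False, ["key usage does not include certificate sign"]
    else:
        if "digitalSignature" not in cert.get("key_usage", ()):
            return False, ["key usage does not include digital signature"]
        # EKU must be serverAuth for server identity certs, clientAuth for clients.
        wanted = "serverAuth" if kind == "server" else "clientAuth"
        if wanted not in cert.get("extended_key_usage", ()):
            return False, ["unsupported certificate purpose"]
        # Name check: SAN entries take priority over the CN. The check is
        # applied whenever a host is supplied (the table exempts commoncert
        # at import; pass host=None to model that).
        if host is not None:
            names = cert.get("san") or [cert["cn"]]
            if not any(host_matches(n, host) for n in names):
                return False, ["Hostname mismatch"]
        # Key size never blocks; it is only audited at session establishment.
        if stage == "session" and cert["key_bits"] < 2048:
            notes.append("audit: key size less than 2048")
    # AIA/OCSP: not checked at import; at session time only a Good response passes.
    if stage == "session" and cert.get("ocsp_uri") and ocsp_status != "good":
        return False, notes + ["OCSP revocation check failed (%s)" % ocsp_status]
    return True, notes


# Constructed sample attributes for a server identity certificate (not a real cert).
UTC = timezone.utc
SERVER_CERT = {
    "cn": "sw1.example.com", "san": [],
    "not_before": datetime(2017, 1, 1, tzinfo=UTC),
    "not_after": datetime(2022, 1, 1, tzinfo=UTC),
    "key_bits": 2048,
    "key_usage": ["digitalSignature", "keyEncipherment"],
    "extended_key_usage": ["serverAuth"],
    "ocsp_uri": "http://ocsp.example.com",
}
WHEN = datetime(2017, 6, 7, tzinfo=UTC)

if __name__ == "__main__":
    print(validate(SERVER_CERT, "server", "import", host="sw1.example.com", now=WHEN))
    print(validate(SERVER_CERT, "server", "session", host="sw1.example.com",
                   now=WHEN, ocsp_status="revoked"))
```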

Self-tests
The following table provides detailed information about the tests that are executed during the bootup of the switch to confirm the authenticity of the algorithms.

NOTE
On a self-test failure, Brocade recommends that you restart the system and test again. If the failure persists, proceed with the Return Materials Authorization (RMA) request for the device.


Algorithm Description

TDES This module implements a KAT for the encrypt and decrypt operations of Triple DES in the CBC mode of operation. The test passes only if the calculated output equals the known output for both operations. The Triple DES KAT must execute successfully before the Triple DES functionality is used.

AES This module implements a known answer test (KAT) for the encrypt and decrypt operations of AES (128-bit block size and 256-bit key size) in the CBC mode of operation. The test passes only if the calculated result equals the known result for both encryption and decryption. The AES KAT must execute successfully before the AES functionality is accessed.

HMAC SHA-1 This module implements the short messages test as part of the KAT for SHA-1, after which the HMAC validation testing is done. The Short Messages Test tests the ability to correctly generate message digests for messages of smaller length.

HMAC SHA-256 This module implements the short messages test as part of the KAT for SHA-256, after which the HMAC validation testing is done. The Short Messages Test tests the ability to correctly generate message digests for messages of smaller length.

DRNG This module tests whether the random number generated is deterministic. This test compares a known seed and known output against the random number generated.

RSA sign/verify This module implements a KAT for the signing and verification operations of RSA. The test passes only if the signature is verified. The KAT must execute successfully before the operator can access the RSA functionality.

AES GCM This module implements a KAT for AES encryption and decryption using GCM.

SHA512 This module implements the SHA-512 short message test as part of the KAT.

HMAC SHA512 This module implements the short messages test as part of the KAT for SHA-512, after which the HMAC validation testing is done. The Short Messages Test tests the ability to correctly generate message digests for messages of smaller length.

TLS Implements the KDF for TLS as per SP800-131A.

SSH Implements the KDF for SSH as per SP800-131A.

EC DSA Implements the EC DSA pair-wise consistency test.

EC DH Implements the EC DH test.

Audit messages
Audit messages are generated based on security events. All audit messages include the ID, time, module ID, switch name, and the message. All commands entered have an associated audit record. For commands that include private data such as passwords, the CLI log is redacted so that it does not include the private information. Audit records are sent to an external syslog server as soon as they are generated. The syslog server must support TLSv1.2. RASLog messages are sent to the syslog server as well.

Reading an audit message
AUDIT messages provide user and system-related information of interest for post-event auditing and troubleshooting.

The following example shows the format of an audit event message.

<Sequence Number> AUDIT, <timestamp>, [<Event ID>], <Severity>, <Event Class>,<User ID>/<Role>/<IP address>/<Interface>/<Application Name>, <Admin Domain>/<Switch name>, <Reserved field for future expansion>, <Event-specific information>

For syslog audit messages, the Fabric OS version and six reserved fields are displayed in the message.

The following is a sample audit event message.

0 AUDIT, 2005/12/10-09:54:03, [SEC-1000], WARNING, SECURITY, JohnSmith/root/192.0.2.2/Telnet/CLI, Domain A/JohnsSwitch, , Incorrect password during login attempt.


The following table describes the audit message fields.

TABLE 1 Audit message field description

Variable Name Description

Sequence Number The error message position in the log.

Audit flag Identifies the message as an audit message.

Time Stamp The system time (UTC) when the message was generated on the switch. The RASLog subsystem will support an internationalized time stamp format based on the "LOCAL" setting.

Event ID The message module and number. These values uniquely identify each message in the Fabric OS and reference the cause and actions recommended in this manual. Note that not all message numbers are used; there can be gaps in the numeric message sequence.

Severity The severity of the error, which can be one of the following:

• 1 – CRITICAL

• 2 – ERROR

• 3 – WARNING

• 4 – INFO

Event Class The event class, which can be one of the following:

• CFG

• CLI

• FABRIC

• FIRMWARE

• LS

• MAPS

• RAS

• SECURITY

• ZONE

User ID The user ID.

Role The role of the user ID.

IP address The IP address or the resolved hostname, if applicable.

Interface The interface being used.

Application Name The application name being used on the interface.

Admin Domain The Admin Domain, if there is one.

Switch name The defined switch name or the chassis name of the switch, depending on the action; for example, HA messages typically show the chassis name and login failures show the logical switch name. This value is truncated if it is over 16 characters in length. Use the chassisName command to name the chassis or the switchName command to rename the logical switch.

Reserved field for future expansion This field is reserved for future use and contains a space character (null value).

Event-specific information A text string explaining the error encountered and providing parameters supplied by the software at runtime.
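The format and field table above are enough to parse audit records off the syslog server. The following is an added example (not Brocade code) that does so, handling both the plain layout and the syslog variant in which the Fabric OS version and six reserved fields precede the event-specific information, returning None for RASLOG-format lines so the two record types relayed to the same server can be told apart, and counting SEC-3021 failed logins per user, source and interface; the sample lines are constructed from the messages shown in this guide.

```python
"""Parser for Fabric OS AUDIT messages with a small failed-login counter.

Added example, not Brocade code. Field names in the returned dict are this
example's own; the layout follows the audit message format documented above.
"""
import re
from collections import Counter

EVENT_ID_RE = re.compile(r"^\[([A-Z]+-\d+)\]$")
TIMESTAMP_RE = re.compile(r"^\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}")
SEQ_RE = re.compile(r"^(\d+)\s+AUDIT$")
SEVERITIES = {"CRITICAL", "ERROR", "WARNING", "INFO"}


def parse_audit(line):
    """Return a dict of named fields, or None if the line is not an AUDIT record."""
    fields = line.strip().split(", ")
    # Locate the [MODULE-NNNN] token; anything before it is an optional prefix
    # (sequence number and timestamp, or a syslog relay header).
    idx = next((i for i, f in enumerate(fields) if EVENT_ID_RE.match(f)), None)
    if idx is None or len(fields) < idx + 7 or fields[idx + 1] not in SEVERITIES:
        return None  # RASLOG lines carry a sequence number, not a severity, here
    rec = {"event_id": EVENT_ID_RE.match(fields[idx]).group(1),
           "sequence": None, "timestamp": None, "fos_version": None}
    if idx >= 1 and TIMESTAMP_RE.match(fields[idx - 1]):
        rec["timestamp"] = fields[idx - 1]
    m = SEQ_RE.match(fields[0])
    if m:
        rec["sequence"] = int(m.group(1))
    rec["severity"], rec["event_class"] = fields[idx + 1], fields[idx + 2]
    who = fields[idx + 3].split("/")
    if len(who) != 5:  # <User ID>/<Role>/<IP address>/<Interface>/<Application Name>
        return None
    rec["user"], rec["role"], rec["ip"], rec["interface"], rec["application"] = who
    # The switch name may itself contain "/" ("pizzabox12/FID 3"), so split once.
    rec["admin_domain"], _, rec["switch"] = fields[idx + 4].partition("/")
    rest = fields[idx + 5:]
    if len(rest) >= 8 and rest[0] and all(f == "" for f in rest[1:7]):
        rec["fos_version"] = rest[0]  # syslog variant: version + six reserved fields
        rest = rest[7:]
    else:
        rest = rest[1:]  # plain variant: a single reserved (empty) field
    # Event-specific information can itself contain ", ", so re-join it.
    rec["info"] = ", ".join(rest)
    return rec


def failed_logins(lines):
    """Count SEC-3021 (failed login) records per (user, source, interface)."""
    counts = Counter()
    for line in lines:
        rec = parse_audit(line)
        if rec and rec["event_id"] == "SEC-3021":
            counts[(rec["user"], rec["ip"], rec["interface"])] += 1
    return counts


# Sample input constructed from the message formats shown in this guide.
SAMPLE_LINES = [
    "0 AUDIT, 2005/12/10-09:54:03, [SEC-1000], WARNING, SECURITY, "
    "JohnSmith/root/192.0.2.2/Telnet/CLI, Domain A/JohnsSwitch, , "
    "Incorrect password during login attempt.",
    "Feb 5 21:27:05 10.38.37.150 raslogd: AUDIT, 2015/02/05-21:27:04 (GMT), "
    "[RAS-2006], INFO, SECURITY, admin/admin/NONE/console/CLI, "
    "ad_0/Brocade300/CHASSIS, 7.3.0a1, , , , , , , "
    "Syslog server IP address 10.38.37.40 added.",
    "[SEC-3021], INFO, SECURITY, JBond007/admin/kali-2dot0.englab.brocade.com/ssh/CLI, "
    "ad_0/pizzabox12/FID 3, , Event: login, Status: failed, "
    "Info: Failed login attempt via REMOTE, IP Addr: kali-2dot0.englab.brocade.com.",
    "[SEC-3021], INFO, SECURITY, admin/NONE/NONE/console/CLI, None/pizzabox12/FID 3, , "
    "Event: login, Status: failed, Info: Failed login attempt via SERIAL.",
    # RASLOG format, not an AUDIT record:
    "[SEC-3081], 51, FID 128, INFO, Brocade6520, Event: X509v3, "
    "Certificate Validation failed, Info: Reason = unable to verify the first certificate.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_audit(line))
    print(failed_logins(SAMPLE_LINES))
```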

Audits of CLI or Console commands
• TS-1009: The audit message indicates that the time was updated using the date CLI; for example,

Apr 1 10:10:01 Brocade300AD raslogd: 2013/04/01-10:10:01, [TS-1009], 90, WWN 10:00:00:05:1e:74:84:73 | FID 128, INFO, Brocade300AD, Date changed by user.


• TS-1010: The audit message indicates that the time was updated from an NTP server; for example,

2015/01/22-11:16:21, [TS-1010], 29, FID 128, INFO, sw0, NTP Server Time Update from 2015/01/22-11:16:19.920251 to 2015/01/22-11:16:21.983630

• RAS-2006: The audit message indicates that a syslog server IP address has been added; for example,

Feb 5 21:27:05 10.38.37.150 raslogd: AUDIT, 2015/02/05-21:27:04 (GMT), [RAS-2006], INFO, SECURITY, admin/admin/NONE/console/CLI, ad_0/Brocade300/CHASSIS, 7.3.0a1, , , , , , , Syslog server IP address 10.38.37.40 added.

• RAS-2007: The audit message indicates that a syslog server IP address has been removed; for example,

Feb 5 21:27:43 10.38.37.150 raslogd: AUDIT, 2015/02/05-21:27:43 (GMT), [RAS-2007], INFO, SECURITY, admin/admin/NONE/console/CLI, ad_0/Brocade300/CHASSIS, 7.3.0a1, , , , , , , Syslog server IP address 10.38.37.40 removed.

• The following audit message indicates that an SSH session failed to get established because of a cipher mismatch. Similar messages are generated for the following:

– Key exchange mismatch
– Key algorithm mismatch
– MAC mismatch
– Host key mismatch

63 AUDIT, 2017/03/20-18:14:00 (UTC), [SEC-3076], INFO, SECURITY, NONE/NONE/NONE/None/CLI, None/sw0/FID 128, , Event: SSH, Status: failed, Info: SSH Session establishment failed. Reason: no matching cipher found, IP Addr: 10.70.12.112

• The following audit message indicates that a TLS handshake has been initiated.

[SEC-3078], INFO, SECURITY, NONE/root/NONE/None/CLI, ad_0/pizzabox12/FID 3, , Event: TLS SESSION, TLS handshake, Info: Establishing TLS connection. Host=10.38.38.152.

• The following audit message indicates that a TLS handshake failed because of a wrong version number for the TLS protocol. Similar messages are generated for the following:

– Wrong ciphers
– Wrong CA certificate
– Server key length less than 2048

84 AUDIT, 2017/03/20-18:33:13 (UTC), [SEC-3077], INFO, SECURITY, root/root/NONE/console/CLI, ad_0/sw0/FID 128, , Event: TLS SESSION, TLS handshake failed, Info: Wrong Protocol version number.

• The following audit message indicates that a TLS session has been terminated.

[SEC-3078], INFO, SECURITY, NONE/root/NONE/None/CLI, ad_0/pizzabox12/FID 3, , Event: TLS SESSION, TLS handshake, Info: Terminating TLS connection. Host=10.38.38.152.

• The following audit messages indicate that certificate validation failed because the local issuer certificate was unavailable. Similar messages are generated for the following:

– Key usage
– Extended key usage
– Self-signed certificates
– Login with importing CA certificate
– CN mismatch
– Others


NOTE
OpenSSL errors are presented in the information section as-is.

[SEC-3081], INFO, SECURITY, admin/admin/10.252.200.228/ssh/CLI, ad_0/sw0/FID 128, , Event: TLS SESSION, Certificate Validation failed, Info: Reason = unable to get local issuer certificate.
[SEC-3081], 51, FID 128, INFO, Brocade6520, Event: X509v3, Certificate Validation failed, Info: Reason = unable to verify the first certificate.
[SEC-3081], 7379, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = unable to get local issuer certificate. Host=10.38.37.195.
[SEC-3081], 7394, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = Hostname mismatch. Host=10.38.37.195.
[SEC-3081], 30947, FID 128, INFO, AMPSecurity, Event: X509v3, Certificate Validation failed, Info: Reason = self signed certificate in certificate chain. Host=kali-2dot0.englab.brocade.com.
[SEC-3081], 7370, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = self signed certificate. Host=ca.englab.brocade.com.
[SEC-3081], 62220, FID 3, INFO, pizzabox12, Event: X509v3, Certificate Validation failed, Info: Reason = key usage does not include digital signature. Host= CN=Brocade.
[SEC-3081], 527, FID 128, INFO, Brocade6520, Event: X509v3, Certificate Validation failed, Info: Reason = unsupported certificate purpose.
[SEC-3081], 7981, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = certificate is not yet valid. Host=Self CN=chewy.englab.brocade.com.
[SEC-3081], 7981, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = certificate is unknown for OCSP. Host=pizzabox12.englab.brocade.com.
[SEC-3081], 7981, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = OCSP application verification failure. Host=kali-2dot0.englab.brocade.com, OU.'
[SEC-3081], 7981, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = invalid CA certificate: basic constraints false for CA. Host=kali-2dot0.englab.brocade.com [email protected], CN.'
[SEC-3081], 7981, FID 128, INFO, chewy, Event: X509v3, Certificate Validation failed, Info: Reason = invalid CA certificate: basic constraints absent for CA. Host=kali-2dot0.englab.brocade.com [email protected], CN.\x0a'
[SEC-3081], 864, FID 128, INFO, Brocade6520, Event: X509v3, Certificate Validation failed, Info: Reason = certificate signature failure. Host=testlabm1.btn.gss.com.
[SEC-3081], 866, FID 128, INFO, Brocade6520, Event: X509v3, Certificate Validation failed, Info: Reason = certificate has expired. Host=testlabm1.btn.gss.com.
[SEC-3081], 868, FID 128, INFO, Brocade6520, Event: X509v3, Certificate Validation failed, Info: Reason = invalid CA certificate. Host=testlabm1.btn.gss.com.
[SEC-3081], 885, FID 128, INFO, Brocade6520, Event: X509v3, Certificate Validation failed, Info: Reason = Hostname wildcard check failed. Host=foo.example.com.
[SEC-3081], 922, FID 128, INFO, Brocade6520, Event: X509v3, Certificate Validation failed, Info: Reason = Hostname mismatch. Host=Brocade6520.btn.gss.com.

• The following audit message indicates a successful Domain ID change via CLI.

AUDIT, 2017/05/03-17:42:04 (GMT), [CONF-1042], INFO, CONFIGURATION, root/root/NONE/console/CLI, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Fabric Configuration Parameter Domain changed to 13.

• The following audit messages indicate that a login attempt from the console failed (bad user). A similar message is generated for failures due to a bad password.

[SEC-3021], INFO, SECURITY, JBond007/NONE/NONE/console/CLI, None/pizzabox12/FID 3, , Event: login, Status: failed, Info: Failed login attempt via SERIAL.

[SEC-3021], INFO, SECURITY, admin/NONE/NONE/console/CLI, None/pizzabox12/FID 3, , Event: login, Status: failed, Info: Failed login attempt via SERIAL.

• The following audit message indicates that a login attempt from the console succeeded.

[SEC-3020], INFO, SECURITY, admin/admin/NONE/console/CLI, ad_0/pizzabox12/FID 3, , Event: login, Status: success, Info: Successful login attempt via SERIAL.


• The following audit message indicates that a login attempt over SSH failed (bad username). A similar message is generated for failures due to a bad password.

[SEC-3021], INFO, SECURITY, JBond007/admin/kali-2dot0.englab.brocade.com/ssh/CLI, ad_0/pizzabox12/FID 3, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: kali-2dot0.englab.brocade.com.

• The following audit message indicates that a login attempt with SSH succeeded.

[SEC-3020], INFO, SECURITY, root/root/trapazoid.englab.brocade.com/ssh/CLI, ad_0/pizzabox12/FID 3, 8.1.0b_rc1_bld16, , , , , , , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: trapazoid.englab.brocade.com.

• The following audit messages indicate that a logout over SSH succeeded. A similar message is generated for a successful logout from the console.

[SEC-3022], INFO, SECURITY, admin/admin/trapazoid.englab.brocade.com/ssh/CLI, ad_0/pizzabox12/FID 3, 8.1.0b_rc1_bld16, , , , , , , Event: logout, Status: success, Info: Successful logout by user [admin].

[SEC-3022], INFO, SECURITY, admin/admin/NONE/console/CLI, ad_0/pizzabox12/FID 3, , Event: logout, Status: success, Info: Successful logout by user [admin].

• The following audit messages indicate that a firmware download was initiated and completed successfully.

[SULB-1001], 41547, WWN 10:00:50:eb:1a:48:1d:82 | CHASSIS, WARNING, Brocade7840, Firmwaredownload command has started. (From v8.1.0b_rc1_bld07 To v8.1.0_cc_27mar).
[SULB-1044], 41549, WWN 10:00:50:eb:1a:48:1d:82 | CHASSIS, INFO, Brocade7840, Firmwaredownload to secondary partition has completed successfully.
[SULB-1002], 41612, WWN 10:00:50:eb:1a:48:1d:82 | CHASSIS, INFO, Brocade7840, Firmwaredownload command has completed successfully.

• The following audit message indicates that a firmware download has failed.

2016/11/08-16:22:09, [SULB-1011], 621, CHASSIS, INFO, Brocade7840, Firmwaredownload command failed. Failed to download RPM package. Please check if the firmware image is accessible.

The failure is also reported on the console.

Firmwaredownload failed because the signature for the firmware could not be validated.

• The following audit message indicates that a successful SSH logout has occurred.

[SEC-3022], INFO, SECURITY, admin/admin/kali-2dot0.englab.brocade.com/ssh/CLI, ad_0/pizzabox12/FID 3, , Event: logout, Status: success, Info: Successful logout by user [admin].

The success of a console logout is also reported on the console.

[SEC-3022], INFO, SECURITY, admin/admin/NONE/console/CLI, ad_0/pizzabox12/FID 3, , Event: logout, Status: success, Info: Successful logout by user [admin].

• The following message indicates that a successful SSH rekeying event has occurred.

[SEC-3072], 920, FID 128, INFO, Brocade6520, Event: sshd, Status: success, Info: Rekeying for session for 172.16.103.43:2050.

• The following audit message indicates that an ipfilter policy with the HTTP port (80) enabled has been activated.

3 AUDIT, 2017/02/21-19:39:35 (UTC), [SEC-3075], INFO, SECURITY, root/root/NONE/console/CLI, ad_0/sw0/FID 128, , Event: ipfilter, HTTP PORT STATE: ACTIVE, Info: Activated ipfilter policy <policy_name> has activated HTTP port.

• The following audit message indicates that an ipfilter policy with the Telnet port (23) enabled has been activated.

4 AUDIT, 2017/02/21-19:39:35 (UTC), [SEC-3075], INFO, SECURITY, root/root/NONE/console/CLI, ad_0/sw0/FID 128, , Event: ipfilter, TELNET PORT STATE: ACTIVE, Info: Activated ipfilter policy <policy_name> has activated Telnet port.

• The following audit message indicates that an ipfilter policy with the HTTPS port (443) disabled has been activated.

3 AUDIT, 2017/02/21-19:27:56 (UTC), [SEC-3075], INFO, SECURITY, root/root/NONE/console/CLI, ad_0/sw0/FID 128, , Event: ipfilter, HTTPS PORT STATE: DROP, Info: Activated ipfilter policy <policy_name> has blocked HTTPS port.

Audits of administrative actions using Web Tools

• The following audit message indicates that a login attempt via Web Tools failed (bad password). A similar message is generated for failures due to bad username.

[SEC-3021], INFO, SECURITY, admin/admin/10.38.38.152/https/WebTools, ad_255/pizzabox12/FID 3, , Event: login, Status: failed, Info: Failed login attempt via HTTP, IP Addr: 10.38.38.152.

[SEC-3021], INFO, SECURITY, admin/admin/kali-2dot0.englab.brocade.com/ssh/CLI, ad_0/pizzabox12/FID 3, , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: kali-2dot0.englab.brocade.com.

• The following audit message indicates that a login attempt via Web Tools failed (bad user).

[SEC-3021], INFO, SECURITY, JBond007/admin/10.38.38.152/https/WebTools, ad_255/pizzabox12/FID 3, , Event: login, Status: failed, Info: Failed login attempt via HTTP, IP Addr: 10.38.38.152.

• The following audit message indicates a successful login attempt via Web Tools.

[SEC-3020], INFO, SECURITY, admin/admin/10.38.38.152/https/WebTools, ad_0/pizzabox12/FID 3, , Event: login, Status: success, Info: Successful login attempt via HTTP, IP Addr: 10.38.38.152.

• The following audit message indicates a successful logout attempt via Web Tools.

[SEC-3022], INFO, SECURITY, admin/admin/10.38.38.152/https/WebTools, ad_0/pizzabox12/FID 3, , Event: logout, Status: success, Info: Successful logout by user [admin].

• The following audit message indicates a successful change of switch name via Web Tools.

2017/05/02-16:31:00 (UTC), [IPAD-1002], INFO, CONFIGURATION, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, , Switch name has been successfully changed to 7840-3-security.

• The following audit message indicates a successful change in DNS configuration via Web Tools.

May 2 16:32:52 10.38.37.168 raslogd: 2017/05/02-16:32:52, [IPAD-1003], 3226, WWN 10:00:c4:f5:7c:37:5a:d2 | FID 128, INFO, 7840-3-security, DNS parameters saved successfully.

• The following audit message indicates a successful IP address configuration via Web Tools.

2017/05/03-17:15:22, [IPAD-1000], 3292, CHASSIS, INFO, Brocade7840, SW/0 Ether/0 IPv4 manual 10.38.37.166/20 DHCP Off.

• The following audit message indicates a successful Netmask configuration via Web Tools.

2017/05/03-17:22:01, [IPAD-1000], 3293, WWN 10:00:c4:f5:7c:37:5a:d2 | CHASSIS, INFO, Brocade7840, SW/0 Ether/0 IPv4 manual 10.38.37.168/24 DHCP Off.

• The following audit message indicates a successful Gateway configuration via Web Tools.

2017/05/03-17:46:18, [IPAD-1001], 3329, CHASSIS, INFO, Brocade7840, CP/0 IPv4 manual 10.38.32.255 DHCP not Set.

• The following audit message indicates a successful syslog server addition via Web Tools.

AUDIT, 2017/05/03-17:08:31 (GMT), [RAS-2006], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Syslog server IP address 10.38.35.25 added.

NOTE
Only a non-TLS (not secure) server can be added.

• The following audit message indicates a successful syslog server removal via Web Tools.

AUDIT, 2017/05/03-17:12:45 (GMT), [RAS-2007], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Syslog server IP address 10.38.35.25 removed.

• The following audit message indicates a successful creation of an IP filter rule via Web Tools.

[SEC-3035], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-num3-security/FID 128, , Event: ipfilter, Status: success, Info: All ipfilter policy(ies) saved.

• The following audit messages indicate a successful modification of an IP filter rule via Web Tools.

[SEC-3037], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-num3-security/FID 128, , Event: ipfilter, Status: success, Info: FIPS_v4 ipfilter policy activated.

[SEC-3035], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-num3-security/FID 128, , Event: ipfilter, Status: success, Info: All ipfilter policy(ies) saved.

• The following audit message indicates a successful deletion of an IP filter rule via Web Tools.

[SEC-3035], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-num3-security/FID 128, , Event: ipfilter, Status: success, Info: All ipfilter policy(ies) saved.

• The following audit messages indicate a successful system restart via Web Tools.

[RAS-1007], 3227, WWN 10:00:c4:f5:7c:37:5a:d2 | CHASSIS, INFO, Brocade7840, System is about to reload.

AUDIT, 2017/05/02-16:34:15 (GMT), [RAS-1007], INFO, RAS, NONE/NONE/NONE/None/CLI, None/Brocade7840/CHASSIS, 8.1.0b, , , , , , , System is about to reload.

AUDIT, 2017/05/02-16:34:18 (GMT), [SEC-3022], INFO, SECURITY, admin/admin/NONE/console/CLI, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Event: logout, Status: success, Info: Successful logout by user [admin].

[HAM-1004], 3228, WWN 10:00:c4:f5:7c:37:5a:d2 | CHASSIS, INFO, Brocade7840, Processor rebooted - Reboot:WebTool.

• The following audit messages indicate a successful firmware download via Web Tools.

[SULB-1001], 10623, WWN 10:00:c4:f5:7c:00:6d:00 | CHASSIS, WARNING, BrocadeG610, Firmwaredownload command has started. (From v8.1.0b To v8.1.0b_rc1_bld21).

AUDIT, 2017/05/02-16:46:24 (GMT), [SULB-1001], WARNING, FIRMWARE, admin/admin/10.38.38.152/https/Web Tools, ad_0/BrocadeG610/CHASSIS, 8.1.0b, , , , , , , Firmwaredownload command has started. (From v8.1.0b To v8.1.0b_rc1_bld21).

[SULB-1044], 10624, WWN 10:00:c4:f5:7c:00:6d:00 | CHASSIS, INFO, BrocadeG610, Firmwaredownload to secondary partition has completed successfully.

[FSSM-1002], 10625, WWN 10:00:c4:f5:7c:00:6d:00 | CHASSIS, INFO, BrocadeG610, HA State is in sync.

[FSSM-1003], 10626, WWN 10:00:c4:f5:7c:00:6d:00 | CHASSIS, WARNING, BrocadeG610, HA State out of sync.

[RAS-1007], 10627, WWN 10:00:c4:f5:7c:00:6d:00 | CHASSIS, INFO, BrocadeG610, System is about to reload.

AUDIT, 2017/05/02-17:01:29 (GMT), [RAS-1007], INFO, RAS, NONE/root/NONE/None/CLI, ad_0/BrocadeG610/CHASSIS, 8.1.0b, , , , , , , System is about to reload.

AUDIT, 2017/05/02-17:03:20 (GMT), [SULB-1003], INFO, FIRMWARE, NONE/root/NONE/None/CLI, ad_0/BrocadeG610/CHASSIS, 8.1.0b_rc1_bld21, , , , , , , Firmwarecommit has started.

[SULB-1003], 10635, WWN 10:00:c4:f5:7c:00:6d:00 | CHASSIS, INFO, BrocadeG610, Firmwarecommit has started.

AUDIT, 2017/05/02-17:08:08 (GMT), [SULB-1004], INFO, FIRMWARE, NONE/root/NONE/None/CLI, ad_0/BrocadeG610/CHASSIS, 8.1.0b_rc1_bld21, , , , , , , Firmwarecommit has completed.

[SULB-1004], 10643, WWN 10:00:c4:f5:7c:00:6d:00 | CHASSIS, INFO, BrocadeG610, Firmwarecommit has completed.

AUDIT, 2017/05/02-17:08:08 (GMT), [SULB-1002], INFO, FIRMWARE, NONE/root/NONE/None/CLI, ad_0/BrocadeG610/CHASSIS, 8.1.0b_rc1_bld21, , , , , , , Firmwaredownload command has completed successfully.

• The following audit message indicates a successful change of the switch authentication database (AAA servers) via Web Tools.

AUDIT, 2017/05/02-17:21:02 (GMT), [SEC-3034], INFO, SECURITY, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , Event: aaaconfig, Status: success, Info: Authentication configuration changed from Radius Local to Local Only terminating existing sessions.

• The following audit messages indicate a successful LDAP server addition via Web Tools.

AUDIT, 2017/05/02-17:24:18 (GMT), [SEC-3014], INFO, SECURITY, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , Event: aaaConfig, Status: success, Info: Added LDAP server 6.7.8.9 for AAA services.

[SEC-1184], 10653, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, LDAP configuration change, action ADD, server ID 6.7.8.9.

• The following audit messages indicate a successful RADIUS server addition via Web Tools.

AUDIT, 2017/05/02-17:24:18 (GMT), [SEC-3014], INFO, SECURITY, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , Event: aaaConfig, Status: success, Info: Added RADIUS server 2.3.4.5 for AAA services.

[SEC-1184], 10652, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, RADIUS configuration change, action ADD, server ID 2.3.4.5.

• The following audit messages indicate a successful TACACS+ server addition via Web Tools.

AUDIT, 2017/05/02-17:24:19 (GMT), [SEC-3014], INFO, SECURITY, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , Event: AAA Server Config, Status: success, Info: Added TACACS+ server 10.20.30.40 for AAA services.

[SEC-1184], 10654, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, TACACS+ configuration change, action ADD, server ID 10.20.30.40.

• The following audit message indicates a successful deletion of a user account via Web Tools.

AUDIT, 2017/05/03-17:41:07 (GMT), [SEC-3028], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Event: userconfig, Status: success, Info: User account [testuser] deleted.

• The following audit message indicates a successful modification of a user account via Web Tools.

AUDIT, 2017/05/03-17:40:13 (GMT), [SEC-3027], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Event: userconfig, Status: success, Info: User account [testuser] [ LFs changed: (null): 128 switchadmin:].

• The following audit messages indicate a successful password change via Web Tools.

[SEC-1197], 10622, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, Changed account newadmin.

AUDIT, 2017/05/02-16:41:21 (GMT), [SEC-3024], INFO, SECURITY, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b, , , , , , , Event: passwd, Status: success, Info: User account [newadmin], password changed.

• The following audit message indicates a successful password rule modification via Web Tools (minimum length).

AUDIT, 2017/05/03-17:43:24 (GMT), [SEC-3018], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Event: passwdcfg, Status: success, Info: Parameter [minlength] changed from [8] to [15].

• The following audit message indicates a successful password rule modification via Web Tools (lockout threshold).

AUDIT, 2017/05/03-17:44:37 (GMT), [SEC-3018], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Event: passwdcfg, Status: success, Info: Parameter [lockoutthreshold] changed from [0] to [10].

• The following audit messages indicate a successful SNMPv3 configuration (enabled) for all trap recipients via Web Tools.

[SNMP-1005], 10646, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, snmp.inform, has changed from 0 to 1.

AUDIT, 2017/05/02-17:15:49 (GMT), [SNMP-1005], INFO, CONFIGURATION, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , SNMP configuration attribute, snmp.inform, has changed from 0 to 1.

• The following audit messages indicate a successful SNMPv3 configuration (change) for trap recipient and informing via Web Tools.

AUDIT, 2017/05/02-17:16:55 (GMT), [SNMP-1005], INFO, CONFIGURATION, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , SNMP configuration attribute, SNMPv3 Trap Recipient USM User Index 2, has changed from 2 to 4.

[SNMP-1005], 10647, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, SNMPv3 Trap Recipient USM User Index 2, has changed from 2 to 4.

AUDIT, 2017/05/02-17:16:55 (GMT), [SNMP-1005], INFO, CONFIGURATION, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , SNMP configuration attribute, SNMPv3 Trap Recipient IP Address 2, has changed from [0.0.0.0] to [10.38.38.37].

AUDIT, 2017/05/02-17:16:55 (GMT), [SNMP-1005], INFO, CONFIGURATION, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , SNMP configuration attribute, SNMPv3 Trap Recipient Severity Level 2, has changed from 0 to 1.

[SNMP-1005], 10648, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, SNMPv3 Trap Recipient IP Address 2, has changed from [0.0.0.0] to [10.38.38.37].

[SNMP-1005], 10649, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, SNMPv3 Trap Recipient Severity Level 2, has changed from 0 to 1.

• The following audit messages indicate a successful change in Access Control List (ACL) via Web Tools.

[SNMP-1005], 10648, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, SNMPv3 Trap Recipient IP Address 2, has changed from [0.0.0.0] to [10.38.38.37].

[SNMP-1005], 10649, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, SNMPv3 Trap Recipient Severity Level 2, has changed from 0 to 1.

[SNMP-1005], 10650, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, Access Host Subnet Area 1 , has changed from [0.0.0.0] to [10.38.38.37].

[SNMP-1005], 10651, WWN 10:00:c4:f5:7c:00:6d:00 | FID 128, INFO, chewy, SNMP configuration attribute, Access R/W 1 , has changed from [true] to [false].

AUDIT, 2017/05/02-17:18:29 (GMT), [SNMP-1005], INFO, CONFIGURATION, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , SNMP configuration attribute, Access Host Subnet Area 1 , has changed from [0.0.0.0] to [10.38.38.37].

AUDIT, 2017/05/02-17:18:29 (GMT), [SNMP-1005], INFO, CONFIGURATION, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , SNMP configuration attribute, Access R/W 1 , has changed from [true] to [false].
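The messages in this section follow two layouts: AUDIT-class records (an optional "AUDIT, <timestamp>," prefix, then [MSG-ID], severity, class, user/role/source/interface/application, ad/switch/FID, an optional firmware version, padding fields and the message text) and RASLog-style records ([MSG-ID], sequence number, scope, severity, switch name, text), sometimes wrapped in a syslog line. The following Python script is an added example and not part of the Brocade guide. It parses both layouts as inferred from the samples above, for both the CLI audit messages and the Web Tools messages, and raises the alerts an operator monitoring the evaluated configuration would want: failed logins (SEC-3021), a failed firmware download (SULB-1011), an ipfilter policy that activates the cleartext HTTP or Telnet management port (SEC-3075), a change of the authentication backend (SEC-3034), and a passwdcfg change that weakens the password rules (SEC-3018). The rule set, all function names and the lines in SAMPLE_LINES are constructed for this example.

```python
"""Parse Fabric OS audit and RASLog messages and flag security-relevant events.

Added example, not from the Brocade guide. Both field layouts are inferred from
the sample messages in this section; the rules, function names and SAMPLE_LINES
are constructed for this example.
"""
import re

# AUDIT-class record: optional "AUDIT, <timestamp>," prefix, then [MSG-ID], severity,
# class, user/role/source/interface/application, ad/switch/FID, an optional
# firmware version, empty padding fields, and finally the message text.
AUDIT_RE = re.compile(
    r"^(?:\d+\s+)?(?:AUDIT,\s*(?P<ts>[^,]+),\s*)?"
    r"\[(?P<msgid>[A-Z]+-\d+)\],\s*(?P<sev>[A-Z]+),\s*(?P<cls>[A-Z]+),\s*"
    r"(?P<user>[^/,]+)/(?P<role>[^/,]+)/(?P<src>[^/,]+)/(?P<iface>[^/,]+)/(?P<app>[^,]+),\s*"
    r"(?P<ctx>[^,]+),\s*(?P<fw>[^,]*),\s*(?:,\s*)*(?P<text>.*)$"
)
# RASLog-style record: optional "... raslogd:" and timestamp prefix, then [MSG-ID],
# sequence number, scope (CHASSIS, FID n, WWN ... | ...), severity, switch name, text.
RASLOG_RE = re.compile(
    r"^(?:.*?raslogd:\s*)?(?:(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}),\s*)?"
    r"\[(?P<msgid>[A-Z]+-\d+)\],\s*(?P<seq>\d+),\s*(?P<scope>[^,]+),\s*"
    r"(?P<sev>[A-Z]+),\s*(?P<switch>[^,]+),\s*(?P<text>.*)$"
)
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")
PARAM_RE = re.compile(r"Parameter \[(\w+)\] changed from \[(\d+)\] to \[(\d+)\]")
CLEARTEXT_PORTS = ("HTTP PORT STATE", "TELNET PORT STATE")  # keys used by SEC-3075


def parse_fields(text):
    """Split 'Event: x, Status: y, Info: z' into a dict; a comma inside a value stays with it."""
    fields, key = {}, None
    for seg in text.split(", "):
        m = KV_RE.match(seg)
        if m:
            key = m.group(1).strip()
            fields[key] = m.group(2)
        elif key is not None:
            fields[key] += ", " + seg
    return fields


def parse_line(line):
    """Return a dict for an AUDIT or RASLog record, or None for any other line."""
    m, fmt = AUDIT_RE.match(line), "audit"
    if m is None:
        m, fmt = RASLOG_RE.match(line), "raslog"
    if m is None:
        return None
    rec = m.groupdict()
    rec["format"] = fmt
    rec["fields"] = parse_fields(rec["text"])
    return rec


def classify(rec):
    """Name the alert a defender should raise for this record, or None."""
    msgid, f = rec["msgid"], rec["fields"]
    if msgid == "SEC-3021":              # login failed (bad user or bad password)
        return "failed_login"
    if msgid == "SULB-1011":             # firmware download failed (image or signature problem)
        return "firmware_download_failed"
    if msgid == "SEC-3075" and any(f.get(k) == "ACTIVE" for k in CLEARTEXT_PORTS):
        return "cleartext_mgmt_port_enabled"   # ipfilter policy opened HTTP (80) or Telnet (23)
    if msgid == "SEC-3034":              # aaaconfig: authentication backend changed
        return "auth_config_changed"
    if msgid == "SEC-3018":              # passwdcfg: flag only changes that weaken the rule
        m = PARAM_RE.search(f.get("Info", ""))
        if m:
            name, old, new = m.group(1), int(m.group(2)), int(m.group(3))
            if (name == "minlength" and new < old) or (name == "lockoutthreshold" and new == 0):
                return "password_policy_weakened"
    return None


def scan(lines):
    """Return (alert, msgid, user, source) for every line that triggers a rule."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert:
            alerts.append((alert, rec["msgid"], rec.get("user"), rec.get("src")))
    return alerts


# Constructed sample lines, modeled on the messages shown in this section.
SAMPLE_LINES = [
    "[SEC-3021], INFO, SECURITY, JBond007/admin/10.38.38.152/https/WebTools, ad_255/pizzabox12/FID 3, , Event: login, Status: failed, Info: Failed login attempt via HTTP, IP Addr: 10.38.38.152.",
    "[SEC-3020], INFO, SECURITY, admin/admin/10.38.38.152/https/WebTools, ad_0/pizzabox12/FID 3, , Event: login, Status: success, Info: Successful login attempt via HTTP, IP Addr: 10.38.38.152.",
    "3 AUDIT, 2017/02/21-19:39:35 (UTC), [SEC-3075], INFO, SECURITY, root/root/NONE/console/CLI, ad_0/sw0/FID 128, , Event: ipfilter, HTTP PORT STATE: ACTIVE, Info: Activated ipfilter policy <policy_name> has activated HTTP port.",
    "3 AUDIT, 2017/02/21-19:27:56 (UTC), [SEC-3075], INFO, SECURITY, root/root/NONE/console/CLI, ad_0/sw0/FID 128, , Event: ipfilter, HTTPS PORT STATE: DROP, Info: Activated ipfilter policy <policy_name> has blocked HTTPS port.",
    "2016/11/08-16:22:09, [SULB-1011], 621, CHASSIS, INFO, Brocade7840, Firmwaredownload command failed. Failed to download RPM package. Please check if the firmware image is accessible.",
    "AUDIT, 2017/05/03-17:44:37 (GMT), [SEC-3018], INFO, SECURITY, admin/admin/10.38.243.4/https/WebTools, ad_0/7840-3-security/FID 128, 8.1.0b, , , , , , , Event: passwdcfg, Status: success, Info: Parameter [lockoutthreshold] changed from [10] to [0].",
    "AUDIT, 2017/05/02-17:21:02 (GMT), [SEC-3034], INFO, SECURITY, admin/admin/10.38.38.152/https/Web Tools, ad_0/chewy/FID 128, 8.1.0b_rc1_bld21, , , , , , , Event: aaaconfig, Status: success, Info: Authentication configuration changed from Radius Local to Local Only terminating existing sessions.",
    "May 2 16:32:52 10.38.37.168 raslogd: 2017/05/02-16:32:52, [IPAD-1003], 3226, WWN 10:00:c4:f5:7c:37:5a:d2 | FID 128, INFO, 7840-3-security, DNS parameters saved successfully.",
    "not an audit record",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

The parser keys every rule on the message ID rather than on the free-text "Info" field, since the ID is stable across the CLI and Web Tools variants of the same event while the text differs (compare the SSH and HTTP login failures above). The HTTPS "DROP" record deliberately produces no alert: the rule fires only when a cleartext management port is activated.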
