Stealthwatch Compliance Guide 7.1 Version 1.0

Cisco Stealthwatch Compliance Guide 7.1 Version 1.0

July 2, 2020 TOC

Introduction 6 Purpose 6 Documentation 6 Target Audience 7 Assumptions 7 Evaluated TOE Configuration 9 Installation 10 Required Components 10 Secure Installation 11 TOE Environment Firewall Network 11 Installing the TOE 11 Appliance Configuration 12 Adding Appliances 12 SMC Administration Credentials 13 X.509v3 Certificates 13 Appliance IP Addresses 14 Removing Appliances 14 Connection Recovery 14 Compliance Configuration Overview 15 Maintenance Mode 15 Compliance Checklist 15 Log in to the Stealthwatch Web App 17 Open Central Management 17 Open User Management 17 Certificates 18 Best Practices 18 1. Review Appliance Identity Certificate Requirements 18 Appliance Identity Certificate Requirements 18 2. Generate Certificate Signing Requests 20

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. Cisco Public - 2 - 3. Add Certificates to the Trust Stores 21 Appliance Identity Trust Store Requirements 21 4. Replace the Appliance Identity Certificates 22 5. Delete Cisco Default Appliance Identity Certificates 24 6. Review External Service Certificate Requirements 24 External Service Certificate Requirements 24 7. Add External Service Certificates to the Trust Stores 26 External Service Trust Store Requirements 26 Compliance Mode (FIPS and Common Criteria) 28 FIPS 28 Common Criteria 29 Enabling Compliance Encryption Libraries (FIPS, CC) 31 LDAP 32 1. Add the Certificate to the Trust Stores 32 2. Configure the LDAP Settings 32 3. Add an LDAP User 33 SAML SSO 35 1. Prepare for Configuration 35 2. Configure the Service Provider 35 3. Enable SSO 36 4. Configure the Identity Provider 37 5. Add an SSO User 37 6. Test SAML Login 38 Troubleshooting 39 Audit Log Destination 40 1. Prepare for Configuration 40 2. Configure the Audit Log Destination Settings 40 3. Enable Syslog Compliance 41 SMTP Configuration and DoDIN Notifications 42 1. Prepare for Configuration 42 2. Configure SMTP Configuration and Enable DoDIN Notifications 42

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. Cisco Public - 3 - Central Management Configuration 44 Stealthwatch Online Help 44 1. Open Central Management 44 2. Enable AIDE 45 3. Enable SNMP Agent 46 4. Create a Security Label 47 5. Configure Protected Sessions Time-Out 48 6. Enable Backup Configuration Encryption 48 7. Define the Password Policy 50 General 50 Password Complexity 50 Security Lockouts 51 8. Disable External Services and Google Analytics 52 9. Apply Settings 52 NTP Communication 53 1. Create Manual-Set-Time File 53 2. Update System Time 54 3. Check the Audit Logs 55 Local Authentication Configuration 56 1. Disable the Admin User Account 56 2. Disable the Root Shell of the Console 56 3. Disable SSH and Root SSH Access 57 4. Confirming your Configuration is Complete 57 Managing Stealthwatch in Compliance 58 Scope 58 Documentation 58 Reviewing the Software Version 58 User Management 58 Login History 59 Terminating User Sessions 59 Terminate Your Console Session 59

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. Cisco Public - 4 - Terminate Your Web UI Session 59 Terminate Another User’s Active Web UI Session 59 Terminate User Accounts in Appliance Admin (DoDIN APL) 60 Manually Updating the Time 60 Enabling NTP Communications 60 Certificates 61 Syslog and Audit Logs 62 Syslog 62 Audit Logs 62 Audit Log History 63 Resetting Factory Defaults (RFD) 64 Emergency Recovery 64 TOE Processes 67 Audit Log Messages 69 Audit Log Messages Table 70 Changes and Exclusions 89 Changing Appliances After Compliance Configuration 89 Updating Software 89 Installation Failed 90 Troubleshooting a Failed Installation 91 Exclusions 92 Configurations and Features 92 Acronyms and Terms 95 Contacting Support 98

Introduction

The Target of Evaluation (TOE) is the Cisco Stealthwatch v7.1. The TOE is a network performance monitoring tool capable of detecting flow-based anomalies in the network. The TOE uses its Stealthwatch Management Console and managed appliances to gain heightened visibility into network and application performance and behavior. Purpose This document provides guidance for the secure installation and secure use of the TOE for the following evaluated configurations:

l collaborative Protection Profile for Network Devices (NDcPP) for Common Criteria (CC)

l Department of Defense Information Network Approved Products List (DoDIN APL) for the CS Tool category This document provides clarifications and changes to the Cisco documentation and should be used as the guiding document for the installation, configuration, and administration of the TOE in a Common Criteria or DoDIN APL evaluated configuration. The official Cisco documentation should be referred to and followed only as directed within this guiding document. Documentation Review the following table to download the documentation you need for the installation, configuration, and management of the TOE.

Name Description

Downloading and Licensing Stealthwatch Products Provides instructions for v7.1 licensing Stealthwatch products.

Includes steps for the installation Stealthwatch x210 Series Hardware Installation Guide of Stealthwatch hardware.

Provides instructions for configuring Stealthwatch Stealthwatch Installation and Configuration Guide hardware and virtual appliances. v7.1.1 Also provides instructions for installing virtual appliances.

Includes details of updated features in the release, bug fixes, Stealthwatch Release Notes v7.1 and known issues (with workarounds).

Name Description

Provides information about Stealthwatch Update Guide v7.1.3 updating Stealthwatch.

In the SMC, click the User icon in the toolbar in the upper right corner, and select Online Stealthwatch Online Help Help to access instructions for the SMC web and appliance administration user interfaces.

Target Audience The intended audience for this guide includes Network and Security Administrators and other personnel who are responsible for installing and configuring Stealthwatch products for the collaborative Protection Profile for Network Devices (NDcPP) or Department of Defense Information Network Approved Products List (DoDIN APL) evaluated configuration. Assumptions We assume the following:

l Physical Protection: The network device is assumed to be physically protected in its operational environment and not subject to physical attacks that compromise the security of, and/or interfere with, the device’s physical interconnections and correct operation.

l Limited Functionality: The device is assumed to provide networking functionality as its core function and not provide functionality/services that could be deemed as general purpose computing.

l Traffic Protection: A standard, generic network device does not provide any assurance regarding the protection of traffic that traverses it.

l Trusted Administrators: The administrators for the network device are assumed to be trusted and to act in the best interest of security for the organization. This includes being appropriately trained, following policy, and adhering to guidance documentation. Administrators are trusted to ensure passwords and credentials have sufficient strength, entropy, and lack malicious intent when administering the device.

l Regular Updates: The network device firmware and software is assumed to be updated by an administrator on a regular basis in response to the release of product updates due to known vulnerabilities.

l Administrative Credentials: The administrator’s credentials (private key) used to access the network device are protected by the platform on which they reside.

l Components Remain Running: The availability of all TOE components, including their audit functionality, is maintained to reduce the risk of an undetected attack on (or failure of) one or more TOE components.

l Residual Information: The administrator must ensure that there is no unauthorized access possible for sensitive residual information (cryptographic keys, keying material, PINs, passwords, etc.) on networking equipment when the equipment is discarded or removed from its operational environment.

Evaluated TOE Configuration The cryptographic module within the TOE is CiscoSSL FOM 6.2. This diagram shows the deployment configuration of the TOE:

l API: Application Programming Interface

l CLI: Command Line Interface

l HTTPS: Hypertext Transfer Protocol Secure

l TLS: Transport Layer Security

The diagram shows one of each appliance (SMC, FC, FS, and UDPD), where each appliance can be either physical or virtual. A physical FC is available: with the database and engine installed within the same appliance (e.g. FC4210), or as a pair of appliances (e.g. FC5200D), with the database on one and the engine on the other. Both provide the same TOE security functionality.

Installation

This section provides guidance for installing and configuring Stealthwatch using the Stealthwatch x210 Series Hardware Installation Guide and the Stealthwatch Installation and Configuration Guide v7.1.1.

Administrator: We address the administrator in this guide as "you" to lead you directly through the compliance configuration. Required Components Before you begin the installation, make sure you have the following components:

Component Notes

Stealthwatch Management Console (SMC)

Flow Collector

Flow Sensor

UDP Director

Required for CC. Confirm the LDAP server supports LDAP Server LDAP over TLS.

Required for DoDIN APL Single Sign-On. Not required SAML Server for CC.

Required for CC. Optional for DoDIN APL. Confirm the Syslog Server Syslog server supports Syslog over TLS.

Required for DoDIN APL Notifications. Not required for SMTP Server CC.

Refer to the "Power Supply Considerations" section in Power Supplies the Stealthwatch x210 Series Hardware Installation Guide.

Network Test Access Port (TAP), Refer to the Stealthwatch x210 Series Hardware Switched Port Analyzer (SPAN), or Installation Guide. hubs

Component Notes

Make sure you download the guides listed in Documentation Documentation.

Secure Installation This section describes the steps necessary to securely install the TOE. TOE Environment Firewall Network

l Open Ports: Use the Stealthwatch x210 Series Hardware Installation Guide "Open Ports" section to configure the network firewall in the TOE environment. Confirm the list of required ports are open with unrestricted access.

l Network Devices: Configure the TAP, SPAN, or hubs to operate with the Flow Sensor as described in the Stealthwatch x210 Series Hardware Installation Guide "Integrating the Flow Sensor into Your Network" section.

l Specifications: For detailed information about each appliance, refer to Stealthwatch Specification Sheets.

l Location: Each paired Flow Collector 5000 Series database and engine must be located in the same secured facility All other TOE environmental components can be located in separate secured facilities. Installing the TOE Initial configuration requires use of the console port to configure networking.

l Physical Appliances: For details about console ports on all physical appliances, refer to the Stealthwatch x210 Series Hardware Installation Guide.

l Virtual Appliances: For console access on all virtual appliances, refer to the "Booting from the ISO" and "Configuring the IP Addresses" sections in the Stealthwatch Installation and Configuration Guide v7.1.1. Once the appliances have been properly set up on the network, configure the IP addresses to allow for management of the TOE.

l Connecting to the Network: Refer to the "Connecting Your Appliance to the Network" section in the Stealthwatch x210 Series Hardware Installation Guide for more information.

l IP Addresses: Use the Stealthwatch x210 Series Hardware Installation Guide "Connecting with a Keyboard and a Monitor" section to configure IP addresses.

l Powering On: Once you make all network connections, you can power on the appliances.

Appliance Configuration After you connect each appliance to the network, configure each appliance using the Appliance Setup Tool. Instructions: Refer to the "Configuring Your Appliances" and "Finishing Appliance Configurations" sections in the Stealthwatch Installation and Configuration Guide v7.1.1. Appliance Setup Tool: You will use the Appliance Setup Tool to configure your appliances. The Appliance Setup Tool guides you through the following:

l Passwords: Change the admin, root, and sysadmin passwords for each appliance. We provide instructions for changing the password complexity policy for NDcPP requirements later in this guide. Refer to 7. Define the Password Policy for details.

Make sure you save your passwords in a secure location.

l IP Address

l DNS Server

l NTP: An external NTP server is required for DoDIN APL.

NTP is disabled in the evaluated Common Criteria configuration.

Adding Appliances When adding appliances, follow the instructions provided in the "Configuration Order" section in the Stealthwatch Installation and Configuration Guide v7.1.1. Make sure you:

l configure the SMC (also referred to as Central Management) first,

l configure one appliance at a time in the correct order, and

l confirm the appliance status displays as Up in Central Management before you configure the next appliance. Set up your appliances so they are managed by the SMC. During the initial configuration process, specify that the new appliance will be managed bythe SMC, and then provide the following:

l the IP address or hostname of the SMC

l a valid SMC administrator username and password to authenticate to the SMC If you are unable to add appliances to the SMC, the connection could have failed due to the following:

l a network connectivity error - Make sure you reestablish a network connection, and then continue adding appliances.

l incorrect information provided - Make sure you have the correct information (such as the IP address or hostname of the SMC, etc.), and then continue adding appliances.

SMC Administration Credentials You will need the SMC administrator credentials to register your appliances with Central Management.

l UDP Directors: When you set up a UDP Director, you will enter the SMC administrator credentials.

l Flow Collectors: When you set up a Flow Collector, you will enter the SMC administrator credentials and the flow collection port number for NetFlow or sFlow.

l Flow Sensors: When you set up a Flow Sensor, you will select a Flow Collector in your configuration and enter the SMC administrator credentials. After you complete the Appliance Setup Tool for all appliances, configure the Application ID and Payload on the Flow Sensor. For detailed instructions, refer to the "Finishing Appliance Configuration" section in the Stealthwatch Installation and Configuration Guide v7.1.1.

Adding an appliance can't be initiated by the SMC, it must be initiated by the administrator performing the initial configuration of the UDP Directors, Flow Collectors, and/or Flow Sensors.

X.509v3 Certificates During the initial TLS session, the SMC and the new appliance exchange their unique X.509v3 certificates.

All TLS sessions between appliances satisfy the TLS requirements for Common Criteria.

Once the certificates have been exchanged, the new appliance has been joined with the SMC. All subsequent (automated) communications between the SMC and managed appliances use TLS with X.509v3 certificates for authentication. For appliance communication information, see Certificates. For detailed instructions, refer to the "Adding an Appliance to Central Management" section in the Stealthwatch Installation and Configuration Guide v7.1.1.

Appliance IP Addresses Record the IP addresses of every appliance in your Stealthwatch cluster.

Appliance IP Address

Stealthwatch Management Console (SMC)

Flow Collector

Flow Sensor

UDP Director

Removing Appliances Either of the following two options, whether initiated from the SMC or from a managed appliance, will result in each TOE component deleting the device association from its local configuration.

l The SMC administrator can remove an appliance in the SMC through Central Management by selecting the Appliance Manager tab, clicking the (Ellipsis) icon in the Actions column, and then selecting Remove This Appliance.

l A local administrator of a managed appliance can remove the registration by selecting Remove Appliance from the System Configuration menu.

After an appliance is removed, no further data will be exchanged between the appliances without completing a new registration process.

For detailed instructions, refer to the "Removing an Appliance from Central Management" section in the Stealthwatch Installation and Configuration Guide v7.1.1. Connection Recovery If a connection fails between the SMC and the managed appliances, the connections will automatically retry and restore connectivity. Connections will always be temporarily unavailable when appliances are rebooting.

Compliance Configuration Overview

After you install the TOE and configure it, you are ready to configure it for compliance. Review this guide to understand the compliance configuration requirements. Maintenance Mode We are starting this compliance configuration in maintenance mode. You will configure every appliance in your Stealthwatch system. This includes installing compliant certificates, changing and enabling configuration settings, and rebooting. During these changes, the system will be unavailable and you can experience network connection problems. It is important to configure Stealthwatch for compliance at a time that will cause the least amount of disruption. Compliance Checklist To configure Stealthwatch for compliance, complete the following sections in the order shown in this list. Make sure you follow the instructions in each section based on your compliance requirements.

Required Required for Configuration Order Section Link for DoDIN Common Completed APL Criteria

Complete all Certificates 1 x x requirements and procedures

Enable Compliance Mode 2 Enable FIPS and Common x x Criteria Encryption Libraries

3 Configure LDAP x

4 Configure SAML SSO x

Configure Audit Log 5 Destination and Enable Syslog x x Compliance

Configure SMTP and DoDIN 6 x Notifications

Required Required for Configuration Order Section Link for DoDIN Common Completed APL Criteria

7 Enable AIDE x x

8 Enable SNMP Agent x

9 Create a Security Label x x

Configure Protected 10 x x Sessions Time-Out

Enable Backup Configuration 11 x Encryption

12 Define the Password Policy x x

Disable External Services and 13 x x Google Analytics

14 Disable NTP x

15 Configure Local Authentication x x

Use the following instructions to log in to the Stealthwatch Web App (your SMC) to configure all the appliances in your Stealthwatch cluster for compliance. 1. In the address field of your browser, type the following: https:// followed by the IP address of your SMC. 2. Log in as admin. 3. Enter your credentials. 4. Click Sign In. You will primarily use Central Management and User Management in this guide. Open Central Management

1. Click the (Global Settings) icon. 2. Select Central Management.

Open User Management

1. Click the Global Settings icon. 2. Select User Management.

Certificates

Each Stealthwatch appliance is installed with a unique, self-signed appliance identity certificate. For compliance, replace the Cisco default certificate with a new, compliant appliance identity certificate on every appliance in your Stealthwatch cluster. The communication of the appliances in your Stealthwatch cluster is authenticated using x.509v3 certificates. Best Practices

l Review Procedures: Before you get started, review the procedures in Certificates to understand the certificates requirements and instructions. It is a detailed process that must be done correctly for your system to work.

l Friendly Names: These procedures include naming new certificates. Make sure each certificate name is unique. Do not duplicate any certificate names in your cluster.

l Up: After you apply settings, review the Central Management > Appliance Manager page. Make sure the Appliance Status displays as Up before you edit the next appliance configuration. 1. Review Appliance Identity Certificate Requirements In the next procedure, you can choose to generate a Certificate Signing Request (CSR) in Central Management or skip the CSR if you already have certificates from a Certificate Authority. Make sure you review the certificate requirements before you proceed. Appliance Identity Certificate Requirements Make sure each appliance identity certificate meets the requirements shown here.

Whether you generate the CSR in Central Management or skip the CSR, make sure each appliance identity certificate meets the requirements shown in this table. If you have a Flow Collector 5000 series, review the engine and database certificate requirements.

Requirement Details

Make sure the appliance identity certificate is Signed by Certificate Authority (CA) signed by a Certificate Authority. Self-signed certificates are not compliant.

The certificate chain length must be at least 2:

Certificate Chain Length (2 or more) l Root (1 root)

l Intermediate (0 or more intermediaries)

Target certificate (appliance identity certificate): Extension: Basic Constraints CA set to No/False Chain certificate (root and intermediaries): CA set to Yes/True

Make sure the appliance identity certificate can be used as a client (clientAuth) and server Extended Key Usage (serverAuth) identity certificate. If you use the Stealthwatch CSR procedure, the CSR includes this information.

PEM (.cer, .crt, .pem) or PKCS#12 (.p12, .pfx, Format .pks)

Make sure the appliance identity certificate IPv4 Address as a Subject Alternative Name includes the appliance IPv4 address as one of Field the Subject Alternative Names.

Make sure the appliance identity certificate Host Name as a Subject Alternative Name includes the appliance host name as one of the Field Subject Alternative Names. This should be a fully qualified domain name.

If the appliance is a Flow Collector 5000 series, make sure the engine and database appliance Private Network as a identity certificates include the following as one Subject Alternative Name Field of the Subject Alternative Names: (Flow Collector 5000 series only) Engine: 169.254.42.100 Database: 169.254.42.101

Requirement Details

We only support RSA keys; make sure your RSA Key Length key is 4096 bits.

Make sure the certificate dates are current and Date Range not expired.

2. Generate Certificate Signing Requests Use the following instructions to prepare the Certificate Signing Request (CSR).

If you do not need to generate a CSR, skip this section and go to 3. Add Certificates to the Trust Stores .

1. Open Central Management. 2. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. 3. Select Edit Appliance Configuration. 4. Locate the SSL/TLS Appliance Identity section. 5. Click Update Identity. 6. Do you need to generate a CSR (Certificate Signing Request)? Select Yes. Click Next. 7. Select a compliant RSA Key Length that is supported by your Certificate Authority.

Make sure you replace the RSA 8192 bit self-signed identity certificate with the RSA 4096 bit CA-signed identity certificate.

8. Complete the fields (optional) in the Generate a CSR section:

l Organization

l Organizational Unit

l Locality or City

l State or Province

l Country Code

l Email Address

9. Click Generate a CSR. The generation process can take several minutes.

Cancel: If you click Cancel after you generate a CSR, or anytime while you are waiting for the CA certificate, the canceled CSR will be invalid. Generate a new CSR in this case.

10. Click Download CSR. 11. Repeat Steps 1 through 10 for every appliance to generate the CSR. 12. Provide the downloaded CSRs to the same Certification Authority. 3. Add Certificates to the Trust Stores Use the following instructions to add the appliance identity certificate and certificate chain (root and intermediate) to the appliance Trust Stores. Configuration Order: Make sure you follow the selection order in these instructions to update the Trust Stores of your managed appliances before you update the SMC Trust Store.

1. Open Central Management. 2. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. Order: Select your appliances in the following order:

l Flow Collector

l Flow Sensor

l UDP Director

l SMC

3. Select Edit Appliance Configuration. 4. On the Appliance Manager > General tab, locate the Trust Store section. Appliance Identity Trust Store Requirements Use this table to add the appliance identity certificate and certificate chain (root and intermediate) to the required Trust Stores.

Identity Add Certificates Details Certificate to Trust Store

Add the Flow Collector certificates to the

Flow Collector Trust Store and the SMC Trust l Flow Collector Store. l Flow Collector 5000 Series Only: Databases (5000 series only) Flow Collector l Add the Flow Collector engine certificates to the Flow Collector l Flow Collector database Trust Store. Engines (5000 series only) l Add the Flow Collector database certificates to the Flow Collector engine l SMC Trust Store.

Identity Add Certificates Details Certificate to Trust Store

Add the Flow Sensor certificates to the l Flow Sensors Flow Sensor Flow Sensor Trust Store and the SMC Trust Store. l SMC

Add the UDP Director certificates to the l UDP Directors UDP Director UDP Director Trust Store and the SMC Trust Store. l SMC

l SMC

l Flow Collectors

l Flow Collector Databases Add the SMC certificates to the SMC Trust (5000 series only) SMC Store and the Trust Store of every appliance in the Central Management appliance inventory. l Flow Collector Engines (5000 series only)

l Flow Sensors

l UDP Directors

5. Click Add New. 6. In the Friendly Name field, enter a name for the certificate. 7. Click Choose File. Select the new certificate. 8. Click Add Certificate. Confirm the new certificate is shown in the Trust Store list. 9. Repeat steps 5 through 8 to add all required certificates the appliance Trust store. 10. Click Apply Settings. Follow the on-screen prompts. 11. Up: On the Appliance Manager page, make sure the appliance finishes the configuration changes and the Appliance Status returns to Up before you proceed to the next step. 12. Repeat these steps to add certificates to the next appliance Trust Store in your cluster. 4. Replace the Appliance Identity Certificates

Make sure you add all required certificates to the appliance Trust Stores before you replace the appliance identity certificates in this section.

After you have added all required certificates to the required appliance Trust Stores, you are ready to replace the appliance identity certificates. Use the following instructions to replace the appliance identity certificate on every appliance in your cluster.

1. On the Central Management > Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. Order: Update the appliance identity in the following order:

l Flow Collector

l Flow Sensor

l UDP Director

l SMC

Make sure you follow the order to update the appliance identity.

2. Select Edit Appliance Configuration. 3. Locate the SSL/TLS Appliance Identity section. 4. If you generated a CSR in Central Management, go to step 5. If you skipped the CSR in Central Management, click Update Identity. Select No, and click Next.

5. In the Friendly Name field, enter a name for the certificate. 6. Click Choose File. Select the new appliance identity certificate. If the chain file is separate, click Choose File next to the Certificate Chain File field. Select the complete chain file (that includes the intermediate CA and root CA certificates). If you skipped the CSR in Central Management, complete the following fields if prompted:

l Format: PKCS#12

l Password: Enter the password required to decrypt the file. The password is not stored.

7. Click Replace Identity. 8. Click Apply Settings. 9. Follow the on-screen prompts. The appliance reboots automatically. 10. Up: On the Appliance Manager page, make sure the appliance finishes the configuration changes and the Appliance Status returns to Up before you proceed to the next step. 11. Review the SSL/TLS Appliance Identity list. Confirm the new certificate is shown. 12. Repeat these steps to update the appliance identity on the next appliance in your cluster.

Make sure each appliance finishes the configuration changes and returns to Up before proceeding to the next appliance.

13. If you've replaced the appliance identity certificate on every appliance in your cluster, go to the next section.

5. Delete Cisco Default Appliance Identity Certificates After you replace the appliance identity certificates and confirm your appliances are Up, delete the old (Cisco default) appliance identity certificates from the appliance Trust Stores.

Do not delete the old (Cisco default) certificates until you've added the new certificates (identity, root, and chain) and fully completed the preceding procedures.

Use the following instructions to delete a certificate from the appliance Trust Store. Trust Stores: See the Appliance Identity Trust Store Requirements table to review where the certificates are located.

1. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. Select your appliances in the following order:

l Flow Collector

l Flow Sensor

l UDP Director

l SMC

2. Select Edit Appliance Configuration. 3. On the Appliance Manager > General tab, locate the Trust Store section. 4. On the Trust Store list, locate the Cisco default identity certificate you want to delete. 5. Click Delete. 6. Repeat steps 4 and 5 to delete any additional Cisco default identity certificates from the appliance Trust store. 7. Click Apply Settings. Follow the on-screen prompts. 8. Up: On the Appliance Manager page, make sure the appliance finishes the configuration changes and the Appliance Status returns to Up before you proceed to the next step. 9. Repeat these steps to delete certificates from the next appliance Trust Store in your cluster. 6. Review External Service Certificate Requirements If you are planning to enable Syslog, LDAP, SAML, or SMTP, you need to add the required certificates to the correct Trust Stores. External Service Certificate Requirements Before you add any external (non-Stealthwatch) certificates to the Trust Stores, make sure they meet these Common Criteria requirements.

When you add a certificate to your appliance Trust Store, your appliance trusts that identity and allows communication with it. Make sure each external (non-Stealthwatch) certificate meets the requirements shown in this table.

Requirement Details

Signed by Certificate Make sure the certificate is signed by a Certificate Authority. Authority (CA) Self-signed certificates are not compliant.

Certificate chain length must be at least 2: Certificate Chain Length (2 or more) l Root (1 root) l Intermediate (0 or more intermediaries)

Target certificate (appliance identity certificate): Extension: Basic CA set to No/False Constraints Chain certificate (root and intermediaries): CA set to Yes/True

Make sure the certificate can be used as a server (serverAuth) certificate. If you use the Stealthwatch CSR procedure, the CSR includes this information. Make sure the OSCP Responder's certificate has the OSCP Signing EKU field if OSCP will be used. Make sure the Syslog server's certificate contains only one of either Extended Key Usage a CRL Distribution Point URI or an OCSP Responder URI, but not both. Make sure the CA certificate contains the cRLSign key usage if CRL will be used.

Exclude clientAuth: Make sure the certificate is not used as a client (clientAuth) certificate.

Format PEM (.cer, .crt, .pem) or PKCS#12 (.p12, .pfx, .pks)

IP Address as a Subject Make sure the certificate includes the appliance IP address as one Alternative Name Field of the Subject Alternative Names.

Host Name as a Subject Make sure the certificate includes the appliance host name as one Alternative Name Field of the Subject Alternative Names.

Requirement Details

RSA Key Length We only support RSA keys. Make sure your key is 4096 bits.

Date Range Make sure the certificate dates are current and not expired.

7. Add External Service Certificates to the Trust Stores If you are planning to enable Syslog, LDAP, SAML, or SMTP, review the External Service Trust Store Requirements table to determine the Trust Store requirements for your system. External Service Trust Store Requirements

Remote Certificate Type Trust Stores Server/Service

Add the root CA certificate (that signed the Syslog All appliances certificate chain) to the Trust Stores. Make sure your in your Syslog Server server and certificates meet Common Criteria Stealthwatch requirements. cluster

Add the root CA certificate (that signed the LDAP certificate chain) to the Trust Stores. Make sure your LDAP Server SMC server and certificates meet Common Criteria requirements.

If the Identity Service Provider (IDP) URL starts with HTTPS, add the root CA certificate to the Trust Stores. If the IDP URL does not start with HTTPS, you can skip SAML SSO SMC this step. Note: Make sure your server and certificates meet DoDIN APL requirements.

All appliances Add the SMTP server certificate chain (root and in your SMTP Server intermediate) to the Trust Stores. Make sure your server Stealthwatch and certificates meet DoDIN APL requirements. cluster

Use the following instructions to add your server/service certificates to the appliance Trust Stores based on the External Service Trust Store Requirements table.

1. Open Central Management. 2. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. Order: If you have to add the certificates to more than one appliance Trust Store, select your appliances in the following order:

l Flow Collector

l Flow Sensor

l UDP Director

l SMC

3. Select Edit Appliance Configuration. 4. On the Appliance Manager > General tab, locate the Trust Store section. 5. Click Add New. 6. In the Friendly Name field, enter a name for the certificate. 7. Click Choose File. Select the new certificate. 8. Click Add Certificate. Confirm the new certificate is shown in the Trust Store list. 9. Repeat steps 5 through 8 to add all required certificates the appliance Trust store. 10. Click Apply Settings. Follow the on-screen prompts. 11. Up: On the Appliance Manager page, make sure the appliance finishes the configuration changes and the Appliance Status returns to Up before you add certificates to the next appliance. 12. Repeat these steps to add certificates to the next appliance Trust Store in your cluster. 13. If you have added all required certificates to the Trust Stores, go to the next section.

Compliance Mode (FIPS and Common Criteria)

Use Compliance Mode to enable encryption libraries for the Federal Information Processing Standard (FIPS) and Common Criteria. FIPS In the United States, FIPS defines and provides security and interoperability requirements for computer systems that are used by the following:

l Federal government agencies

l Federal contractors

l Organizations that process information using a computer or telecommunications system on behalf of the federal government to accomplish a federal function When you enable FIPS Encryption Libraries, the appliance is configured with FIPS-compliant algorithms and requirements, including the following:

l CiscoJ restricts the cipher suites that can be used by Java. This affects all JVM-based components of the appliance.

l The CiscoSSH client and sshd, the OpenSSH server process, are configured to run with a restricted set of cipher suites.

l Nginx is configured to run with a restricted set of cipher suites.

l Stealthwatch checks the appliance for user passwords hashed with MD5. You can't enable FIPS encryption libraries on the appliance if they are detected.

Make sure you enable FIPS Encryption Libraries on every appliance in the system so they can communicate. By default, Stealthwatch disables FIPS Encryption Libraries.

Common Criteria Common Criteria is used with FIPS; it is an international standard for computer security certification. Refer to ISO/IEC 15408 for details. When you enable Common Criteria Encryption Libraries, the appliance is configured with Common Criteria compliant algorithms and requirements, including the following:

l CiscoJ is configured for Common Criteria. This affects all JVM based components of the appliance. CiscoJ deprecates some algorithms, notably calculating MD5, and it's possible to see errors in the log files when you attempt to use these algorithms.

l If the cryptographic library (CiscoSSL, called by CiscoJ) fails any of its start-up self-tests, the appliance will fail to boot completely and all TLS-dependent processes (TLS server and TLS client) will remain inactive.

l If the failure occurs on the SMC, the Web UI remains disabled.

l If the failure occurs on another appliance, its status displays in Central Management as a communication failure. On the appliance that has failed, log in through the console to troubleshoot, then contact Cisco Stealthwatch Support.

l The CiscoSSH client and sshd, the OpenSSH server process, are configured to run with a restricted set of cipher suites and host key algorithms.

SSH is to remain disabled on all appliances for them to remain in the evaluated Common Criteria configuration.

l The client connections are modified to use the Common Criteria cipher suite offerings.

l Nginx is configured to run with a restricted set of cipher suites for SSL.

l Nginx is configured to enforce the Common Criteria client certificate requirements documented in this guide.

l The restricted cipher suites used by CiscoJ, Nginx, and SSH are as follows:

CiscoJ, Nginx, and SSH use the following restricted cipher suites:

AES128-SHA

AES128-SHA256 AES256-SHA256

DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256

ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384

ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384

l The restricted cipher suites used for TLS are as follows.

When operating as a TLS client (to LDAP servers, to Syslog servers, and to other Stealthwatch appliances), these are the only enabled cipher suites:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384

When operating as a TLS server (for remote administration and in-between Stealthwatch appliances), these are the only enabled cipher suites:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

l For all TLS functionality, only TLSv1.1 and TLSv1.2 are supported, and all other versions are rejected.

l For all TLS functionality, RSA key establishment uses 4096 bits. The only enabled EC curves are secp256r1, secp384r1, and secp521r1; and the Diffie-Hellman parameters are 2048 bits.

l The file browser API is secured so that only log files are accessible. If this is not done, then all content mounted to /lancope/var/ is accessible, including the server's private key.

l The security events log level for a variety of security events is modified, including when a management channel is created or deleted.

Enabling Compliance Encryption Libraries (FIPS, CC) Use Compliance Mode to enable encryption libraries for FIPS and Common Criteria. The following features are not available when FIPS encryption libraries are enabled: TACACS+, RADIUS, and Internet Proxy NTLM authentication. The following features are not available when Common Criteria encryption libraries are enabled: See Changes and Exclusions for details. Complete the following instructions on every appliance in your Stealthwatch cluster. 1. Confirm your Trust Stores are updated and your appliance identity certificates are replaced as specified in the Certificates procedure. 2. Open Central Management. 3. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. 4. Select Edit Appliance Configuration. 5. Select the General tab. 6. Locate the Compliance Mode section. 7. Click Unlock. 8. Confirm Prerequisites: Read the prerequisites and confirm you have completed all steps and are ready to enable FIPS and Common Criteria encryption libraries.

l If you have completed all steps in the Certificates procedure, check the Trust Stores and appliance identity replacement check boxes.

l Read the warning.

l If you are ready to enable FIPS and Common Criteria encryption libraries, type the following digits: 12358

l Click Continue.

9. Check the Enable FIPS Encryption Libraries check box. 10. Check the Enable Common Criteria Encryption Libraries check box. 11. Click Apply Settings. 12. Follow the on-screen prompts. The appliance reboots automatically. 13. Up: On the Central Management > Appliance Manager page, make sure the appliance finishes the configuration changes and the Appliance Status returns to Up. Repeat these instructions to enable FIPS and Common Criteria encryption libraries on the next appliance in your cluster. 14. If you've enabled compliance encryption libraries (FIPS, Common Criteria) on all appliances in your Stealthwatch cluster, go to the next section.

LDAP

The Lightweight Directory Access Protocol (LDAP) provides a method for remote user authentication. Use the following instructions to configure and enable LDAP on the SMC. Default: LDAP is disabled by default. Recommendation: Before you get started, review the instructions for enabling LDAP. The procedure includes installing certificates and restarting the appliance. It is important to enable LDAP at a time that will cause the least amount of disruption. 1. Add the Certificate to the Trust Stores Confirm you've added the LDAP server certificate to the SMC Trust Store using 6. Review External Service Certificate Requirements and 7. Add External Service Certificates to the Trust Stores. 2. Configure the LDAP Settings Follow these instructions to configure your LDAP settings.

Field Notes

Friendly Name Enter a name for the LDAP server.

Description Enter a description for the LDAP server.

Enter the fully qualified domain name or IP server address for the Server Address LDAP server.

Enter the port designated for secure LDAP communication (LDAP Port over TLS). A commonly used TCP port for LDAP is 636.

7. In the Certificate Revocation field, select Hard Fail to be compliant. 8. Complete the following fields:

Field Notes

Enter the administrative user ID used to connect to the LDAP Server.

Bind User Stealthwatch does not support added or repeated comma characters in the Bind User field. Make sure you do not enter additional or repetitive commas if using a Distinguished Name (DN) as part of the Bind User name.

Password Enter the password for the Bind User.

Confirm Password Re-enter the exact characters of the Password you just entered.

Enter the Distinguished Name (DN). The DN applies to the branch of the directory in which searches for users should begin. It is often the top of directory tree (your domain), Base Accounts but you can also specify a sub-tree within the directory. The Bind User and the users you are authenticating should be accessible from Base Accounts. For example: DC=example,DC=com

9. Click Add. 10. Click Apply Settings. 11. Click Apply Changes. 3. Add an LDAP User

1. Open User Management. 2. Select Create > User. For instructions, click the User icon, and select Online Help. For details about adding users, see "Configuring Users."

3. In the User Name field, enter the user name. The Full Name and Email fields are optional. 4. In the Authentication Service field, select your LDAP server.

5. In Role Settings, check the Master Admin check box, if applicable, and select a Data Role. Alternatively, in Web Roles, select Web and Desktop roles. For instructions, click the User icon, and select Online Help. For details about web roles, see "Assign a Data Role."

6. Click Save, and then confirm the newly added user appears in the list of users.

SAML SSO

Use the following instructions to configure Security Assertion Markup Language Single Sign-On (SAML SSO). SSO is an authentication process that allows a user to access multiple applications with one set of credentials. SSO is required for DoDIN APL compliance. Not Supported: SSO is not supported with Integrated Windows Authentication (IWA). 1. Prepare for Configuration 1. You need the following information to configure SSO:

Requirement Details

The URL must use the fully qualified domain Identity Provider URL name or IPv4 address.

If the IDP URL starts with HTTPS, download the Identity Provider Certificate CA certificate.

2. Certificate Requirements: If the URL for downloading the IDP URL starts with HTTPS, confirm you've added the certificate to the appliance Trust Stores using the requirements and procedure in 6. Review External Service Certificate Requirements and 7. Add External Service Certificates to the Trust Stores. 2. Configure the Service Provider

1. Log in to the appliance console as sysadmin. 2. Type the following command: SystemConfig

3. Press Enter. 4. Select Advanced. 5. Select SSOSettings. 6. Confirm ssoEnable/Disable is shown as Disabled.

7. Select IdentityProvider (IDP). Click Continue. 8. Enter the URL where the Identity Provider's configuration file can be downloaded. Requirements: Enter the fully qualified domain name or IPv4 address.

9. Select DownloadIDP. Follow the on-screen prompts to enable it. 10. Select SaveChanges. Click Continue. Follow the on-screen prompts to download the IDP configuration file.

11. Select SSOSettings. 12. Review ServiceProvider(SP). Copy the URL. You will use it to configure the identity provider. 13. Review Status. Confirm it is shown as Ready.

3. Enable SSO

1. Select ssoEnable/Disable. 2. Follow the on-screen prompts to enable SSO.

3. Select CredentialDescription. Click Continue. 4. Enter a description of the SSO service credentials users need to log in. 5. Click OK. 6. Select DownloadIDP. Disable DownloadIDP until you need to save a new SSO configuration.

l Click Continue.

l Follow the on-screen prompts to disable DownloadIDP.

7. Select SaveChanges. Click Continue. 8. Exit System Configuration. 4. Configure the Identity Provider

1. In the address field of your browser, type the Service Provider URL. 2. Download the Service Provider metadata file sp.xml. 3. Configure the Identity Provider with sp.xml. 4. Make sure the outgoing claim type includes the user email address.

l For example: If the Attribute store is the Active Directory, set the outgoing claim type to the email address for the LDAP Attribute type user ID.

l Microsoft Active Directory File Server (ADFS): If the IDP type is ADFS, confirm the following custom rule is shown: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, Value = c.Value, ValueType = c.ValueType, Properties ["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties ["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http:///adfs/com/adfs/service/trust", Properties ["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https:///fedlet"); 5. Add an SSO User Use the following instructions to add an SSO user. Users are authenticated through/by the Identity Provider.

1. Open User Management. 2. Select Create > User. For instructions, click the User icon, and select Online Help. For details about adding users, see "Configuring Users." 3. Complete the fields to create a new user. For compliance, configure the user as follows:

l Authentication Service: Select SSO.

l User Name: Enter the first part of the email address for the IDP account. Make sure the ID is identical to the one that will be used for SSO at login. For example, for [email protected], enter "name" in this field.

4. Click Save. 5. Confirm the SSO User is shown in User Management. 6. Test SAML Login

1. Log in to the Stealthwatch Web App. 2. On the login page, click the drop-down. 3. Select SAML. 4. Click the credentials button. 5. Enter the login credentials. The SMC opens to the Security Insight Dashboard.

Troubleshooting

Scenario Notes

Disable SSO Only from System Configuration through Account Lockout emergency account access.

Make sure the IDP certificate is uploaded to the SMC Can't Download IDP XML Trust Store.

Review the IDP configuration and make sure the data Can't Save IDP Configuration you entered is accurate and doesn't include any extra spaces. Also, review the IDP event logs.

Your LDAP server connection could have failed due to the following:

Failed LDAP Server Connection l a network connectivity error - Make sure you reestablish a network connection.

l incorrect information provided - Make sure your credentials are valid and then try again to connect.

Your Syslog server connection could have failed due to the following:

Failed Syslog Server Connection l a network connectivity error - Make sure you reestablish a network connection.

l incorrect information provided - Make sure your credentials are valid and then try again to connect.

Download a SAML tracer for your browser. Repeat the Other Issues SSO login to review the exchanges between the IDP and SP.

Audit Log Destination

Use Audit Log Destination to configure a secure destination for all messages using Syslog over TLS (Transport Layer Security). 1. Prepare for Configuration Confirm you've added the Syslog server certificate to the appliance Trust Stores using the requirements and procedure in 6. Review External Service Certificate Requirements and 7. Add External Service Certificates to the Trust Stores. 2. Configure the Audit Log Destination Settings

1. Open Central Management. 2. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. 3. Select Edit Appliance Configuration. 4. On the Network Services tab, locate the Audit Log Destination (Syslog Over TLS) section. 5. In the IP Address field, enter the IP address of the remote Syslog server. 6. In the Destination Port field, enter the port number that the appliance uses to provide audit trail information. Destination Port Default: 6514/TCP

7. Under Certificate Revocation, select Hard Fail to be compliant. 8. Click Apply Settings. If the delivery fails, check the Audit Log. Also, check the Trust Store to confirm the Syslog SSL/TLS certificate is shown.

9. Review the inventory in Central Management > Appliance Manager. Confirm the Appliance Status is shown as Up. Repeat these instructions to configure Audit Log Destination on the next appliance in your cluster. 10. If you've configured Audit Log Destination on all appliances in your Stealthwatch cluster, go to the next section.

3. Enable Syslog Compliance Use the following instructions to establish Syslog server compliance for the selected appliance. If Syslog is enabled, all logs related to compliance will be saved in the remote Syslog server. 1. Log in to the appliance console as root. 2. Type the following command: SystemConfig

3. Press Enter. 4. Select Advanced, and press Enter. 5. Select ToggleSyslogCompliance, and press Enter.

Make sure to read the status description at the top of the dialog box confirming whether you are enabling or disabling.

6. Select Enable. You can press the space bar on your keyboard to select it. 7. Select OK. 8. Repeat these instructions to enable Syslog Compliance on the next appliance in your cluster. 9. If you've enabled Syslog Compliance on all appliances in your Stealthwatch cluster, go to the next section.

SMTP Configuration and DoDIN Notifications

Use SMTP Configuration and DoDIN Notifications to configure secure email notifications for compliance. The compliance notifications include the following:

l User Management changes (creating, updating, deleting, enabling, disabling, etc.)

l Syslog failures

l AIDE detection information

Security Label: Secure email notifications include the security label configured in this guide. For more details, go to 4. Create a Security Label . 1. Prepare for Configuration Confirm you've added the SMTP server chain (root and intermediate) certificate to the appliance Trust Stores using the requirements and procedure in 6. Review External Service Certificate Requirements and 7. Add External Service Certificates to the Trust Stores. 2. Configure SMTP Configuration and Enable DoDIN Notifications SMTP Notifications and DoDIN Notifications work together to send secure emails for compliance notifications. Make sure you configure these settings on every appliance in your Stealthwatch cluster.

1. Open Central Management. 2. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. 3. Select Edit Appliance Configuration. 4. Select General tab, locate the SMTP Configuration section. For instructions, click the User icon, and select Online Help. For details about configuring SMTP, see "SMTP Notifications." 5. Complete the fields in SMTP Configuration. For compliance, configure the following:

l SMTP Server Name: Enter the IPv4 address of the SMTP server.

l Encryption Type: Select SMTPS.

6. In the DodIN-Notification section, click the Enable check box. 7. In the To Email field, enter the recipient email address.

DoDIN APL notifications will be sent to this email address.

8. Click Apply Settings. 9. Up: On the Central Management > Appliance Manager page, make sure the appliance finishes the configuration changes and the Appliance Status returns to Up. Repeat these instructions to configure SMTP Notifications and enable DoDIN notifications on the next appliance in your cluster. 10. If you've configured SMTP Notifications and enabled DoDIN on all appliances in your Stealthwatch cluster, go to the next section.

Central Management Configuration

Use the following sections to configure the next group of compliance requirements in Central Management. It is important to review the following:

l All Appliances: Configure these settings on every appliance in your Stealthwatch cluster.

l Apply Settings: You can configure the compliance requirements on each configuration tab and apply your settings to the appliance all at once. These instructions guide you through the configuration order.

l Up: After you apply settings, review the Central Management > Appliance Manager page. Make sure the Appliance Status is shown as Up before you edit the next appliance configuration.

Stealthwatch Online Help To follow the instructions for each section of Central Management, click the User icon, and select Online Help. Select the section name from the Appliance Configuration menu.

1. Open Central Management

1. Log in to the Stealthwatch Web App. 2. Click the Global Settings icon. 3. Select Central Management.

4. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance.

Configure your managed appliances first. Configure your SMC last.

5. Select Edit Appliance Configuration. 6. Go to the next section. 2. Enable AIDE The Advanced Intrusion Detection Environment (AIDE) is a host baselining system that detects modifications of critical files on a system. When it is enabled, AIDE runs an audit of the current system once a day. It compares the hash sum and permissions of each monitored file on the current file system against the values stored in the appliance database. Each Stealthwatch appliance runs AIDE independently and generates audit log messages separately. You can review each audit log messages for each appliance through Central Management. Each appliance is uniquely identified by its hostname as recorded in the messages transmitted to the Syslog servers. When the daily AIDE job completes, an audit log message that indicates whether any changes were detected is recorded in the audit log.

l If no changes are detected, this message displays: System baseline check passed, all files match baseline.

l If changes were detected, this message displays: AIDE found differences between database and file system! Following this message, there will be a list of the files that were changed. Review the list to make sure none of the file types are applicable to CC. The following file extensions do not apply to CC: .pod, .enc, .h, .exe, .txt, .xml, .csv, .log, .ini, .gfs, and .pyc.

If there are other file types on the list, contact Cisco Stealthwatch Support to determine whether the file changes are impacting CC security functionality. Make sure you maintain or reestablish CC security functionality.

Use the following instructions to Enable AIDE.

1. Select the Appliance tab. 2. Locate the Advanced Intrusion Detection Environment section. 3. Check the Enable AIDE check box. The appliance initializes a database within 1 hour.

3. Enable SNMP Agent A large networked environment uses Simple Network Management Protocol (SNMP) as a method of system monitoring. With SNMP Agent enabled within Stealthwatch, you can access your system status information. Additionally, when SNMP Agent is enabled, you can access the SNMP Agent via the network if the client system is one of the Trusted Hosts. For instructions, click the User icon, and select Online Help. For details about SNMP Object Identifiers, see "SNMP Agent."

1. Select the Network Services tab. 2. Locate the SNMP Agent section. 3. Check the Enable check box. 4. Complete the contact information in the following fields:

Field Description

Enter a text string that the agent will use to Read Only Community: authenticate incoming SNMP requests.

Enter the port number that the appliance uses to SNMP Port: provide system status information. The default is 161.

Enter an alphanumeric string that indicates where SysLocation: the system is physically located.

SysContact: Enter contact information about the system.

Enter an alphanumeric string that indicates the SysName: name assigned to the system.

Enter a number that indicates the quantity of SNMP SysServices: services available on the system.

Enter an alphanumeric string that describes the SysDescription: system.

Enter an object identifier that network management SysObjectID: entities use to determine the monitoring capabilities of a device.

5. In the SNMP Version field, select V3 to be compliant. The authentication hash algorithm is SHA-1, the encryption algorithm is AES, and the configured security level defaults to authPriv. When you select V3, the following fields display:

l UserName: Read-only. This field reflects the user name associated with your SNMP manager.

l EncryptionPass: Required. Enter the password you use for encryption.

l AuthPass: Required. Enter the password you use for authorization. 4. Create a Security Label In order to be compliant, set up a security label for each appliance. The security label displays in all Stealthwatch interfaces and email notifications. CSV Disabled: If a Security Label is defined, the option for exporting Comma-Separated Values (CSV) files is disabled.

1. Select the General tab. 2. Locate the Opening Message section. 3. In the Opening Message field, begin the security label message with SECURITY_LABEL: and then type the security label message. End the security label message with a semi-colon (;) and continue on to type the opening message. For example, type: SECURITY_LABEL:Cisco Confidential; Welcome to Stealthwatch!

Language: The message can be in any language and contain any supported UNICODE character other than the angle brackets (< >) or single quote (') symbols. Character Limit: 120 alphanumeric characters and spaces maximum. If there is not an opening message, no semi-colon (;) is required after the security label message.

5. Configure Protected Sessions Time-Out Use Protected Sessions Time-Out to set the number of minutes administrator privileges can be used before the session times out. When the time expires, the user is prompted to re-authenticate the administrator session. Make sure you also specify how long an administrator session can be inactive before the user is automatically logged out. The user can continue to use parts of the appliance that do not require administrator access. For instructions, click the User icon, and select Online Help. For details about session time-out, see "Protected Sessions Time-Out."

1. Locate the Protected Sessions Time-Out section. 2. In the Request User Re-Authentication for Administrator-Only Functions After field, enter the number of minutes limit for an administrator session before re-authentication is required.

l Default: The default setting is 1440 minutes (24 hours). The default is implemented when you install the appliance or upgrade the software (for example, from a major version 6.x to 7.x, etc.).

l Range: 2 to 1440 minutes

l 0: If you enter 0, the administrator session never expires.

3. In the Log Out User Due to Inactivity After field, enter the number of minutes a session can be in an idle state with no activity.

l Default: The default setting is 0; it must be changed for compliance.

l Range: 2 to 1440 minutes

l 0: If you do not change the default of 0, the administrator session never expires. 6. Enable Backup Configuration Encryption Backup Configuration Encryption is required to be enabled for compliance. Make sure you save your passwords to a secure location.

1. Locate the Backup Configuration Encryption section. 2. Check the Enable Encryption check box. 3. In the Backup Configuration Password field, type your password. This password is used to encrypt and to then decrypt backup configuration files. 4. In the Confirm Password field, re-type your password.

l Restore: For details about restoring backup configuration files, click the User icon, and select Online Help. See "Backup/Restore Configuration."

The password used to encrypt a file is required to restore it. While you can change the password that will apply to new backups, you will need to know the original password used to encrypt a file in order to decrypt and restore the file. Make sure you save your passwords to a secure location.

7. Define the Password Policy The password policy configuration applies to all user interfaces. To meet compliance requirements, configure password complexity to a minimum of 15 characters, which include at least one uppercase letter, lowercase letter, number, and special character. Security Lockouts: Both fields in the Security Lockouts section are also required for compliance. The Security Lockout rules do not apply to the admin, root, and sysadmin users. Use the following instructions to define password complexity for users.

1. Locate the Password Policy section. 2. Configure your password policy to meet the following compliance requirements: General

Default Compliance Field Criteria Values Requirements

Password must be at least characters 8 15 minimum to 30 maximum

Password expires after days 0 60

Number of previous passwords 1 5 passwords disallowed

Minimum number of days allowed between password days 0 1 changes

Password Complexity

Default Compliance Field Criteria Characters Values Requirements

A B C D E F G Password must uppercase H I J K L M N 1 uppercase contain a 0 letters O P Q R S T letter minimum of U V W X Y Z

Password must a b c d e f g h i lowercase 1 lowercase contain a 0 j k l m n o p q r letters letter minimum of s t u v w x y z

Default Compliance Field Criteria Characters Values Requirements

Password must contain a 1 2 3 4 5 6 7 8 numbers 0 1 number minimum of 9 0

< > . , ? / ' " \ | : Password must contain a ; ` ~ ! @ # $ % symbols 0 1 symbol minimum of ^ & * ( ) - _ + = { } [ ]

8 characters Number of characters which different from previous characters 4 differ from the password previous password

Security Lockouts

DoDIN APL Default Field Description Criteria Compliance Values Requirements

The number of unsuccessful sign-on Number of unsuccessful attempts numbers 0 3 attempts before security lockout occurs.

The duration in minutes of Duration of lockout minutes 0 15 the security lockout.

The Security Lockout rules do not apply to the admin, root, and sysadmin users.

8. Disable External Services and Google Analytics Use the following instructions to disable External Services and Google Analytics. Google Analytics is enabled by default;

1. Locate the External Services section.

For an appliance to be compliant, all fields in the External Services section must be disabled.

2. Uncheck the Enable Google Analytics check box. 3. If any other external services are checked, uncheck them. 9. Apply Settings Use the following instructions to apply your configuration changes to the selected appliance.

1. Click Apply Settings. 2. Follow the on-screen prompts. The appliance reboots automatically. 3. Up: Review the inventory in Central Management > Appliance Manager. Confirm the Appliance Status is shown as Up. Go to 1. Open Central Management to configure the next appliance in your Stealthwatch cluster.

NTP Communication

Use the following instructions to disable NTP communication and manually set the time on every appliance in your Stealthwatch cluster. Time Zone: Starting in v7.0.x, Stealthwatch defaults to UTC. This setting can't be changed. Disabling NTP Communication: Review the Compliance Checklist to confirm you need to disable NTP communication for compliance. When you disable NTP, it is important to note the following:

l Time can potentially drift between appliances.

l Flow records can be out of sync if time is out of sync between appliances.

l There can be other unexpected behavior on your appliances.

l Make sure you manually update the time on every appliance on a daily basis.

When you disable NTP, the time can potentially drift between appliances, and there can be other unexpected behavior on your appliances. Make sure you manually update the time on every appliance on a daily basis. 1. Create Manual-Set-Time File Use the following instructions to create the manual-set-time file on every appliance in your cluster. This procedure disables NTP communications.

1. Log in to the appliance console as root. 2. Type the following command: touch /lancope/var/manual-set-time && reboot

3. Press Enter. The appliance reboots, and NTP is disabled after the reboot. 4. Repeat these instructions on every appliance in your cluster to create the manual-set-time file.

2. Update System Time Use the following instructions to update the time on each appliance.

If other users are logged in to the system, they will be logged out automatically when these configuration changes are made.

1. Log in to the appliance console as sysadmin. 2. Type the following command: SystemConfig

3. Press Enter. 4. Select Time. 5. Enter the date and time in UTC using ISO-8601 format.

l Format: YYYY-MM-DDTHH:MM:SS

l Example: 2019-02-25T10:45:30

6. Select OK. 7. Exit System Configuration. 8. Repeat these instructions to update the time on every appliance in your Stealthwatch cluster.

When you disable NTP communications, the time can potentially drift between appliances. Make sure you manually update the time on every appliance on a daily basis.

3. Check the Audit Logs Use the following instructions to confirm your time changes were made on the selected appliance.

1. Open Central Management. 2. Click the Ellipsis icon in the Actions column for the appliance. 3. Select Support. 4. Select the Audit Logs tab. 5. In the Category field, select Management. 6. Click Search. 7. Confirm the system time changes are shown as successful.

Local Authentication Configuration

Use the following instructions to configure your appliances for local authentication as required for compliance.

For details about emergency account recovery, see Emergency Recovery. 1. Disable the Admin User Account The evaluated Common Criteria configuration requires the default admin user account be disabled because the Security Lockout rules do not apply to the admin user account. In the event that all non-default local administrative accounts become locked, they can be re- enabled:

l by either waiting for the lockout duration to expire, or

l by temporarily re-enabling the default admin user account to unlock other accounts, and then immediately re-disabling the default admin user account Use the following instructions to disable the default admin user account on all appliances in your Stealthwatch cluster.

Make sure there is a user who will still have access to the Web UI.

1. Log in to the appliance console as sysadmin.

l Physical Appliances: For details about console access for physical appliances, refer to the Stealthwatch x210 Series Hardware Installation Guide.

l Virtual Appliances: For console access on all virtual appliances, refer to the "Booting from the ISO" and "Configuring the IP Addresses" sections in the Stealthwatch Installation and Configuration Guide v7.1.1. 2. Type your password, and press Enter. 3. Select Advanced, and press Enter. 4. Select AdminUserStatus, and press Enter. 5. Follow the on-screen prompts to disable the admin user account. 6. Repeat these instructions to disable the admin user account on all appliances in your Stealthwatch cluster. 2. Disable the Root Shell of the Console 1. Log in to the appliance console as root. 2. Type the following command: usermod --shell /bin/false root && reboot

3. Press Enter. 4. The appliance reboots. The root shell is disabled after the appliance reboots.

You will no longer be able to access the root shell when you log in as sysadmin.

5. Repeat these instructions to disable the root shell on all appliances in your Stealthwatch cluster. 3. Disable SSH and Root SSH Access Use the following instructions to disable SSH and Root SSH in the Web UI. 1. Log in to the SMC as one of the following users:

l LDAP

l SAML

l Master Admin: a user with Master Admin permissions that is not the default admin user account (refer to User Management for details).

2. Open Central Management. 3. Click the Ellipsis icon in the Actions column for the appliance. 4. Select Edit Appliance Configuration. 5. On the Appliance tab, locate the SSH section. 6. Uncheck the Enable SSH check box. 7. Uncheck the Enable Root SSH Access check box. 8. Click Apply Settings. 9. Repeat these instructions to disable SSH and Root SSH Access on all appliances in your Stealthwatch cluster. 4. Confirming your Configuration is Complete Afer you have configured your appliances for local authentication, review the Compliance Checklist to confirm you have configured your system for compliance. If you've finished the configuration on all appliances in your Stealthwatch cluster as required for DoDIN APL or Common Criteria, Stealthwatch is ready for you to use it in a compliant state.

Managing Stealthwatch in Compliance

After you've completed the installation and compliance configuration using the Compliance Checklist , the following information can be useful for those managing Stealthwatch while in compliance. Scope The evaluation is limited in scope to the secure management features described in the following:

l collaborative Protection Profile for Network Devices (NDcPP) v2.1 (24-September-2018) for Common Criteria

l Department of Defense Information Network Approved Products List (DoDIN APL) for the CS Tool category To change your configuration or review configurations that are excluded from compliance, refer to Changes and Exclusions for details. Documentation Refer to the Documentation list to review Stealthwatch built-in Help and guides. Reviewing the Software Version After you finish the installation and configuration, you can verify the software version in any of the following ways:

l SMC Web UI: Click the User icon, and select About.

l Update Manager: Navigate to Central Management > Update Manager to review the software version installed on each appliance.

The running version also displays across the top of System Configuration. User Management User Management allows you to do the following:

l create or delete user accounts

l enable or disable user accounts

l enter or change passwords

l view web role permissions

l edit user accounts

l configure web roles

l configure data roles

For details about how to access User Management, see Open User Management. Login History The login history is shown automatically at login. You can also check the Audit Logs for login details. Terminating User Sessions Use the following instructions to terminate console sessions and Web UI (and Appliance Admin interface) user sessions.

Terminate Your Console Session Use the following instructions to terminate your console session.

When you log into the appliance console as sysadmin, you can only access System Configuration. You can't access a command prompt.

1. Press the Tab key to navigate to Cancel or Exit. 2. Click Cancel or Exit until you've exited the session, and a login prompt displays.

Terminate Your Web UI Session Use the following instructions to terminate your user session in the Web UI (and the Appliance Admin interface).

1. Click the User icon in the toolbar in the upper right corner. 2. Select Logout.

Make sure you terminate the user account on every appliance in your Stealthwatch cluster in the Web UI (and the Appliance Admin interface).

Terminate Another User’s Active Web UI Session Use the following instructions to terminate another user's Web UI session in Stealthwatch.

You can't delete the default admin user account active (Admin) or your own user account.

1. Open User Management. 2. Locate the user name in the list. 3. You can delete or disable the user:

l Delete: Click the Ellipsis icon in the Actions column. Select Delete.

l Disable: Click the status button to turn it off.

4. Open Central Management. 5. On the Appliance Manager Inventory page, click the Ellipsis icon in the Actions column. Select Reboot.

l Order: Reboot your SMC last.

l Unavailable: The appliance is unavailable while it reboots. You will see an error message if you try to use the appliance before it is finished rebooting. 6. Repeat steps 4 and 5 to reboot every appliance in Central Management.

Terminate User Accounts in Appliance Admin (DoDIN APL)

1. Open User Management. 2. On the Appliance Manager Inventory page, click the Ellipsis icon in the Actions column. Select View Appliance Statistics.

Optional: In your browser, type https:// followed by the appliance URL to log in to the Appliance Administration interface directly.

3. Select the Manage Users menu. 4. Select Add/Delete Users. 5. Locate the user account in the list. 6. Click Delete. 7. Select the Operations menu. 8. Select Restart Appliance. 9. Repeat these steps on every appliance that includes the user account. Manually Updating the Time If Disabling NTP communications is required for your evaluated configuration of the TOE, the time can potentially drift between appliances. Make sure you manually update the time on every appliance on a daily basis.

When you disable NTP, the time can potentially drift between appliances, and there can be other unexpected behavior on your appliances. Make sure you manually update the time on every appliance on a daily basis. Refer to NTP Communication for details. Enabling NTP Communications If you need to enable NTP communications, use the following instructions to remove the manual- set-time file on every appliance in your cluster.

Review the Compliance Checklist to confirm if you need to disable NTP communications to be compliant. Enabling NTP Communications takes the system out of the evaluated configuration for compliance.

1. Follow the steps in Emergency Recovery to re-enable the root shell. 2. Log in to the appliance console as root. 3. Type the following command: SystemConfig

4. Press Enter. 5. Type the following command: rm /lancope/var/manual-set-time && reboot

6. Press Enter. The appliance reboots, and NTP is enabled after the reboot. 7. Repeat these instructions on every appliance in your cluster to enable NTP communications. Then, configure NTP in Central Management. Certificates Each appliance ships with a unique, self-signed appliance identity certificate. The appliance identity certificate is replaced for compliance as part of the Replacing the Appliance Identity procedure.

l Appliance Identity Certificates: You can manage the appliance identity certificate in Central Management by selecting the Appliance Manager tab, clicking the Ellipsis icon in the Actions column, and then selecting Edit Appliance Configuration to get to the Appliance Configuration page. On the Appliance Configuration page for the appliance, locate the SSL/TLS Appliance Identity section, which allows you to view the current certificate, generate a CSR, and replace the appliance identity certificate.

l Trust Stores: You can manage the Trust Store certificates for the selected appliance in Central Management by selecting the Appliance Manager tab, clicking the Ellipsis icon in the Actions column, and then selecting Edit Appliance Configuration to get to the Appliance Configuration page. From the Appliance Configuration page, select the General tab and locate the Trust Stores section, where you can add or delete certificates for the appliance's Trust Store.

l New Certificates: When you replace an appliance identity certificate, the data related to the old certificate and appliance identity is destroyed automatically. For details, refer to Resetting Factory Defaults (RFD). Syslog and Audit Logs Syslog When Syslog Compliance is enabled, Stealthwatch compliance logs are saved in the remote Syslog server. The data is determined by the logs from each appliance. Some of the logs are as follows:

For more information, see Audit Log Messages.

Syslog Field Description

Syslog Time The date and time the message was created by Syslog.

Local Host Name of appliance where the event occurred.

Audit Logger: the process that is sending events to the Syslog AuditLogger: user server. User: the process that created the audit event.

Audit ID The ID assigned to the event.

Date Date and time the event occurred.

The role of the user who performed the action, or the role at which the User process is active if no user is associated with the action.

IP Address The IP address of the device used to perform the action.

Yes: The action was completed. Success or Failure No: The action was not completed.

The details of the event and this information can vary based on the Message specific event.

Audit Logs You can also review the audit logs for a selected appliance in Central Management.

l Web UI: To review the audit logs in Central Management, click the Ellipsis icon in the Actions column, select Support, and then select the Audit Logs tab.

l Details: Click the User icon, and select Online Help.

l Sort and Filter: You can sort the audit logs by clicking on each column or filter the data.

l Event Details: See Audit Log Messages for more information.

Audit Log Column Description

Date/Time The date and time the data was recorded.

Management: basic management and configuration changes. IDS: intrusion detection functions. Category Audit: auditing and system level functions. I&A: user identification and authentication. Security: user maintenance and lockout.

The ID assigned to the event. Provide the Event ID if you contact Cisco Event Stealthwatch Support.

Event Details The description of the event.

The user login name associated with the event. The user ID is User Name displayed in parentheses.

User Location The IP address of the device used to perform the action.

The component that issued the log message. The process ID reported Process Name (PID) by the component is displayed in parentheses.

Yes: The action was completed. Success No: The action was not completed.

Audit Log History In addition to transmitting logs to an external Syslog server, each Stealthwatch appliance saves audit messages locally to an audit log file. When the audit log file reaches the maximum size (5MB), a new audit log file is created. A log rotation job runs nightly; and if the active log has grown to 5 MB, it is rotated. This results in the oldest records being purged to allow space new records to be written.

Resetting Factory Defaults (RFD) When you reset factory defaults on an appliance, sensitive data is destroyed automatically.

l SSH host keys

SSH is not enabled in the evaluated Common Criteria configuration.

l Appliance identity certificate information

l Appliance web server ephemeral key seeds

l Central Management identity configuration

l Any trusted private keys for external web servers

For instructions, refer to the Stealthwatch Installation and Configuration Guide v7.1.1.

Make sure you RFD each appliance twice to completely erase data. Emergency Recovery

During emergency recovery, the appliance will be temporarily operating outside its CC- evaluated configuration.

Use the following instructions to re-enable the root shell for emergency recovery.

For additional assistance, please contact Cisco Stealthwatch Support.

1. Open Central Management. 2. On the Appliance Manager page, click the Ellipsis icon in the Actions column for the appliance. 3. Select Reboot Appliance. 4. Go to the console. When the GRUB menu is shown, type "e" to enter edit mode.

5. Advance the cursor down one line and to the end of that line. 6. At the end of the line, type the following: rw init=/bin/bash

7. Press Enter. 8. Press the F10 key to boot the machine. 9. At the shell prompt, type the following: usermod --shell /bin/bash root

10. Power off the appliance (on the physical appliance or hypervisor). 11. Power on the appliance (on the physical appliance or hypervisor). 12. Log in to the console as root, and confirm you can access it. To reset appliance passwords, refer to the Stealthwatch Installation and Configuration Guide v7.1.1.

TOE Processes

The TOE, as a network performance monitoring tool, has many processes running on it that are capable of processing incoming network traffic. These processes are briefly described for each appliance, as follows.

Appliance Process Description

This process allows user authentication to happen through an external LDAP or Active Directory provider. The connections are LDAP protected by TLS using a port which is configurable by the administrator. The default port for LDAP and AD services is port 636/TCP.

This is the Nginx process that accepts HTTPS SMC connections on port 443/TCP for Web UI and Client Interfaces, the management channel, and HTTPS the user data channel from other appliances within the TOE. This process runs with normal user level permissions at ring 3.

This process securely sends logs to an external server using the Syslog protocol over TLS. TLS Syslog The default port is 6514/TCP, but it is configurable by the administrator.

This is the engine that accepts NetFlow traffic through the administrator defined ports. Stealthwatch The default port is 2055/UDP. This process runs as root as ring 3.

This is only used for communications with the Flow Collector HTTPS SMC; all remote administration is disabled for this interface.

This process securely sends logs to an external server using the Syslog protocol over TLS. TLS Syslog The default port is 6514/TCP, but it is configurable by the administrator.

Appliance Process Description

This is the engine that captures packet level Flow Sensor traffic from the network as a TAP or SPAN device. This process runs as a root at ring 3.

This is only used for communications with the HTTPS SMC; all remote administration is disabled for this Flow Sensor interface.

This process securely sends logs to an external server using the Syslog protocol over TLS. TLS Syslog The default port is 6514/TCP, but it is configurable by the administrator.

This is the engine that receives UDP traffic on the administrator defined ports. Additionally, this Flow Forwarder process forwards the traffic to other network devices based on rules defined by the administrator. This process runs as root at ring 3.

This is only used for communications with the UDP Director HTTPS SMC; all remote administration is disabled for this interface.

This process securely sends logs to an external server using the Syslog protocol over TLS. TLS Syslog The default port is 6514/TCP, but it is configurable by the administrator.

Audit Log Messages

When you enable ToggleSyslogCompliance in System Configuration and configure the Syslog servers for each Stealthwatch appliance, all log messages will be sent to a remote Syslog server.

Error messages that indicate connection failures to Syslog servers won't be sent to the remote Syslog server.

As log messages are sent to the remote Syslog server, the messages are also written to local circular log files that can be reviewed on each appliance console. Each local file is rotated, or replaced, when it reaches 5 MB. A log rotation job runs nightly; and if the active log has grown to 5 MB, it is rotated. This results in the oldest records being purged to allow space new records to be written. You can also view the log messages for all appliances in the Audit Log, which you access through Central Management in the SMC. Most log messages have a similar format regardless of whether they were generated for the SMC or other appliances. Some SMC log messages are different, particularly for events regarding communications between the SMC and other appliances. The table specifies which log messages are generated by the SMC and which are generated by other appliances. Log messages typically display in the following format:

[process-id]: ,(),

The term "metadata" includes date-time and/or process numbers. Additionally, log messages might indicate Syslog severity level; for example, INFO, ERROR, etc.

Log message samples in this table contain generic message field identifiers instead of actual details such as timestamps, host names, and IP addresses.

Audit Log Messages Table The following table provides descriptions of audit logs messages.

Requirements Auditable Stealthwatch Examples Events

FAU_GEN.1 Startup of the Feb 10 14:15:35 smc-appliance syslog-ng[2631]: AuditLogger: syslog- ng/2631 audit functions ,4021,2020-02-10T10:14:35TZD+0000,root(0), localhost,1,Audit log service started

Shutdown of the syslog-ng[]: AuditLogger: /,,,root(0), localhost,1,Audit log service stopped

FCO_CPC_EXT.1 Enabling SMC Appliance: communications AuditLogger[]: svc-cm-inventory between a pair ,,,1, Appliance "" of components added to Central Manager Other Appliances: AuditLogger[]: svc-cmconfiguration-agent , cm-agent,,1,Appliance is now managed by https:// docker: INFO RegistrationService: 102 - Registration of appliance appliance-uuid to https:// successful

Disabling SMC Appliance: communications AuditLogger[]: svc-cm-inventory /1, between a pair ,,,1, Appliance "" of components deleted from Central Manager Other Appliances: AuditLogger: svc-cm-configurationagent/1, ,cm- agent, ,1,Appliance is no longer managed by https://

FCS_HTTPS_ Failure to establish See FTP_TRP.1/Admin for audit records. EXT.1 HTTPS session

FCS_TLSC_ Failure to establish LDAP Over TLS: EXT.1 TLS session See FTP_ITC.1 for audit records.

FCS_TLSC_ Failure to establish Syslog Over TLS: EXT.2 TLS session See FTP_ITC.1 for audit records. TLS Client Communication Between Stealthwatch Appliances: See FPT_ITT.1 for audit records.

FCS_TLSS_ Failure to establish TLS for Remote Administration: EXT.1 TLS session See FTP_TRP.1/Admin for audit records.

FCS_TLSS_ Failure to establish TLS Server Communication Between Stealthwatch Appliances: EXT.2 TLS Session See FPT_ITT.1 for audit records.

Requirements Auditable Stealthwatch Examples Events

FIA_AFL.1 Unsuccessful Account is Automatically Disabled After Successive Failed Logins: login attempts AuditLogger,, ,0,Login failed: User Disabled exceeded

FIA_UIA_EXT.1 All use of the SMC Remote Administration): identification Remote Auth Success and authentication AuditLogger, ,,1,Login successful Remote Auth LDAP Success AuditLogger,, localhost,1,Login Host verified using Subject Alternative IP Address successful AuditLogger, , ,1,Login successful Remote Auth Failure AuditLogger, , ,0,Login failed: Incorrect Password SMC (Local Administration): Local Auth Success AuditLogger, sysadmin(75),127.0.0.1,1,Login on Console successful Local Auth Failure AuditLogger , sysadmin(75),127.0.0.1,0,Login on Console failed: Incorrect Password Other Appliances: Local Auth Success AuditLogger , sysadmin(75),127.0.0.1,1,Login on Console successful Local Auth Failure AuditLogger , sysadmin(75),127.0.0.1,0,Login on Console failed: Incorrect Password

FIA_UAU_EXT.2 All use of the See for FIA_UIA_EXT.1 for audit records. identification and authentication mechanism

FIA_X509_ Unsuccessful SMC (Operating as a TLS Client): EXT.1/ITT attempt to ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: PKIX path building certificate failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid FIA_X509_ certification path to requested target) EXT.1/rev CertificateExpiredException: Certificate expired at (compared to )

Requirements Auditable Stealthwatch Examples Events

ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed) error:0D0680A8:asn1 encoding routines:ASN1_ CHECK_TLEN:wrong tag ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: Handshake failed) signature did not verify ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate) SMC (Operating as a TLS server): [crit] 7871#7871: *1570 SSL_do_handshake() failed (SSL: error:04097068:rsa routines:RSA_private_encrypt:bad signature error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 7871#7871: *1569 SSL_do_handshake() failed (SSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 7871#7871: *1568 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_ NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:1408900D:SSL routines:ssl3_get_client_certificate:ASN1 lib) while SSL handshaking, client: , server: 0.0.0.0:443 [error] 7871#7871: CiscoSSL error encountered: invalid CA certificate. [crit] 7871#7871: *2537 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [error] 7871#7871: Provided certificate has no basicConstraints attributes. [crit] 7871#7871: *2536 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [error] 7871#7871: CiscoSSL error encountered: self signed certificate in certificate chain.

Requirements Auditable Stealthwatch Examples Events

[crit] 7871#7871: *3211 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 8798#8798: *4210 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [error] 8798#8798: CiscoSSL error encountered: certificate has expired. Other Appliances (Operating as a TLS Client): SunCertPathBuilderException: unable to find valid certification path to requested target ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to java.security.cert.CertificateExpiredException: Certificate expired at (compared to ) ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to error:0D0680A8:asn1 encoding routines:ASN1_ CHECK_TLEN:wrong tag ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to signature did not verify ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to ERROR [MonitoredHTTPClient] [] status=ERROR (javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate) ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to Other Appliances (Operating as a TLS Server): [error] 4277#4277: CiscoSSL error encountered: certificate has expired. [crit] 4277#4277: *35 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 4277#4277: *39 SSL_do_handshake() failed (SSL: error:04097068:rsa routines:RSA_private_encrypt:bad signature error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 4277#4277: *38 SSL_do_handshake()

Requirements Auditable Stealthwatch Examples Events

failed (SSL: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 4277#4277: *37 SSL_do_handshake() failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_ NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:1408900D:SSL routines:ssl3_get_client_certificate:ASN1 lib) while SSL handshaking, client: , server: 0.0.0.0:443 [error] 4277#4277: CiscoSSL error encountered: invalid CA certificate. [crit] 4277#4277: *41 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [error] 4277#4277: CA certificate 1 has no basicConstraints attributes. [crit] 4277#4277: *40 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [error] 4277#4277: CiscoSSL error encountered: self signed certificate in certificate chain. [crit] 4277#4277: *42 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443

FIA_X509_ Any addition, SMC (Operating as a TLS Client): EXT.1/ITT replacement, ,cm-agent,127.0.0.1,1,Successfully added or removal and certificate to trust store. Friendly name(s): [] of trust anchors FIA_X509_ in the TOE’s ,cm-agent,127.0.0.1,1,Trust store successfully EXT.1/rev trust store synchronized. Following certificates are going to be removed: [] SMC (Operating as a TLS Server): ,cm-agent,127.0.0.1,1,Successfully added certificate to trust store. Friendly name(s): [] ,cm-agent,127.0.0.1,1,Trust store successfully synchronized. Following certificates are going to be removed: [] Other Appliances (Operating as a TLS Client): ,cm-agent,127.0.0.1,1,Successfully added certificate to trust store. Friendly name(s): [] ,cm-agent,127.0.0.1,1,Trust store successfully synchronized. Following certificates are going to be removed: [] Other Appliances (Operating as a TLS Server): ,cm-agent,127.0.0.1,1,Successfully added certificate to trust store. Friendly name(s): []

Requirements Auditable Stealthwatch Examples Events

,cm-agent,127.0.0.1,1,Trust store successfully synchronized. Following certificates are going to be removed: []

Additional Unsuccessful Syslog Over TLS: messages attempt to Note: Some of these events cause failure of Syslog over TLS, causing messages to not applicable to FIA_ validate a reach the Syslog server. All such messages are stored locally on each appliance in X509_ EXT.1/Rev certificate /lancope/var/logs/access-logs/tomcat/ciscoj.log . (not applicable to FIA_X509_ Invalid CA (SMC) EXT.1/ITT) AuditLogger[]:AuditLogger: smc-agent/7634,3001, ,svc-cm-support-agent|,,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target AuditLogger[]:AuditLogger: smc-agent/7542,3001, ,svc-cm-configuration-agent|,,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Responder's certificate not valid for signing OCSP responses AuditLogger[]:AuditLogger: smc-agent/7730,3001, ,svc-cm-support-agent|,,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Unable to determine revocation status due to network error Invalid CA (Other Appliances) [] P5671-70 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=32,976 -> phostname=null, rhostname=, port=6,514 [] P5671-70 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.verifyCertificateChain(): ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Revoked Certificate: Revoked Certificate (SMC) AuditLogger[]:AuditLogger: smc-agent/7542,3001, ,svc-cm-update-agent|,,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: , authority: EMAILADDRESS=, CN=, O=, L=, ST=, C=, extension OIDs: [] Revoked Certificate (Other Appliances) [] P5671-74 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=37,272 -> phostname=null, rhostname=, port=6,514 [] P5671-74 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.

Requirements Auditable Stealthwatch Examples Events

OpenSSLSocketImpl.verifyCertificateChain(): ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: , authority: EMAILADDRESS=, CN=, O=, L=, ST=, C=, extension OIDs: [] Invalid Signature: SMC AuditLogger[]:AuditLogger: smc-agent/7634,3001, ,svc-cm-support-agent|,,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed Other Appliances [] P5671-61 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=41,090 -> phostname=null, rhostname=, port=6,514 [] P5671-61 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.verifyCertificateChain(): ValidatorException: PKIX path validation failed: java.security.cert. CertPathValidatorException: signature check failed Expired Certificate: SMC [] P5694-26 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=50,444 -> phostname=null, rhostname=, port=6,514 [] P5694-26 SEVERE com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLX509Certificate.checkValidity(): java.security.cert.CertificateExpiredException: Certificate expired at (compared to ) Other Appliances [] P5671-15 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=59,438 -> phostname=null, rhostname=, port=6,514 [] P5671-15 SEVERE com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLX509Certificate.checkValidity(): java.security.cert.CertificateExpiredException: Certificate expired at (compared to ) Invalid cRLSign: SMC [] P5694-179 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=54,206 -> phostname=null, rhostname=, port=6,514 [] P5694-179 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): SSLHandshakeException: PKIX path validation

Requirements Auditable Stealthwatch Examples Events

failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder Other Appliances [] P5671-68 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=39,342 -> phostname=null, rhostname=, port=6,514 [] P5671-68 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder Revocation of Certificate via OCSP (Same on All Appliances): ERROR com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLEngineImpl – verifyCertificateChain - ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: KEY_COMPROMISE, revocation date: , authority: CN=, OU=, O=, L=, ST=, C=, extension OIDs: [2.5.29.21] caused by: CertPathValidatorException: Certificate has been revoked, reason: KEY_ COMPROMISE, revocation date: , authority: CN=, OU=, O=, L=, ST=, C=, extension OIDs: [2.5.29.21] caused by: CertificateRevokedException: Certificate has been revoked, reason: KEY_ COMPROMISE, revocation date: , authority: CN=, OU=, O=, L=, ST=, C=, extension OIDs: [2.5.29.21] Revocation Missing OCSP Responder (Same on All Appliances): legacy-auth-start.sh []: [NioProcessor-4] ERROR c.l.s.s.a.LDAPX509ExtendedTrustManager - Certificate Exception to longclaw- ad. PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder LDAP Over TLS Note: In the event that any of these LDAP-over-TLS messages fail to reach the Syslog server, they can be found locally in /lancope/var/logs/syslog. Invalid CA (SMC) docker/svc-legacy-auth[]: Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target docker/svc-legacy-auth[]: INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to docker/svc-legacy-auth[]: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag docker/svc-legacy-auth[]: INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to . docker/svc-legacy-auth[]: Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate

Requirements Auditable Stealthwatch Examples Events

legacy-auth-start.sh[]: INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to . docker/svc-legacy-auth[]: Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Responder's certificate not valid for signing OCSP responses legacy-auth-start.sh[]: INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to . Revoked Certificate (SMC) docker/svc-legacy-auth[]: [NioProcessor- 22] ERROR c.l.s.s.a.LDAPX509ExtendedTrustManager - Certificate Exception to . PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked, reason: UNSPECIFIED, revocation date: T, authority: [email protected], CN=subsubca-rsa, O=GSS, L=Catonsville, ST=MD, C=US, extension OIDs: [] Invalid Signature (SMC) docker/svc-legacy-auth[]: [NioProcessor- 17] ERROR c.l.s.s.a.LDAPX509ExtendedTrustManager - Certificate Exception to . PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed docker/svc-legacy-auth[]: INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to Expired Certificate (SMC) docker/svc-legacy-auth[]: Caused by: java.security.cert.CertificateExpiredException: Certificate expired at (compared to ) legacy-auth-start.sh[]: INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to . Invalid cRLSign (SMC) legacy-auth-start.sh[]: Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder legacy-auth-start.sh[]: INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to .

FMT_MOF.1/ Any attempt to AuditLogger []: AuditLogger: svc-cm-update/1,1210, ManualUpdate initiate a manual ,,,1,SWU image uploaded to update Central Manager. AuditLogger []: AuditLogger: svc-cm-update/1,1216, ,,,1,The 'install' action of SWU is initiated on appliance

Requirements Auditable Stealthwatch Examples Events

FMT_SMF.1 All management Banner Message Change: activities of AuditLogger []: osaxsd/198216,1100, ,root TSF data (0),localhost,1,System Service bannermsg has changed these settings: BANNERMSG = Timeout Modification: AuditLogger []: osaxsd/198682,1100, , root (0),localhost,1,System Service session has changed these settings: idle_timeout_ seconds = AuditLogger[]: AuditLogger: osaxsd/90609,1100, ,root(0),localhost,1,System Service session has changed these settings: timeout_ seconds = AuditLogger []: AuditLogger: osaxsd/90787,1100, ,root(0),localhost,1,System Service session has changed thesesettings: idle_timeout_seconds = External Services: AuditLogger[]: osaxsd/142951,1100, ,root (0), localhost,1,SystemService syslog haschanged these settings: AUDIT_EXT_IP = AuditLogger[]: AuditLogger: svc-cmconfiguration/1,1506,,,,1,Initiated change appliance configuration widget auditLogDestination Configuring Authentication Failure Parameters (SMC): AuditLogger[]: AuditLogger: svc-cmconfiguration/1,1506,,,,0,Failed to initiate change appliance configuration widget passwordPolicy with error validation: invalidFailedLoginAttemptLockoutThreshold Configure Cryptographic Functionality: SMC AuditLogger[]: AuditLogger: svc-cmconfiguration/1,1506, ,,,1,Initiated change appliance configuration widget auditLogDestination AuditLogger[]: AuditLogger: svc-cmconfiguration/1,1506, ,,,1,Initiated change appliance configuration widget ldapSetup Other Appliances AuditLogger[]: AuditLogger: osaxsd/20893,1100, ,root(0),localhost,1,System Service syslog has changed these settings: AUDIT_ EXT_IP = Configure the Reference Identifier for the Peer: SMC AuditLogger[]: AuditLogger: svc-cmconfiguration/1,1506, ,,,1,Initiated change appliance configuration widget auditLogDestination Other Appliances

Requirements Auditable Stealthwatch Examples Events

AuditLogger[]:]: AuditLogger: osaxsd/20893,1100, ,root(0),localhost,1,System Service syslog has changed these settings: AUDIT_EXT_IP = Generating/Import of, Changing of, or Deleting of Cryptographic Keys: Same on the SMC and Other Appliances AuditLogger[]: AuditLogger: svc-cmconfiguration/1,5038, ,cm-agent,127.0.0.1,1,Successfully updated appliance identity. Friendly name: AuditLogger[]: svc-cm-configuration-agent/1,5047, ,cm-agent,,1,Deleted SSL cryptographic key with SHA256 for APPLIANCE identity Reset Password: Local Password Change (SMC) AuditLogger[]: AuditLogger: osaxsd/321982,1100, ,root(0),localhost,1,System Service password has changed these settings: sysadmin = XXXXXX Local Password Change (Other Appliances) AuditLogger[]: AuditLogger: osaxsd/9931,1100, ,localuser(0),localhost,1,System Service password has changed these settings: sysadmin = XXXXXX Remote Password Change (SMC) AuditLogger[]: AuditLogger: smc-server/7542,5035, ,,,1,Updated user "" Appliance Relation Modifications: AuditLogger[]: svc-cm-inventory/1,1207, , ,,1,Appliance "" added to Central Manager AuditLogger[]: svc-cm-inventory/1,1208, , ,,1,Appliance "" deleted from Central Manager Changing of Services: AuditLogger[]: svc-cm-configuration/1,1506, ,,,1,Initiated change appliance configuration widget externalServices AuditLogger[]: svc-cm-configuration/1,1506, ,,,1,Initiated change appliance configuration widget sessionTimeout AuditLogger[]: svc-cm-configuration/1,1506, ,,,1,Initiated change appliance configuration widget externalServices AuditLogger[]: svc-cm-configuration/1,1506, ,,,1,Initiated change appliance configuration widget ldapSetup AuditLogger[]: svc-cm-configuration/1,1506, ,,,1,Initiated change appliance configuration

Requirements Auditable Stealthwatch Examples Events

widget externalServices AuditLogger[]: svc-cm-configuration/1,1506, ,,,1,Initiated change appliance configuration widget openingMessage AuditLogger[]: svc-cm-configuration/1,1506, ,,,1,Initiated change appliance configuration widget externalServices Trust Store Modifications: docker/svc-cm-agent []: INFO TrustStoreService:182 - adding certificate: LDAP AuditLogger[]: svc-cm-configuration-agent/1,5042, ,cm-agent,127.0.0.1,1,Trust store successfully synchronized. Following certificates are going to be retained: [ic, ca, , fc, , , syslog, smc] AuditLogger []: AuditLogger: smc-agent/4855,5049, ,svc-sw-admin,,1,OverwroteSSL cryptographic key file containing key (SHA256) with key (SHA256) AuditLogger []: svc-cm-configuration-agent/1,5041, ,cm-agent,127.0.0.1,1,Successfully added certificate to trust store. Friendly name(s): [LDAP] User Modifications: AuditLogger[]: smc-server/4553,5003, ,,,1,User "local" added AuditLogger[]: smc-server/4553,5035, , ,,1,Updated user "local"

FPT_ITT.1 Initiation of the SMC (as TLS Client to Other Appliances): trusted channel [] P1-69 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSL SocketImpl.startHandshake(): initiating handshake with lport=41,360 -> phostname=, rhostname=null, port=443 [] P1-69 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.verifyCertificateChain(): Verifying peer cert using authentication method ECDHE_RSA: CN= [] P1-68 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSL SocketImpl.startHandshake(): Verified peer Flow SMC (as TLS Server, Receiving Connections From Other Appliances): [error] 7799#7799: IP address matches presented certificate for connection: . Other Appliances (as TLS Client to SMC): [] P4958-48 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.verifyCertificateChain(): Verifying peer cert using authentication method RSA: 1.2.840.113549.1.9.1=#, CN=, O=, L=, ST=, C= [] P4958-48 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): Verifying peer

Requirements Auditable Stealthwatch Examples Events

[] P4958-48 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl. OpenSSLSocketImpl.startHandshake(): handshake completed: lport=47,764 -> phostname=null, rhostname= , phost=, pport=443, socketId= Other Appliances (as TLS Server, Receiving Connections From SMC): [error] 4277#4277: IP address matches presented certificate for connection: .

Termination SMC (Operating as a TLS Client): of the CONFIG trusted channel com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.close(): Socket closed. functions Peer: , port: 443, socketId= SMC (Operating as a TLS Server): [info] 7799#7799: *3137 client closed keepalive connection Other Appliances (Operating as a TLS Client): CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.close(): Socket closed. Peer: , port: 443, socketId= Other Appliances (Operating as a TLS Server): [info] 4438#4438: *576 client closed keepalive connection

Failure of the SMC (Operating as a TLS Client): trusted channel error:1409017F:SSL routines:ssl3_get_server_ functions certificate:wrong certificate type ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: Handshake failed) error:140920F8:SSL routines:ssl3_get_server_ hello:unknown cipher returned ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: Handshake failed) error:1409210A:SSL routines:ssl3_get_server_ hello:wrong ssl version ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: Handshake failed) by: SSLProtocolException: ../Source/JNI_ glue/SSL.cpp:NativeCrypto_SSL_do_handshake_Blocking: SSL handshake terminated: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: Handshake failed) ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLException: javax.net.ssl.SSLHandshakeException: ../Source/JNI_glue/SSL.cpp:NativeCrypto_ SSL_verify_peer_in_cert: Common criteria: hostname IP mismatch violation)

Requirements Auditable Stealthwatch Examples Events

:SSL routines:ssl3_get_key_exchange:wrong curve (s3_clnt.c:1912 0x7f0661b24f3b:0x00000000): error:1408D17A:SSL routines:ssl3_get_key_exchange:wrong curve ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: Handshake failed) : SSLProtocolException: ../Source/JNI_ glue/SSL.cpp:NativeCrypto_SSL_do_handshake_Blocking: SSL handshake terminated: error:1408C095:SSL routines:ssl3_get_finished:digest check failed ERROR [FSPollingTask] [132/143/] heartbeat failed (javax.net.ssl.SSLHandshakeException: Handshake failed) SMC (Operating as a TLS Server): [info] 7871#7871: *1431 SSL_do_handshake() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 7871#7871: *1395 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 7871#7871: *1484 SSL_do_handshake() failed (SSL: error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 7871#7871: *1478 SSL_do_handshake() failed (SSL: error:1408E0F4:SSL routines:ssl3_get_message:unexpected message) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 7871#7871: *1432 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:ssl3_get_finished:digest check failed) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 7871#7871: *1489 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 7871#7871: *2537 SSL_do_handshake() failed (SSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 7871#7871: *1570 SSL_do_handshake() failed (SSL: error:04097068:rsa routines:RSA_private_encrypt:bad signature error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 Other Appliances (Operating as a TLS Client): :SSL routines:ssl3_get_server_certificate:wrong certificate type (s3_clnt.c:1378 0x7f2e55e97f3b:0x00000000): error:1409017F:SSL routines:ssl3_get_server_certificate:wrong certificate type ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to :SSL routines:ssl3_get_server_hello:unknown cipher returned (s3_clnt.c:1076 0x7f2e55e97f3b:0x00000000): error:140920F8:SSL

Requirements Auditable Stealthwatch Examples Events

routines:ssl3_get_server_hello:unknown cipher returned ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to :SSL routines:ssl3_get_server_hello:wrong ssl version (s3_clnt.c:978 0x7f7924507f3b:0x00000000): error:1409210A:SSL routines:ssl3_get_server_hello:wrong ssl version ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to SSLProtocolException: ../Source/JNI_ glue/SSL.cpp:NativeCrypto_SSL_do_handshake_Blocking: SSL handshake terminated: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to SSLProtocolException: ../Source/JNI_ glue/SSL.cpp:NativeCrypto_SSL_do_handshake_Blocking: SSL handshake terminated: error:1408C095:SSL routines:ssl3_get_finished:digest check failed ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to ] P1-83 SEVERE com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.startHandshake(): Common Criteria Exception occurred:hostname: ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to :SSL routines:ssl3_get_key_exchange:wrong curve (s3_clnt.c:1912 0x7f2e55e97f3b:0x00000000): error:1408D17A:SSL routines:ssl3_get_key_exchange:wrong curve ERROR [pool-4-thread-1] WebSocketsPolling:66 - Unable to initiate web socket connection to Other Appliances (Operating as a TLS Server): [info] 4277#4277: *26 SSL_do_handshake() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 4277#4277: *21 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 4277#4277: *30 SSL_do_handshake() failed (SSL: error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 4277#4277: *28 SSL_do_handshake() failed (SSL: error:1408E0F4:SSL routines:ssl3_get_message:unexpected message)

Requirements Auditable Stealthwatch Examples Events

while SSL handshaking, client: , server: 0.0.0.0:443 [info] 4277#4277: *27 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:ssl3_get_finished:digest check failed) while SSL handshaking, client: , server: 0.0.0.0:443 [info] 4277#4277: *31 SSL_do_handshake() failed (SSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 4277#4277: *32 SSL_do_handshake() failed (SSL: error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed) while SSL handshaking, client: , server: 0.0.0.0:443 [crit] 4277#4277: *34 SSL_do_handshake() failed (SSL: error:04097068:rsa routines:RSA_private_encrypt:bad signature error:1408807B:SSL routines:ssl3_get_cert_verify:bad signature) while SSL handshaking, client: , server: 0.0.0.0:443

FPT_STM_EXT.1 Discontinuous This same message is generated on the SMC and all other appliances: changes to AuditLogger[]: AuditLogger: osaxsd/28824,1100,,root(0),localhost,1,System time updated from [] to [] Administrator actuated or changed via an automated process

FPT_TUD_EXT.1 Initiation of AuditLogger[,,,1,SWU image uploaded to of the update Central Manager. attempt (success AuditLogger[,,,1,The 'install' action of SWU is initiated on appliance AuditLogger[,root(0),localhost,1,Executed update of system with '/lancope/var/services/cm- agent/update/. The system will now reboot.

FTA_SSL.3 Termination AuditLogger[]: svc-tokenauthority /1,4004, ,,,1,The user has logged out session by the session locking mechanism

FTA_SSL.4 Termination of Remote Logout (SMC) an interactive AuditLogger[]: AuditLogger: svc-token-authority/1,4004, session ,,,1,The user has logged out Local Logout (SMC) AuditLogger[]: AuditLogger: osaxsd/243349,4004, ,sysadmin(75),127.0.0.1,1,The user has logged out of Console Local Logout (Other Appliances)

Requirements Auditable Stealthwatch Examples Events

AuditLogger[]: AuditLogger: osaxsd/48841,4004, ,sysadmin(75),127.0.0.1,1,The user has logged out of Console

FTA_SSL_EXT.1 Termination of This same message is generated on the SMC and all other appliances: a local session by AuditLogger []: AuditLogger: osaxsd/166650,4005, the session ,sysadmin(75),localhost,0,The user has been logged out of SystemConfig - locking mechanism the idle timeout was reached

FTP_ITC.1 Initiation of the Syslog Over TLS: trusted channel P5694-179 CONFIG com.cisco.ciscossl.provider.ciscojce.ssl.OpenSSLSocketImpl.startHandshake(): initiating handshake with lport=54,206 -> phostname=null, rhostname=, port=6,514 LDAP Over TLS: AuditLogger svc-legacy- auth/1,,localhost,1,Login Host verified using Subject Alternative IP Address successful

Termination of Syslog Over TLS: of the trusted NOTICE AuditLogger:,,,, ,,Remote audit log shutdown LDAP Over TLS: legacy-auth-start.sh[]: INFO com.lancope.sws.smc.auth.LdapSession - TLS connection terminated to activedirectory.testdomain.

Failure of the Syslog Over TLS: trusted channel AuditLogger[]: ,svc-cm-support- functions agent|,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLHandshakeException: Handshake failed AuditLogger[]: ,svc-cm-support- agent|,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS server authentication AuditLogger[]: ,svc-cm-support- agent|,0,Logging to External Audit Log Destination failed [host= :6514] - javax.net.ssl.SSLException: javax.net.ssl.SSLHandshakeException: ../Source/JNI_glue/SSL.cpp:NativeCrypto_ SSL_verify_peer_in_cert: Common criteria: hostname IP mismatch violation LDAP Over TLS: Failure messages for this event are generated in pairs, where one message contains the reason for the failure, and the other message contains the IP address of the LDAP server. Messages with the Reasons forFailure: Message format: docker/svc-legacy-auth Where is one of:

Requirements Auditable Stealthwatch Examples Events

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS server authentication Caused by: java.security.cert.CertificateException: Failed hostname verification to Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target error:140920F8:SSL routines:ssl3_get_server_hello:unknown cipher returned error:1409210A:SSL routines:ssl3_get_server_hello:wrong ssl version error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac error:04097068:rsa routines:RSA_private_encrypt:bad signature error:1408C095:SSL routines:ssl3_get_finished:digest check failed error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong Corresponding Message with LDAP Server's IP Address: docker/svc-legacy-auth INFO c.l.sws.smc.auth.LdapSessionFactory - Failed to establish TLS connection to

FTP_ Initiation of the Remote Auth Success (Using Local Account/Password): TRP.1/Admin trusted channel AuditLogger[]: svc-legacy-auth/1, ,,,1,Login successful Remote Auth LDAP Success: AuditLogger[]: svc-legacy-auth/1, ,localhost,1,Login-Host , verified using Subject Alternative IP Address successful AuditLogger[]: svc-legacy-auth/1, ,,,1,Login successful

Termination Remote Logout: of the trusted AuditLogger[]: AuditLogger: svc-token- channel authority/1,4004,,,,1,The user has logged out

Failure of Format for TheseTypes of Errors: the trusted YYYY/MM/DD HH:mm:SS [info] #:* SSL_do_ channel handshake() failed (SSL: error: :SSL routines:) while functions SSL handshaking, client: , server: 0.0.0.0:443 Where is one of: ssl3_get_client_hello:no shared cipher ssl3_get_finished:digest check failed SSL3_GET_ RECORD:decryption failed or bad record mac ssl3_ get_message:unexpected message SSL3_GET_RECORD: block cipher pad is wrong SSL23_GET_CLIENT_HELLO: unknown protocol

Requirements Auditable Stealthwatch Examples Events

Example: 2020/03/04 19:56:55 [info] 4434#4434: *11531 SSL_do _handshake() failed (SSL: error:1408A0C1:SSL routines: ssl3_get_client_hello:no shared cipher) while SSL handshaking, client: , server: 0.0.0.0:443

FTP_TRP.1/Join Initiation of the See FPT_ITT.1 for audit records. trusted channel

Termination of See FPT_ITT.1 for audit records. the trusted channel functions

Failure of the See FPT_ITT.1 for audit records. trusted channel functions

Changes and Exclusions Changing Appliances After Compliance Configuration These instructions apply to the following:

l Adding or removing appliances in Central Management

l Changing the host name

l Changing the network domain name

l Changing the IP address The overall steps are as follows. 1. Refer to the following instructions:

l Adding or Removing Appliances: Follow the instructions in the Stealthwatch Installation and Configuration Guide v7.1.1, "Troubleshooting" section.

l Changing the Host Name: Follow the instructions in the Stealthwatch Online Help, "Host Naming" section.

l Changing the Network Domain Name: Follow the instructions in the Stealthwatch Online Help, "Network Interfaces" section.

l Changing the IP Address: Follow the instructions in the Stealthwatch Online Help, "Network Interfaces" section. 2. Complete the instructions in this Stealthwatch Compliance Guide to reconfigure your Stealthwatch cluster for compliance. Make sure you configure the following:

l Certificates

l Compliance Mode (FIPS and Common Criteria)

l Local Authentication Configuration Updating Software To update your Stealthwatch appliances, open Central Management > Update Manager:

l Instructions: For an overview of steps, click the Help icon. Select Stealthwatch Online Help. When Stealthwatch update or patch files become available, download and follow the instructions in the applicable Stealthwatch Update Guide.

l Software Updates: Software updates can be downloaded from the Stealthwatch Download and License Center at https://stealthwatch.flexnetoperations.com.

l Checksum Comparison: When you download the software update files to the management computer, note the SHA-512 checksum displayed on the download page. Run a command on your local workstation (such as "sha512sum") to calculate the checksum. Compare the result with the checksum on the download page. Then, upload the file to the Update Manager.

If the result does not match the checksum, don't upload the file to the SMC. Attempt to download the file again from the Stealthwatch Download and License Center; and if the calculated checksum still does not match the expected checksum, then contact Cisco Stealthwatch Support.

l Software Version: Go to Central Management > Update Manager to review the software version installed on each appliance. The Update Manager also shows the last reboot, version ready to install, and the update status.

l Order: Make sure you update the appliances in order as described in the applicable Stealthwatch Update Guide.

Stealthwatch does not support concurrent uploading of SWU files to SMC.

l Appliance Status: Make sure each appliance completes the update and that the appliance status is shown as Up before you update the next appliance in your cluster.

l Success/Failure: If the software update fails, Installation Failed displays in the Update Status column. Installation Failed After you complete the offline verification of the integrity of the SWU file, upload each of the SWU files to the SMC. If the Update Status column displays Installation Failed, follow these instructions:

1. Click the Ellipsis icon in the Actions column. 2. Click > View Update Log. 3. Review the log for errors.

If the upload fails, review these possible reasons:

l You were attempting to upload more than one SWU file at a time. To resolve: 1. Make sure all of your uploads are stopped. 2. Upload each SWU file separately, and in order. 3. Wait for that status of each upload to change from Processing to Success before uploading the next file.

l There is insufficient disk space to upload the SWU files. To resolve: 1. Make sure there is sufficient space available. 2. Refer to the "Check the Available Disk Space" section in the applicable Stealthwatch Update Guide. 3. Expand the available disk space, if needed.

Troubleshooting a Failed Installation Common reasons update files and patches fail to upload:

l Lack of disk space: If this occurs, the update log indicates No space left on device. To resolve this issue, expand the appliance disk space by following the instructions in the "Data Storage" section of the Stealthwatch Installation and Configuration Guide v7.1.1.

l Loss of network connectivity between SMC and the appliances during the transfer of the update file or patch from SMC to the appliances: If this occurs, restore the network connectivity and retry installing the update or patch.

l Target appliance fails a readiness check during installation: This can occur if the minimum amount of time hasn't transpired since the previous reboot of the SMC or FC, or if a service fails to stop cleanly when preparing to install the update. If this occurs, the Update Status shows Installation Failed and the update log indicates Unexpected exit status!. To resolve these issues, wait for the necessary minimum time since the previous reboot of the target appliance, and retry to install the update. If the error occurs again, then contact Cisco Stealthwatch Support. .

Exclusions There are certain Stealthwatch appliances and features that are not included in the evaluated configurations.

The Endpoint Concentrator appliance is not supported in the evaluated configurations.

Configurations and Features The following configurations and features are not supported in the evaluated configurations:

Configuration Details

Admin UI file browser Admin UI file browser endpoint endpoint is not supported.

SAML SSO is supported for DoDIN APL. Only Local Authentication and LDAP are supported for the CC- Authentication evaluated configuration. Note: SAML SSO is not supported for the CC- evaluated configuration.

Comma- Separated Values (CSV) files reports CSV reports are not available when Security Label is used.

Configuration Details

Note: This includes flow reports.

This functionality is not supported for compliance, including: add-ons, Stealthwatch Apps, CTA, ISE, Google Integrations with Stealthwatch Analytics, Stealthwatch Cloud, Tetration, Data Exporter (DEX)/Flow Forwarder, and Customer Success Metrics.

NTLM authentication is not supported Internet Proxy when FIPS encryption libraries are enabled.

IPv6 should IPv6 not be enabled.

Packet Packet Analyzer Analyzer is not supported.

Configuration Details

NTP is not supported for NTP the CC- evaluated configuration.

RADIUS and RADIUS and TACACS+, including creating TACACS+ and authenticating users are not supported.

SMC Failover, where one SMC Failover SMC serves as a backup to the other, is not supported.

The SLIC Threat Feed Stealthwatch Labs Intelligence Center (SLIC) should not be enabled.

Acronyms and Terms

This section defines the acronyms and terms.

Acronym Definition

AIDE Advanced Intrusion Detection Environment

API Application Programming Interface

CA Certificate Authority

CC Common Criteria

CLI Command Line Interface

CSR Certificate Signing Request

CSV Comma-Separated Values

DNS Domain Name Service

DoDIN Department of Defense Information Network

DoDIN APL Department of Defense Information Network - Approved Products List

EAL Evaluated Assurance Level

FC Flow Collector

FIPS Federal Information Processing Standard

FS Flow Sensor

GUI Graphical User Interface

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol Secure

Idp Identity Provider (used in SSO)

IP Internet Protocol

Acronym Definition

ISE Identity Services Engine

International Organization for Standardization (ISO) ISO/IEC International Electrotechnical Commission (IEC)

JRE Java Runtime Environment

LAN Local Area Network

LDAP Lightweight Directory Access Protocol

NDcPP collaborative Protection Profile for Network Devices

NTLM New Technology LAN Manager

OS Operating System

PAM Pluggable Authentication Module

PEM Privacy Enhanced Mail

PINs Personal Identification Numbers

RFD Reset Factory Defaults

RSA Rivest, Shamir, and Adelman (a public-key cryptographic system)

SAML Security Assertion Markup Language

SKU Stock Keeping Unit

SLIC Stealthwatch Labs Intelligence Center

SMC Stealthwatch Management Console

SMTP Simple Mail Transfer Protocol

SNMP Simple Network Management Protocol

SOAP Simple Object Access Protocol

Acronym Definition

SP Service Provider (used in SSO)

SPAN Switched Port Analyzer

SSL Secure Sockets Layer

SSO Single Sign-On

TACACS Terminal Access Controller Access Control System

TAP Test Access Port

TCP Transmission Control Protocol

TLS Transport Layer Security

TOE Target of Evaluation

TSFI TOE Security Function Interface

UDP User Datagram Protocol

UDPD UDP Director

UI User Interface

Contacting Support

If you need technical support, please do one of the following:

l Contact your local Cisco Partner

l Contact Cisco Stealthwatch Support

l To open a case by web: http://www.cisco.com/c/en/us/support/index.html

l To open a case by email: [email protected]

l For phone support: 1-800-553-2447 (U.S.)

l For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd- cisco-worldwide-contacts.html

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. Cisco Public - 98 - Copyright Information Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)