Bivio 6310-NC Common Criteria Administrative Guidance Version 1.10 Nov 23, 2020 Bivio 6310-NC Common Criteria Administrative Guidance CONTENTS 1. Introduction .......................................................................................................................................... 5 2. Operational Environment – IT Requirements ....................................................................................... 6 3. Operational Environment – Procedural/Policy Requirements ............................................................. 7 4. Installation and Initial Configuration .................................................................................................... 7 Initial configuration ............................................................................................................................................... 8 Logging in and out of the system ........................................................................................................................ 10 Setting time ......................................................................................................................................................... 10 Enabling the NTP Client for Time Synchronization ............................................................................................. 11 Rebooting the system ......................................................................................................................................... 12 Power cycling the system .................................................................................................................................... 12 5. Configuration Items for CC Compliance .............................................................................................. 13 6. The System Administrator ................................................................................................................... 14 7. Configuring login retries and account locking..................................................................................... 14 8. Common tasks ..................................................................................................................................... 15 9. Security Audit Data Generation .......................................................................................................... 16 Storage space for audit data ............................................................................................................................... 17 Audit log rotation ................................................................................................................................................ 17 Audit storage space running low – warning ........................................................................................................ 18 Audit log entry format ........................................................................................................................................ 18 Searching audit logs ............................................................................................................................................ 20 Starting the audit daemon .................................................................................................................................. 21 Stopping the audit daemon ................................................................................................................................ 21 Admin Login / Initiation of trusted path ............................................................................................................. 22 Admin logout / User initiated termination / Termination of trusted path ......................................................... 24 Security related information ............................................................................................................................... 25 Resetting a user’s password ................................................................................................................................ 25 Starting a service ................................................................................................................................................. 25 Stopping a service ............................................................................................................................................... 26 Capture all Administrator commands ................................................................................................................. 26 Failure to establish an SSH session (client) ......................................................................................................... 27 Successful SSH rekey (client) ............................................................................................................................... 29 Failure to establish an SSH session (server) ........................................................................................................ 30 Locking of user account ...................................................................................................................................... 31 Unlocking of user account ................................................................................................................................... 31 Nov 23, 2020 Version 1.10 Page 2 Bivio 6310-NC Common Criteria Administrative Guidance Successful SSH rekey (server) .............................................................................................................................. 31 Successful authentication for a login session over TLS ....................................................................................... 32 Termination of a login session over TLS .............................................................................................................. 33 Failed authentication for a login session over TLS .............................................................................................. 33 Failure to establish a TLS session ........................................................................................................................ 34 All use of the identification and authentication mechanism .............................................................................. 35 Unsuccessful attempt to validate a certificate (TLS server) ................................................................................ 35 Software integrity checking ................................................................................................................................ 38 Modification of the behavior of the handling of audit data, and modification of the behavior of the TSF ........ 39 Trusted updates .................................................................................................................................................. 41 Changes to time .................................................................................................................................................. 41 Termination of local session by session locking mechanism .............................................................................. 42 Termination of remote session by session locking mechanism .......................................................................... 42 Initiation of trusted channel (SSH client) ............................................................................................................ 42 Termination of trusted channel (SSH client) ....................................................................................................... 44 Failure of the trusted channel (public key) ......................................................................................................... 44 Running cryptographic tests (on the OpenSSL cryptography suite) ................................................................... 45 Modification, deletion, generation/import of cryptographic keys ..................................................................... 45 Configuration of a new time server and removal of an existing time server ...................................................... 48 10. Configuring the SSH tunnel client for transporting audit logs to remote server ............................ 49 Mitigating Against CVE-2020-14145 ................................................................................................................... 52 11. Admin login authentication ............................................................................................................ 52 Password based authentication .......................................................................................................................... 53 Strong passwords ................................................................................................................................................ 53 Public key based authentication ......................................................................................................................... 54 Login session timeout ......................................................................................................................................... 55 Login warning banner ......................................................................................................................................... 55 Changing the Administrator’s password ............................................................................................................