This section explains the compliance (Common Criteria) effort to create a service that raises Avi Load Balancer events based on logs from non-Avi Load Balancer modules (SSH and SSHD). These events must persist in a secure manner for a minimum of 90 days for audit compliance.

Network Device Connection Protection Profile

Network Device Connection Protection Profile (NDcPP) is a government standard to ensure secure communication between the TOE (Target Of Evaluation), which here consists of the Controller and SE, and external components (including consumers of the Avi Load Balancer REST API).

Events

All authentication failures related to external communication need to be logged and persisted for auditing purposes. For persistence of the events, you can rely on the existing alerts infrastructure to export them to an external entity. To minimize the types of events that need to be persisted, you can use AUDIT_COMPLIANCE_EVENT to log authentication failures only.

SSH and TLS are the only protocols under the purview of this exercise (all other protocols can be ignored). Specific information is required in each event to identify the authentication failure (who attempted it, against which component, and why it failed).
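As an added illustration (not code from the Avi Load Balancer product), the following Python snippet shows how such a service could turn raw sshd log lines into AUDIT_COMPLIANCE_EVENT records carrying the initiator, target and failure reason. The event field names, the host name and the sample log lines are constructed assumptions, not Avi's actual event schema.

```python
import re

# Standard OpenSSH "Failed <method> for [invalid user] <user> from <ip> port <port>" line,
# with the usual syslog prefix. Only authentication failures are matched; successful
# logins and connection-closed lines are deliberately ignored.
SSHD_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed (?P<method>password|publickey|keyboard-interactive/pam) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port (?P<port>\d+)"
)

def sshd_line_to_audit_event(line):
    """Map one sshd log line to an audit event dict, or None if it is not an auth failure."""
    m = SSHD_FAIL_RE.match(line)
    if m is None:
        return None
    return {
        "event_id": "AUDIT_COMPLIANCE_EVENT",           # event type named on this page
        "protocol": "SSH",
        "reason": "Failure to establish an SSH session",
        "target": m.group("host"),                       # TOE component that rejected the login
        "initiator": f"{m.group('ip')}:{m.group('port')}",
        "user": m.group("user"),
        "user_known": m.group("invalid") is None,        # False when sshd reported "invalid user"
        "auth_method": m.group("method"),
        "sshd_pid": int(m.group("pid")),
        "log_timestamp": m.group("ts"),
    }

def collect_audit_events(lines):
    """Filter a stream of log lines down to the events that must be persisted."""
    return [ev for ev in map(sshd_line_to_audit_event, lines) if ev is not None]

# Constructed sample sshd lines (hypothetical host avi-ctrl-1, not from a real system).
SAMPLE_LOG = [
    "Mar 12 10:01:02 avi-ctrl-1 sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:abc",
    "Mar 12 10:01:07 avi-ctrl-1 sshd[2214]: Failed password for invalid user test from 10.0.0.9 port 50130 ssh2",
    "Mar 12 10:01:09 avi-ctrl-1 sshd[2216]: Failed publickey for admin from 10.0.0.9 port 50131 ssh2: RSA SHA256:xyz",
    "Mar 12 10:01:10 avi-ctrl-1 sshd[2216]: Connection closed by authenticating user admin 10.0.0.9 port 50131 [preauth]",
]

if __name__ == "__main__":
    for ev in collect_audit_events(SAMPLE_LOG):
        print(ev)
```

Only the two failure lines become events; the emitted records would then be handed to the alerts infrastructure for the 90-day retention described above.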

Audit Record Failures

SAML

The following are the audit record failures for SAML:

  • Initiation of the trusted channel: NA

  • Termination of the trusted channel: NA

  • Failure of the trusted channel functions: NA

  • Unsuccessful attempt to validate a certificate: The following are the new SAML-related errors that are being addressed in this task:

    • CertificateError

    • IncorrectlySigned

    • UnsolicitedResponse

    • VerificationError

    • SigverError

  • Failure of authenticating a client: NA

  • Failure to establish an SSH session: The authentication failure is logged for these failure events.

  • Identification of the initiator and target of failed trusted channels establishment attempt: NA

ViMgr (vCenter)

The following are the audit record failures logged for Syslog, SNMP, and ViMgr (vCenter):

  • Initiation of the trusted channel: NA

  • Termination of the trusted channel: NA

  • Failure of the trusted channel functions: NA

  • Unsuccessful attempt to validate a certificate: NA

  • Failure of authenticating a client: NA

  • Failure to establish an SSH session: NA

  • Identification of the initiator and target of failed trusted channels establishment attempt: NA

Events, Syslog, and Splunk (Both SE and Controller)

The following are the audit record failures logged for Events, Syslog, and Splunk (both SE and Controller):

  • Initiation of the trusted channel: NA

  • Termination of the trusted channel: NA

  • Failure of the trusted channel functions: NA

  • Unsuccessful attempt to validate a certificate: NA

  • Failure of authenticating a client: NA (no authentication in RPC/gRPC)

  • Failure to establish an SSH session: NA

  • Identification of the initiator and target of failed trusted channels establishment attempt: ObjectDoesNotExist (SSL certificate does not exist)

Controller - SE

The following are the audit record failures logged for the Controller to Service Engine (SE) channel:

  • Initiation of the trusted channel: NA

  • Termination of the trusted channel: NA

  • Failure of the trusted channel functions: NA

  • Unsuccessful attempt to validate a certificate: NA

  • Failure to authenticate a client: NA

  • Failure to establish an SSH session: NA

  • Identification of the initiator and target of failed trusted channels establishment attempt: NA

Cloud

The following are the audit record failures logged for Cloud:

  • Initiation of the trusted channel: NA

  • Termination of the trusted channel: NA

  • Failure of the trusted channel functions: NA

  • Unsuccessful attempt to validate a certificate: NA

  • Failure to authenticate a client: NA

  • Failure to establish an SSH session: NA

  • Identification of the initiator and target of failed trusted channels establishment attempt: NA

Syslog and SNMP

The following are the audit record failures logged for Syslog, SNMP:

  • Initiation of the trusted channel: NA

  • Termination of the trusted channel: NA

  • Failure of the trusted channel functions: NA

  • Unsuccessful attempt to validate a certificate: NA

  • Failure to authenticate a client: NA

  • Failure to establish an SSH session: NA

  • Identification of the initiator and target of failed trusted channels establishment attempt: NA

Pulse

The following are the audit record failures logged for Pulse:

  • Initiation of the trusted channel: NA

  • Termination of the trusted channel: NA

  • Failure of the trusted channel functions: NA

  • Unsuccessful attempt to validate a certificate: NA

  • Failure to authenticate a client: NA

  • Failure to establish an SSH session: NA

  • Identification of the initiator and target of failed trusted channels establishment attempt: NA