
Other Audit Requirements (NDPP v1.1)

 

User identification

Description of audit event: This event corresponds to user identification at login.

Audit event message syntax: 

<date> <time> <log_source> <process_name>[<process_id>]: function=[pam_sm_acct_mgmt] service=[login] terminal=[/dev/tts/0] user=[<user_name>] ruser=[<unknown>] rhost=[]

Example of log entry:

Aug 23 12:47:38 10.64.100.6 login[2955]: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[/dev/tts/0] user=[admin] ruser=[<unknown>] rhost=[]

Log entry generated by: One of the login, wci or sshd processes, depending on how the user is logged in.

Password based authentication

Description of audit event: This event corresponds to the password-based authentication of a user.

Audit event message syntax:

<date> <time> <log_source> <process_name>[<process_id>]: function=[pam_sm_authenticate] service=[login] terminal=[/dev/tts/0] user=[<user_name>] ruser=[<unknown>] rhost=[]

Example of log entry:

Aug 23 12:47:38 10.64.100.6 login[2955]: pam_warn(login:auth): function=[pam_sm_authenticate] service=[login] terminal=[/dev/tts/0] user=[admin] ruser=[<unknown>] rhost=[]

Log entry generated by: One of the login, wci or sshd processes, depending on how the user is logged in.

Changes to the time

Description of audit event: This event corresponds to changing the time on the encoder or decoder, and is triggered by calling dtconfig on the CLI.

Audit event message syntax:

<date> <time> <log_source> <user_name>[host_address]: System date and time changed from <old_date> to <new_date> by <user_name>.

Example of log entry:

May 17 15:22:00 emilan date: System date and time changed from Thu Aug 23 09:19:55 EDT 2012 to Thu May 17 15:22:00 EDT 2012 by admin.

Log entry generated by: date process

Additional fields:

  • <old_date> System date and time that was configured prior to attempted change.
  • <new_date> Newly set system date and time.

Initiation of update

Description of audit event: This event corresponds to the initiation of a firmware upgrade. A log entry is generated when the installation of a new package is requested from either the CLI or the Web Interface.

Audit event message syntax:

<date> <time> <log_source> package: "User <user_name> at <host_address> has requested package <hai_package_fname> to be installed on next reboot."

Example of log entry:

Aug 17 14:59:00 10.64.100.6 package: User admin has requested package haios_enc_v2.1.0-14.hai to be installed on next reboot.

Log entry generated by: package process

Additional fields:

  • <hai_package_fname> Name of the firmware upgrade package requested to be installed.
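The four entry formats above can be classified on the audit server with a small parser. This is an added example, not code from the product or its vendor: the regular expressions are derived from the example entries on this page, the event names are assumptions, and the zone token in the date strings is dropped on the assumption that the old and new dates are in the same zone.

```python
import re
from datetime import datetime

# Example entries copied from this page.
SAMPLE = [
    "Aug 23 12:47:38 10.64.100.6 login[2955]: pam_warn(login:account): function=[pam_sm_acct_mgmt] service=[login] terminal=[/dev/tts/0] user=[admin] ruser=[<unknown>] rhost=[]",
    "Aug 23 12:47:38 10.64.100.6 login[2955]: pam_warn(login:auth): function=[pam_sm_authenticate] service=[login] terminal=[/dev/tts/0] user=[admin] ruser=[<unknown>] rhost=[]",
    "May 17 15:22:00 emilan date: System date and time changed from Thu Aug 23 09:19:55 EDT 2012 to Thu May 17 15:22:00 EDT 2012 by admin.",
    "Aug 17 14:59:00 10.64.100.6 package: User admin has requested package haios_enc_v2.1.0-14.hai to be installed on next reboot.",
]

HEADER = re.compile(r"^\w{3} +\d+ [\d:]{8} (?P<source>\S+) "
                    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
PAM_KV = re.compile(r"(\w+)=\[([^\]]*)\]")
TIME = re.compile(r"System date and time changed from (.+?) to (.+?) by (\S+?)\.$")
PKG = re.compile(r"User (\S+)(?: at (\S+))? has requested package (\S+) to be installed on next reboot\.")
PAM_EVENTS = {"pam_sm_acct_mgmt": "user_identification",       # event names are assumptions
              "pam_sm_authenticate": "password_authentication"}

def parse_device_date(text):
    # Drop the zone token (e.g. EDT); strptime's %Z does not parse arbitrary abbreviations.
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def parse(line):
    """Return a dict describing the audit event, or None if the line is not syslog-shaped."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = {"event": "other", "source": m["source"], "process": m["proc"]}
    msg = m["msg"]
    kv = dict(PAM_KV.findall(msg))
    if kv.get("function") in PAM_EVENTS:
        # PAM fields stay in their own dict so they cannot overwrite parser keys.
        ev.update(event=PAM_EVENTS[kv["function"]], user=kv.get("user"), fields=kv)
    elif (t := TIME.search(msg)):
        old, new = parse_device_date(t[1]), parse_device_date(t[2])
        # A clock moved backwards makes later entries sort before earlier ones.
        ev.update(event="time_change", user=t[3], old=old, new=new, set_backwards=new < old)
    elif (p := PKG.search(msg)):
        ev.update(event="update_initiated", user=p[1], host=p[2], package=p[3])
    return ev
```
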

Termination of a remote session by the session locking mechanism

After a defined idle time period passes, the user is logged out of the open session, and needs to log back in, starting a new session. See the section "Logging out (manually and after a timeout)" (under Administrative Events) for details about log entries covering the termination of sessions after a timeout.

Termination of an interactive session

See the section "Logging out (manually and after a timeout)" (under Administrative Events) for details about the auditing of user-initiated termination of sessions.

Attempts at unlocking of an interactive session

See the successful scenarios in the sections "Logging in via CLI" and "Logging in via the Web Interface" (under Administrative Events) for details about log entries covering this event.

Inter-TSF Trusted Channel (TLS)

Initiation of the trusted channel

Description of audit event: This event corresponds to the initiation and establishment of a TLS connection. This event occurs after enabling auditing on the encoder or decoder.

Audit event message syntax:

<date> <time> <log_source> nsyslogd[<process_id>]: Established connection and accepted client certificate from <server_address> due to matching hostname/subject. Subject is "<server_cert_subject>", fingerprint is "<server_cert_fingerprint>"

Example of log entry: 

Aug 23 10:44:05 emilan nsyslogd[1465]: Established connection and accepted client certificate from fw-syslog.haivision.com due to matching hostname/subject. Subject is "fw-syslog.haivision.com", fingerprint is "SHA1:00:D4:21:FB:DB:D2:BA:04:19:D2:4A:B3:F2:C3:C0:70:B3:8C:DA:82"

Log entry generated by: nsyslogd process

Additional fields:

  • <server_address> IP address or hostname of the audit server.
  • <server_cert_subject> Subject name present in the certificate presented by the audit server during the authentication phase of the connection.
  • <server_cert_fingerprint> Hashed fingerprint of the certificate presented by the audit server during the authentication phase of the connection.

Termination of the trusted channel

Description of audit event: This event corresponds to the closing of the TLS connection. The event occurs after disabling auditing on the encoder or decoder.

Audit event message syntax:

<date> <time> <log_source> <syslog_program>[<process_id>]: Closing TLS connection with <server_address>

Example of log entry:

Dec 20 16:08:39 10.64.110.141 nsyslogd[1004]: Closing TLS connection with fw-syslog.haivision.com

Log entry generated by: nsyslogd process

Additional fields:

  • <server_address> IP address or hostname of the audit server.

Failure of the trusted channel functions

Description of audit event: This event corresponds to a failure to establish or maintain a TLS connection between the encoder or decoder and the audit server.

This event is usually the result of a failed certificate authentication, which could be due to the certificate being self-signed, having expired, having a subject that does not match the server address being used by the client during the connection, etc. Other causes can be an incorrect IP address, the audit server being down or possibly running behind a firewall which rejects the connection.

These causes cannot be logged due to the absence of a connection to an audit server, which is the only trusted channel maintained by the encoder or decoder. Instead, administrative users are notified of the issue on their next login.
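Because channel failures never reach the audit server, what it can review is the initiation and termination entries it does receive. The sketch below is an added example, not part of the product: it compares the logged certificate fingerprint with a pinned value per audit server and tracks whether each device's channel is open. The `PINNED` allow-list, the finding names and the second sample line are assumptions constructed for illustration.

```python
import re

PREFIX = r"^\w{3} +\d+ [\d:]{8} (?P<source>\S+) nsyslogd\[\d+\]: "
EST = re.compile(PREFIX + r"Established connection and accepted client certificate from "
                 r"(?P<server>\S+) due to matching hostname/subject\. "
                 r'Subject is "(?P<subject>[^"]*)", fingerprint is "(?P<fp>[^"]*)"')
CLOSE = re.compile(PREFIX + r"Closing TLS connection with (?P<server>\S+)")

# Assumed allow-list: audit server address -> expected fingerprint (value from this page's example).
PINNED = {"fw-syslog.haivision.com":
          "SHA1:00:D4:21:FB:DB:D2:BA:04:19:D2:4A:B3:F2:C3:C0:70:B3:8C:DA:82"}

SAMPLE_LINES = [
    # Example entry from this page.
    'Aug 23 10:44:05 emilan nsyslogd[1465]: Established connection and accepted client certificate from fw-syslog.haivision.com due to matching hostname/subject. Subject is "fw-syslog.haivision.com", fingerprint is "SHA1:00:D4:21:FB:DB:D2:BA:04:19:D2:4A:B3:F2:C3:C0:70:B3:8C:DA:82"',
    # Constructed entry with a placeholder fingerprint that differs from the pinned one.
    'Aug 23 11:02:17 emilan nsyslogd[1465]: Established connection and accepted client certificate from fw-syslog.haivision.com due to matching hostname/subject. Subject is "fw-syslog.haivision.com", fingerprint is "SHA1:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA"',
    # Example entry from this page.
    "Dec 20 16:08:39 10.64.110.141 nsyslogd[1004]: Closing TLS connection with fw-syslog.haivision.com",
]

def review_channel(lines, pinned):
    """Return (findings, state); state maps each log source to 'open' or 'closed'."""
    findings, state = [], {}
    for line in lines:
        if (m := EST.match(line)):
            state[m["source"]] = "open"
            expected = pinned.get(m["server"])
            seen = m["fp"].strip()
            if expected is None:
                findings.append((m["source"], "unknown_audit_server", m["server"]))
            elif expected.upper() != seen.upper():
                findings.append((m["source"], "fingerprint_mismatch", seen))
        elif (m := CLOSE.match(line)):
            # Per this page, the channel closes after auditing is disabled on the device.
            state[m["source"]] = "closed"
            findings.append((m["source"], "channel_closed", m["server"]))
    return findings, state
```
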

Trusted Path (SSH & HTTPS)

Initiation of the trusted channel

See the successful scenarios in the sections "Logging in via CLI" and "Logging in via the Web Interface" (under Administrative Events) for details about log entries covering the initiation of SSH and HTTPS sessions respectively.

Termination of the trusted channel

See the section "Logging out (manually and after a timeout)" (under Administrative Events) for details about log entries covering the termination of SSH and HTTPS sessions.

Failures of the trusted path functions

See the failure scenarios in the sections "Logging in via CLI" and "Logging in via the Web Interface" (under Administrative Events) for details about log entries covering the failure to initiate SSH and HTTPS sessions respectively.
