Nortel Networks Nortel Network VPN Router and Client Workstation 7.05 User Manual


Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 44 of 67

© 2008 Nortel Networks

System Log

The System Log records data about System events which are considered significant enough
to be written to disk, including those displayed in the Configuration and Security logs.
Examples of events that would appear in the System log include:

LDAP activity
Configuration activity
Server authentication and authorization requests

The following list gives the general format of System Log entries:

Time stamp
Task that issued the event (“tEvtLgMgr”, “tObjMgr”, “tHttpdTask”)
A number that indicates the Central Processing Unit (CPU) that issued the event (“0” = “CPU(0)”, “1” = “CPU(1)”)
Software module that issued the event
A number that indicates the event’s persistence (“0” = “non-persistent”, “1” = “persistent”)
A number that indicates the event’s severity level (“0” = “Debug”, “1” = “Low”, “2” = “Medium”, “3” = “High”)
Rule section matched by this event
Matching packet source, destination, protocol, and action configured for the matched rule

Event Log

The Event Log records detailed data about all events that take place on the system. These
entries are not necessarily written to disk (as with the System Log). The Event Log records
data about all system activity in-memory, but only the significant entries are saved in the
System Log (i.e., on disk).

The Event Log includes information on tunneling, security, backups, debugging, hardware,
daemon processes, software drivers, interface card driver events, and other system
components and event types.

The Event Log retains the most recent 2000 log entries. Once this maximum capacity has
been reached the Event Log overwrites the oldest entry when a new entry needs to be made.
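
The retention behaviour described above can be modelled to see which entries stop being available once the 2000-entry buffer wraps. This is an added example, not code from Nortel or from the Security Target; the `significant` flag, the sequence numbers and the simulated event mix are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

EVENT_LOG_CAPACITY = 2000  # from the page: most recent 2000 entries are retained


@dataclass(frozen=True)
class Event:
    seq: int           # constructed sequence number standing in for the time stamp
    severity: int      # 0=Debug, 1=Low, 2=Medium, 3=High (codes listed on the page)
    significant: bool  # assumption: True means the entry is also written to disk


class AuditModel:
    """Toy model: in-memory Event Log ring buffer plus on-disk System Log."""

    def __init__(self, capacity=EVENT_LOG_CAPACITY):
        self.event_log = deque(maxlen=capacity)  # oldest entry dropped when full
        self.system_log = []                     # significant entries only
        self.total = 0

    def record(self, event):
        self.event_log.append(event)
        if event.significant:
            self.system_log.append(event)
        self.total += 1

    def unrecoverable(self):
        """Number of recorded events that are no longer in either log."""
        if not self.event_log:
            return 0
        oldest_in_memory = self.event_log[0].seq
        overwritten = self.total - len(self.event_log)
        still_on_disk = sum(1 for e in self.system_log if e.seq < oldest_in_memory)
        return overwritten - still_on_disk


def seconds_until_overwrite(events_per_second, capacity=EVENT_LOG_CAPACITY):
    """How long an in-memory-only entry survives at a steady event rate."""
    if events_per_second <= 0:
        raise ValueError("event rate must be positive")
    return capacity / events_per_second


def simulate(n_events, significant_every):
    """Constructed workload: every Nth event is High severity and significant."""
    model = AuditModel()
    for seq in range(n_events):
        sig = seq % significant_every == 0
        model.record(Event(seq, 3 if sig else 0, sig))
    return model
```

With 5000 constructed events and one in ten marked significant, 2700 entries end up in neither log, which is the detail an investigator loses when only the System Log and the current Event Log contents are reviewed.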

TOE administrators interact with the TOE through the management GUI [or CLI], but unprivileged TOE users are
restricted to establishing VPN sessions with the TOE via the Nortel VPN Client. All of the user actions (detailed
above) performed through either of these interfaces are recorded in the appropriate audit log. The TOE creates an
audit record when a TOE user causes any of the events in “Table 4 - Auditable Events” to occur. Audit records
generated in the Nortel VPN Router are stored locally as flat files on internal storage with no direct TOE
administrator access.

Since audit functionality is critical to the secure operation of the TOE, both internal and external backups of the
audit logs are supported. Automatic backup and archiving of the logs ensures that the logs are always available.
External storage backup of audit records occurs outside of the TOE and it is the administrator’s responsibility to
specify an external backup server.

TOE administrators may view audit records via a management GUI display (in a manner suitable for human
consumption and understanding). This display includes the date and time of the event; the type of event; the subject
identity; the outcome (success or failure) of the event; and the identity of the user responsible for the event. TOE
users can read audit records only through the TOE’s management GUI, and only after being authenticated to an
appropriately privileged role. TOE users are never given write access to the audit records.

TOE Security Functional Requirements Satisfied: FAU_GEN.1, FAU_SAR.1.
