  • Microsoft Windows Common Criteria Evaluation Microsoft Windows 10




    Date: 04.01.2022
    c. no other method]

    DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 813

    1. [none]

    N/A

    Table 2: Administrative Actions audits (AGD2: FAU_GEN.1) (AGD1: FAU_GEN.1)

| Requirement | Description | Additional Record Contents | Log: Event Id |
|---|---|---|---|
| FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating. | No additional Information. | Security: 4719, 4912 |
| FCS_CKM_EXT.1 | [generation of a REK] | No additional Information. | System: 1027 |
| FCS_CKM_EXT.5 | Success or failure of the wipe. | No additional Information. | System: Success: 12; Failure: 1074 |
| FCS_CKM.1(ASYM KA) | Failure of key generation activity for authentication keys. | No additional Information. | Microsoft-Windows-Crypto-NCrypt/Operational: 4 |
| FCS_HTTPS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. [No additional information]. | Microsoft-Windows-CAPI2/Operational: 11 |
| FCS_RBG_EXT.1 | Failure of the randomization process. | No additional information. | System: 20 |
| FCS_STG_EXT.1 | Import or destruction of key. [No other events] | Identity of key. Role and identity of requestor. | Import: Security: 5058; Destruction: System: 12 |
| FCS_STG_EXT.3 | Failure to verify integrity of stored key. | Identity of key being verified. | Microsoft-Windows-Crypto-NCrypt: 3 (Task Category: Open Key Failure) |
| FCS_DTLS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. | Microsoft-Windows-CAPI2/Operational: 30 |
| FCS_TLSC_EXT.1 | Failure to establish an EAP-TLS session. | | System: 36888; Microsoft-Windows-CAPI2/Operational: 11, 30 |
| | Establishment/termination of an EAP-TLS session. | | Establishment: System: 36880; Termination: Microsoft-Windows-SChannel-Events/Perf: 1793 |
| FCS_TLSC_EXT.2 | Failure to establish a TLS session. | Reason for failure. | System: 36888; Microsoft-Windows-CAPI2/Operational: 11, 30 |
| | Failure to verify presented identifier. | Presented identifier and reference identifier. | Microsoft-Windows-CAPI2/Operational: 11 |
| | Establishment/termination of a TLS session. | Non-TOE endpoint of connection. | Establishment: System: 36880; Microsoft-Windows-CAPI2/Operational: 11; Termination: Microsoft-Windows-SChannel-Events/Perf: 1793 |
| FDP_DAR_EXT.1 | Failure to encrypt/decrypt data. | No additional information. | System: 24588 |
| FDP_DAR_EXT.2 | Failure to encrypt/decrypt data. | No additional information. | Crypto-NCrypt/Operational: 6 |
| FDP_STG_EXT.1 | Addition or removal of certificate from Trust Anchor Database. | Subject name of certificate. | Import: Microsoft-Windows-CAPI2/Operational: 90; Removal: CertificateServicesClient-Lifecycle-System/Operational: 1004 |
| FDP_UPC_EXT.1 | Application initiation of trusted channel. | Name of application. Trusted channel protocol. Non-TOE endpoint of connection. | HTTPS/TLS: System: 36880; Microsoft-Windows-CAPI2/Operational: 11; Bluetooth: System: 9 |
| FIA_AFL_EXT.1 | Excess of authentication failure limit. | No additional information. | Exceeding failure limit: Security: 4740 |
| FIA_BLT_EXT.1 | User authorization of Bluetooth device. User authorization for local Bluetooth service. | User authorization decision. Bluetooth address and name of device. Bluetooth profile. Identity of local service. | System: 9; System: 20001 |
| FIA_BLT_EXT.2 | Initiation of Bluetooth connection. | Bluetooth address and name of device. | System: 8 |
| | Failure of Bluetooth connection. | Reason for failure. | System: 16 |
| FIA_UAU_EXT.2 | Action performed before authentication. | No additional information. | N/A (no selection in Security Target) |
| FIA_UAU_EXT.3 | User changes Password Authentication Factor. | No additional information. | Security: 4723 |
| FIA_X509_EXT.1 | Failure to validate X.509v3 certificate. | Reason for failure of validation. | Microsoft-Windows-CAPI2/Operational: 11 |
| FIA_X509_EXT.2 | Failure to establish connection to determine revocation status. | No additional information. | Microsoft-Windows-CAPI2/Operational: 11 |
| FMT_SMF_EXT.1 | Change of settings. | Role of user that changed setting. Value of new setting. | See Table 2: Administrative Actions audits |
| | Success or failure of function. | Role of user that performed function. Function performed. Reason for failure | |
| | Initiation of software update. | Version of update. | System: 19 |
| | Initiation of application installation or update. | Name and version of application. | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| FMT_SMF_EXT.2 | Unenrollment. | Identity of administrator. Remediation action performed. | DeviceManagement-Enterprise-Diagnostics-Provider/Admin: 48 |
| FPT_AEX_EXT.4 | Blocked attempt to modify TSF data. | Identity of subject. Identity of TSF data. | Security: 4656 |
| FPT_NOT_EXT.1 (AUDIT) | [Measurement of TSF software]. | [Integrity verification value]. | System: 20 |
| FPT_NOT_EXT.1 (ATTEST) | [Measurement of TSF software]. | [Integrity verification value]. | Attestation log file |
| FPT_TST_EXT.1 | Initiation of self-test. Failure of self-test. | | System: 20 |
| FPT_TST_EXT.2 | Start-up of TOE. | Boot Mode. | System: 12 |
| | [Detected integrity violations]. | [The TSF code that caused the integrity violation]. | Automatic Repair |
| FPT_TUD_EXT.2 | Success or failure of signature verification for software updates. | | Setup: 2, 3 |
| | Success or failure of signature verification for applications. | | Microsoft-Windows-AppXDeploymentServer/Operational: 400/404 for success/failure |
| FTA_TAB.1 | Change in banner setting. | No additional information. | Security: 4657 |
| FTA_WSE_EXT.1 | All attempts to connect to access points. | Identity of access point. | Microsoft-Windows-WLAN-AutoConfig/Operational log event: 8001, 8003 |
| FTP_ITC_EXT.1 | Initiation and termination of trusted channel. | Trusted channel protocol. Non-TOE endpoint of connection. | IPSec: Security: 4650, 4651, 5451, 4655; HTTP/TLS: System: 36880; Microsoft-Windows-CAPI2/Operational: 11; Microsoft-Windows-SChannel-Events/Perf: 1793; EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003 |

Table 3: Audits for SFRs (AGD1: FAU_GEN.1)

| Id | Log location | Message | Fields |
|---|---|---|---|
| 2 | Setup | Package was successfully changed to the Installed state | Logged; PackageIdentifier; ErrorCode |
| 3 | Setup | Windows update could not be installed because … “The data is invalid” | Logged; Commandline; ErrorCode |
| 3 | Microsoft-Windows-Crypto-NCrypt | Open key operation failed | Logged; Provider Name; Key Name |
| 4 | Microsoft-Windows-Crypto-NCrypt/Operational | Create key operation failed | Logged; Provider Name; Key Name; Algorithm Name |
| 6 | Microsoft-Windows-Crypto-NCrypt/Operational | Unprotect Key operation failed | Logged; KeyId |
| 8 | System; Source: BTHUSB | The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter. | Logged; EventData |
| 9 | System; Source: BTHUSB | The remote adapter <remote bluetooth radio address> was added to the list of personal devices. | Logged; EventData |
| 11 | Microsoft-Windows-CAPI2/Operational | Build Chain | System/TimeCreated/SystemTime; Subject name of the leaf certificate is the first instance of the following path: UserData/CertGetCertificateChain/CertificateChain/Certificate subjectName; Subject name of the issuing certificate is the second instance of the following path: UserData/CertGetCertificateChain/CertificateChain/ChainElement/Certificate; TrustStatus -> ErrorStatus: 1> |
| 12 | System; Source: Kernel-General | The operating system started at system time | Logged. This event along with no other earlier events indicates a wipe has occurred. |
| 16 | System; Source: BTHUSB | The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address failed. | Logged; Data |
| 19 | System; Source: WindowsUpdateClient | Installation Successful: Windows successfully installed the following update: | Logged; Security ID; updateTitle; updateGuid; serviceGuid; updateRevisionNumber |
| 20 | System; Source: Kernel-Boot | The last boot’s success was . | Logged; LastBootGood |
| 21 | System; Source: Kernel-Boot | The OS loader advanced options menu was displayed and the user selected option | Logged; OptionSelected. Note: this event is recorded if the operating system was started in an auxiliary boot mode, whereas its absence indicates the operating system started in normal boot mode. |
| 30 | Microsoft-Windows-CAPI2/Operational | Verify Chain Policy | System -> TimeCreated -> SystemTime; UserData -> CertVerifyCertificateChainPolicy -> Certificate -> subjectName; UserData -> CertVerifyCertificateChainPolicy -> Result -> value |
| 48 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM Unenroll: Unenroll event sent to server | Logged; Security UserID |
| 65 | Microsoft-Windows-Audio/Operational | MMDevAPI: Audio device state changed | Logged; OpCode |
| 72 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM Enroll: Succeeded | Logged; Security UserID |
| 90 | Microsoft-Windows-CAPI2/Operational | | Logged; Security UserID; Subject |
| 400 | Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational | Deployment Add operation on Package from: (<.appx pathname> ) finished successfully | Logged |
| 403 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM ConfigurationManager: CSP Allow check. | Logged; URI; Allowed |
| 404 | Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational | AppX Deployment operation failed for package with error . The specific error text for this failure is: . | Logged |
| 410 | Microsoft-Windows-Kernel-PnP/Device Configuration | Device <DeviceInstanceId> was started | Logged; User; DeviceInstanceId |
| 472 | Microsoft-Windows-AppXDeployment-Server-Microsoft-Windows-AppXDeployment-Server/Operational | Moving package folder <%program files location%\ to <%deleted program files location%\ . Result: | Logged; Security ID; SourceFolderPath: <%program files location%\ ; DestinationFolderPath: <%deleted program files location%\ |
| 801 | Microsoft-Windows-Kernel-PnP/Device Configuration | Processing device . | TimeCreated |
| 813 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM PolicyManager | Logged; Policy |
| 814 | Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider | MDM PolicyManager | Logged; Policy |
| 832 | Microsoft-Windows-Kernel-PnP/Device Configuration | End removal of . | TimeCreated |
| 1004 | Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational | A certificate has been deleted | Logged; UserID; SubjectNames; Thumbprint; NotValidAfter |
| 1006 | Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational | A new certificate has been installed. | Logged; Subject; Thumbprint |
| 1015 | Applications and Services Logs-Microsoft-Windows-Wcmsvc-Operational | Interface token applied | Logged; Security ID; Media type; AutoProfiles |
| 1027 | System; Source: TPM-WMI | The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system | Logged; Keywords |
| 1074 | System; Source: User32 | The process \systemreset.exe has initiated the restart of computer on behalf of user for the following reason: No title for this reason could be found. Reason Code: 0x20001 | Logged; User |
| 1100 | Security; Subcategory: Security State Change | The event logging service has shut down | Logged; Keywords |
| 1103 | Security | The security audit log is now percent full. | Logged; Keywords |
| 1104 | System | The security audit log is full. | Logged; Keywords |
| 1502 | Microsoft-Windows-GroupPolicy/Operational | The Group Policy settings for the computer were processed successfully. New settings from 1 Group Policy objects were detected and applied. | Logged |
| 1793 | Microsoft-Windows-SChannel-Events/Perf | | Logged |
| 4502 | System; Source: ResetEng | Attempt to restore the system to original condition has failed. Changes to the system have been undone. | Logged; Keywords |
| 4608 | Security; Subcategory: Security State Change | Startup of audit functions | Logged; Task category; Keywords |
| 4624 | Security; Subcategory: Logon | An account was successfully logged on. | Logged; Security ID; Account Name; Account Domain; Workstation Name; Logon Type; LogonID; Source Network Address |
| 4650 | Security; Subcategory: IPsec Main Mode | IPsec main mode security association was established. Certificate authentication was not used. | Logged; Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Local Certificate; Remote Certificate; Cryptographic Information; Keywords |
| 4651 | Security; Subcategory: IPsec Main Mode | IPsec main mode security association was established. A certificate was used for authentication. | Logged; Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Local Certificate; Remote Certificate; Cryptographic Information; Keywords |
| 4655 | Security; Subcategory: IPsec Main Mode | IPsec main mode security association ended | Logged; Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Keywords |
| 4656 | Security; Subcategory: Handle Manipulation | A handle to an object was requested. | Logged; Security ID; Object Name; Access Mask; Accesses; Keywords |
| 4657 | Security; Subcategory: Registry | Registry entry change | Logged; Task category; Security ID; Object name; Change Information; Keywords |
| 4673 | Security; Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use | A privileged service was called. | Logged; Security ID; Account Name; Account Domain; Keywords |
| 4719 | Security; Subcategory: Audit Policy Change | System audit policy was changed | Logged; Security ID; Account Name; Account Domain; Login ID; Task category; Task Subcategory; Subcategory GUID; Changes; Keywords |
| 4723 | Security; Subcategory: User Account Management | An attempt was made to change an account's password. | Logged; Security ID; Keywords |
| 4739 | Security; Subcategory: Authentication Policy Change | Domain Policy was changed. | Logged; Security ID; Account Name; Account Domain; Task Category; Changed Attributes |
| 4740 | Security; Subcategory: User Account Management | A user account was locked out | Logged; Security ID; Account Name; Account Domain |
| 4800 | Security; Subcategory: Logoff | The workstation was locked. | Logged; Security UserID; Account Name; Account Domain |
| 4801 | Security; Subcategory: Logon | The workstation was unlocked. | Logged; Security ID; Account Name; Account Domain |
| 4912 | Security; Subcategory: Audit Policy Change | Per-user Audit Policy was changed | Logged; Security ID; Account Name; Account Domain; Login ID; Policy Change Details; Policy For Account; Keywords |
| 4950 | Security; Subcategory: MPSSVC Rule-Level Policy Change | A Windows Firewall setting has changed. | Logged; Value |
| 5058 | Security; Subcategory: System Integrity | Key file operation | Logged; Task category; Subject; Cryptographic Parameters; Key file operation information |
| 5447 | Security; Subcategory: Other Policy Change Events | Windows Filtering Platform filter has been changed | Logged; Task category; Change type; Filter ID; Filter Name; Layer ID; Layer Name; Additional Information |
| 5450 | Security; Subcategory: Filtering Platform Policy Change | Windows Filtering Platform sub-layer has been changed | Logged; Task category; Change type; Sub-layer ID; Sub-layer Name |
| 5451 | Security; Subcategory: IPsec Quick Mode | IPsec quick mode security association was established | Logged; Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Cryptographic Information; Keywords |
| 5038 | Security; Subcategory: System Integrity | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. | Logged; Task category; File Name: <file failing integrity check> |
| 5446 | Security; Subcategory: Filtering Platform Policy Change | Windows Filtering Platform callout has been changed | Logged; Task category; Change type; Callout ID; Callout Name; Layer ID; Layer Name; Keywords |
| 5447 | Security; Subcategory: Other Policy Change Events | Windows Filtering Platform filter has been changed | Logged; Task category; Change type; Filter ID; Filter Name; Layer ID; Layer Name; Additional Information |
| 5450 | Security; Subcategory: Filtering Platform Policy Change | Windows Filtering Platform sub-layer has been changed | Logged; Task category; Change type; Sub-layer ID; Sub-layer Name |
| 8000 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service started a connection to a wireless network | Logged; Network Adapter |
| 8001 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service has successfully connected to a wireless network | Logged; SSID: (non-TOE endpoint of connection); Authentication: WPA2-Enterprise (protocol) |
| 8002 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service failed to connect to a wireless network | Logged; SSID: <Wireless network name> (non-TOE endpoint of connection) |
| 8003 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service has successfully disconnected from a wireless network | Logged; Interface GUID: <network adapter identification>; SSID |
| 8006 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service has finished starting the hosted network. | Logged; Interface GUID; SSID |
| 8022 | Microsoft-Windows-AppLocker/Packaged app-Execution | was prevented from running. | Logged |
| 11001 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless network association succeeded | Logged; Network Adapter; Local MAC address |
| 11004 | Microsoft-Windows-WWAN-SVC-Events/Operational | Received ContextState | Logged; Action |
| 11004 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless security stopped | Logged; Network Adapter; Local MAC address |
| 11010 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless Security Started | Logged; Network Adapter; Local MAC Address |
| 14001 | Microsoft-Windows-WLAN-AutoConfig/Operational | New Wireless Network Policy | Logged; Applied Settings |
| 20001 | System; Source: UserPnP | Driver Manager concluded the process to install driver for Device Instance ID | Logged; Security UserID; DeviceInstanceID; SetupClass |
| 24579 | System; Source: Bitlocker-Driver | Encryption of volume : completed | Logged; Security UserID; Volume |
| 24588 | System; Source: Bitlocker-Driver | The conversion operation on volume encountered a bad sector error. | Logged; Volume |
| 24667 | System; Source: BitLocker-Driver | BitLocker finalization sweep completed for volume . | Logged; Volume |
| 36880 | System; Source: Schannel | An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. | Logged; Protocol; CipherSuite |
| 36888 | System; Source: Schannel | A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1. | Logged; Reason for failure; Protocol |

The following are the possible error codes:

| Description | Error Code Value |
|---|---|
| Unexpected message | 10 |
| Bad record MAC | 20 |
| Record overflow | 22 |
| Decompression fail | 30 |
| Handshake failure | 40 |
| Illegal parameter | 47 |
| Unknown CA | 48 |
| Access denied | 49 |
| Decode error | 50 |
| Decrypt error | 51 |
| Protocol version | 70 |
| Insufficient security | 71 |
| Internal error | 80 |
| Unsupported extension | 110 |

| Id | Log location | Message | Fields |
|---|---|---|---|
| Automatic Repair | %windir%\system32\logfiles\srt\strtrail.txt | Startup Repair diagnosis and repair log | Logged; Boot critical file |
| Wipe Failure Screen | Display | There was a problem resetting your PC. No changes were made. | On logon a message is displayed to the user indicating that the recovery operation of the system failed. |
| Bitlocker recovery | Display | Bitlocker recovery | On startup a message is displayed requesting the Bitlocker recovery key |

Table 4: Audit (AGD1: FAU_GEN.1) (AGD3: FAU_GEN.1)
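The notes in Table 4 for events 12 and 21, and the 1074 row for `systemreset.exe`, describe conclusions drawn from which records are present in the System log. The following Python is an added example, not part of the Microsoft guidance, that applies those notes to exported records. The record layout, the `process` key, the `OtherProvider` source, the sample paths, and the rule that an event 21 belongs to the most recent preceding event 12 are assumptions of this example.

```python
from datetime import datetime

# Identify events by (log, source, id). Table 4 lists the same id under
# different logs (3 and 11004), so the numeric id alone is ambiguous.
OS_START = ("System", "Kernel-General", 12)
AUX_BOOT = ("System", "Kernel-Boot", 21)
RESTART = ("System", "User32", 1074)

# Constructed sample records (not real log data). The dict layout, the
# "process" key, "OtherProvider" and the file paths are assumptions.
SAMPLE = [
    {"time": "2016-03-01T08:00:00", "log": "System", "source": "Kernel-General", "id": 12},
    {"time": "2016-03-01T08:00:01", "log": "System", "source": "Kernel-Boot", "id": 20},
    {"time": "2016-03-02T09:00:00", "log": "System", "source": "Kernel-General", "id": 12},
    {"time": "2016-03-02T09:00:01", "log": "System", "source": "Kernel-Boot", "id": 21},
    {"time": "2016-03-03T07:30:00", "log": "System", "source": "OtherProvider", "id": 12},
    {"time": "2016-03-03T07:45:00", "log": "System", "source": "User32", "id": 1074,
     "process": "C:\\Windows\\System32\\systemreset.exe"},
    {"time": "2016-03-03T07:46:00", "log": "System", "source": "User32", "id": 1074,
     "process": "C:\\Example\\updater.exe"},
    {"time": "2016-03-03T08:00:00", "log": "System", "source": "Kernel-General", "id": 12},
]


def analyze_system_log(records):
    """Apply the Table 4 notes for events 12, 21 and 1074.

    `records` is assumed to be a complete export of the System log.
    Returns the boots found (with boot mode and wipe indication) and the
    timestamps of restarts initiated by systemreset.exe.
    """
    events = sorted(records, key=lambda r: datetime.fromisoformat(r["time"]))
    boots, wipe_failures = [], []
    for position, record in enumerate(events):
        key = (record["log"], record["source"], record["id"])
        if key == OS_START:
            boots.append({
                "started": record["time"],
                # Absence of event 21 means normal boot mode.
                "boot_mode": "normal",
                # Event 12 with no earlier events indicates a wipe.
                "wipe_indicated": position == 0,
            })
        elif key == AUX_BOOT and boots:
            # Assumption: attribute event 21 to the latest preceding boot.
            boots[-1]["boot_mode"] = "auxiliary"
        elif key == RESTART:
            # Table 3 maps wipe failure to 1074; the Table 4 row names
            # systemreset.exe as the initiating process.
            process = record.get("process", "").lower()
            if process.endswith("systemreset.exe"):
                wipe_failures.append(record["time"])
    return {"boots": boots, "wipe_failures": wipe_failures}


if __name__ == "__main__":
    result = analyze_system_log(SAMPLE)
    for boot in result["boots"]:
        print(boot)
    print("wipe failures:", result["wipe_failures"])
```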

