Table 3. Feature History Table

Feature Name | Release Information | Description
Collect Filesystem Inventory | Release 7.3.1 | With this feature, a snapshot of the filesystem metadata, such as when a file was created, modified, or accessed, is collected at each configured interval. In addition to displaying the changes that a file underwent compared to the previous snapshot, the inventory helps in maintaining the data integrity of all files in the system.
IMA Optimization | Release 7.3.1 | Integrity Measurement Architecture (IMA) is a Linux-based utility that attests and appraises the integrity of system security at runtime. This release introduces the following IMA optimizations:
- Incremental IMA, which collects IMA events selectively and progressively instead of collecting all IMA events at the same time. You can define the start of an IMA sequence, which consists of a start event, a start sequence number, and a start time.
- SUDI signature, which provides the hardware root of trust for the dossier that the system collects.
Support for Display Compact Option | Release 7.4.1 | This release introduces the display compact option in the dossier CLI. The dossier contains all the fields of the IMA events, which makes the file very large. With the display compact option, the system lets you obtain the IMA event logs in protobuf format, which can then be decoded at the client end. The display compact option is added to the show platform security integrity dossier include system-integrity-snapshot command.
The Cisco IOS XR Software provides a data dossier command, show platform security integrity dossier, that collects data from various IOS XR components. The output is presented in JSON format.
You can choose various selectors for this command, as in the following example:
Router#show platform security integrity dossier include packages reboot-history rollback-history system-integrity-snapshot filesystem-inventory system-inventory nonce 1580 | utility sign nonce 1580 include-certificate
Create Signed-Envelope
To verify the data integrity and authenticity of the data dossier output, a signature is added to the output data. To enable this feature, use the utility sign command together with the show platform security integrity dossier command. The output is presented in JSON format.
The utility sign command can also be used with any of the IOS XR commands.
Note: The Secure Unique Device Identifier (SUDI) signature provides the hardware root of trust for the dossier that is collected by the system.
Verification Example of Collecting Data Dossier and Creating Signed-Envelope
Router#show platform security integrity dossier include reboot-history nonce 1580 | utility sign nonce 1580 include-certificate
Fri Mar 27 15:20:58.010 IST
{
"cli-output": "{\"collection-start-time\":1585302658.0980761,\"model-name\":\"http://cisco.com/ns/yang/Cisco-IOS-XR-ama\",\"model-revision\":\"2019-08-05\",\"license-udi\":{\"result-code\": \"Success\", \"license-udi\": \"UDI: PID:NCS-5501-SE,SN:FOC2107R0ZB\\n\"},\"version\":{\"result-code\": \"Success\", \"version\": \"Cisco IOS XR Software, Version 7.0.1.26I\\nCopyright (c) 2013-2020 by Cisco Systems, Inc.\\n\\nBuild Information:\\n Built By : labuser\\n Built On : Wed Mar 11 20:46:36 PDT 2020\\n Built Host : iox-ucs-009\\n Workspace : /auto/iox-ucs-009-san2/prod/7.0.1.26I.DT_IMAGE/asr9000/ws\\n Version : 7.0.1.26I\\n Location : /opt/cisco/XR/packages/\\n Label : 7.0.1.26I\\n\\ncisco ASR 9000 () processor\\nSystem uptime is 1 week 3 days 19 hours 58 minutes\\n\\n\"},\"platform\":{\"result-code\": \"Success\", \"platform\": \"Node Type State Config state\\n--------------------------------------------------------------------------------\\n0/RP0/CPU0 ASR-9000-SE(Active) IOS XR RUN NSHUT\\n0/RP0/NPU0 Slice UP \\n0/FT0 NCS-1RU-FAN-FW OPERATIONAL NSHUT\\n0/FT1 NCS-1RU-FAN-FW OPERATIONAL NSHUT\\n0/PM0 NCS-1100W-ACFW FAILED NSHUT\\n0/PM1 NCS-1100W-ACFW OPERATIONAL NSHUT\\n\"},\"reboot-history\":{\"result-code\":\"Success\",\"model-name\":\"Cisco-IOS-XR-linux-os-reboot-history-oper\",\"model-revision\":\"2019-04-05\",\"node\":[{\"node-name\": \"0/RP0/CPU0\", \"reboot-history\": [{\"reason\": \"User initiated graceful reload\", \"time\": \"Wed Feb 19 15:25:11 2020\", \"cause-code\": 1, \"no\": 1}, {\"reason\": \"CARD_SHUTDOWN\", \"time\": \"Wed Feb 19 16:38:00 2020\", \"cause-code\": 37, \"no\": 2}, {\"reason\": \"CARD_SHUTDOWN\", \"time\": \"Wed Feb 19 19:06:27 2020\", \"cause-code\": 37, \"no\": 3}, {\"reason\": \"CARD_SHUTDOWN\", \"time\": \"Thu Feb 20 11:50:50 2020\", \"cause-code\": 37, \"no\": 4}, {\"reason\": \"CARD_SHUTDOWN\", \"time\": \"Fri Feb 21 10:54:09 2020\", \"cause-code\": 37, \"no\": 5}, {\"reason\": \"CARD_SHUTDOWN\", \"time\": \"Fri Feb 21 19:00:10 2020\", \"cause-code\": 37, \"no\": 6}, {\"reason\": \"CARD_SHUTDOWN\", \"time\": \"Sun Feb 23 12:05:25 2020\", \"cause-code\": 37, \"no\": 7}, {\"reason\": \"User initiated graceful reload\", \"time\": \"Mon Mar 2 19:03:25 2020\", \"cause-code\": 241, \"no\": 8}, {\"reason\": \"CARD_SHUTDOWN\", \"time\": \"Mon Mar 2 19:08:16 2020\", \"cause-code\": 37, \"no\": 9}]}]},\"collection-end-time\":1585302661.316119}",
"signature-envelop": {
"nonce": "1580",
"signature-version": "01",
"digest-algorithm": "RSA-SHA256",
"pub-key-id": "4278",
"signature": "ZEKkhGKqZZifp3m6v/6O69MvXN+o9x+6vp9DnzO8YwaMdd59ORVRck9UoqWGd9JB9wfK9B7eMN+UvhCqBRwgw==",
"sudi-signature": "UogQoTKcJ5FFHQ3VYIBjYTelQax5b/I5yHcGL2xjw0HE27vtc7d2OQ7dC3rAljtkrlEZduAKHxhmkMoakR
Grp7gl+5PfsSeXdEMG3kaaKja3isPsyX2/EaBr3bw3SzUHaFicY3MPESS4FwdOpfVbEwe+AR+CB9lDnbl4Izwo0zDTw4M41SWkZZmgHVMXgVf
jwPiVYONdFVTift7rfoIoMVUoYkRbQYiFPGxMjgNcixfDqGjXoTt+hen4IRbvvRz653qgWVvS+TEgcU/nBVvkX1itNR5uGeh/Vcs8dbpBPixh
afZEfwWI8G2WQClfC0q+O+ggfn8ln9UW6exNKQZb2Q==",
"signing-certificate": [ "MIIDLjCCAhagAwIBAwICELUwDQYJKoZIhvcNAQELBQAwODEjMCEGCSqGSIb3DQEJAhYUdHVya
Z/tJlIYOzTRJjx9ZtFdX8yyOj3zuI+zDakPRn4XA2blqFN3dO71MofsIiO7SEKc52aQDes4PbjkQcibKYhrYboECypdhuG/TPyhxndFlWa/
ZnhGiziW7I9nddMgU5cE0XZ48x5G5ixqmwG8AQiuQHsNsCZ/hDeJiLrfOYYmlVXaRLZTJDZvuXqpmTn9k342NT+fqsHHvT+qyLZ5V9iuma
QyjHiP8I4kfVS5nzZhTjkEnQHgxadsNEY1pnThDntAEFsZacajHBFDNi1UyzbHxr0EwCc5ALpdyY1F9CghdcJ2XEd8VjGFtLXn1oFQvJe
Ru5e5BfM7+rU8IN3iuyLHAgMBAAGjZDBiMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgP4MCAGA1UdJQEB/
eqW4mYYmDV+OE/BMszvjLl2wsIwDQYJKoZIhvcNAQELBQADggEBAHJL4re6ehAejTXBMGQAsIJ2Z4vdxeRb3N4qB1
EH3nUMxDmea5JCGO3b8=" ]
}
}
Router#
Please note that the above output is a sample output which does not indicate actual values.
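The envelope above is what a collector receives off-box. The following client-side parser is an added example, not Cisco code: it checks that the envelope has the fields shown above, that the echoed nonce equals the one sent on the utility sign command line (the replay check), decodes the base64 fields, and then parses the inner cli-output JSON to summarize the reboot-history entries. The sample envelope it runs on is constructed here with placeholder base64 values, and the cryptographic check of "signature" and "sudi-signature" is deliberately left to the caller because this page does not state which bytes those signatures cover.

```python
import base64
import json

# Constructed sample envelope modelled on the page's "signature-envelop" layout.
# The base64 values are placeholders, not a real signature or certificate.
SAMPLE_ENVELOPE = json.dumps({
    "cli-output": json.dumps({
        "collection-start-time": 1585302658.098,
        "reboot-history": {
            "result-code": "Success",
            "node": [{"node-name": "0/RP0/CPU0", "reboot-history": [
                {"reason": "User initiated graceful reload", "cause-code": 1, "no": 1},
                {"reason": "CARD_SHUTDOWN", "cause-code": 37, "no": 2},
                {"reason": "CARD_SHUTDOWN", "cause-code": 37, "no": 3},
            ]}],
        },
        "collection-end-time": 1585302661.316,
    }),
    "signature-envelop": {
        "nonce": "1580",
        "signature-version": "01",
        "digest-algorithm": "RSA-SHA256",
        "pub-key-id": "4278",
        "signature": base64.b64encode(b"\x00" * 256).decode(),
        "sudi-signature": base64.b64encode(b"\x00" * 256).decode(),
        "signing-certificate": [base64.b64encode(b"placeholder-der-certificate").decode()],
    },
})

REQUIRED = ("nonce", "signature-version", "digest-algorithm", "pub-key-id",
            "signature", "sudi-signature", "signing-certificate")


class EnvelopeError(ValueError):
    """Raised when the signed envelope is malformed or does not match the request."""


def parse_envelope(text, expected_nonce):
    """Check the envelope's shape and nonce, then return its decoded components.

    The nonce check is the replay defence: the caller chose the nonce on the
    "utility sign nonce" command line and must see the same value echoed back.
    Verifying "signature" and "sudi-signature" against the certificate is left
    to the caller, since the bytes they cover are not specified on this page.
    """
    doc = json.loads(text)
    env = doc.get("signature-envelop")
    if not isinstance(env, dict):
        raise EnvelopeError("signature-envelop missing")
    missing = [key for key in REQUIRED if key not in env]
    if missing:
        raise EnvelopeError(f"envelope fields missing: {missing}")
    if env["nonce"] != str(expected_nonce):
        raise EnvelopeError(f"nonce mismatch: sent {expected_nonce}, got {env['nonce']}")
    if env["digest-algorithm"] != "RSA-SHA256":
        raise EnvelopeError(f"unexpected digest algorithm {env['digest-algorithm']}")
    try:
        signature = base64.b64decode(env["signature"], validate=True)
        sudi_signature = base64.b64decode(env["sudi-signature"], validate=True)
        certs = [base64.b64decode(c, validate=True) for c in env["signing-certificate"]]
    except (ValueError, TypeError) as exc:
        raise EnvelopeError(f"base64 decoding failed: {exc}") from exc
    payload = doc.get("cli-output")
    if not isinstance(payload, str):
        raise EnvelopeError("cli-output missing or not a string")
    return {
        "payload": payload,              # exact string the device emitted
        "dossier": json.loads(payload),  # parsed inner JSON
        "signature": signature,
        "sudi_signature": sudi_signature,
        "certificates": certs,
        "pub_key_id": env["pub-key-id"],
    }


def reboot_summary(dossier):
    """Count reboot reasons per node from the dossier's reboot-history section."""
    summary = {}
    for node in dossier.get("reboot-history", {}).get("node", []):
        counts = summary.setdefault(node.get("node-name", "?"), {})
        for event in node.get("reboot-history", []):
            counts[event["reason"]] = counts.get(event["reason"], 0) + 1
    return summary


if __name__ == "__main__":
    parsed = parse_envelope(SAMPLE_ENVELOPE, 1580)
    print("signature bytes:", len(parsed["signature"]), "certificates:", len(parsed["certificates"]))
    print(reboot_summary(parsed["dossier"]))
```

Keep the "payload" string exactly as received rather than re-serializing the parsed dossier; any later signature check must run over the bytes the device signed, and JSON re-encoding changes whitespace and key order.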
Collect Filesystem Inventory
The metadata of the filesystem can be collected using the data dossier. The file metadata includes information such as the time the file was created, last accessed, and last modified. A snapshot is captured at each configured interval. The initial snapshot is a complete snapshot of all files in the filesystem. The files are then scanned periodically, and new inventory data is collected and stored as incremental snapshots.
To enable this feature, use the filesystem-inventory command.
Router(config)#filesystem-inventory
Router(config-filesystem-inventory)#snapshot-interval 2
Router(config-filesystem-inventory)#commit
The snapshot-interval is the time interval in 15-minute blocks. The interval ranges from 1 to 96. For example, a value of 2 indicates that a snapshot is collected every 30 minutes. The snapshots are stored in /misc/scratch/filesysinv. The logs are stored in /var/log/iosxr/filesysinv/*.
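To show what "incremental snapshots" mean in practice, here is an added example (not Cisco's implementation) that converts the snapshot-interval value into minutes, rebuilds the current inventory from a baseline plus increments, and classifies the drift between two snapshots by the same metadata the page names: creation, modification and access times. The FileMeta record, the {"files": ..., "removed": [...]} increment layout and the sample paths and timestamps are all constructed for the example; the device's on-disk snapshot format is not described on this page.

```python
from dataclasses import dataclass

SNAPSHOT_BLOCK_MINUTES = 15   # one snapshot-interval unit, as stated on the page


def snapshot_interval_minutes(interval):
    """Translate the snapshot-interval value (1-96 blocks of 15 minutes) into minutes."""
    if not isinstance(interval, int) or not 1 <= interval <= 96:
        raise ValueError("snapshot-interval must be an integer in the range 1-96")
    return interval * SNAPSHOT_BLOCK_MINUTES


@dataclass(frozen=True)
class FileMeta:
    """Per-file metadata of the kind the inventory records (constructed, simplified)."""
    size: int
    ctime: int   # creation / status-change time, epoch seconds
    mtime: int   # last modification time
    atime: int   # last access time


def diff_snapshots(previous, current):
    """Classify changes between two snapshots keyed by path.

    Size, ctime or mtime changes are reported as 'modified'; a change of atime
    alone is reported as 'accessed', so reads can be told apart from writes when
    reviewing integrity drift between snapshots.
    """
    prev_paths, cur_paths = set(previous), set(current)
    added = sorted(cur_paths - prev_paths)
    removed = sorted(prev_paths - cur_paths)
    modified, accessed = [], []
    for path in sorted(prev_paths & cur_paths):
        old, new = previous[path], current[path]
        if (old.size, old.ctime, old.mtime) != (new.size, new.ctime, new.mtime):
            modified.append(path)
        elif old.atime != new.atime:
            accessed.append(path)
    return {"added": added, "removed": removed, "modified": modified, "accessed": accessed}


def apply_incremental(baseline, increments):
    """Rebuild the full current inventory from a baseline and incremental snapshots.

    Each increment is modelled as {"files": {path: FileMeta}, "removed": [path]}.
    This layout is an assumption made for the example, not the device's format.
    """
    state = dict(baseline)
    for increment in increments:
        for path in increment.get("removed", []):
            state.pop(path, None)
        state.update(increment.get("files", {}))
    return state


# Constructed sample data: a baseline and two increments taken 30 minutes apart.
BASELINE = {
    "/opt/cisco/XR/packages/manifest": FileMeta(4096, 1610160000, 1610160000, 1610160000),
    "/etc/ima/policy": FileMeta(512, 1610160000, 1610160000, 1610160000),
    "/misc/scratch/notes.txt": FileMeta(10, 1610160000, 1610160000, 1610160000),
}
INCREMENTS = [
    {"files": {"/etc/ima/policy": FileMeta(640, 1610160000, 1610161800, 1610161800)}},
    {"files": {"/misc/scratch/notes.txt": FileMeta(10, 1610160000, 1610160000, 1610163600),
               "/misc/scratch/new.bin": FileMeta(2048, 1610163600, 1610163600, 1610163600)},
     "removed": ["/opt/cisco/XR/packages/manifest"]},
]


if __name__ == "__main__":
    print("snapshot-interval 2 =", snapshot_interval_minutes(2), "minutes")
    print(diff_snapshots(BASELINE, apply_incremental(BASELINE, INCREMENTS)))
```

Comparing the rebuilt state against the baseline rather than against the previous increment is what turns a stream of small snapshots into an integrity statement about the whole filesystem: an edit to a policy file in the first increment is still visible after later increments touch other files.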
To retrieve the filesystem inventory, use the following dossier command. The output is presented in JSON format.
show platform security integrity dossier include filesystem-inventory | file <platform>-parent.json
{"collection-start-time":1610168028.380901,
"model-name":"http://cisco.com/ns/yang/Cisco-IOS-XR-ama",
"model-revision":"2019-08-05","license-udi":{"result-code": "Success", "license-udi":
"UDI: PID:NCS-55A1-24H,SN:FOC2104R15R\n"},"version":{"result-code": "Success",
"version": "Cisco IOS XR Software, Version 7.3.1
\nCopyright (c) 2013-2020 by Cisco Systems, Inc.\n\nBuild Information:\n
Built By : <user>\n Built On : Thu Jan 7 17:16:02 PST 2021\n
Built Host : <host>\n Workspace : <ws>
Version : 7.3.1\n Location : /opt/cisco/XR/packages/\n Label : 7.3.1\n\ncisco
() processor\nSystem uptime is 8 hours 7 minutes\n\n"},"platform":{"result-code":
"Success", "platform":
"Node Type State Config state
--------------------------------------------------------------------------------
0/RP0/CPU0 <node-type>(Active) IOS XR RUN NSHUT\n
0/RP0/NPU0 Slice UP
0/RP0/NPU1 Slice UP
0/FT0 <platform>-A1-FAN-RV OPERATIONAL NSHUT
0/FT1 <platform>-A1-FAN-RV OPERATIONAL NSHUT
0/FT2 <platform>-A1-FAN-RV OPERATIONAL NSHUT
PM1 <platform>-1100W-ACRV OPERATIONAL NSHUT
"},
----------------------------Output is snipped for brevity -------------------------------------
To limit the number of snapshots, use the following command:
show platform security integrity dossier include filesystem-inventory filesystem-inventory-options '{\"0/RP0/CPU0\": {\"block_start\": 0, \"count\": 1}}'
To start from a new block, use the following command:
show platform security integrity dossier include filesystem-inventory filesystem-inventory-options '{\"0/RP0/CPU0\": {\"block_start\": 5}}'
To collect data from a remote node, use the following command:
show platform security integrity dossier include filesystem-inventory filesystem-inventory-options '{\"0/RP1/CPU0\": {\"block_start\": 0}}' | file harddisk:PE1_remote.json
Following is a sample of the display compact container:
{"node-data":[{"node-location":"node0_RP0_CPU0","up-time":150311,"start-time":"Tue Jul 27 13:55:12 2021","ima-event-log-compact":
["IlYIABoMCO+ggIgGEKmxwZYBIkQIABAKGhTU2yPVDA5Rx+64ecp41qZQrLEWSCACKhSXl+340O7Ta
xz5JUeBYFHIr05F7jIOYm9vdF9hZ2dyZWdhdGVAAQ=="]}]}
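The page says the compact log is protobuf that "can then be decoded at the client end" but does not include the .proto schema. The following added example (not Cisco's decoder) shows what a client can do without the schema: decode the protobuf wire format generically, then walk the nested messages of the sample entry above. The decoder is generic and handles varint, fixed-width and length-delimited fields; the meanings assigned to the fields in decode_compact_event are interpretations read off the decoded values (an epoch timestamp within a minute of the sample's "start-time", the value 10 where the Linux IMA uses PCR 10, two 20-byte values matching the length of a SHA-1 IMA digest, and the string "boot_aggregate"), not definitions taken from the page.

```python
import base64
import datetime

# The ima-event-log-compact entry copied from the page's display-compact sample.
SAMPLE_COMPACT_EVENT = (
    "IlYIABoMCO+ggIgGEKmxwZYBIkQIABAKGhTU2yPVDA5Rx+64ecp41qZQrLEWSCACKhSXl+340O7Ta"
    "xz5JUeBYFHIr05F7jIOYm9vdF9hZ2dyZWdhdGVAAQ=="
)


def read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_fields(buf):
    """Decode a protobuf message into a list of (field_number, wire_type, value).

    Only the wire format is known, so values are returned raw: ints for varint
    and fixed-width fields, bytes for length-delimited fields.
    """
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 7
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):                # 64-bit / 32-bit fixed
            width = 8 if wire_type == 1 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wire_type == 2:                     # length-delimited (bytes, string, sub-message)
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = bytes(buf[pos:pos + length])
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type} for field {field}")
        fields.append((field, wire_type, value))
    return fields


def by_number(fields):
    """Index decoded fields by field number (the sample has no repeated fields)."""
    return {number: value for number, _, value in fields}


def decode_compact_event(b64):
    """Unpack one compact IMA event from its base64 form.

    The key names are interpretations of the decoded values, not names from a
    .proto file (the page does not provide one): field 3 carries a timestamp,
    field 4 the event, whose field 2 is 10 (the PCR the Linux IMA extends),
    fields 3 and 5 are 20-byte digests, and field 6 is the measured name.
    """
    outer = by_number(decode_fields(base64.b64decode(b64)))
    entry = by_number(decode_fields(outer[4]))
    stamp = by_number(decode_fields(entry[3]))
    event = by_number(decode_fields(entry[4]))
    seconds = stamp[1]
    return {
        "timestamp_seconds": seconds,
        "timestamp_nanos": stamp[2],
        "timestamp_utc": datetime.datetime.fromtimestamp(seconds, datetime.timezone.utc).isoformat(),
        "pcr": event[2],
        "template_digest": event[3].hex(),
        "file_digest": event[5].hex(),
        "name": event[6].decode("ascii"),
        "other_fields": {k: v for k, v in event.items() if k not in (2, 3, 5, 6)},
    }


if __name__ == "__main__":
    for key, value in decode_compact_event(SAMPLE_COMPACT_EVENT).items():
        print(f"{key}: {value}")
```

For a production collector, replace the interpretive mapping in decode_compact_event with the generated bindings for the actual .proto file; the generic decode_fields remains useful for checking that an event log is well-formed before it is trusted, since a truncated or padded entry raises rather than being silently misread.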
Incremental Integrity Measurement Architecture
With incremental Integrity Measurement Architecture (IMA), you can define the starting IMA sequence that you want to include in a response. The system then reports the subsequent events. For example:
show platform security integrity dossier incremental-ima
"{\"ima_start\":[{\"0/RP0/CPU0\":{\"start_event\":1000,\"start_time\":\"Tue Feb 16 09:15:17 2021\"}}]}"