Chapter 5
Security
Table 5-3
Security Level
Superuser
Provisioning
Maintenance
Retrieve
5.2.2.2 Superuser Password and Login Privileges
A Superuser can perform ONS 15600 user creation and management tasks from the network or node
(default login) view. In network view, a Superuser can add, edit, or delete users from multiple nodes at
one time. In node view, a Superuser can only add, edit, or delete users from that node.
Superuser password and login privilege criteria include:
•
•
•
•
•
•
5.3 Audit Trail
The ONS 15600 maintains a GR-839-compliant audit trail log that resides on the TSC card. This record
shows who has accessed the system and what operations were performed during a given period of time.
The log includes authorized Cisco logins and logouts using the operating system command line interface
(CLI), CTC, and TL1; the log also includes FTP actions, circuit creation/deletion, and user/system
generated actions.
Event monitoring is also recorded in the audit log. An event is defined as the change in status of an
element within the network. External events, internal events, attribute changes, and software
upload/download activities are recorded in the audit trail.
Audit trails are useful for maintaining security, recovering lost transactions and enforcing
accountability. Accountability is the ability to trace user activities and is done by associating a process
or action with a specific user. To view the Audit Trail log, refer to Chapter 7, "Manage Alarms," in the
Cisco ONS 15600 Procedure Guide. Users can access the audit trail logs from any management interface
(CTC, CTM, TL1).
ONS 15600 User Idle Times
Default Idle Time
15 minutes
30 minutes
60 minutes
Unlimited
Privilege level—A Superuser can change the privilege level (such as Maintenance or Provisioning)
of a user ID while the user is logged in. The change will become effective the next time the user logs
in and will apply to all nodes within the network.
Login visibility—Superusers can view real-time lists of users who are logged into a node (both CTC
and TL1 logins) by retreiving a list of logins by node. A Superuser can also log out an active user.
Password expiration and reuse settings—Superusers provision password reuse periods (the number
of days before a user can reuse a password) and reuse intervals (the number of passwords a user must
generate before reusing a password).
User lockout settings—A Superuser can manually lock out or unlock a user ID.
Invalid login attempts—A Superuser sets the number of invalid login attempts a user can make
before the user ID is locked out. Additionally, the Superuser sets the time interval the user ID is
locked out after the user reaches the login attempt limit.
Single Session Per User—If the Superuser provisions a user ID to be active for a single occurrence
only, concurrent logins with that user ID are not allowed.
Cisco ONS 15600 Reference Manual, R6.0
5.3 Audit Trail
5-5