Cellcrypt Federal Stack Auditing and Monitoring User Guide

Contents hide

1 Cellcrypt Federal Stack Auditing and Monitoring

2 Introduction

7 NIAP Compliant Auditing Features

8 Example output for IP Connections

9 Documents / Resources

9.1 References

10 Related Posts

Cellcrypt Federal Stack Auditing and Monitoring

Legal
Copyright © Cellcrypt Inc. All rights reserved. Neither the whole nor any part of the information contained in this document may be adapted or reproduced in any material or electronic form without the prior written consent of the copyright holder. Information in this document is subject to change without notice. Cellcrypt Inc. makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Cellcrypt Inc. and the authors shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance, or use of this material.

Warning: This document is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this document, or any portion of it, may result in severe civil and criminal penalties and will be prosecuted to the maximum extent possible under law.

Patents pending Cellcrypt Inc
Every effort has been made to ensure that the contents of this document are correct. However, neither the authors nor Cellcrypt Inc. accept any liability for loss or damage caused or alleged to be caused directly or indirectly by this document.

Introduction

This manual will provide instructions on how to audit each component of the Cellcrypt Stack. As this is a technical manual, it is worth mentioning that more information about how auditing works is available in the Auxiliary Services – Audit section of the Technical Specifications and Requirements manual.
If you have any questions or concerns, please contact us at support@csghq.com.

Paths to Logs
Detailed location of the log files for every instance of the Cellcrypt Stack.

DB

Network Device NDcPP Ref	Event	Where to find it	Evidence
FMT_SMF.1	Database query	–	–

MariaDB

Database Errors and Warnings:/var/log/mariadb/mariadb.log

API

Network Device NDcPP Ref	Event	Where to find it	Evidence
FCS_HTTP S_EXT.1	Failure to establish an HTTPS Session.	/var/log/ nginx/api- [DOMAIN]- error.log
FCS_TLSC_ EXT.1	Failure to establish a TLS Session	/var/log/ nginx/api- [DOMAIN]- error.log

FCS_TLSS_ EXT.1

Failure to establish a TLS Session

/var/log/ nginx/api- [DOMAIN]-

error.log

EMP

Network Device NDcPP Ref	Event	Where to find it	Evidence
FIA_AFL.1	Unsuccessful login attempts limit is met or exceeded.	–	–
FAU_GEN. 1.1	Resetting passwords	/var/log/ messages
		/opt/secure/ portal/app/ storage/logs/ laravel.log
FCS_HTTP S_EXT.1	Failure to establish a HTTPS Session.	/var/log/ nginx/emp- [DOMAIN]- error.log
FCS_TLSC_ EXT.1	Failure to establish a TLS Session	/var/log/ nginx/emp- [DOMAIN]- error.log

FCS_TLSS_ EXT.1

Failure to establish a TLS Session

/var/log/ nginx/emp- [DOMAIN]-

error.log

Network Device NDcPP Ref	Event	Where to find it	Evidence
FCS_HTTP S_EXT.1	Failure to establish a HTTPS Session.	/var/log/nginx/my- [DOMAIN]- error.log
FCS_TLSC _EXT.1	Failure to establish a TLS Session	/var/log/nginx/my- [DOMAIN]- error.log
FCS_TLSS _EXT.1	Failure to establish a TLS Session	/var/log/nginx/my- [DOMAIN]- error.log

SAS

Network Device NDcPP Ref	Event	Where to find it	Evidence
FIA_UIA_E XT.1	All use of identification and authentication mechanism.	/var/log/ messages

FIA_UAU_E XT.2	All use of identification and authentication mechanism.	/var/log/ messages
FMT_SMF.1	All management activities of TSF data.	/var/log/ messages
FCS_TLSC_ EXT.1	Failure to establish a TLS Session	/var/log/ stunnel/ stunnel.log
FCS_TLSS_ EXT.1	Failure to establish a TLS Session	/var/log/ stunnel/ stunnel.log
FCS_TLSS_ EXT.2	Failure to authenticate the client	/var/log/ stunnel/ stunnel.log
–	activate_remote_wipe –	/var/log/ messages
–	authenticate_admin_user	/var/log/ messages
–	admin_logout	/var/log/ messages
–	admin_session_expired	/var/log/ messages
–	send_password_reset_mail	/var/log/ messages
–	check_password_reset	/var/log/ messages

–	reset_password	/var/log/ messages
–	add_admin_user_partner_g roup	/var/log/ messages
–	create_admin_user	/var/log/ messages
–	delete_admin_user	/var/log/ messages
–	user_register	/var/log/ messages
–	modify_user_roles	/var/log/ messages
–	update_by_id	/var/log/ messages
–	device_update_status	/var/log/ messages
–	add_alias	/var/log/ messages
–	remove_alias	/var/log/ messages
–	remove_account	/var/log/ messages
–	auth_my_user	/var/log/ messages

–

user_logout

/var/log/ messages

Vault

Network Device NDcPP Ref	Event	Where to find it	Evidence
FCS_HTTP S_EXT.1	Failure to establish a HTTPS Session.	/var/log/nginx/ vault- [DOMAIN]- error.log
FCS_TLSC_ EXT.1	Failure to establish a TLS Session	/var/log/nginx/ vault- [DOMAIN]- error.log
FCS_TLSS_ EXT.1	Failure to establish a TLS Session	/var/log/nginx/ vault- [DOMAIN]- error.log

SIP

Network Device NDcPP

Ref

Event

Where to find it

Evidence

FAU_GEN .1/CDR	Audit Data Generation (Call Detail Record)	/var/log/ opensips.log	2022-12-07T19:17:55.672734+00:00 sip-* /usr/ local/sbin/opensips[35710]: ACC: call ended: created=1645211866;call_start_time=16452118 67;duration=8;ms_duration=8296;setuptime=1; method=INVITE;from_tag=fa6f84b3-38a2-4709- 8ffd-3e10f52df51d;to_tag=809ab268-06ba-41e 1-9f03-4270ebe692af;call_id=ba07fafd-963c-46 39- a454-6bba4627c887;code=200;reason=OK;src_i p=;dst_ip=13.90.174.9;call_end_time=1645211 875;call_type=Audio;caller=;callee=
FIA_UAU. 2/VVoIP	Successful or failed registration of VVoIP endpoint/device	/var/log/ opensips.log
FIA_UAU. 2/VVoIP	Authentication of external VvoIP endpoint/device	/var/log/ opensips.log
FMT_SMF .1	Enabling/disabling VVoIP endpoint/device features	/var/log/ opensips.log
FCS_TLS S_EXT.2	Failure to authenticate the client	/var/log/ opensips.log

Nginx

TLS Access – Registers every TLS connection to the HTTPS Proxy/var/log/nginx/api.domain.com-access.log
TLS Error – Registers every TLS error when connecting to the HTTPS Proxy/var/log/nginx/api.domain.com-error.log

Stunnel
Stunnel service logs /var/log/stunnel/stunnel.log

ECS
ECS Supervisor

ECS actions and errors
/var/log/supervisor/ecs-stderr

ECS Connectivity errors
/var/log/supervisor/ecs-stdout-

Sync actions and errors
/var/log/supervisor/sync-emp-stderr

Sync Connectivity error
/var/log/supervisor/sync-emp-stdout-

Supervisor
Log – Registers whenever the server is spawned, stopped, or rebooted. /var/log/supervisor/supervidord.log

Asterisk
Asterisk logs, actions, and error messages

Nginx
TLS Access – Registers every TLS connection to the HTTPS Proxy/var/log/nginx/ecs.domain.com-access.log

TLS Error – Registers every TLS error when connecting to the HTTPS Proxy/var/log/nginx/ecs.domain.com-error.log

SAS
SAS Supervisor
SAS NodeJS Workers’ logs, actions, and error messages
/var/log/supervisor/*

Backend-v4 transactions, messages, and logs
/var/log/supervisor/backend-v4-*

Supervisor Log
Registers whenever the server is spawned, stopped, or rebooted. /var/log/supervisor/supervidord.log

Secure Application Server
SAS Gearman Workers’ logs, actions, and error messages
/var/log/secure-application-server/*

German
German server runtime errors
/var/log/gearman-job-server/gearman.log

Redis
Redis operations logs
/var/log/redis/redis-server.log

Revinetd
Revinetd transactions and connections logs
/var/log/supervisor/sip-reverse-stderr-*

Stunnel
Stunnel service logs
/var/log/stunnel/stunnel.log

SIP
SIP Supervisor
Revinetd – SIP Reverse service logs
/var/log/supervisor/sip-reverse-stderr-*Supervisor Log – Registers whenever server is spawned, stopped or rebooted. /var/log/supervisor/supervidord.log

Opensips
Registers every SIP connection attempt
/var/log/opensips.log

Stunnel
Stunnel service logs
/var/log/stunnel/stunnel.log

Vault
Vault Supervisor
Vault service file download/upload notices and error logs
/var/log/supervisor/vault-v3-stderr-*

Nginx
TLS Access – Registers every TLS connection to the HTTPS Proxy /var/log/nginx/vault.domain.com-access.log

TLS Error – Registers every TLS error when connecting to the HTTPS Proxy /var/log/nginx/vault.domain.com-error.log

Portal (EMP/My)
Laravel
Registers Portal events, actions, and errors
/opt/secure/portal/app/storage/logs/laravel.log

Nginx
TLS Access – Registers every TLS connection to the HTTPS Proxy (EMP)
/var/log/nginx/emp.domain.com-access.log

TLS Error – Registers every
TLS error when connecting to the HTTPS Proxy (EMP)
/var/log/nginx/emp.domain.com-error.log

TLS Access – Registers every
TLS connection to the HTTPS Proxy (MY)
/var/log/nginx/my.domain.com-access.log

TLS Error – Registers every
TLS error when connecting to the HTTPS Proxy (MY)
/var/log/nginx/my.domain.com-error.log

Stunnel
Stunnel service logs
/var/log/stunnel/stunnel.log

AUX

Nginx
TLS Access – Registers every TLS connection to the HTTPS Proxy
/var/log/nginx/aux.domain.com-access.log

TLS Error – Registers every
TLS error when connecting to the HTTPS Proxy
/var/log/nginx/aux.domain.com-error.log

Shared logs
Syslog
All log messages are sent to syslog.
/var/log/messages

NTP
Every NTP-related statistic and log.
/var/log/ntpstats/*

SSH
SSH daemon logs.
/var/log/secure

Stack Auditing

Many of the auditing features of the application were designed in order to comply with NIAP Requirements and are enabled by default.
This informative section provides insights into what requirements are fulfilled and where you can find those pieces of information.

Aux

Network Device NDcPP Ref

Event

Where to find it

Evidence

FCS_HTTP S_EXT.1

Failure to establish a HTTPS Session.

/var/log/nginx/ aux-[DOMAIN]-

error.log

NIAP Compliant Auditing Features

Some of the auditing features required by NIAP are available once the audit module is installed. This section explains in further detail each of the available features provided.

Start-up/shutdown date/time of audit functions
FAU_GEN.1.1 mandates that the TOE shall generate an audit record of the start-up and shutdown of the audit functions

Jul 23 14:49:34 ip-172-31-33-210.us-west-2.compute.internal auditd[2207]: The audit daemon is exiting.
Jul 23 14:49:36 ip-172-31-33-210.us-west-2.compute.internal systemd[1]: Starting Security Auditing Service…

Jul 23 14:49:36 ip-172-31-33-210.us-west-2.compute.internal auditd[22693]: Started dispatcher: /sbin/ audited paid: 22695
Jul 23 14:49:36 ip-172-31-33-210.us-west-2.compute.internal auditd[22693]: Init complete, auditd 2.8.4 listening for events (startup state enabled)

IP connections
FAU_GEN.1.1/Log states that the TSF shall be able to generate a system log record of IP connections.
Nftables outputs any IP connections directly into the syslog file.

Example output for IP Connections

Aug 5 19:07:41 ip-172-31-33-210 kernel: LOG_IPTABLES_PING_REQUEST: IN=eth0 OUT=
MAC=06:d6:65:61:b7:fe:06:b1:01:79:45:47:08:00 SRC=179.184.19.129 DST=172.31.33.210 LEN=84 TOS=0x00
PREC=0x00 TTL=38 ID=6627 DF PROTO=ICMP TYPE=8 CODE=0 ID=32536 SEQ=200

Aug 5 19:07:42 ip-172-31-33-210 kernel: LOG_IPTABLES_PING_REQUEST: IN=eth0 OUT=
MAC=06:d6:65:61:b7:fe:06:b1:01:79:45:47:08:00 SRC=179.184.19.129 DST=172.31.33.210 LEN=84 TOS=0x00
PREC=0x00 TTL=38 ID=6791 DF PROTO=ICMP TYPE=8 CODE=0 ID=32536 SEQ=201

Aug 5 19:07:43 ip-172-31-33-210 kernel: LOG_IPTABLES_PING_REQUEST: IN=eth0 OUT=
MAC=06:d6:65:61:b7:fe:06:b1:01:79:45:47:08:00 SRC=179.184.19.129 DST=172.31.33.210 LEN=84 TOS=0x00
PREC=0x00 TTL=38 ID=6835 DF PROTO=ICMP TYPE=8 CODE=0 ID=32536 SEQ=202

Note: Per FAU_GEN.1/CDR’s test no. 1, the IP connections are tested through the “ping” command (hence the log format shown above)

Miscellaneous status logs
FAU_GEN.1.1/Log also calls for disk and file storage capacity, NTP status, CPU usage, memory usage, audit storage capacity, and fan status. The evaluation tests revolve around monitoring said parameters for a 10-minute period and performing calls/messaging. These are handled using a simple shell script to forward the outputs from existing OS monitoring services. The OS utility top is used for CPU/memory status, and df, for available disk space. These outputs are redirected to the syslog log file.

Disk/file storage capacity

Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: Filesystem Size Used Avail Use% Mounted on
Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: /dev/xvda2 10G 3.4G 6.7G 34% /
Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: devtmpfs 897M 0 897M 0% /dev

Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: tmpfs 919M 0 919M 0% /dev/shm
Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: tmpfs 919M 79M 840M 9% /run
Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: tmpfs 919M 0 919M 0% /sys/fs/cgroup

Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: tmpfs 184M 0 184M 0% /run/user/1000
Aug 5 18:55:01 ip-172-31-33-210 journal: df -h: tmpfs 184M 0 184M 0% /run/user/0
Aug 5 18:55:01 ip-172-31-33-210 ntpstat: synchronised to NTP server (204.11.201.10) at stratum 3

Aug 5 18:55:01 ip-172-31-33-210 ntpstat: time correct to within 37 ms
Aug 5 18:55:01 ip-172-31-33-210 ntpstat: polling server every 1024 s

CPU/Memory usage

Aug 6 14:41:54 ip-172-31-33-210 top: top – 14:41:54 up 19 days, 3:04, 2 users, load average: 0.00, 0.01, 0.05
Aug 6 14:41:54 ip-172-31-33-210 top: Tasks: 182 total, 2 running, 180 sleeping, 0 stopped, 0 zombie
Aug 6 14:41:54 ip-172-31-33-210 top: %Cpu(s): 0.0 us, 6.2 sy, 0.0 ni, 93.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st

Aug 6 14:41:54 ip-172-31-33-210 top: KiB Mem : 1880524 total, 64660 free, 1247988 used, 567876 buff/cache
Aug 6 14:41:54 ip-172-31-33-210 top: KiB Swap: 0 total, 0 free, 0 used. 352988 avail Mem
Aug 6 14:41:54 ip-172-31-33-210 top: mbie

Aug 6 14:41:54 ip-172-31-33-210 top: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
Aug 6 14:41:54 ip-172-31-33-210 top: 21324 ec2-user 20 0 162028 2104 1540 R 6.2 0.1 0:00.01 top
Aug 6 14:41:54 ip-172-31-33-210 top: 1 root 20 0 128148 5032 2504 S 0.0 0.3 4:03.70 systemd

Aug 6 14:41:54 ip-172-31-33-210 top: 2 root 20 0 0 0 0 S 0.0 0.0 0:00.36 kthreadd

Local Administrative Logins
The first item of FAU_GEN.1.1 states that all administrative login and logout events must be accounted for, as well as the start/stop of trusted channels. The stack handles this by setting watching rules on login/logout binaries, which, in addition to “report -l” functionality produces reports on all login attempts on the server. The last package is used for trusted channels initiation/termination info. Additionally, Syslog is configured to audit all attempts to initiate a super-user session (including commands such as sudo).
Login info:

Login Report
date time auid host term exe success event

08/06/2019 15:50:09 ec2-user 200.175.61.81.static.gvt.net.br /dev/pts/0 /usr/sbin/sshd yes 919456
08/06/2019 18:13:41 ec2-user 200.175.61.81.static.gvt.net.br /dev/pts/0 /usr/sbin/sshd yes 919808
08/07/2019 09:17:17 ec2-user 200.175.61.81.static.gvt.net.br /dev/pts/0 /usr/sbin/sshd yes 921179

08/07/2019 13:24:55 ec2-user 200.175.61.81.static.gvt.net.br /dev/pts/0 /usr/sbin/sshd yes 921613
08/07/2019 13:27:52 ec2-user 200.175.61.81.static.gvt.net.br /dev/pts/0 /usr/sbin/sshd yes 921820
08/07/2019 14:46:53 ec2-user 200.175.61.81.static.gvt.net.br /dev/pts/0 /usr/sbin/sshd yes 924724

08/07/2019 16:05:17 ec2-user 200.175.61.81.static.gvt.net.br /dev/pts/0 /usr/sbin/sshd yes 926211

Trusted channel info

ec2-user pts/0 179.184.19.129.s Mon Aug 5 18:16 – 19:58 (01:41)

ec2-user ssh 200.175.61.81.st Mon Aug 5 20:27 – 20:27 (00:00)
ec2-user pts/2 200.175.61.81.st Mon Aug 5 19:24 – 22:42 (03:17)
ec2-user pts/5 200.175.61.81.st Mon Aug 5 19:52 – 23:59 (04:06)

ec2-user pts/2 200.175.61.81.st Tue Aug 6 14:28 – 14:38 (00:09)
ec2-user pts/0 179.184.19.129.s Tue Aug 6 14:20 – 14:43 (00:23)
ec2-user pts/2 200.175.61.81.st Tue Aug 6 14:38 still logged in

Super-user sessions

Aug 8 20:40:20 ip-172-31-33-210 sudo: pam_unix(sudo:session): session opened for user root by ec2- user(uid=0)
Aug 8 20:40:20 ip-172-31-33-210 sudo: pam_tty_audit(sudo:session): unknown option `ec2-user’

Aug 8 20:40:20 ip-172-31-33-210 sudo: pam_tty_audit(sudo:session): changed status from 1 to 1
Aug 8 20:41:39 ip-172-31-33-210 sudo: pam_unix(sudo:session): session closed for user root
Aug 8 20:41:54 ip-172-31-33-210 sudo: ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/ bin/systemctl restart rsyslog

Bad SH Authentication

FAU_GEN.1.1 also requires the TOE to log unsuccessful login attempts, including when they exceed some preset limit.
The TOE uses auditd’s own summary reporting plugin – report – and specifies auditing rules for the pam_tty service.

Example output: report -i -au –failed
Authentication Report date time acct host term exe success event
07/31/2019 12:29:42 ec2-user 179.184.19.129 ssh /usr/sbin/sshd no 845672

07/31/2019 13:12:40 ec2-user 179.184.19.129 ssh /usr/sbin/sshd no 845839
07/31/2019 13:31:19 ec2-user 179.184.19.129 ssh /usr/sbin/sshd no 845872
07/31/2019 19:01:13 ec2-user 200.175.61.81 ssh /usr/sbin/sshd no 848199

07/31/2019 19:28:00 ec2-user 179.184.19.129 ssh /usr/sbin/sshd no 848260

Changes to Time and Date
The FPT_STM_EXT.1 requirement makes it necessary to audit any discontinuous changes in time. Monitoring time-related binaries and executables (see example below) audit any attempts to discontinuous time changes on the stack.

Example output
Summary report of executables involved in changing the TOE server’s timezone

Executable Report

# date time exe term host auid event
332. 08/06/2019 13:23:34 /usr/lib/systemd/systemd ? ? unset 877714

333. 08/06/2019 13:23:34 /usr/lib/systemd/systemd-timedated (none) ? unset 877713
334. 08/06/2019 13:23:34 /usr/lib/systemd/systemd-timedated (none) ? unset 877715
335. 08/06/2019 13:24:04 /usr/lib/systemd/systemd ? ? unset 877716

336. 08/06/2019 13:25:45 /usr/lib/systemd/systemd ? ? unset 877729
337. 08/06/2019 13:25:45 /usr/bin/timedatectl pts0? administrator 877726
338. 08/06/2019 13:25:45 /usr/lib/systemd/systemd-timedated (none) ? unset 877728

339. 08/06/2019 13:25:45 /usr/lib/systemd/systemd-timedated (none) ? unset 877731
340. 08/06/2019 13:25:45 /usr/lib/systemd/systemd-timedated (none) ? unset 877732

Manual Update Attempts

FMT_MOF.1/ManualUpdate mandates that all attempts to initiate a manual code update must be audited. Even though FPT_TUD_EXT.
events are no longer need to be audited (initiation/result of update attempts), logging the outputs of the manual updates fulfills both requirements.
Direct modifications to the setup script were made to log all update messages prompted. E.g.:

Aug 6 18:31:54 ip-172-31-33-210 journal: SW upgrade: #033[1;32mmariadb#033[0m: Running precondition checks.
Aug 6 18:32:50 ip-172-31-33-210 journal: SW upgrade: #033[1;32mmariadb#033[0m: Running precondition checks.
Aug 6 18:32:50 ip-172-31-33-210 journal: SW upgrade: #033[1;32mmariadb#033[0m: Configuring system.

Aug 6 18:32:53 ip-172-31-33-210 journal: SW upgrade: #033[1;32mmariadb#033[0m: Starting services.
Aug 6 18:32:53 ip-172-31-33-210 journal: SW upgrade: #033[1;32mmariadb#033[0m: Running final checks.
Aug 6 18:32:53 ip-172-31-33-210 journal: SW upgrade: #033[1;32mmariadb#033[0m: Installed.

Call Detail Records
The protected local logs include the Call Detail Records (CDRs). These permissions are automatically set during the

TOE software installation process. The CDR’s are generated by the ESC OpenSIPS service and consist of the following information:
TOE unique identifier

Call originator identifier
Call receiver identifier
Unique transaction sequence number

Call status (missed/connected/terminated / failures)
Call type (voice/voice + video)
Call start time
Call end time
Call duration
Call direction (incoming/outgoing)
Call routing into TOE
Call routing out of TOE

Time zone
Example call log showing CDR details: 2022-02-18T19:17:55.672734+00:00 sip-alpha /usr/local/bin/opensips[35710]: ACC: call ended:created=1645211866;call_start_time=1645211867;duration=8;ms_duration=8296;setuptime=1;method=INVIT E;from_tag=fa6f84b3-38a2-4709-8ffd-3e10f52df51d;to_tag=809ab268-06ba-41e1-9f03-4270ebe692af;call_id= ba07fafd-963c-4639- a454-6bba4627c887;code=200;reason=OK;src_ip=;dst_ip=13.90.174.9;call_end_time=1645211875;call_type=A audio;caller=;callee=

Shared auditing information
This information is produced on every machine running any of the Cellcrypt stack services.

SSH / Direct access

Network Device NDcPP Ref	Event	Where to find it	Evidence
FCS_SSHS_ EXT.1	Failure to establish an SSH session	/var/ log/ messag es

NTP

Network Device NDcPP Ref	Event	Where to find it	Evidence
FCS_SSHS_ EXT.1	Failure to establish an SSH session	/var/ log/ messag es

Hardware information

Network Device NDcPP Ref

Event

Where to find it

Evidence

FAU_GEN.

1/Log

CPU and Memory usage

/var/ log/ messag es

2021-12-06T11:09:30.302105-05:00 api-* top: top –

14:41:54 up 19 days, 3:04, 2 users, load average: 0.00,

0.01, 0.05

2021-12-06T11:09:30.302105-05:00 api-* top: Tasks:

182 total, 2 running, 180 sleeping, 0 stopped, 0 zombie

2021-12-06T11:09:30.302105-05:00 api-* top: %Cpu(s):

0.0 us, 6.2 sy, 0.0 ni, 93.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st

2021-12-06T11:09:30.302105-05:00 api-* top: KiB

Mem : 1880524 total, 64660 free, 1247988 used,

567876 buff/cache

2021-12-06T11:09:30.302105-05:00 api-* top: KiB

Swap: 0 total, 0 free, 0 used. 352988 avail Mem

2021-12-06T11:09:30.302105-05:00 api-* top: mbie

2021-12-06T11:09:30.302105-05:00 api-* top: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 2021-12-06T11:09:30.302105-05:00 api-* top: 21324 admin 20 0 162028 2104 1540 R 6.2 0.1 0:00.01 top

2021-12-06T11:09:30.302105-05:00 api-* top: 1 root 20

0 128148 5032 2504 S 0.0 0.3 4:03.70 systemd

2021-12-06T11:09:30.302105-05:00 api-* top: 2 root 20

0 0 0 0 S 0.0 0.0 0:00.36 kthreadd

FAU_GEN.

1/Log

NTP Status

/var/ log/ messag es

2021-12-06T11:09:30.302105-05:00 api-* ntpstat:

synchronised to NTP server (204.11.201.10) at stratum 3

2021-12-06T11:09:30.302105-05:00 api-* ntpstat: time

correct to within 37 ms

2021-12-06T11:09:30.302105-05:00 api-* ntpstat:

polling server every 1024 s

FAU_GEN.

1/Log

Disk and file storage capacity

/var/ log/ messag es