Sample Code Audits of Configuration Changes

 

This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:

This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:

Example: System Logging of Configuration Changes

This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.

The new configuration changes the secret data configuration statements and adds a new user.

Table 1 shows the NDcPPv2.1 auditable events together with sample syslog records for each:

Table 1: Auditable Events

| Requirement | Auditable Events | Additional Audit Record Contents | How event generated |
|---|---|---|---|
| FAU_GEN.1 | None | None | |
| FAU_GEN.2 | None | None | |
| FAU_STG_EXT.1 | None | None | |
| FAU_STG.1 | None | None | |
| FCS_CKM.1 | None | None | |
| FCS_CKM.2 | None | None | |
| FCS_CKM.4 | None | None | |
| FCS_COP.1/DataEncryption | None | None | |
| FCS_COP.1/SigGen | None | None | |
| FCS_COP.1/Hash | None | None | |
| FCS_COP.1/KeyedHash | None | None | |
| FCS_COP.1(1)/KeyedHashCMAC | None | None | |
| FCS_RBG_EXT.1 | None | None | |
| FIA_PMG_EXT.1 | None | None | |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful Local Login<br>`Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0`<br>`Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0`<br>Unsuccessful Local Login<br>`Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root`<br>`Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0`<br>Successful Remote Login<br>`Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'`<br>`Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'`<br>Unsuccessful Remote Login<br>`Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153'` |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful Local Login<br>`Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0`<br>`Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0`<br>Unsuccessful Local Login<br>`Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root`<br>`Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0`<br>Successful Remote Login<br>`Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'`<br>`Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'`<br>Unsuccessful Remote Login<br>`Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153'` |
| FIA_UAU.7 | None | None | |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None | `Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-19.1-20181231.0.tgz no-validate'` |
| FMT_MTD.1/CoreData | None | None | |
| FMT_SMF.1 | All management activities of TSF data | None | Refer to the audit events listed in this table. |
| FMT_SMR.2 | None | None | |
| FPT_SKP_EXT.1 | None | None | |
| FPT_APW_EXT.1 | None | None | |
| FPT_TST_EXT.1 | None | None | |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | `Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-19.1-20181231.0.tgz no-validate'` |
| FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also the application note on FPT_STM_EXT.1.) | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). | `Apr 22 15:31:37 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'set date 201904221532.00`<br>`Apr 22 15:32:05 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime '` |
| FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local interactive session by the session locking mechanism. | None | `Jan 3 11:59:29 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated` |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | `Jan 3 11:26:23 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated` |
| FTA_SSL.4 | The termination of an interactive session. | None | Local<br>`Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout`<br>Remote<br>`Jan 3 11:43:33 sshd[52425]: Received disconnect from 10.1.5.153 port 36800:11: disconnected by user` |
| FTA_TAB.1 | None | None | |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempt. | Initiation of the trusted path<br>`Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2`<br>Termination of the trusted path<br>`Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user`<br>Failure of the trusted path<br>`Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153'` |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Initiation of the trusted path<br>`Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2`<br>Termination of the trusted path<br>`Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user`<br>Failure of the trusted path<br>`Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153'` |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | `Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,ext-info-c` |
| FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate. Any addition, replacement or removal of trust anchors in the TOE's trust store. | Reason for failure of certificate validation. Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store. | `Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net` |
| FIA_X509_EXT.2 | None | None | |
| FPT_TUD_EXT.2 | Failure of update | Reason for failure (including identifier of invalid certificate) | `Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net` |
| FMT_MOF.1/Functions | None | None | |
| FMT_MOF.1/Services | None | None | |
| FMT_MTD.1/CryptoKeys | None | None | |
| FIA_AFL.1 | Administrator lockout due to excessive authentication failures | None | `Jan 3 08:13:59 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (2) reached by user 'test1'` |
| FCS_IPSEC_EXT.1 | Session establishment with peer | Entire packet contents of packets transmitted or received during session establishment | `Nov 9 20:24:13 ikev2_allocate_exchange_data: Successfully allocated exchange data for SA 88fbc00`<br>`Nov 9 20:24:13 ikev2_allocate_exchange_data_info: Successfully allocated Info exchange data for SA 88fbc00 ED 88ab028`<br>`Nov 9 20:24:13 ikev2_allocate_exchange_data: Successfully allocated exchange data for SA 88fb300`<br>`Nov 9 20:24:13 ikev2_allocate_exchange_data_info: Successfully allocated Info exchange data for SA 88fb300 ED 8927028`<br>`Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_decode_encr: [8920400/88fbc00] Packet decrypted successfully`<br>`Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] kmd_pm_ike_sa_delete_notif_done_cb: Received success IKE SA 88fbc00 delete notification`<br>`Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_free_exchange_data_info: Successfully freed Info exchange data from SA 88fbc00`<br>`Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_free_exchange_data: Successfully freed exchange data from SA 88fbc00`<br>`Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_decode_encr: [8921080/88fb300] Packet decrypted successfully` |
| FIA_X509_EXT.1 | Session establishment with CA | Entire packet contents of packets transmitted or received during session establishment | `Nov 9 20:24:14 [20.1.1.1 <-> 30.1.1.2] ikev2_decode_auth: [8920e00/88fbc00] AUTH(method = RSA Sig (1), len = 256, data = 7a3da09a 068ac628 5e0abaf9 dcc41c33 7bdf7073 f654835a aef2e5bf f71288fc 207bed57 8b5ce79a 1112be79 a8616396 5984a7f1 834ba83d 0fe75219 8d10eeb7 2e730445 0c610fe1 e75aa728 04`<br>`Nov 9 20:24:21 ikev2_decode_auth: [8921300/88fb300] AUTH(method = RSA Sig (1), len = 256, data = 9ecf8df6 fb44582a 5e1acbcc bc38d392 d255fabb d3859e39 3ac6b82d 8f5f2dd3 d4943772 f0874829 f7a6c0bf dc0bc85b 6f0a86e5 864b8500 20108fca 249adfbc b1355265 489e0b32 346aeac2 a5` |
| FPF_RUL_EXT.1 | Application of rules configured with the 'log' operation | Source and destination addresses<br>Source and destination ports<br>Transport Layer Protocol<br>TOE Interface | `Time of Log: 2017-11-09 21:02:03 PST, Filter: pfe, Filter action: accept, Name of interface: ms-4/0/0.1 Name of protocol: TCP, Packet Length: 52, Source address: 40.1.1.2:10799, Destination address: 10.1.1.1:22` |
| FPF_RUL_EXT.1 | Indication of packets dropped due to too much network traffic | TOE interface that is unable to process packets | `Jan 8 01:08:09 bm-b (FPC Slot 2, PIC Slot 0) ms40 mspmand[249]: CPU zone change GREEN=>RED (98.98 %)`<br>`Jan 8 01:08:09 bm-b (FPC Slot 2, PIC Slot 0) ms40 mspmand[249]: CPU utilization (98.98 percent) exceeded threshold, packets may be dropped`<br>`Jan 8 01:08:09 bm-b (FPC Slot 2, PIC Slot 0) ms40 mspmand[249]: CPU trap sent successfully` |
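Table 1 pairs each requirement with the Junos syslog tag that evidences it. The following Python is an added example, not code from the Juniper documentation: it parses records of the form shown in the table and returns the requirement(s) each one evidences plus the origin host the table asks for on login events, so an audit export can be checked for the event classes it must contain. The tag-to-requirement dictionary, both regular expressions and the command substrings ('set date', 'software add') are this example's own assumptions transcribed from the table's sample records.

```python
import re

# Junos syslog tags quoted in Table 1, mapped to the NDcPPv2.1 requirement(s)
# whose auditable event they evidence (mapping transcribed from the table).
TAG_TO_REQUIREMENTS = {
    "LOGIN_INFORMATION": ("FIA_UIA_EXT.1", "FIA_UAU_EXT.2"),
    "LOGIN_ROOT": ("FIA_UIA_EXT.1", "FIA_UAU_EXT.2"),
    "LOGIN_PAM_AUTHENTICATION_ERROR": ("FIA_UIA_EXT.1", "FIA_UAU_EXT.2"),
    "LOGIN_FAILED": ("FIA_UIA_EXT.1", "FIA_UAU_EXT.2"),
    "UI_AUTH_EVENT": ("FIA_UIA_EXT.1", "FIA_UAU_EXT.2"),
    "UI_LOGIN_EVENT": ("FIA_UIA_EXT.1", "FIA_UAU_EXT.2"),
    "SSHD_LOGIN_FAILED": ("FIA_UIA_EXT.1", "FIA_UAU_EXT.2", "FTP_ITC.1", "FTP_TRP.1/Admin"),
    "SSHD_LOGIN_ATTEMPTS_THRESHOLD": ("FIA_AFL.1",),
    "UI_CLI_IDLE_TIMEOUT": ("FTA_SSL_EXT.1", "FTA_SSL.3"),
    "UI_LOGOUT_EVENT": ("FTA_SSL.4",),
}
# "<Mon> <d> <hh:mm:ss> <process>[<pid>]: [<TAG>: ]<message>"; the pid and the
# upper-case Junos tag are both optional (compare the "sshd:" lines in the table).
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (?P<proc>[\w-]+)(?:\[\d+\])?: "
    r"(?:(?P<tag>[A-Z][A-Z_]+): )?(?P<msg>.*)$"
)
# Origin of the attempt (the table's additional audit record content for logins):
# "from host 'x'", "from host [unknown]", "from 10.1.5.153 port ...".
ORIGIN_RE = re.compile(r"from (?:host )?'?(\[?[\w.:-]+\]?)'?")


def classify(line):
    """Return (requirements, origin) for one syslog line, or ((), None) when the
    line is not one of the auditable events listed in Table 1."""
    m = SYSLOG_RE.match(line)
    if not m:
        return (), None
    proc, tag, msg = m.group("proc"), m.group("tag"), m.group("msg")
    reqs = TAG_TO_REQUIREMENTS.get(tag, ())
    if tag == "UI_CMDLINE_READ_LINE":  # only these two commands are auditable events
        if "set date" in msg:
            reqs = ("FPT_STM_EXT.1",)
        elif "software add" in msg:
            reqs = ("FMT_MOF.1/ManualUpdate", "FPT_TUD_EXT.1")
    elif proc == "veriexec" and msg.startswith("cannot validate"):
        reqs = ("FIA_X509_EXT.1/Rev", "FPT_TUD_EXT.2")
    elif proc == "sshd" and msg.startswith("Unable to negotiate"):
        reqs = ("FCS_SSHS_EXT.1",)
    elif proc == "sshd" and msg.startswith("Accepted "):
        reqs = ("FTP_ITC.1", "FTP_TRP.1/Admin")
    elif proc == "sshd" and msg.startswith("Received disconnect"):
        reqs = ("FTA_SSL.4", "FTP_ITC.1", "FTP_TRP.1/Admin")
    origin = ORIGIN_RE.search(msg)
    return reqs, (origin.group(1) if origin else None)
```

Feeding a whole audit file through classify and collecting the requirement names that never appear is a quick check that the export covers every event class the table lists.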