Sample Code Audits of Configuration Changes
This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:
This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
Example: System Logging of Configuration Changes
This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.
The new configuration changes the secret data configuration statements and adds a new user.
Table 1 shows sample syslog audit records for NDcPPv2.1:
Table 1: Auditable Events
Requirement | Auditable Events | Additional Audit Record Contents | How event generated |
---|---|---|---|
FAU_GEN.1 | None | None | |
FAU_GEN.2 | None | None | |
FAU_STG_EXT.1 | None | None | |
FAU_STG.1 | None | None | |
FCS_CKM.1 | None | None | |
FCS_CKM.2 | None | None | |
FCS_CKM.4 | None | None | |
FCS_COP.1/DataEncryption | None | None | |
FCS_COP.1/SigGen | None | None | |
FCS_COP.1/Hash | None | None | |
FCS_COP.1/KeyedHash | None | None | |
FCS_COP.1(1)/KeyedHashCMAC | None | None | |
FCS_RBG_EXT.1 | None | None | |
FIA_PMG_EXT.1 | None | None | |
FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful Local Login<br>Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0<br>Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0<br>Unsuccessful Local Login<br>Jan 3 09:57:52 login[7637]: LOGIN_PAM_<br>Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0<br>Successful Remote Login<br>Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'<br>Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'<br>Unsuccessful Remote Login<br>Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153' |
FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful Local Login<br>Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0<br>Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0<br>Unsuccessful Local Login<br>Jan 3 09:57:52 login[7637]: LOGIN_PAM_<br>Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0<br>Successful Remote Login<br>Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'<br>Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'<br>Unsuccessful Remote Login<br>Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153' |
FIA_UAU.7 | None | None | |
FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None | Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos- |
FMT_MTD.1/CoreData | None | None | |
FMT_SMF.1 | All management activities of TSF data | None | Refer to the audit events listed in this table. |
FMT_SMR.2 | None | None | |
FPT_SKP_EXT.1 | None | None | |
FPT_APW_EXT.1 | None | None | |
FPT_TST_EXT.1 | None | None | |
FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos- |
FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also the application note on FPT_STM_EXT.1.) | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time, for success and failure (e.g., IP address). | Apr 22 15:31:37 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'set date 201904221532.00<br>Apr 22 15:32:05 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime ' |
FTA_SSL_EXT.1 (if “terminate the session” is selected) | The termination of a local interactive session by the session locking mechanism. | None | Jan 3 11:59:29 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | Jan 3 11:26:23 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
FTA_SSL.4 | The termination of an interactive session. | None | Local<br>Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout<br>Remote<br>Jan 3 11:43:33 sshd[52425]: Received disconnect from 10.1.5.153 port 36800:11: disconnected by user |
FTA_TAB.1 | None | None | |
FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempt. | Initiation of the trusted path<br>Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2<br>Termination of the trusted path<br>Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user<br>Failure of the trusted path<br>Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153' |
FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Initiation of the trusted path<br>Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2<br>Termination of the trusted path<br>Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user<br>Failure of the trusted path<br>Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153' |
FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman- |
FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate.<br>Any addition, replacement or removal of trust anchors in the TOE's trust store. | Reason for failure of certificate validation.<br>Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store. | Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst. |
FIA_X509_EXT.2 | None | None | |
FPT_TUD_EXT.2 | Failure of update | Reason for failure (including identifier of invalid certificate) | Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst. |
FMT_MOF.1/Functions | None | None | |
FMT_MOF.1/Services | None | None | |
FMT_MTD.1/CryptoKeys | None | None | |
FIA_AFL.1 | Administrator lockout due to excessive authentication failures | None | Jan 3 08:13:59 sshd: SSHD_LOGIN_ |
FCS_IPSEC_EXT.1 | Session establishment with peer | Entire packet contents of packets transmitted or received during session establishment | Nov 9 20:24:13 ikev2_allocate_exchange_data: Successfully allocated exchange data for SA 88fbc00<br>Nov 9 20:24:13 ikev2_allocate_exchange_data_info: Successfully allocated Info exchange data for SA 88fbc00 ED 88ab028<br>Nov 9 20:24:13 ikev2_allocate_exchange_data: Successfully allocated exchange data for SA 88fb300<br>Nov 9 20:24:13 ikev2_allocate_exchange_data_info: Successfully allocated Info exchange data for SA 88fb300 ED 8927028<br>Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_decode_encr: [8920400/88fbc00] Packet decrypted successfully<br>Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] kmd_pm_ike_sa_delete_notif_done_cb: Received success IKE SA 88fbc00 delete notification<br>Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_free_exchange_data_info: Successfully freed Info exchange data from SA 88fbc00<br>Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_free_exchange_data: Successfully freed exchange data from SA 88fbc00<br>Nov 9 20:24:13 [20.1.1.1 <-> 30.1.1.2] ikev2_decode_encr: [8921080/88fb300] Packet decrypted successfully |
FIA_X509_EXT.1 | Session establishment with CA | Entire packet contents of packets transmitted or received during session establishment | Nov 9 20:24:14 [20.1.1.1 <-> 30.1.1.2] ikev2_decode_auth: [8920e00/88fbc00] AUTH(method = RSA Sig (1), len = 256, data = 7a3da09a 068ac628 5e0abaf9 dcc41c33 7bdf7073 f654835a aef2e5bf f71288fc 207bed57 8b5ce79a 1112be79 a8616396 5984a7f1 834ba83d 0fe75219 8d10eeb7 2e730445 0c610fe1 e75aa728 04<br>Nov 9 20:24:21 ikev2_decode_auth: [8921300/88fb300] AUTH(method = RSA Sig (1), len = 256, data = 9ecf8df6 fb44582a 5e1acbcc bc38d392 d255fabb d3859e39 3ac6b82d 8f5f2dd3 d4943772 f0874829 f7a6c0bf dc0bc85b 6f0a86e5 864b8500 20108fca 249adfbc b1355265 489e0b32 346aeac2 a5 |
FPF_RUL_EXT.1 | Application of rules configured with the 'log' operation | Source and destination addresses<br>Source and destination ports<br>Transport layer protocol<br>TOE interface | Time of Log: 2017-11-09 21:02:03 PST, Filter: pfe, Filter action: accept, Name of interface: ms-4/0/0.1, Name of protocol: TCP, Packet Length: 52, Source address: 40.1.1.2:10799, Destination address: 10.1.1.1:22 |
FPF_RUL_EXT.1 | Indication of packets dropped due to too much network traffic | TOE interface that is unable to process packets | Jan 8 01:08:09 bm-b (FPC Slot 2, PIC Slot 0) ms40 mspmand[249]: CPU zone change GREEN=>RED (98.98 %)<br>Jan 8 01:08:09 bm-b (FPC Slot 2, PIC Slot 0) ms40 mspmand[249]: CPU utilization (98.98 percent) exceeded threshold, packets may be dropped<br>Jan 8 01:08:09 bm-b (FPC Slot 2, PIC Slot 0) ms40 mspmand[249]: CPU trap sent successfully |
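As an added example (not part of this page or of Junos), the following Python maps the syslog event tags quoted in Table 1 back to the NDcPP requirement they evidence and extracts the "origin of the attempt" field that FIA_UIA_EXT.1 asks for; the tag-to-requirement table, the regular expressions and the per-user failure counter are my assumptions built only from the record formats shown above, and the sample records are copied from the table.

```python
import re
# Junos syslog tags quoted in Table 1, mapped to the NDcPP requirement they evidence; other tags are ignored.
EVENT_TAGS = {
    "LOGIN_INFORMATION": ("FIA_UIA_EXT.1", "local login succeeded"),
    "LOGIN_FAILED": ("FIA_UIA_EXT.1", "local login failed"),
    "UI_LOGIN_EVENT": ("FIA_UIA_EXT.1", "remote login succeeded"),
    "SSHD_LOGIN_FAILED": ("FIA_UIA_EXT.1", "remote login failed"),
    "UI_CLI_IDLE_TIMEOUT": ("FTA_SSL_EXT.1/FTA_SSL.3", "idle session terminated"),
    "UI_LOGOUT_EVENT": ("FTA_SSL.4", "interactive session ended"),
    "UI_CMDLINE_READ_LINE": ("FMT_SMF.1", "administrator command"),
}
# Commands whose UI_CMDLINE_READ_LINE record Table 1 attributes to a more specific requirement.
COMMAND_REQS = (("request vmhost software add", "FMT_MOF.1/ManualUpdate"), ("set date", "FPT_STM_EXT.1"))
# "Mon DD HH:MM:SS process[pid]: TAG: text"; the pid is optional ("sshd: SSHD_LOGIN_FAILED: ...").
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<proc>\w+)(?:\[\d+\])?: "
                     r"(?P<tag>[A-Z_]+): (?P<msg>.*)$")
USER_RE = re.compile(r"[Uu]ser '?(?P<user>[^'\s,]+)")
# "Origin of the attempt": the host after "from host", or the client IP inside ssh-connection '...'.
ORIGIN_RE = re.compile(r"(?:from host|ssh-connection) '?(?P<host>[^'\s]+)")

def parse_audit_line(line):
    """Return the requirement, user and origin evidenced by one syslog line, or None if the tag is not audited."""
    m = LINE_RE.match(line)
    if not m or m["tag"] not in EVENT_TAGS:
        return None  # untagged sshd lines, truncated lines, tags not listed in Table 1
    req, event = EVENT_TAGS[m["tag"]]
    if m["tag"] == "UI_CMDLINE_READ_LINE":
        req = next((r for cmd, r in COMMAND_REQS if cmd in m["msg"]), req)
    user, origin = USER_RE.search(m["msg"]), ORIGIN_RE.search(m["msg"])
    return {"timestamp": m["ts"], "requirement": req, "tag": m["tag"], "event": event,
            "user": user["user"] if user else None, "origin": origin["host"] if origin else None}

def failed_logins_by_user(lines):
    """Count FIA_UIA_EXT.1 failures per user: the input to a FIA_AFL.1 lockout-threshold check."""
    counts = {}
    for rec in filter(None, map(parse_audit_line, lines)):
        if rec["requirement"] == "FIA_UIA_EXT.1" and "failed" in rec["event"]:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts

# Records copied from Table 1 (constructed demo input, not a live capture); the first is truncated on the page.
SAMPLE_LOG = [
    "Jan 3 09:57:52 login[7637]: LOGIN_PAM_",
    "Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0",
    "Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153'",
    "Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], "
    "ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'",
    "Apr 22 15:31:37 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'set date 201904221532.00",
]
```

Lines that carry no `TAG:` prefix (the sshd `Accepted` and `Received disconnect` records for FTP_TRP.1) are deliberately left to a separate rule, since they cannot be keyed on a Junos event tag.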