
Sample Code Audits of Configuration Changes


This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:

This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:

Example: System Logging of Configuration Changes

This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.

The new configuration changes the secret data configuration statements and adds a new user.

Table 1 lists the NDcPPv2 auditable events and, for each, the sample Junos syslog messages that record them:

Table 1: Auditable Events

| Requirement | Auditable Events | Additional Audit Record Contents | How event generated |
|---|---|---|---|
| FAU_GEN.1 | None | None | |
| FAU_GEN.2 | None | None | |
| FAU_STG_EXT.1 | None | None | |
| FAU_STG.1 | None | None | |
| FCS_CKM.1 | None | None | |
| FCS_CKM.2 | None | None | |
| FCS_CKM.4 | None | None | |
| FCS_COP.1/DataEncryption | None | None | |
| FCS_COP.1/SigGen | None | None | |
| FCS_COP.1/Hash | None | None | |
| FCS_COP.1/KeyedHash | None | None | |
| FCS_COP.1(1)/KeyedHashCMAC | None | None | |
| FCS_RBG_EXT.1 | None | None | |
| FIA_PMG_EXT.1 | None | None | |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful local login: Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0; Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0. Unsuccessful local login: Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root; Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0. Successful remote login: Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'; Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'. Unsuccessful remote login: Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153' |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Same successful and unsuccessful local and remote login messages as listed for FIA_UIA_EXT.1. |
| FIA_UAU.7 | None | None | |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None | Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-19.1-20181231.0.tgz no-validate' |
| FMT_MTD.1/CoreData | None | None | |
| FMT_SMF.1 | All management activities of TSF data | None | Refer to the audit events listed in this table. |
| FMT_SMR.2 | None | None | |
| FPT_SKP_EXT.1 | None | None | |
| FPT_APW_EXT.1 | None | None | |
| FPT_TST_EXT.1 | None | None | |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-19.1-20181231.0.tgz no-validate' |
| FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also the application note on FPT_STM_EXT.1.) | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). | Apr 22 15:31:37 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'set date 201904221532.00'; Apr 22 15:32:05 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime ' |
| FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local interactive session by the session locking mechanism. | None | Jan 3 11:59:29 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | Jan 3 11:26:23 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.4 | The termination of an interactive session. | None | Local: Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout. Remote: Jan 3 11:43:33 sshd[52425]: Received disconnect from 10.1.5.153 port 36800:11: disconnected by user |
| FTA_TAB.1 | None | None | |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempt. | Initiation of the trusted path: Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2. Termination of the trusted path: Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user. Failure of the trusted path: Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153' |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Same initiation, termination and failure messages as listed for FTP_ITC.1. |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,ext-info-c |
| FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate. Any addition, replacement or removal of trust anchors in the TOE's trust store. | Reason for failure of certificate validation. Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store. | Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
| FIA_X509_EXT.2 | None | None | |
| FPT_TUD_EXT.2 | Failure of update | Reason for failure (including identifier of invalid certificate) | Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
| FMT_MOF.1/Functions | None | None | |
| FMT_MOF.1/Services | None | None | |
| FMT_MTD.1/CryptoKeys | None | None | |
| FIA_AFL.1 | Administrator lockout due to excessive authentication failures | None | Jan 3 08:13:59 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (2) reached by user 'test1' |
| FPT_RPL.1 | Detected replay attempt | None | Apr 15 10:05:16.142910 MKA actor #0 received duplicate or delayed PDU; Apr 15 10:05:16.142932 MKA actor #0 received MKPDU, SCI 3C:94:D5:A0:A0:07/1, MI 27:D7:9F:97:53:CF:EF:86:00:52:C1:78, MN 1530 |
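As an added example (not code from the Junos documentation), the following Python parses syslog records of the shape shown in Table 1, maps each message tag or text prefix back to the NDcPP requirements it evidences, pulls out the origin of the attempt where the record carries one, and reports which required events have no evidence in a captured log. The tag-to-requirement tables are assumptions derived from Table 1, and the sample log is constructed from the table's sample values.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of Table 1's Junos syslog records (sample PIDs/addresses, not live data).
SAMPLE_LOG = """\
Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153'
Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-19.1-20181231.0.tgz no-validate'
Apr 22 15:31:37 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'set date 201904221532.00'
Jan 3 08:13:59 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (2) reached by user 'test1'
Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,ext-info-c
"""
# Tagged Junos messages from Table 1 and the NDcPP requirements each one evidences (assumed mapping).
AUTH = {"FIA_UIA_EXT.1", "FIA_UAU_EXT.2"}
TAG_REQS = {"LOGIN_INFORMATION": AUTH, "LOGIN_FAILED": AUTH, "UI_LOGIN_EVENT": AUTH,
            "SSHD_LOGIN_FAILED": AUTH | {"FTP_ITC.1", "FTP_TRP.1/Admin"},
            "UI_CLI_IDLE_TIMEOUT": {"FTA_SSL_EXT.1", "FTA_SSL.3"}, "UI_LOGOUT_EVENT": {"FTA_SSL.4"},
            "SSHD_LOGIN_ATTEMPTS_THRESHOLD": {"FIA_AFL.1"}}
# UI_CMDLINE_READ_LINE counts as evidence only for the specific commands Table 1 lists.
COMMAND_REQS = {"request vmhost software add": {"FMT_MOF.1/ManualUpdate", "FPT_TUD_EXT.1"},
                "set date": {"FPT_STM_EXT.1"}}
# sshd messages without a Junos tag are recognised by their text prefix.
UNTAGGED_REQS = {"Accepted ": {"FTP_ITC.1", "FTP_TRP.1/Admin"},
                 "Received disconnect": {"FTP_ITC.1", "FTP_TRP.1/Admin", "FTA_SSL.4"},
                 "Unable to negotiate": {"FCS_SSHS_EXT.1"}}
RECORD = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
TAG = re.compile(r"^(?P<tag>[A-Z][A-Z0-9_]+): (?P<body>.*)$")
ORIGIN = re.compile(r"(?:from host '?|from |ssh-connection ')([\w.\[\]]+)")  # IP, host name or tty

def classify(line: str) -> Tuple[Set[str], Optional[str]]:
    """Return (requirements evidenced by this line, origin of the attempt if the line carries one)."""
    rec = RECORD.match(line)
    if not rec:
        return set(), None  # not a "timestamp process[pid]: message" record (e.g. the MKA lines)
    msg = rec["msg"]
    origin = ORIGIN.search(msg)
    tagged = TAG.match(msg)
    if tagged and tagged["tag"] == "UI_CMDLINE_READ_LINE":
        cmd = re.search(r"command '([^']*)", tagged["body"])
        reqs = {r for prefix, rs in COMMAND_REQS.items() if cmd and cmd[1].startswith(prefix) for r in rs}
    elif tagged:
        reqs = set(TAG_REQS.get(tagged["tag"], ()))
    else:
        reqs = {r for prefix, rs in UNTAGGED_REQS.items() if msg.startswith(prefix) for r in rs}
    return reqs, origin[1] if origin else None

def coverage(log: str, required: Set[str]) -> Dict[str, List[str]]:
    """For each requirement, the log lines evidencing it; an empty list flags a gap in the audit trail."""
    seen: Dict[str, List[str]] = {r: [] for r in sorted(required)}
    for line in log.splitlines():
        for r in classify(line)[0] & required:
            seen[r].append(line)
    return seen
```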