Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Event Logging Overview

 

The evaluated configuration requires the auditing of configuration changes through the system log.

In addition, Junos OS can:

  • Send automated responses to audit events (syslog entry creation).

  • Allow authorized managers to examine audit logs.

  • Send audit files to external servers.

  • Allow authorized managers to return the system to a known state.

The logging for the evaluated configuration must capture the events. The logging events are listed below:

Table 1 shows sample for syslog auditing for NDcPPv2:

Table 1: Auditable Events

Requirement

Auditable Events

Additional Audit Record Contents

FAU_GEN.1

None

None

FAU_GEN.2

None

None

FAU_STG_EXT.1

None

None

FAU_STG.1

None

None

FCS_CKM.1

None

None

FCS_CKM.2

None

None

FCS_CKM.4

None

None

FCS_COP.1/DataEncryption

None

None

FCS_COP.1/SigGen

None

None

FCS_COP.1/Hash

None

None

FCS_COP.1/KeyedHash

None

None

FCS_RBG_EXT.1

None

None

FDP_RIP.2

None

None

FIA_AFL.1

Unsuccessful login attempts limit is met or exceeded.

Origin of the attempt (e.g., IP address).

FIA_PMG_EXT.1

None

None

FIA_UIA_EXT.1

All use of identification and authentication mechanism.

Provided user identity, origin of the attempt (e.g., IP address).

FIA_UAU_EXT.2

All use of identification and authentication mechanism.

Origin of the attempt (e.g., IP address).

FIA_UAU.7

None

None

FMT_MOF.1/ManualUpdate

Any attempt to initiate a manual update.

None

FMT_MTD.1/CoreData

All management activities of TSF data

None

FMT_SMF.1

None

None

FMT_SMR.2

None

None

FPT_SKP_EXT.1

None

None

FPT_APW_EXT.1

None

None

FPT_TST_EXT.1

None

None

FPT_TUD_EXT.1

Initiation of update; result of the update attempt (success or failure)

None

FPT_STM.1

Discontinuous changes to time - either Administrator actuated or changed through an automated process.

For discontinuous changes to time: The old and new values for the time. Origin of the attempt to change time for success and failure (such as, IP address).

FTA_SSL_EXT.1 (if terminate the session is selected)

The termination of a local interactive session by the session locking mechanism.

None

FTA_SSL.3

The termination of a remote session by the session locking mechanism.

None

FTA_SSL.4

The termination of an interactive session.

None

FTA_TAB.1

None

None

FCS_SSHS_EXT.1

Failure to establish an SSH session

Reason for failure

FTP_ITC.1

Initiation of the trusted channel.

Termination of the trusted channel. Failure of the trusted channel functions

Identification of the initiator and target of failed trusted channels establishment attempt

FTP_TRP.1/Admin

Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions.

None

FCS_SSHS_EXT.1

Failure to establish an SSH session

Reason for failure

FIA_X509_EXT.1/Rev

Unsuccessful attempt to validate a certificate

Reason for failure

FIA_X509_EXT.2

None

None

FIA_X509_EXT.3

None

None

FMT_MOF.1/Functions

Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full.

None

FMT_MOF.1/Services

Starting and stopping of services.

None

FMT_MTD.1/CryptoKeys

Management of cryptographic keys.

None

FFW_RUL_EXT.1

Application of rules configured with the ‘log’ operation

Source and destination addresses.

Source and destination ports. Transport Layer Protocol TOE Interface

Indication of packets dropped due to too much network traffic

TOE interface that is unable to process packets.

Identifier of rule causing packet drop

FFW_RUL_EXT.2

None

None

FCS_IPSEC_EXT.1

Session Establishment with peer

Entire packet contents of packets transmitted/received during session establishment

FIA_X509_EXT.1

Session establishment with CA

Entire packet contents of packets transmitted/received during session establishment

FPF_RUL_EXT.1

Application of rules configured with the ‘log’ operation

Source and destination addresses.

Source and destination ports. Transport Layer Protocol TOE Interface

Indication of packets dropped due to too much network traffic

TOE interface that is unable to process packets

In addition, Juniper Networks recommends that logging also:

  • Capture all changes to the configuration.

  • Store logging information remotely.

Related Documentation