[Contents] [Prev] [Next] [Index] [Report an Error]

Example: System Logging of Configuration Changes

This example shows an example configuration, makes changes to users and secret data, then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.

Example Common Criteria Configuration

[edit system]
location {
country-code US;
building B1;
}
...
login {
user tester {
uid 2000;
class super-user;
authentication {
encrypted-password “$1$pRxmZhC0$5F.ysqVL4Z5G67yg4Af4L.”;
    # SECRET-DATA;
}
}
}
radius-server 10.10.10.10 {
secret “$9$jCkfz3nC0ORmfEyKvN-ikqPz39Ap” # SECRET-DATA
}
...
snmp {
description CC_accounting;
location CC_testlab;
contact CC_tester;
v3 {
usm {
local-engine;
user CC_tester {
authentication-MD5 {
authentication–password “$9$ooajqTnCpB36pBREKv4aJUK.5FQ” ;
    # SECRET-DATA
}
}
}
vacm {
security-to-group {
security-model usm;
security-name CC_tester {
group CC_tester_group;
}
}
}
view View_All {
old .1 include;
}
}
...

Example Common Criteria Configuration Changes

The new configuration changes the secret data configuration statements and adds a new user.

user@host# show | compare
[edit system login user tester authentication]
–    encrypted-password “$1$pRxmZhC0$5F.ysqVL4Z5G67yg4Af4L.”; # SECRET-DATA
+    encrypted-password “$1$4iTht8rmdlfKJdMMmdU03nd0skKwdj”; # SECRET-DATA
[edit system login]
+    user tester2 {
+        uid 2001;
+        class operator;
+        authentication {
+            encrypted-password “$1$hJP42n6Q$6twaOvyLAjfkFvZ6ELKxpGW”;
                   # SECRET-DATA
+        }
+     }
[edit system radius-server 10.10.10.10]
–    secret “$9$jCkfz3nC0ORmfEyKvN-ikqPz39Ap”; # SECRET-DATA
+    secret “$9$99ZiCORrlMXNbvWbb2oGq.Fn/C0BrHs”; # SECRET-DATA
[edit snmp v3 usm user CC_tester authentication-MD5]
–    encrypted-password “$9$ooajqTnCpB36pBREKv4aJUK.5FQ”; # SECRET-DATA
+    encrypted-password “$9$NzbwZGiH.PGRMm5Q9C1Kvnm”; # SECRET-DATA

Load Merge

This section assumes that the example Common Criteria configuration is loaded on a router running JUNOS software. When a load merge command is executed to merge the contents of the example Common Criteria configuration changes with the contents of the original configuration, the following audit logs are created concerning the secret data: 

Jul 24 17:43:28  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [snmp v3 usm local-engine user tester authentication-md5 authentication-key]
Jul 24 17:43:28  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system login user tester authentication encrypted-password]
Jul 24 17:43:28  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system login user tester2 authentication encrypted-password]

Load Replace

This section assumes that the example Common Criteria configuration is loaded on a router running JUNOS software. When a load replace command is executed to merge the contents of the example Common Criteria configuration changes with the contents of the original configuration, the following audit logs are created concerning the secret data: 

Jul 24 18:29:09  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' replace: [snmp v3 usm local-engine user tester authentication-md5 authentication-key]
Jul 24 18:29:09  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' replace: [system login user tester authentication encrypted-password]
Jul 24 18:29:09  chow mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'regress' replace: [system login user tester authentication encrypted-password]

Load Override

This section assumes that the example Common Criteria configuration is loaded on a router running JUNOS software. When a load override command is executed to merge the contents of the example Common Criteria configuration changes with the contents of the original configuration, the following audit logs are created concerning the secret data: 

Jul 25 14:25:51  chow mgd[4153]: UI_LOAD_EVENT: User 'regress' is performing a 'load override'
Jul 25 14:25:51  chow mgd[4153]: UI_CFG_AUDIT_OTHER: User 'regress' override: CC_config2.txt
Jul 25 14:25:51  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [snmp v3 usm local-engine user tester authentication-md5 authentication-key]
Jul 25 14:25:51  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system radius-server 1.2.3.4 secret]
Jul 25 14:25:51  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system login user tester authentication encrypted-password]
Jul 25 14:25:51  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system login user tester authentication encrypted-password]

Load Update

This section assumes that the example Common Criteria configuration is loaded on a router running JUNOS software. When a load update command is executed to merge the contents of the example Common Criteria configuration changes with the contents of the original configuration, the following audit logs are created concerning the secret data: 

Jul 25 14:31:03  chow mgd[4153]: UI_LOAD_EVENT: User 'regress' is performing a 'load update'
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_OTHER: User 'regress' update: CC_config2.txt
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [snmp v3 usm local-engine user tester authentication-md5 authentication-key]
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_OTHER: User 'regress' deactivate: [snmp v3 usm local-engine user tester authentication-md5 authentication-key] ""
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system radius-server 1.2.3.4 secret]
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_OTHER: User 'regress' deactivate: [system radius-server 1.2.3.4 secret] ""
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system login user tester authentication encrypted-password]
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_OTHER: User 'regress' deactivate: [system login user tester authentication encrypted-password] ""
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_SET_SECRET: User 'regress' set: [system login user test authentication encrypted-password]
Jul 25 14:31:03  chow mgd[4153]: UI_CFG_AUDIT_OTHER: User 'regress' deactivate: [system login user test authentication encrypted-password] ""

Note: Log entries made when the configurations are changed using J-Web, JUNOScope, and JUNOScript are similar, but not identical, to changes made using the CLI.

For more information about configuring parameters and managing log files, see the JUNOS System Log Messages Reference.

[Contents] [Prev] [Next] [Index] [Report an Error]

Copyright © 2008, Juniper Networks, Inc. All Rights Reserved. Trademark Notice.