Sample Code Audits of Configuration Changes
This sample configuration audits all changes to the secret data in the configuration and sends the logs to a file named Audit-File:

```
[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
    }
}
```
This sample configuration expands the scope of the minimum audit to all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:

```
[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands info;
        kernel info;
        pfe info;
    }
}
```
Example: System Logging of Configuration Changes
This example starts from the following sample configuration and then changes the users and the secret data.

```
[edit system]
location {
    country-code US;
    building B1;
}
...
login {
    message "UNAUTHORIZED USE OF THIS DEVICE\n\tIS STRICTLY PROHIBITED!";
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$ABC123"; # SECRET-DATA
        }
    }
    password {
        format sha512;
    }
}
radius-server 192.0.2.15 {
    secret "$ABC123"; # SECRET-DATA
}
services {
    ssh;
}
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}
...
```
The new configuration changes the secret-data configuration statements and adds a new user:

```
user@host# show | compare
[edit system login user admin authentication]
-    encrypted-password "$ABC123"; # SECRET-DATA
+    encrypted-password "$ABC123"; # SECRET-DATA
[edit system login]
+   user admin2 {
+       uid 20.3;
+       class read-only;
+       authentication {
+           encrypted-password "$ABC123"; # SECRET-DATA
+       }
+   }
[edit system radius-server 192.0.2.15]
-   secret "$ABC123"; # SECRET-DATA
+   secret "$ABC123"; # SECRET-DATA
```
The following table provides details about the auditable events.
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_GEN.1 | None | None |
FAU_GEN.1/IPS | None | None |
FAU_GEN.2 | None | None |
FAU_STG_EXT.1 | None | None |
FCS_CKM.1 | None | None |
FCS_CKM.2 | None | None |
FCS_CKM.4 | None | None |
FCS_COP.1/DataEncryption | None | None |
FCS_COP.1/Hash | None | None |
FCS_COP.1/KeyedHash | None | None |
FCS_COP.1/SigGen | None | |
FCS_IPSEC_EXT.1 | Failure to establish an IPsec SA | Reason for failure |
FCS_IPSEC_EXT.1 (VPN) | Session establishment with peer | Entire packet contents of packets transmitted/received during session establishment |
FCS_RBG_EXT.1 | None | None |
FDP_RIP.2 | None | None |
FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure |
FFW_RUL_EXT.1 | Application of rules configured with the 'log' operation | • Source and destination addresses • Source and destination ports • Transport layer protocol • TOE interface |
FFW_RUL_EXT.2 | • Dynamic definition of a rule • Establishment of a session | None |
FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded | Origin of the attempt (e.g., IP address) |
FIA_PMG_EXT.1 | None | None |
FIA_PSK_EXT.1 | None | None |
FIA_UAU.7 | None | None |
FIA_UAU_EXT.2 | All use of identification and authentication mechanism | Origin of the attempt (e.g., IP address) |
FIA_UIA_EXT.1 | All use of identification and authentication mechanism | Origin of the attempt (e.g., IP address) |
FIA_X509_EXT.1/Rev | • Unsuccessful attempt to validate a certificate • Any addition, replacement or removal of trust anchors in the TOE's trust store | • Reason for failure of certificate validation • Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store |
FIA_X509_EXT.2 | None | None |
FIA_X509_EXT.3 | None | None |
FMT_MOF.1/Functions | None | None |
FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None |
FMT_MOF.1/Services | None | None |
FMT_MTD.1/CoreData | All management activities of TSF data | None |
FMT_MTD.1/CryptoKeys | None | None |
FMT_SMF.1 | All management activities of TSF data | None |
FMT_SMF.1/FFW | All management activities of TSF data (including creation, modification and deletion of firewall rules) | None |
FMT_SMF.1/IPS | Modification of an IPS policy element | Identifier or name of the modified IPS policy element (e.g., which signature, baseline, or known-good/known-bad list was modified) |
FMT_SMR.2 | None | None |
FPF_RUL_EXT.1 | Application of rules configured with the 'log' operation | • Source and destination addresses • Source and destination ports • Transport layer protocol • TOE interface |
FPT_APW_EXT.1 | None | None |
FPT_FLS.1/SelfTest | Failure of the TSF | Type of failure that occurred |
FPT_SKP_EXT.1 | None | None |
FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed via an automated process (no continuous changes to time need to be logged; see also the application note on FPT_STM_EXT.1) | For discontinuous changes to time: the old and new values for the time; origin of the attempt to change time for success and failure (e.g., IP address) |
FPT_TST_EXT.1 | None | None |
FPT_TST_EXT.3 | • Indication that the TSF self-test was completed • Failure of self-test | None |
FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None |
FTA_SSL.3 | The termination of a remote session by the session locking mechanism | None |
FTA_SSL.4 | The termination of an interactive session | None |
FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local session by the session locking mechanism | None |
FTA_TAB.1 | None | None |
FTP_ITC.1 | • Initiation of the trusted channel • Termination of the trusted channel • Failure of the trusted channel functions | Identification of the initiator and target of failed trusted channel establishment attempts |
FTP_TRP.1/Admin | • Initiation of the trusted path • Termination of the trusted path • Failure of the trusted path functions | None |
IPS_ABD_EXT.1 | Inspected traffic matches an anomaly-based IPS policy | • Source and destination IP addresses • The content of the header fields that were determined to match the policy • TOE interface that received the packet • Aspect of the anomaly-based IPS policy rule that triggered the event (e.g., throughput, time of day, frequency) • Network-based action by the TOE (e.g., allowed, blocked, sent reset to source IP, sent blocking notification to firewall) |
IPS_IPB_EXT.1 | Inspected traffic matches a list of known-good or known-bad addresses applied to an IPS policy | • Source and destination IP addresses (and, if applicable, indication of whether the source and/or destination address matched the list) • TOE interface that received the packet • Network-based action by the TOE (e.g., allowed, blocked, sent reset) |
IPS_NTA_EXT.1 | • Modification of which IPS policies are active on a TOE interface • Enabling/disabling a TOE interface with IPS policies applied • Modification of which mode(s) is/are active on a TOE interface | • Identification of the TOE interface • The IPS policy and interface mode (if applicable) |
IPS_SBD_EXT.1 | Inspected traffic matches a signature-based IPS rule with logging enabled | • Name or identifier of the matched signature • Source and destination IP addresses • The content of the header fields that were determined to match the signature • TOE interface that received the packet • Network-based action by the TOE (e.g., allowed, blocked, sent reset) |
Sample audit records for the auditable events:

Requirement | Auditable Events | Additional Audit Record Contents | Audit Record |
---|---|---|---|
FAU_GEN.1 | None | None | None |
FAU_GEN.1/IPS | None | None | |
FAU_GEN.2 | None | None | |
FAU_STG_EXT.1 | None | None | |
FCS_CKM.1 | None | None | |
FCS_CKM.2 | None | None | |
FCS_CKM.4 | None | None | |
FCS_COP.1/DataEncryption | None | None | |
FCS_COP.1/SigGen | None | None | |
FCS_COP.1/Hash | None | None | |
FCS_COP.1/KeyedHash | None | None | |
FCS_RBG_EXT.1 | None | None | |
FDP_RIP.2 | None | None | |
FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of the attempt (e.g., IP address). | See sample records below. |
FIA_PMG_EXT.1 | None | None | |
FIA_PSK_EXT.1 | None | None | |
FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address). | See sample records below. |
FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address). | Same records as FIA_UIA_EXT.1 (see below). |
FIA_UAU.7 | None | None | |
FMT_MTD.1/CoreData | None | None | |
FMT_SMR.2 | None | None | |
FPT_SKP_EXT.1 | None | None | |
FPT_APW_EXT.1 | None | None | |
FPT_TST_EXT.1 | None | None | |
FPT_TST_EXT.3 | Indication that the TSF self-test was completed; failure of self-test | None | See sample records below. |
FIA_X509_EXT.1/Rev | • Unsuccessful attempt to validate a certificate • Any addition, replacement or removal of trust anchors in the TOE's trust store | • Reason for failure of certificate validation • Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store | See sample records below. |
FIA_X509_EXT.2 | None | None | |
FIA_X509_EXT.3 | None | None | |
FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update. | None | See sample records below. |
FMT_SMF.1, FMT_SMF.1/VPN, FMT_SMF.1/FFW | All management activities of TSF data (including creation, modification and deletion of firewall rules) | None | See sample records below, by management capability. |

FIA_AFL.1 sample audit records:

```
<35>1 2022-05-02T13:07:12.148Z NFX350 sshd 90361 - - error: PAM: authentication error for acumensec from 10.1.2.170
<37>1 2022-05-02T13:07:12.149Z NFX350 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.19 username="acumensec" source-address="10.1.2.170"] Login failed for user 'acumensec' from host '10.1.2.170'
<35>1 2022-05-02T13:07:13.681Z NFX350 sshd 90361 - - error: PAM: authentication error for acumensec from 10.1.2.170
<37>1 2022-05-02T13:07:13.682Z NFX350 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.19 username="acumensec" source-address="10.1.2.170"] Login failed for user 'acumensec' from host '10.1.2.170'
<35>1 2022-05-02T13:07:19.935Z NFX350 sshd 90361 - - error: PAM: authentication error for acumensec from 10.1.2.170
<37>1 2022-05-02T13:07:19.936Z NFX350 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.19 username="acumensec" source-address="10.1.2.170"] Login failed for user 'acumensec' from host '10.1.2.170'
<38>1 2022-05-02T13:07:31.262Z NFX350 sshd 90361 - - Failed password for acumensec from 10.1.2.170 port 33032 ssh2
<37>1 2022-05-02T13:07:31.262Z NFX350 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.19 username="acumensec" source-address="10.1.2.170"] Login failed for user 'acumensec' from host '10.1.2.170'
<37>1 2022-05-02T13:07:49.026Z NFX350 sshd 90361 LIBJNX_LOGIN_ACCOUNT_LOCKED [junos@2636.1.1.1.4.138.19 username="acumensec"] Account for user 'acumensec' has been locked out from logins
<37>1 2022-05-02T13:07:49.027Z NFX350 sshd 90361 PAM_USER_LOCK_LOGIN_REQUESTS_DENIED [junos@2636.1.1.1.4.138.19 hostname="10.1.2.170"] Login requests from host '10.1.2.170' are denied
<38>1 2022-05-02T13:07:49.027Z NFX350 sshd 90361 - - Failed password for acumensec from 10.1.2.170 port 33032 ssh2
<37>1 2022-05-02T13:07:49.028Z NFX350 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.19 username="acumensec" source-address="10.1.2.170"] Login failed for user 'acumensec' from host '10.1.2.170'
<37>1 2022-05-02T13:08:14.032Z NFX350 sshd - SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.4.138.19 limit="5" username="acumensec"] Threshold for unsuccessful authentication attempts (5) reached by user 'acumensec'
<38>1 2022-05-02T13:08:14.033Z NFX350 sshd 90362 - - Disconnecting authenticating user acumensec 10.1.2.170 port 33032: Too many password failures for acumensec
```

FIA_UIA_EXT.1 and FIA_UAU_EXT.2 sample audit records:

Local successful login:

```
Nov 27 09:11:11 NFX350 login[21384]: LOGIN_INFORMATION: User acumensec logged in from host [unknown] on device ttyu0
Nov 27 09:11:11 NFX350 mgd[72306]: UI_AUTH_EVENT: Authenticated user 'acumensec' assigned to class 'j-super-user'
```

Local unsuccessful login:

```
Nov 27 09:09:36 NFX350 login: Login attempt for user acumensec from host [unknown]
Nov 27 09:09:43 NFX350 login[21384]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user acumensec
Nov 27 09:09:43 NFX350 login[21384]: LOGIN_FAILED: Login failed for user acumensec from host ttyu0
Nov 27 09:09:59 NFX350 login[21384]: Login attempt for user exit from host [unknown]
Nov 27 09:09:59 NFX350 login[21384]: 1 LOGIN FAILURE ON ttyu0
Nov 27 09:09:59 NFX350 login[21384]: 1 LOGIN FAILURE ON ttyu0, acumensec
```

Remote successful login:

```
Nov 27 09:14:05 NFX350 sshd[72464]: Accepted keyboard-interactive/pam for acumensec from 192.168.137.3 port 55000 ssh2
Nov 27 09:14:06 NFX350 mgd[72469]: UI_AUTH_EVENT: Authenticated user 'acumensec' assigned to class 'j-super-user'
Nov 27 09:14:06 NFX350 mgd[72469]: UI_LOGIN_EVENT: User 'acumensec' login, class 'j-super-user' [72469], ssh-connection '192.168.137.3 55000 192.168.137.20 22', client-mode 'cli'
```

Remote unsuccessful login:

```
Nov 27 09:12:25 NFX350 sshd[72377]: error: PAM: authentication error for acumensec from 192.168.137.3
Nov 27 09:12:25 NFX350 sshd: SSHD_LOGIN_FAILED: Login failed for user 'acumensec' from host '192.168.137.3'
Nov 27 09:13:05 NFX350 sshd[72377]: error: PAM: authentication error for acumensec from 192.168.137.3
Nov 27 09:13:05 NFX350 sshd: SSHD_LOGIN_FAILED: Login failed for user 'acumensec' from host '192.168.137.3'
```

FPT_TST_EXT.3 sample audit records:

```
Nov 27 09:51:58 NFX350 kernel: @ 1606470687 [2020-11-27 09:51:27 UTC] mgd start
Nov 27 09:51:58 NFX350 kernel: Creating initial configuration: ...
Nov 27 09:51:58 NFX350 kernel: mgd: Running FIPS Self-tests
Nov 27 09:51:58 NFX350 kernel: mgd: Testing kernel KATS:
Nov 27 09:51:58 NFX350 kernel: mgd: NIST 800-90 HMAC DRBG Known Answer Test: Passed
Nov 27 09:51:58 NFX350 kernel: mgd: DES3-CBC Known Answer Test:Passed
Nov 27 09:51:58 NFX350 kernel: mgd: HMAC-SHA1 Known Answer Test: Passed
Nov 27 09:51:58 NFX350 kernel: mgd: HMAC-SHA2-256 Known Answer Test: Passed
Nov 27 09:51:58 NFX350 kernel: mgd: SHA-2-384 Known Answer Test:Passed
Nov 27 09:51:58 NFX350 kernel: mgd: SHA-2-512 Known Answer Test: Passed
Nov 27 09:51:58 NFX350 kernel: mgd: AES128-CMAC Known Answer Test: Passed
```

FIA_X509_EXT.1/Rev sample audit records:

Addition of trust anchor:

```
<182>1 2022-06-09T11:02:59.701Z NFX350 mgd 50145 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[security pki ca-profile AcumenCA ca-identity\]" delimiter="" data="<unconfigured>" value="AcumenCA"] User 'acumensec' set: [security pki ca-profile AcumenCA ca-identity] <unconfigured> -> "AcumenCA"
<190>1 2022-06-09T11:03:01.073Z NFX350 mgd 50145 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.19 username="acumensec" command="run request security pki ca-certificate load ca-profile AcumenCA filename /var/home/acumensec/AcumenCA.crt "] User 'acumensec', command 'run request security pki ca-certificate load ca-profile AcumenCA filename /var/home/acumensec/AcumenCA.crt '
<29>1 2022-06-09T11:03:01.085Z NFX350 pkid 22008 PKID_PV_CERT_LOAD [junos@2636.1.1.1.4.138.19 type-string="AcumenCA"] Certificate AcumenCA has been successfully loaded
```

Removal of trust anchor:

```
<190>1 2022-06-09T11:06:48.714Z NFX350 mgd 50145 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.19 username="acumensec" command="run clear security pki ca-certificate ca-profile AcumenCA "] User 'acumensec', command 'run clear security pki ca-certificate ca-profile AcumenCA '
<29>1 2022-06-09T11:06:48.725Z NFX350 pkid 22008 PKID_PV_CERT_DEL [junos@2636.1.1.1.4.138.19 type-string="AcumenCA"] Certificate deletion has occurred for AcumenCA
```

Unsuccessful attempt to validate a certificate:

```
<27>1 2021-08-25T12:48:07.220Z NFX350 pkid 21707 PKID_NO_CA_CERT [junos@2636.1.1.1.4.138.19 type-string="NFX350"] CA Certificate for certificate NFX350 not found in local database
```

FMT_MOF.1/ManualUpdate sample audit records:

```
<190>1 2021-08-10T06:41:14.181Z NFX350 mgd 23572 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.19 username="acumensec" command="request vmhost software add /var/tmp/jinstall-host-nfx-3-x86-64-20.3I-20201210.0.1400-secure-signed.tgz no-validate "] User 'acumensec', command 'request vmhost software add /var/tmp/jinstall-host-nfx-3-x86-64-20.3I-20201210.0.1400-secure-signed.tgz no-validate '
<190>1 2021-08-10T06:41:14.198Z NFX350 mgd 23572 UI_CHILD_START [junos@2636.1.1.1.4.138.19 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'
<29>1 2021-08-10T06:41:14.200Z NFX350 mgd 23572 - - /usr/libexec/ui/package -X update /var/tmp/jinstall-host-nfx-3-x86-64-20.3I-20201210.0.1400-secure-signed.tgz -no-validate
```

FMT_SMF.1, FMT_SMF.1/VPN and FMT_SMF.1/FFW sample audit records, by management capability:

• Ability to administer the TOE locally and remotely:

Local successful login:

```
Nov 27 09:11:11 NFX350 login[21384]: LOGIN_INFORMATION: User acumensec logged in from host [unknown] on device ttyu0
Nov 27 09:11:11 NFX350 mgd[72306]: UI_AUTH_EVENT: Authenticated user 'acumensec' assigned to class 'j-super-user'
```

Remote successful login:

```
Nov 27 09:14:05 NFX350 sshd[72464]: Accepted keyboard-interactive/pam for acumensec from 192.168.137.3 port 55000 ssh2
Nov 27 09:14:06 NFX350 mgd[72469]: UI_AUTH_EVENT: Authenticated user 'acumensec' assigned to class 'j-super-user'
Nov 27 09:14:06 NFX350 mgd[72469]: UI_LOGIN_EVENT: User 'acumensec' login, class 'j-super-user' [72469], ssh-connection '192.168.137.3 55000 192.168.137.20 22', client-mode 'cli'
```

• Ability to configure the access banner:

```
May 13 00:03:58 NFX350 mgd[14109]: UI_CMDLINE_READ_LINE: User 'acumensec', command 'set system login message \"\ ThisIsLoginBanner\" '
May 13 00:04:00 NFX350 mgd[14109]: UI_CMDLINE_READ_LINE: User 'acumensec', command 'set system login announcement \"\ ThisIsMOTDBanner\ ThisIsExecBanner\
```

• Ability to configure the session inactivity time before session termination or locking:

```
<182>1 2021-08-25T12:37:30.586Z NFX350 mgd 71982 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[system login idle-timeout\]" delimiter="\"" data="60" value="5"] User 'acumensec' set: [system login idle-timeout] "60 -> "5"
```

• Ability to update the TOE, and to verify the updates using digital signature and [no other] capability prior to installing those updates.

• Ability to configure the authentication failure parameters for FIA_AFL.1:

```
<182>1 2021-08-10T06:53:02.864Z NFX350 mgd 23572 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[system login retry-options lockout-period\]" delimiter="\"" data="5" value="1"] User 'acumensec' set: [system login retry-options lockout-period] "5 -> "1"
```

• All management activities of TSF data (including creation, modification and deletion of firewall rules):

```
<182>1 2022-06-13T07:23:58.008Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall family inet filter SRC_DENY term drop from source-address 10.1.1.60/32\]" delimiter="" value=""] User 'acumensec' set: [firewall family inet filter SRC_DENY term drop from source-address 10.1.1.60/32]
<182>1 2022-06-13T07:24:01.607Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall family inet filter SRC_DENY term drop then discard\]" delimiter="" value=""] User 'acumensec' set: [firewall family inet filter SRC_DENY term drop then discard]
<182>1 2022-06-13T07:24:06.001Z NFX350 mgd 88911 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall family inet filter SRC_DENY term drop then\]" delimiter="" data="<unconfigured>" value="log"] User 'acumensec' set: [firewall family inet filter SRC_DENY term drop then] <unconfigured> -> "log"
<182>1 2022-06-13T08:09:55.268Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="delete" pathname="[firewall filter DEST_PERMIT\]" delimiter="" value=""] User 'acumensec' delete: [firewall filter DEST_PERMIT]
```

• Ability to manage the cryptographic keys:

```
Nov 27 09:31:28 NFX350 mgd[79117]: UI_AUTH_EVENT: Authenticated user 'Tester1' assigned to class 'j-super-user'
Nov 27 09:31:28 NFX350 mgd[79117]: UI_LOGIN_EVENT: User 'Tester1' login, class 'j-super-user' [79117], ssh-connection '192.168.137.3 56026 192.168.137.20 22', client-mode 'cli'
Nov 27 09:31:30 NFX350 mgd[79117]: UI_CMDLINE_READ_LINE: User 'Tester1', command 'configure '
Nov 27 09:31:30 NFX350 mgd[79117]: PVIDB: Attribute 'license.agile_infra_supported' not present in Db
Nov 27 09:31:30 NFX350 mgd[79117]: UI_DBASE_LOGIN_EVENT: User 'Tester1' entering configuration mode
Nov 27 09:31:35 NFX350 mgd[79117]: UI_CFG_AUDIT_OTHER: User 'Tester1' set: [system services ssh ciphers aes128-cbc]
Nov 27 09:31:35 NFX350 mgd[79117]: UI_CMDLINE_READ_LINE: User 'Tester1', command 'set system services ssh ciphers aes128-cbc '
```

• Ability to configure the cryptographic functionality (console output at boot, showing image signature verification and the FIPS self-tests):

```
Verified /boot/boot.4th
Verified /boot/platform.4th
Verified /boot/loader.rc
Verified /boot/junos-menu.4th
Verified /boot/junos-support.4th
Verified /boot/junos-snapshot.4th
Verified /boot/junos-device.4th
Verified /boot/junos-boot.4th
Verified /boot/platform-boot.4th
Verified /boot/junos-term.4th
Verified /boot/oam-autoboot.4th
Autoboot in 3 seconds... (press Ctrl-C to interrupt)
Autoboot in 2 seconds... (press Ctrl-C to interrupt)
Autoboot in 1 seconds... (press Ctrl-C to interrupt)
Verified /packages/sets/active/boot/os-kernel/../manifest signed by PackageProductionECP256_2020
Verified /packages/sets/active/boot/os-crypto/../manifest signed by PackageProductionECP256_2020
mgd: FIPS Self-tests Passed
mgd: commit complete
/etc/config//nfx350_s3-defaults.conf: 33: (28) syntax error, expecting '}' or '{': initial-hold
/etc/config//nfx350_s3-defaults.conf: 41: (13) error recovery ignores input until this point: }
mgd: commit complete
@ 1606470702 [2020-11-27 09:51:42 UTC] mgd done
Lock Manager
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc. All Rights Reserved.
Unix Domain sockets Lock manager
Lock manager 'lockmgr' started successfully.
Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc. All Rights Reserved.
Profile database initialized
Enhanced arp scale is disabled
lag enhanced disabled 0
No core dumps found.
Prefetching /usr/sbin/rpd ...
Prefetching /usr/libexec64/rpd ...
Prefetching /usr/sbin/lacpd ...
Prefetching /usr/sbin/chassisd ...
@ 1606470705 [2020-11-27 09:51:45 UTC] mountlater start
@ 1606470708 [2020-11-27 09:51:48 UTC] mountlater done
newsyslog.junos: pid file doesn't exist: /var/run/syslog.pid
Starting jlaunchhelperd.
Invoking jdid_diag_mode_setup.sh on junos
Starting cron.
Fri Nov 27 09:51:58 UTC 2020
FreeBSD/amd64 (NFX350) (ttyu0)
login: QAT: could not find SSL section in any config files
Starting network management services: snmpd libvirtMib_subagent.
Synchronizing UEFI key-store: Juniper Dev keys are not revoked. Doing nothing
cp: cannot stat '/var/platform/lte_vm_xml_params': No such file or directory
rm: cannot remove '/lib/udev/rules.d/lte_usb.rules': No such file or directory
FreeBSD/amd64 (NFX350) (ttyu0)
```

• Ability to configure the lifetime for IPsec SAs:

```
<182>1 2021-08-25T12:31:44.291Z NFX350 mgd 71982 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[security ipsec proposal ipsec-devices-proposal lifetime-seconds\]" delimiter="\"" data="30000" value="28800"] User 'acumensec' set: [security ipsec proposal ipsec-devices-proposal lifetime-seconds] "30000 -> "28800"
```

• Ability to import X.509v3 certificates to the TOE's trust store:

```
<190>1 2021-08-25T07:12:05.518Z NFX350 mgd 59039 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.19 username="acumensec" command="run request security pki ca-certificate load ca-profile AcumenICA filename AcumenICA.crt "] User 'acumensec', command 'run request security pki ca-certificate load ca-profile AcumenICA filename AcumenICA.crt '
<29>1 2021-08-25T07:12:05.527Z NFX350 pkid 21707 PKID_PV_CERT_LOAD [junos@2636.1.1.1.4.138.19 type-string="AcumenICA"] Certificate AcumenICA has been successfully loaded
```

• Ability to start and stop services:

```
Nov 27 09:27:36 NFX350 mgd[77596]: UI_AUTH_EVENT: Authenticated user 'Tester1' assigned to class 'j-super-user'
Nov 27 09:27:36 NFX350 mgd[77596]: UI_LOGIN_EVENT: User 'Tester1' login, class 'j-super-user' [77596], ssh-connection '192.168.137.3 55836 192.168.137.20 22', client-mode 'cli'
Nov 27 09:27:38 NFX350 mgd[77596]: UI_CMDLINE_READ_LINE: User 'Tester1', command 'configure '
Nov 27 09:27:38 NFX350 mgd[77596]: PVIDB: Attribute 'license.agile_infra_supported' not present in Db
Nov 27 09:27:38 NFX350 mgd[77596]: UI_DBASE_LOGIN_EVENT: User 'Tester1' entering configuration mode
Nov 27 09:27:56 NFX350 mgd[77596]: UI_CMDLINE_READ_LINE: User 'Tester1', command 'set system services netconf ssh '
```

• Ability to configure audit behavior:

```
Jan 12 12:16:06 NFX350 clear-log[91489]: logfile cleared
Jan 12 12:16:06 NFX350 mgd[91445]: UI_CHILD_STATUS: Cleanup child '/usr/libexec/ui/clear-log', PID 91489, status 0
Jan 12 12:16:06 NFX350 mgd[91445]: UI_FILE_CLEARED: 'audit' logfile cleared by user 'acumensec'
Jan 12 12:16:13 NFX350 mgd[91445]: UI_CMDLINE_READ_LINE: User 'acumensec', command 'exit '
Jan 12 12:16:13 NFX350 mgd[91445]: UI_DBASE_LOGOUT_EVENT: User 'acumensec' exiting configuration mode
```

• Ability to configure thresholds for SSH rekeying:

```
[System Message]: Approximate 1 minutes 4 seconds before rekey happens
show system uptime
Current time: 2020-05-17 21:49:03 UTC
Time Source: LOCAL CLOCK
System booted: 2020-05-12 23:51:11 UTC (4d 21:57 ago)
Protocols started: 2020-05-12 23:52:33 UTC (4d 21:56 ago)
Last configured: 2020-05-17 21:45:59 UTC (00:03:04 ago) by acumensec
9:49PM up 4 days, 21:58, 4 users, load averages: 0.68, 0.54, 0.51
debug3: send packet: type 30
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: rekeying in progress
debug1: rekeying in progress
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:d93HoDt2BojeOsanLln+jo5UOohW75UXKXiafuYWX6I
debug2: verify_host_key: server host key ECDSA SHA256:d93HoDt2BojeOsanLln+jo5UOohW75UXKXiafuYWX6I matches cached key
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: set_newkeys: rekeying, input 3016 bytes 144 blocks, output 3832 bytes 147 blocks
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
show system uptime
Current time: 2020-05-17 21:50:04 UTC
Time Source: LOCAL CLOCK
System booted: 2020-05-12 23:51:11 UTC (4d 21:58 ago)
Protocols started: 2020-05-12 23:52:33 UTC (4d 21:57 ago)
Last configured: 2020-05-17 21:45:59 UTC (00:04:05 ago) by acumensec
9:50PM up 4 days, 21:59, 4 users, load averages: 0.60, 0.55, 0.51
```

• Ability to re-enable an Administrator account:

```
May 22 21:00:51 NFX350 sshd[33266]: LIBJNX_LOGIN_ACCOUNT_UNLOCKED: Account for user 'Tester' has been unlocked for logins
```

• Ability to set the time which is used for time-stamps:

```
Nov 27 09:59:28 NFX350 mgd[13369]: UI_CHILD_START: Starting child '/bin/date'
May 13 00:00:00 NFX350 date: date set by root
May 13 00:00:00 NFX350 mgd[13369]: UI_CHILD_STATUS: Cleanup child '/bin/date', PID 13406, status 0x200
May 13 00:00:00 NFX350 mgd[13369]: UI_CHILD_EXITED: Child exited: PID 13406, status 2, command '/bin/date'
May 13 00:00:00 NFX350 mgd[13369]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Network security daemon', pid 11660, signal 31, status 0 with notification errors enabled
May 13 00:00:00 NFX350 nsd[11660]: NSD_SYS_TIME_CHANGE: System time has changed.
```

• Ability to configure the reference identifier for the peer:

```
<182>1 2021-08-25T12:53:12.267Z NFX350 mgd 73318 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[security ike gateway gw-b remote-identity hostname\]" delimiter="" data="<unconfigured>" value="peer.acumensec.local"] User 'acumensec' set: [security ike gateway gw-b remote-identity hostname] <unconfigured> -> "peer.acumensec.local"
```

• Ability to manage the TOE's trust store and designate X.509v3 certificates as trust anchors: the same three records shown above under "Addition of trust anchor" for FIA_X509_EXT.1/Rev.

• Ability to manage the trusted public keys database:

```
<190>1 2022-06-13T07:16:56.570Z NFX350 mgd 88911 UI_CHILD_START [junos@2636.1.1.1.4.138.19 command="/usr/bin/ssh-keygen"] Starting child '/usr/bin/ssh-keygen'
<190>1 2022-06-13T07:16:56.584Z NFX350 mgd 88911 UI_CHILD_STATUS [junos@2636.1.1.1.4.138.19 command="/usr/bin/ssh-keygen" pid="54449" status-code="0"] Cleanup child '/usr/bin/ssh-keygen', PID 54449, status 0
<182>1 2022-06-13T07:16:56.585Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[system login user syslog-mon authentication ssh-ecdsa /* SECRET-DATA */\]" delimiter="" value=""] User 'acumensec' set: [system login user syslog-mon authentication ssh-ecdsa /* SECRET-DATA */]
```

• Definition of packet filtering rules: the same three SRC_DENY records shown above under "All management activities of TSF data".

• Association of packet filtering rules to network interfaces:

```
<182>1 2022-06-13T07:30:40.233Z NFX350 mgd 88911 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[interfaces ge-1/0/0 unit 0 family inet filter input\]" delimiter="" data="<unconfigured>" value="SRC_DENY"] User 'acumensec' set: [interfaces ge-1/0/0 unit 0 family inet filter input] <unconfigured> -> "SRC_DENY"
```

• Ordering of packet filtering rules by priority:

```
<182>1 2022-06-13T07:37:13.229Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term permit from destination-address 10.1.5.27/32\]" delimiter="" value=""] User 'acumensec' set: [firewall filter DEST_PERMIT term permit from destination-address 10.1.5.27/32]
<182>1 2022-06-13T07:37:21.523Z NFX350 mgd 88911 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term permit then\]" delimiter="" data="<unconfigured>" value="accept"] User 'acumensec' set: [firewall filter DEST_PERMIT term permit then] <unconfigured> -> "accept"
<182>1 2022-06-13T07:37:29.283Z NFX350 mgd 88911 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term permit then\]" delimiter="" data="<unconfigured>" value="log"] User 'acumensec' set: [firewall filter DEST_PERMIT term permit then] <unconfigured> -> "log"
<182>1 2022-06-13T07:37:43.032Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term drop from destination-address 10.1.5.27/32\]" delimiter="" value=""] User 'acumensec' set: [firewall filter DEST_PERMIT term drop from destination-address 10.1.5.27/32]
<182>1 2022-06-13T07:37:55.884Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term drop then discard\]" delimiter="" value=""] User 'acumensec' set: [firewall filter DEST_PERMIT term drop then discard]
<182>1 2022-06-13T07:38:02.763Z NFX350 mgd 88911 UI_CFG_AUDIT_SET [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[firewall filter DEST_PERMIT term drop then\]" delimiter="" data="<unconfigured>" value="log"] User 'acumensec' set: [firewall filter DEST_PERMIT term drop then] <unconfigured> -> "log"
```
FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure). | None. |
<190>1 2021-08-10T06:41:14.181Z NFX350 mgd 23572 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.19 username="acumensec" command="request vmhost software add /var/tmp/jinstall-host-nfx-3-x86-64-20.3I-20201210.0.1400-secure-signed.tgz no-validate "] User 'acumensec', command 'request vmhost software add /var/tmp/jinstall-host-nfx-3-x86-64-20.3I-20201210.0.1400-secure-signed.tgz no-validate '
<190>1 2021-08-10T06:41:14.198Z NFX350 mgd 23572 UI_CHILD_START [junos@2636.1.1.1.4.138.19 command="/usr/libexec/ui/package"] Starting child '/usr/libexec/ui/package'
<29>1 2021-08-10T06:41:14.200Z NFX350 mgd 23572 - - /usr/libexec/ui/package -X update /var/tmp/jinstall-host-nfx-3-x86-64-20.3I-20201210.0.1400-secure-signed.tgz -no-validate |
FPT_STM_EXT.1 | Discontinuous changes to time - either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also application note on FPT_STM_EXT.1) For discontinuous changes to time: The old and new values for the time. | Origin of the attempt to change time for success and failure (e.g., IP address). |
Nov 27 09:59:28 NFX350 mgd[13369]: UI_CHILD_START: Starting child '/bin/date'
May 13 00:00:00 NFX350 date: date set by root
May 13 00:00:00 NFX350 mgd[13369]: UI_CHILD_STATUS: Cleanup child '/bin/date', PID 13406, status 0x200
May 13 00:00:00 NFX350 mgd[13369]: UI_CHILD_EXITED: Child exited: PID 13406, status 2, command '/bin/date'
May 13 00:00:00 NFX350 mgd[13369]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Network security daemon', pid 11660, signal 31, status 0 with notification errors enabled
May 13 00:00:00 NFX350 nsd[11660]: NSD_SYS_TIME_CHANGE: System time has changed. |
FTA_SSL_EXT.1 | (if “terminate the session” is selected) The termination of a local session by the session locking mechanism. | None. |
May 17 04:50:21 NFX350 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated
May 17 04:50:21 NFX350 mgd[95344]: UI_LOGOUT_EVENT: User 'root' logout |
FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None. |
May 17 04:50:21 NFX350 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated
May 17 04:50:21 NFX350 mgd[95344]: UI_LOGOUT_EVENT: User 'root' logout |
FTA_SSL.4 | The termination of an interactive session. | None. |
Local
May 16 08:29:28 NFX350 mgd[17208]: UI_CMDLINE_READ_LINE: User 'acumensec', command 'quit '
May 16 08:29:28 NFX350 mgd[17208]: PVIDB: Attribute 'license.agile_infra_supported' not present in Db
May 16 08:29:28 NFX350 mgd[17208]: UI_LOGOUT_EVENT: User 'acumensec' logout
Remote
Nov 27 09:35:10 NFX350 mgd[79303]: UI_CMDLINE_READ_LINE: User 'acumensec', command 'exit '
Nov 27 09:35:10 NFX350 mgd[79303]: PVIDB: Attribute 'license.agile_infra_supported' not present in Db
Nov 27 09:35:10 NFX350 mgd[79303]: UI_LOGOUT_EVENT: User 'acumensec' logout |
FTA_TAB.1 | None | None |
FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channels establishment attempt. |
Initiation
<14>1 2021-08-16T12:23:47.193Z NFX350 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.4.138.19 source-address="10.1.1.60" source-port="21985" destination-address="10.1.3.27" destination-port="1" connection-tag="0" service-name="icmp" nat-source-address="10.1.1.60" nat-source-port="21985" nat-destination-address="10.1.3.27" nat-destination-port="1" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="vpn-allow" source-zone-name="trust" destination-zone-name="vpnzone" session-id-32="67216731" username="N/A" roles="N/A" packet-incoming-interface="ge-1/0/0.1" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session created 10.1.1.60/21985->10.1.3.27/1 0x0 icmp 10.1.1.60/21985->10.1.3.27/1 0x0 N/A N/A N/A N/A 1 vpn-allow trust vpnzone 67216731 N/A(N/A) ge-1/0/0.1 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A
Failure and Termination
<14>1 2021-08-17T13:59:52.690Z NFX350 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.4.138.19 source-address="10.1.1.60" source-port="58108" destination-address="10.1.3.27" destination-port="22" connection-tag="0" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="vpn-deny" source-zone-name="trust" destination-zone-name="vpnzone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-1/0/0.1" encrypted="No" reason="Denied by policy" session-id-32="67244718" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session denied 10.1.1.60/58108->10.1.3.27/22 0x0 junos-ssh 6(0) vpn-deny trust vpnzone UNKNOWN UNKNOWN N/A(N/A) ge-1/0/0.1 No Denied by policy 67244718 N/A N/A -1 N/A N/A N/A
<14>1 2021-08-17T13:59:53.691Z NFX350 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.4.138.19 source-address="10.1.1.60" source-port="58108" destination-address="10.1.3.27" destination-port="22" connection-tag="0" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="vpn-deny" source-zone-name="trust" destination-zone-name="vpnzone" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-1/0/0.1" encrypted="No" reason="Denied by policy" session-id-32="67244719" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session denied 10.1.1.60/58108->10.1.3.27/22 0x0 junos-ssh 6(0) vpn-deny trust vpnzone UNKNOWN UNKNOWN N/A(N/A) ge-1/0/0.1 No Denied by policy 67244719 N/A N/A -1 N/A N/A N/A |
FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None. |
Initiation
<38>1 2021-08-10T10:34:55.462Z NFX350 sshd 34040 - - Accepted keyboard-interactive/pam for acumensec from 10.1.1.60 port 41942 ssh2
<190>1 2021-08-10T10:34:55.808Z NFX350 mgd 34051 UI_AUTH_EVENT [junos@2636.1.1.1.4.138.19 username="acumensec" authentication-level="j-super-user"] Authenticated user 'acumensec' assigned to class 'j-super-user'
<190>1 2021-08-10T10:34:55.809Z NFX350 mgd 34051 UI_LOGIN_EVENT [junos@2636.1.1.1.4.138.19 username="acumensec" class-name="j-super-user" local-peer="" pid="34051" ssh-connection="10.1.1.60 41942 10.1.1.127 22" client-mode="cli"] User 'acumensec' login, class 'j-super-user' [34051], ssh-connection '10.1.1.60 41942 10.1.1.127 22', client-mode 'cli'
Termination
<190>1 2021-08-10T10:37:16.686Z NFX350 mgd 34051 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.19 username="acumensec" command="exit "] User 'acumensec', command 'exit '
<190>1 2021-08-10T10:37:16.695Z NFX350 mgd 34051 UI_LOGOUT_EVENT [junos@2636.1.1.1.4.138.19 username="acumensec"] User 'acumensec' logout
<38>1 2021-08-10T10:37:16.710Z NFX350 sshd 34049 - - Received disconnect from 10.1.1.60 port 41942:11: disconnected by user
<38>1 2021-08-10T10:37:16.710Z NFX350 sshd 34049 - - Disconnected from user acumensec 10.1.1.60 port 41942
Failure
SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.4.138.19 limit="5" username="acumensec"] Threshold for unsuccessful authentication attempts (5) reached by user 'acumensec'
<38>1 2021-08-10T10:29:50.300Z NFX350 sshd 33807 - - Disconnecting authenticating user acumensec 10.1.1.60 port 41934: Too many password failures for acumensec
<38>1 2021-08-10T10:29:50.300Z NFX350 sshd 33806 - - Disconnecting authenticating user acumensec 10.1.1.60 port 41934: Too many password failures for acumensec [preauth] |
FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure |
<35>1 2022-05-02T13:07:12.148Z NFX350 sshd 90361 - - error: PAM: authentication error for acumensec from 10.1.2.170
<37>1 2022-05-02T13:07:12.149Z NFX350 sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.4.138.19 username="acumensec" source-address="10.1.2.170"] Login failed for user 'acumensec' from host '10.1.2.170' |
FMT_MOF.1/Functions | None | None |
FMT_MOF.1/Services | None | None |
FMT_MTD.1/CryptoKeys | None | None |
FFW_RUL_EXT.1 | Application of rules configured with the ‘log’ operation | Source and destination addresses. Source and destination ports. Transport Layer Protocol. TOE Interface. |
Time of Log: 2021-05-06 08:48:14 UTC, Filter: pfe, Filter action: discard, Name of interface: ge-1/0/0.1 Name of protocol: ICMP, Packet Length: 84, Source address: 10.1.1.60, Destination address: 10.1.1.127 ICMP type: 8, ICMP code: 0
Time of Log: 2021-05-04 08:48:13 UTC, Filter: pfe, Filter action: discard, Name of interface: ge-1/0/0.1 Name of protocol: ICMP, Packet Length: 84, Source address: 10.1.1.60, Destination address: 10.1.1.127 ICMP type: 8, ICMP code: 0 |
FCS_IPSEC_EXT.1 | Session Establishment with peer | Entire packet contents of packets transmitted/received during session establishment |
21 10:21:59 NFX350 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.168.1/19882->10.10.10.1/7 0x0 icmp 192.168.168.1/19882->10.10.10.1/7 0x0 N/A N/A N/A N/A 1 vpn-chi-tr vpnzone trust 67135301 N/A(N/A) st0.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A
Jan 21 10:21:59 NFX350 RT_FLOW: |
FPF_RUL_EXT.1 | Application of rules configured with the ‘log’ operation | Source and destination addresses. Source and destination ports. Transport Layer Protocol. TOE Interface. |
acumensec@NFX350:fips# run show firewall log detail
Time of Log: 2021-05-04 08:34:18 UTC, Filter: pfe, Filter action: discard, Name of interface: ge-1/0/0.1 Name of protocol: ICMP, Packet Length: 84, Source address: 10.1.1.60, Destination address: 10.1.1.127 ICMP Type: 8, ICMP code: 0
Time of Log: 2021-05-04 08:34:17 UTC, Filter: pfe, Filter action: discard, Name of interface: ge-1/0/0.1 Name of protocol: ICMP, Packet Length: 84, Source address: 10.1.1.60, Destination address: 10.1.1.127 ICMP Type: 8, ICMP code: 0 |
FFW_RUL_EXT.2 | Dynamical definition of rule. Establishment of a session | None |
Time of Log: 2021-05-31 04:19:27 UTC, Filter: pfe, Filter action: accept, Name of interface: ge-1/0/0.1 Name of protocol: TCP, Packet Length: 52, Source address: 10.1.1.60:45130, Destination address: 10.1.3.160:1023
Time of Log: 2021-05-31 04:19:27 UTC, Filter: pfe, Filter action: accept, Name of interface: ge-1/0/0.1 Name of protocol: TCP, Packet Length: 52, Source address: 10.1.1.60:45130, Destination address: 10.1.3.160:1023
Time of Log: 2021-05-31 04:19:24 UTC, Filter: pfe, Filter action: accept, Name of interface: ge-1/0/0.1 Name of protocol: TCP, Packet Length: 63, Source address: 10.1.1.60:45130, Destination address: 10.1.3.160:1023 |
FMT_SMF.1/IPS | Modification of an IPS policy element. | Identifier or name of the modified IPS policy element (e.g. which signature, baseline, or known-good/known-bad list was modified). |
<182>1 2021-08-10T07:47:22.958Z NFX350 mgd 26205 UI_CFG_AUDIT_OTHER [junos@2636.1.1.1.4.138.19 username="acumensec" action="set" pathname="[security idp custom-attack UDPDstport\]" delimiter="" value=""] User 'acumensec' set: [security idp custom-attack UDPDstport]
<190>1 2021-08-10T07:47:22.958Z NFX350 mgd 26205 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.4.138.19 username="acumensec" command="set security idp custom-attack UDPDstport "] User 'acumensec', command 'set security idp custom-attack UDPDstport ' |
IPS_ABD_EXT.1 | Inspected traffic matches an anomaly-based IPS policy. | Source and destination IP addresses. The content of the header fields that were determined to match the policy. TOE interface that received the packet. Aspect of the anomaly-based IPS policy rule that triggered the event (e.g. throughput, time of day, frequency, etc.). Network-based action by the TOE (e.g. allowed, blocked, sent reset to source IP, sent blocking notification to firewall). |
<14>1 2021-06-25T04:53:46.402Z NFX350 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.4.138.19 epoch-time="1624596826" message-type="SIG" source-address="10.1.1.60" source-port="0" destination-address="10.1.3.160" destination-port="0" protocol-name="ICMP" service-name="SERVICE_IDP" application-name="ICMP-ECHO" rule-name="1" rulebase-name="IPS" policy-name="idp-Policies" export-id="1048618" repeat-count="0" action="DROP" threat-severity="INFO" attack-name="IPS-security" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="trust" source-interface-name="ge-1/0/0.1" destination-zone-name="untrust" destination-interface-name="ge-1/0/1.1" packet-log-id="0" alert="yes" username="N/A" roles="N/A" xff-header="N/A" cve-id="N/A" message="-"] IDP: at 1624596826, SIG Attack log <10.1.1.60/0->10.1.3.160/0> for ICMP protocol and service SERVICE_IDP application ICMP-ECHO by rule 1 of rulebase IPS in policy idp-Policies. attack: id=1048618, repeat=0, action=DROP, threat-severity=INFO, name=IPS-security, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:ge-1/0/0.1->untrust:ge-1/0/1.1, packet-log-id: 0, alert=yes, username=N/A, roles=N/A, xff-header=N/A, cve-id=N/A and misc-message |
IPS_IPB_EXT.1 | Inspected traffic matches a list of known-good or known-bad addresses applied to an IPS policy. | Source and destination IP addresses (and, if applicable, indication of whether the source and/or destination address matched the list). TOE interface that received the packet. Network-based action by the TOE (e.g. allowed, blocked, sent reset). |
<14>1 2021-06-25T06:56:03.712Z NFX350 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.4.138.19 source-address="10.1.1.60" source-port="20396" destination-address="10.1.3.160" destination-port="1" connection-tag="0" service-name="icmp" nat-source-address="10.1.1.60" nat-source-port="20396" nat-destination-address="10.1.3.160" nat-destination-port="1" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="bypass-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="67186413" username="N/A" roles="N/A" packet-incoming-interface="ge-1/0/0.1" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN" application-category="N/A" application-sub-category="N/A" application-risk="-1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session created 10.1.1.60/20396->10.1.3.160/1 0x0 icmp 10.1.1.60/20396->10.1.3.160/1 0x0 N/A N/A N/A N/A 1 bypass-all trust untrust 67186413 N/A(N/A) ge-1/0/0.1 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A
<14>1 2021-06-25T06:56:03.712Z NFX350 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.4.138.19 epoch-time="1624604163" message-type="SIG" source-address="10.1.1.60" source-port="20396" destination-address="10.1.3.160" destination-port="1" protocol-name="ICMP" service-name="SERVICE_IDP" application-name="ICMP-ECHO" rule-name="1" rulebase-name="IPS" policy-name="idp-Policies" export-id="1048585" repeat-count="0" action="DROP" threat-severity="INFO" attack-name="IPV4-Source-Address" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="trust" source-interface-name="ge-1/0/0.1" destination-zone-name="untrust" destination-interface-name="ge-1/0/1.1" packet-log-id="0" alert="yes" username="N/A" roles="N/A" xff-header="N/A" cve-id="N/A" message="-"] IDP: at 1624604163, SIG Attack log <10.1.1.60/20396->10.1.3.160/1> for ICMP protocol and service SERVICE_IDP application ICMP-ECHO by rule 1 of rulebase IPS in policy idp-Policies. attack: id=1048585, repeat=0, action=DROP, threat-severity=INFO, name=IPV4-Source-Address, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:ge-1/0/0.1->untrust:ge-1/0/1.1, packet-log-id: 0, alert=yes, username=N/A, roles=N/A, xff-header=N/A, cve-id=N/A and misc-message -
<14>1 2021-06-25T06:57:05.764Z NFX350 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.4.138.19 reason="Closed by junos-idp" source-address="10.1.1.60" source-port="20396" destination-address="10.1.3.160" destination-port="4" connection-tag="0" service-name="icmp" nat-source-address="10.1.1.60" nat-source-port="20396" nat-destination-address="10.1.3.160" nat-destination-port="4" nat-connection-tag="0" src-nat-rule-type="N/A" src-nat-rule-name="N/A" dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="1" policy-name="bypass-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="67186416" packets-from-client="1" bytes-from-client="84" packets-from-server="0" bytes-from-server="0" elapsed-time="60" application="ICMP" nested-application="ICMP-ECHO" username="N/A" roles="N/A" packet-incoming-interface="ge-1/0/0.1" encrypted="No" application-category="Infrastructure" application-sub-category="Networking" application-risk="1" application-characteristics="N/A" secure-web-proxy-session-type="NA" peer-session-id="0" peer-source-address="0.0.0.0" peer-source-port="0" peer-destination-address="0.0.0.0" peer-destination-port="0" hostname="NA" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session closed Closed by junos-idp: 10.1.1.60/20396->10.1.3.160/4 0x0 icmp 10.1.1.60/20396->10.1.3.160/4 0x0 N/A N/A N/A N/A 1 bypass-all trust untrust 67186416 1(84) 0(0) 60 ICMP ICMP-ECHO N/A(N/A) ge-1/0/0.1 No Infrastructure Networking 1 N/A NA 0 0.0.0.0/0->0.0.0.0/0 NA N/A N/A |
IPS_SBD_EXT.1 | Inspected traffic matches a signature-based IPS rule with logging enabled. | Name or identifier of the matched signature. Source and destination IP addresses. The content of the header fields that were determined to match the signature. TOE interface that received the packet. Network-based action by the TOE (e.g. allowed, blocked, sent reset). |
<14>1 2021-06-25T07:14:21.651Z NFX350 RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.4.138.19 epoch-time="1624605261" message-type="SIG" source-address="10.1.1.60" source-port="49560" destination-address="10.1.3.160" destination-port="21" protocol-name="TCP" service-name="SERVICE_IDP" application-name="FTP" rule-name="1" rulebase-name="IPS" policy-name="idp-Policies" export-id="2450" repeat-count="0" action="DROP" threat-severity="INFO" attack-name="FTP:USER:ANONYMOUS" nat-source-address="0.0.0.0" nat-source-port="0" nat-destination-address="0.0.0.0" nat-destination-port="0" elapsed-time="0" inbound-bytes="0" outbound-bytes="0" inbound-packets="0" outbound-packets="0" source-zone-name="trust" source-interface-name="ge-1/0/0.1" destination-zone-name="untrust" destination-interface-name="ge-1/0/1.1" packet-log-id="0" alert="yes" username="N/A" roles="N/A" xff-header="N/A" cve-id="N/A" message="-"] IDP: at 1624605261, SIG Attack log <10.1.1.60/49560->10.1.3.160/21> for TCP protocol and service SERVICE_IDP application FTP by rule 1 of rulebase IPS in policy idp-Policies. attack: id=2450, repeat=0, action=DROP, threat-severity=INFO, name=FTP:USER:ANONYMOUS, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:trust:ge-1/0/0.1->untrust:ge-1/0/1.1, packet-log-id: 0, alert=yes, username=N/A, roles=N/A, xff-header=N/A, cve-id=N/A and misc-message - |
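The structured-data records in the table (the configuration-change rows under FMT_SMF.1 and the SSH rows under FTP_TRP.1/Admin and FCS_SSHS_EXT.1) share one RFC 5424 layout: `<PRI>1 TIMESTAMP HOST APP PID MSGID [junos@2636.1.1.1.4.138.19 key="value" ...] text`. The following is an added example, not code from the Juniper document: a parser for that layout plus two checks an evaluator reading this table would make, that a change under a SECRET-DATA node logs an empty value, and that SSH login failures per (user, source) are counted up to the lockout limit. The sample records are constructed to match the rows above; the `CC_MAP` message-ID to requirement mapping is this example's own reading of the table.

```python
import re
from collections import Counter

# Junos structured-data syslog (RFC 5424 framing), as in the rows above:
#   <PRI>1 TIMESTAMP HOST APP PID MSGID [junos@2636.1.1.1.4.138.19 key="value" ...] free text
# PID, MSGID or the whole SD element may be "-" (see the sshd and package records).
HEADER = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) '
    r'(?:\[(?P<sdid>[^\s\]]+)(?P<params>(?:\s+[^\s=]+="(?:[^"\\]|\\.)*")*)\s*\]|-)\s*(?P<text>.*)$'
)
PARAM = re.compile(r'([^\s=]+)="((?:[^"\\]|\\.)*)"')

def parse(line):
    """Return header fields plus the SD key/value map (empty when the SD element is '-')."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "app", "pid", "msgid", "text")}
    rec["facility"], rec["severity"] = divmod(int(m.group("pri")), 8)
    # Junos escapes ']' inside values as '\]' (the pathname fields above); undo that.
    rec["sd"] = {k: v.replace("\\]", "]") for k, v in PARAM.findall(m.group("params") or "")}
    return rec

CC_MAP = {  # MSGID -> the audit-table requirement it evidences (this example's mapping)
    "UI_CFG_AUDIT_SET": "FMT_SMF.1",
    "UI_CFG_AUDIT_OTHER": "FMT_SMF.1",
    "UI_LOGIN_EVENT": "FTP_TRP.1/Admin initiation",
    "UI_LOGOUT_EVENT": "FTP_TRP.1/Admin termination",
    "SSHD_LOGIN_FAILED": "FCS_SSHS_EXT.1 failure",
    "SSHD_LOGIN_ATTEMPTS_THRESHOLD": "FTP_TRP.1/Admin failure",
    "RT_FLOW_SESSION_DENY": "FTP_ITC.1 failure",
}

def audit(lines, threshold=5):
    """Classify records; flag a SECRET-DATA change that logs a value, and count SSH
    failures per (user, source) until the lockout threshold (limit=5 in the table)."""
    events, failures, findings = [], Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["msgid"] not in CC_MAP:
            continue
        sd = rec["sd"]
        events.append((CC_MAP[rec["msgid"]], rec["msgid"], sd.get("username", "-")))
        if rec["msgid"].startswith("UI_CFG_AUDIT") and "SECRET-DATA" in sd.get("pathname", ""):
            if sd.get("value", ""):
                findings.append("secret value written to audit log at " + sd["pathname"])
        if rec["msgid"] == "SSHD_LOGIN_FAILED":
            key = (sd.get("username", "-"), sd.get("source-address", "-"))
            failures[key] += 1
            if failures[key] == threshold:
                findings.append("%s from %s reached %d failed SSH logins" % (key + (threshold,)))
    return events, dict(failures), findings

SD = "[junos@2636.1.1.1.4.138.19 "
# Constructed sample: two config-audit records and an sshd line modelled on the rows
# above, then five login failures from one host.
SAMPLE = [
    '<182>1 2022-06-13T07:16:56.585Z NFX350 mgd 88911 UI_CFG_AUDIT_OTHER ' + SD
    + 'username="acumensec" action="set" pathname="[system login user syslog-mon '
    + 'authentication ssh-ecdsa /* SECRET-DATA */\\]" delimiter="" value=""] '
    + "User 'acumensec' set: [system login user syslog-mon authentication ssh-ecdsa /* SECRET-DATA */]",
    '<182>1 2021-08-25T12:53:12.267Z NFX350 mgd 73318 UI_CFG_AUDIT_SET ' + SD
    + 'username="acumensec" action="set" pathname="[security ike gateway gw-b remote-identity '
    + 'hostname\\]" delimiter="" data="<unconfigured>" value="peer.acumensec.local"] '
    + "User 'acumensec' set: [security ike gateway gw-b remote-identity hostname] <unconfigured> -> \"peer.acumensec.local\"",
    '<38>1 2021-08-10T10:34:55.462Z NFX350 sshd 34040 - - Accepted keyboard-interactive/pam '
    + 'for acumensec from 10.1.1.60 port 41942 ssh2',
] + [
    '<37>1 2022-05-02T13:07:%02d.149Z NFX350 sshd - SSHD_LOGIN_FAILED ' % i + SD
    + 'username="acumensec" source-address="10.1.2.170"] '
    + "Login failed for user 'acumensec' from host '10.1.2.170'"
    for i in range(5)
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```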