Sample Code Audits of Configuration Changes
This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:
```
[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
    }
}
```
This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
```
[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands info;
        kernel info;
        pfe info;
    }
}
```
Example: System Logging of Configuration Changes
This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.
```
[edit system]
location {
    country-code US;
    building B1;
}
...
login {
    message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!";
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$ABC123"; # SECRET-DATA
        }
    }
}
radius-server 192.0.2.15 {
    secret "$ABC123"; # SECRET-DATA
}
services {
    ssh;
}
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}
...
...
```
The new configuration changes the secret data configuration statements and adds a new user.
```
security-administrator@host:fips# show | compare
[edit system login user admin authentication]
-   encrypted-password "$ABC123"; # SECRET-DATA
+   encrypted-password "$ABC123"; # SECRET-DATA
[edit system login]
+   user admin2 {
+       uid 2001;
+       class operator;
+       authentication {
+           encrypted-password "$ABC123"; # SECRET-DATA
+       }
+   }
[edit system radius-server 192.0.2.15]
-   secret "$ABC123"; # SECRET-DATA
+   secret "$ABC123"; # SECRET-DATA
```
Table 1 shows sample syslog audit records for the NDcPPv2.2e requirements:
| Requirement | Auditable Events | Additional Audit Record Contents | How the event is generated |
|---|---|---|---|
| FAU_GEN.1 | None | None | |
| FAU_GEN.2 | None | None | |
| FAU_STG_EXT.1 | None | None | |
| FAU_STG.1 | None | None | |
| FCS_CKM.1 | None | None | |
| FCS_CKM.2 | None | None | |
| FCS_CKM.4 | None | None | |
| FCS_COP.1/DataEncryption | None | None | |
| FCS_COP.1/SigGen | None | None | |
| FCS_COP.1/Hash | None | None | |
| FCS_COP.1/KeyedHash | None | None | |
| FCS_COP.1(1) | None | None | |
| FCS_COP.1 | None | None | |
| FCS_RBG_EXT.1 | None | None | |
| FIA_PMG_EXT.1 | None | None | |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful Local Login:<br>`Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0`<br>`Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0`<br>Unsuccessful Local Login:<br>`Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root`<br>`Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0`<br>Successful Remote Login:<br>`Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'`<br>`Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'`<br>Unsuccessful Remote Login:<br>`Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153'` |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful Local Login:<br>`Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0`<br>`Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0`<br>Unsuccessful Local Login:<br>`Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root`<br>`Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0`<br>Successful Remote Login:<br>`Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'`<br>`Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'`<br>Unsuccessful Remote Login:<br>`Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153'` |
| FIA_UAU.7 | None | None | |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None | `Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-19.1-20181231.0.tgz no-validate'` |
| FMT_MTD.1/CoreData | None | None | |
| FMT_SMF.1 | All management activities of TSF data | None | Refer to the audit events listed in this table. |
| FMT_SMR.2 | None | None | |
| FPT_SKP_EXT.1 | None | None | |
| FPT_APW_EXT.1 | None | None | |
| FPT_TST_EXT.1 | None | None | Power on or reboot the device to view the self-test during startup. |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | `Dec 28 21:51:21 mgd[8007]: UI_CMDLINE_READ_LINE: User 'root', command 'request vmhost software add /var/tmp/junos-vmhost-install-mx-x86-64-19.1-20181231.0.tgz no-validate'` |
| FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also the application note on FPT_STM_EXT.1.) | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). | `Apr 22 15:31:37 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'set date 201904221532.00'`<br>`Apr 22 15:32:05 mgd[11121]: UI_CMDLINE_READ_LINE: User 'root', command 'show system uptime '` |
| FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local interactive session by the session locking mechanism. | None | `Jan 3 11:59:29 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated` |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | `Jan 3 11:26:23 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated` |
| FTA_SSL.4 | The termination of an interactive session. | None | Local:<br>`Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout`<br>Remote:<br>`Jan 3 11:43:33 sshd[52425]: Received disconnect from 10.1.5.153 port 36800:11: disconnected by user` |
| FTA_TAB.1 | None | None | |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempts. | Initiation of the trusted path:<br>`Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2`<br>Termination of the trusted path:<br>`Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user`<br>Failure of the trusted path:<br>`Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153'` |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Initiation of the trusted path:<br>`Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2`<br>Termination of the trusted path:<br>`Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user`<br>Failure of the trusted path:<br>`Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153'` |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | `Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,ext-info-c` |
| FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate. Any addition, replacement or removal of trust anchors in the TOE's trust store. | Reason for failure of certificate validation. Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store. | `Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net` |
| FIA_X509_EXT.2 | None | None | |
| FPT_TUD_EXT.2 | Failure of update | Reason for failure (including identifier of invalid certificate) | `Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net` |
| FMT_MOF.1/Functions | None | None | |
| FMT_MOF.1/Services | None | None | |
| FMT_MTD.1/CryptoKeys | None | None | |
| FIA_AFL.1 | Administrator lockout due to excessive authentication failures | None | `Jan 3 08:13:59 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (2) reached by user 'test1'` |
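The records in Table 1 are only useful if something downstream can tie each line in Audit-File back to the NDcPP requirement it satisfies and pull out the user and origin the requirement asks for. The following is an added example (not Junos or Juniper code) of such a parser; it assumes the message layouts shown in the table and uses a tag-to-requirement mapping constructed from the table rows above.

```python
import re
from collections import Counter

# Junos syslog records look like "<Mon> <d> <HH:MM:SS> <process>[pid]: <TAG>: <text>";
# the [pid] is absent for some daemons (sshd, cli) in the samples shown in the table.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<proc>[A-Za-z_-]+)(?:\[\d+\])?:\s*(?P<tag>[A-Z_]+):\s*(?P<msg>.*)$"
)
# Origin of the attempt: "from host 'x'" or the client address of an ssh-connection tuple.
HOST_RE = re.compile(r"from host '?(?P<host>[^' ]+)'?|ssh-connection '(?P<conn>[^ ']+)")
USER_RE = re.compile(r"[Uu]ser '?(?P<user>[\w.-]+)'?")

# Message tag -> NDcPP v2.2e requirement whose audit record it supplies (from the table above).
# This mapping is constructed for the example; it is not a Junos or NDcPP artefact.
TAG_TO_REQ = {
    "LOGIN_INFORMATION": "FIA_UIA_EXT.1", "LOGIN_ROOT": "FIA_UIA_EXT.1",
    "LOGIN_PAM_AUTHENTICATION_ERROR": "FIA_UIA_EXT.1", "LOGIN_FAILED": "FIA_UIA_EXT.1",
    "UI_AUTH_EVENT": "FIA_UIA_EXT.1", "UI_LOGIN_EVENT": "FIA_UIA_EXT.1",
    "SSHD_LOGIN_FAILED": "FIA_UIA_EXT.1",
    "UI_CLI_IDLE_TIMEOUT": "FTA_SSL_EXT.1/FTA_SSL.3",  # the tag alone cannot tell local from remote
    "UI_LOGOUT_EVENT": "FTA_SSL.4",
    "SSHD_LOGIN_ATTEMPTS_THRESHOLD": "FIA_AFL.1",
}

def classify(line: str) -> "dict | None":
    """Map one syslog line to its NDcPP requirement plus user and origin, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # untagged lines (raw OpenSSH "Accepted ..." records) are not handled here
    tag, msg = m.group("tag"), m.group("msg")
    req = TAG_TO_REQ.get(tag)
    if tag == "UI_CMDLINE_READ_LINE":
        # Update and time-change audits share one tag; the command text decides.
        if "request vmhost software add" in msg:
            req = "FPT_TUD_EXT.1"
        elif "set date" in msg:
            req = "FPT_STM_EXT.1"
    if req is None:
        return None
    user, host = USER_RE.search(msg), HOST_RE.search(msg)
    return {
        "requirement": req, "tag": tag, "timestamp": m.group("ts"),
        "user": user.group("user") if user else None,
        "host": (host.group("host") or host.group("conn")) if host else None,
    }

def audit_summary(lines) -> Counter:
    """Count auditable records per requirement (a quick audit-coverage check over Audit-File)."""
    return Counter(r["requirement"] for r in map(classify, lines) if r)
```

Feeding a day of Audit-File through `audit_summary` shows at a glance which requirements produced no records, which is usually the first sign that the syslog scope in the configuration above was narrowed.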