Event Logging Overview
The evaluated configuration requires the auditing of configuration changes through the system log.
In addition, Junos OS can:

- Send automated responses to audit events (syslog entry creation).
- Allow authorized managers to examine audit logs.
- Send audit files to external servers.
- Allow authorized managers to return the system to a known state.
The logging for the evaluated configuration must capture the events listed below.

Table 1 lists the auditable events, and the additional contents each audit record must carry, for syslog auditing under NDcPPv2:
| Requirement | Auditable Events | Additional Audit Record Contents |
|---|---|---|
| FAU_GEN.1 | None | None |
| FAU_GEN.2 | None | None |
| FAU_STG_EXT.1 | None | None |
| FAU_STG.1 | None | None |
| FCS_CKM.1 | None | None |
| FCS_CKM.2 | None | None |
| FCS_CKM.4 | None | None |
| FCS_COP.1/DataEncryption | None | None |
| FCS_COP.1/SigGen | None | None |
| FCS_COP.1/Hash | None | None |
| FCS_COP.1/KeyedHash | None | None |
| FCS_RBG_EXT.1 | None | None |
| FDP_RIP.2 | None | None |
| FIA_AFL.1 | Unsuccessful login attempts limit is met or exceeded. | Origin of the attempt (e.g., IP address). |
| FIA_PMG_EXT.1 | None | None |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Provided user identity, origin of the attempt (e.g., IP address). |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address). |
| FIA_UAU.7 | None | None |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update. | None |
| FMT_MTD.1/CoreData | All management activities of TSF data. | None |
| FMT_SMF.1 | None | None |
| FMT_SMR.2 | None | None |
| FPT_SKP_EXT.1 | None | None |
| FPT_APW_EXT.1 | None | None |
| FPT_TST_EXT.1 | None | None |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure). | None |
| FPT_STM.1 | Discontinuous changes to time, either Administrator actuated or changed through an automated process. | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (such as IP address). |
| FTA_SSL_EXT.1 | The termination of a local interactive session by the session locking mechanism. | None |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None |
| FTA_SSL.4 | The termination of an interactive session. | None |
| FTA_TAB.1 | None | None |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session. | Reason for failure. |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channel establishment attempt. |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None |
| FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate. | Reason for failure. |
| FIA_X509_EXT.2 | None | None |
| FIA_X509_EXT.3 | None | None |
| FMT_MOF.1/Functions | Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full. | None |
| FMT_MOF.1/Services | Starting and stopping of services. | None |
| FMT_MTD.1/CryptoKeys | Management of cryptographic keys. | None |
| FFW_RUL_EXT.1 | Application of rules configured with the ‘log’ operation. | Source and destination addresses. Source and destination ports. Transport Layer Protocol. TOE Interface. |
| | Indication of packets dropped due to too much network traffic. | TOE interface that is unable to process packets. Identifier of rule causing packet drop. |
| FFW_RUL_EXT.2 | None | None |
| FCS_IPSEC_EXT.1 | Session establishment with peer. | Entire packet contents of packets transmitted/received during session establishment. |
| FIA_X509_EXT.1 | Session establishment with CA. | Entire packet contents of packets transmitted/received during session establishment. |
| FPF_RUL_EXT.1 | Application of rules configured with the ‘log’ operation. | Source and destination addresses. Source and destination ports. Transport Layer Protocol. TOE Interface. |
| | Indication of packets dropped due to too much network traffic. | TOE interface that is unable to process packets. |
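As an added illustration of how collected syslog output can be checked against the record contents the table requires (example code written for this page, not Junos OS code or a Juniper tool), the script below maps a few Junos message tags to requirement IDs from Table 1 and flags records that lack the user identity or origin the table calls for. The tag-to-requirement mapping, the field patterns and the sample lines are assumptions constructed for the example; exact message text varies by Junos release.

```python
import re

# Constructed sample lines in the general shape of Junos syslog messages; they were
# not captured from a device. The last line is deliberately incomplete (no user).
SAMPLE_LOG = """\
Jan 10 09:12:01 fw1 sshd[2210]: SSHD_LOGIN_FAILED: Login failed for user 'admin' from host '192.0.2.55'
Jan 10 09:12:40 fw1 mgd[3101]: UI_LOGIN_EVENT: User 'admin' login, class 'super-user' [pid 3101], ssh-connection '192.0.2.55 51022 198.51.100.1 22', client-mode 'cli'
Jan 10 09:13:05 fw1 mgd[3101]: UI_CFG_AUDIT_SET: User 'admin' set: [system syslog host 198.51.100.20 any] any
Jan 10 09:13:07 fw1 mgd[3101]: UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)
Jan 10 09:20:00 fw1 mgd[3101]: UI_LOGOUT_EVENT: User 'admin' logout
Jan 10 09:21:00 fw1 mgd[3101]: UI_COMMIT: commit requested
"""

# Assumed mapping: message tag -> (requirement from Table 1, fields the table says the
# record must carry: "user" = provided user identity, "origin" = origin of the attempt).
AUDIT_MAP = {
    "SSHD_LOGIN_FAILED": ("FIA_UAU_EXT.2", ("user", "origin")),
    "UI_LOGIN_EVENT":    ("FIA_UIA_EXT.1", ("user", "origin")),
    "UI_CFG_AUDIT_SET":  ("FMT_MTD.1/CoreData", ("user",)),
    "UI_COMMIT":         ("FMT_MTD.1/CoreData", ("user",)),
    "UI_LOGOUT_EVENT":   ("FTA_SSL.4", ("user",)),
}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>\w+)\[\d+\]: (?P<tag>[A-Z_]+): (?P<msg>.*)$")
USER_RE = re.compile(r"[Uu]ser '(?P<user>[^']+)'")
# Origin is either "from host '<ip>'" or the client address in an ssh-connection tuple.
ORIGIN_RE = re.compile(r"from host '(?P<ip>[^']+)'|ssh-connection '(?P<src>\S+) \d+ \S+ \d+'")

def classify(line):
    """Map one syslog line to its requirement and list the required fields it lacks.
    Returns None for lines that carry no audited message tag."""
    m = LINE_RE.match(line)
    if not m or m["tag"] not in AUDIT_MAP:
        return None
    req, needed = AUDIT_MAP[m["tag"]]
    rec = {"timestamp": m["ts"], "tag": m["tag"], "requirement": req, "user": None, "origin": None}
    if (u := USER_RE.search(m["msg"])):
        rec["user"] = u["user"]
    if (o := ORIGIN_RE.search(m["msg"])):
        rec["origin"] = o["ip"] or o["src"]
    rec["missing"] = [f for f in needed if rec[f] is None]
    return rec

def audit_coverage(log_text):
    """Count audited records per requirement and collect records missing required contents."""
    per_req, incomplete = {}, []
    for rec in filter(None, map(classify, log_text.splitlines())):
        per_req[rec["requirement"]] = per_req.get(rec["requirement"], 0) + 1
        if rec["missing"]:
            incomplete.append(rec)
    return per_req, incomplete
```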
In addition, Juniper Networks recommends that logging also:

- Capture all changes to the configuration.
- Store logging information remotely.