Sample Code Audits of Configuration Changes
This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:
```
[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
    }
}
```
This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
```
[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands info;
        kernel info;
        pfe info;
    }
}
```
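One way to check a candidate configuration against the minimum audit stanza above, as an added example that is not Juniper's code or part of this guide; `parse_junos`, `missing_audit_facilities` and the sample stanzas are assumptions constructed for the example (the `[edit system]` prefix is omitted from the samples):

```python
# Added example (not Juniper's code): a small parser for the brace-style syslog
# stanza shown above, used to verify that a candidate configuration still routes
# the minimum audit facilities to the audit file. Helper names and samples are assumed.
import re

# Junos severities from least to most verbose; "any" selects every severity.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "any"]
# Facilities the minimum audit configuration must log, with the lowest acceptable severity.
REQUIRED = {"authorization": "info", "change-log": "info", "interactive-commands": "info"}

def parse_junos(text):
    """Parse Junos curly-brace text into nested dicts; 'facility severity;' becomes key -> value."""
    root, stack, words = {}, [], []
    current = root
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":                       # open a nested stanza named by the words so far
            stack.append(current)
            current = current.setdefault(" ".join(words), {})
            words = []
        elif tok == "}":                     # close the stanza, return to its parent
            current = stack.pop()
        elif tok == ";":                     # leaf statement: first word is key, rest is value
            if words:
                current[words[0]] = " ".join(words[1:]) if len(words) > 1 else True
            words = []
        else:
            words.append(tok)
    return root

def covers(configured, required):
    """True if the configured severity logs everything the required severity would."""
    return SEVERITY_ORDER.index(configured) >= SEVERITY_ORDER.index(required)

def missing_audit_facilities(config_text, log_file="Audit-File"):
    """List the required facilities absent from, or logged too quietly in, the named file."""
    stanza = parse_junos(config_text).get("syslog", {}).get("file " + log_file, {})
    return [f for f, sev in REQUIRED.items()
            if stanza.get(f) not in SEVERITY_ORDER or not covers(stanza[f], sev)]

# Constructed samples: the two stanzas from this page, and one that was trimmed too far.
MINIMUM = "syslog { file Audit-File { authorization info; change-log info; interactive-commands info; } }"
EXPANDED = ("syslog { file Audit-File { any any; authorization info; change-log any; "
            "interactive-commands info; kernel info; pfe info; } }")
TRIMMED = "syslog { file Audit-File { authorization info; change-log notice; } }"
```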
Example: System Logging of Configuration Changes
This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.
```
[edit system]
location {
    country-code US;
    building B1;
}
...
login {
    message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!";
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$ABC123"; # SECRET-DATA
        }
    }
}
radius-server 192.0.2.15 {
    secret "$ABC123"; # SECRET-DATA
}
services {
    ssh;
}
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}
...
```
The new configuration changes the secret data configuration statements and adds a new user.
```
security-administrator@hostname:fips# show | compare
[edit system login user admin authentication]
-    encrypted-password "$ABC123"; # SECRET-DATA
+    encrypted-password "$ABC123"; # SECRET-DATA
[edit system login]
+    user admin2 {
+        uid 2001;
+        class operator;
+        authentication {
+            encrypted-password "$ABC123"; # SECRET-DATA
+        }
+    }
[edit system radius-server 192.0.2.15]
-    secret "$ABC123"; # SECRET-DATA
+    secret "$ABC123"; # SECRET-DATA
```
Table 1 shows sample syslog audit events for NDcPPv2.2e, with the log message the device generates for each auditable event:
| Requirement | Auditable Events | Additional Audit Record Contents | How the event is generated |
|---|---|---|---|
| FAU_GEN.1 | None | None | |
| FAU_GEN.2 | None | None | |
| FAU_STG_EXT.1 | None | None | |
| FAU_STG.1 | None | None | |
| FCS_CKM.1 | None | None | |
| FCS_CKM.2 | None | None | |
| FCS_CKM.4 | None | None | |
| FCS_COP.1/DataEncryption | None | None | |
| FCS_COP.1/SigGen | None | None | |
| FCS_COP.1/Hash | None | None | |
| FCS_COP.1/KeyedHash | None | None | |
| FCS_COP.1(1) | None | None | |
| FCS_COP.1 | None | None | |
| FCS_RBG_EXT.1 | None | None | |
| FIA_PMG_EXT.1 | None | None | |
| FIA_UIA_EXT.1 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful local login:<br>Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0<br>Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0<br>Unsuccessful local login:<br>Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root<br>Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0<br>Successful remote login:<br>Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'<br>Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'<br>Unsuccessful remote login:<br>Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153' |
| FIA_UAU_EXT.2 | All use of identification and authentication mechanism. | Origin of the attempt (e.g., IP address) | Successful local login:<br>Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0<br>Jan 3 09:59:36 login[7637]: LOGIN_ROOT: User root logged in as root from host [unknown] on device ttyu0<br>Unsuccessful local login:<br>Jan 3 09:57:52 login[7637]: LOGIN_PAM_AUTHENTICATION_ERROR: Failed password for user root<br>Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0<br>Successful remote login:<br>Jan 3 09:32:07 mgd[47035]: UI_AUTH_EVENT: Authenticated user 'test1' assigned to class 'j-read-only'<br>Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'<br>Unsuccessful remote login:<br>Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153' |
| FIA_UAU.7 | None | None | |
| FMT_MOF.1/ManualUpdate | Any attempt to initiate a manual update | None | |
| FMT_MTD.1/CoreData | None | None | |
| FMT_SMF.1 | All management activities of TSF data | None | Refer to the audit events listed in this table. |
| FMT_SMR.2 | None | None | |
| FPT_SKP_EXT.1 | None | None | |
| FPT_APW_EXT.1 | None | None | |
| FPT_TUD_EXT.1 | Initiation of update; result of the update attempt (success or failure) | None | |
| FPT_STM_EXT.1<br>FTA_SSL_EXT.1 (if "terminate the session" is selected) | The termination of a local interactive session by the session locking mechanism. | None | Jan 3 11:59:29 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.3 | The termination of a remote session by the session locking mechanism. | None | Jan 3 11:26:23 cli: UI_CLI_IDLE_TIMEOUT: Idle timeout for user 'root' exceeded and session terminated |
| FTA_SSL.4 | The termination of an interactive session. | None | Local:<br>Jan 3 11:47:25 mgd[52521]: UI_LOGOUT_EVENT: User 'root' logout<br>Remote:<br>Jan 3 11:43:33 sshd[52425]: Received disconnect from 10.1.5.153 port 36800:11: disconnected by user |
| FTA_TAB.1 | None | None | |
| FTP_ITC.1 | Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions. | Identification of the initiator and target of failed trusted channels establishment attempt. | Initiation of the trusted path:<br>Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2<br>Termination of the trusted path:<br>Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user<br>Failure of the trusted path:<br>Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153' |
| FTP_TRP.1/Admin | Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions. | None | Initiation of the trusted path:<br>Jan 3 12:09:00 sshd[53492]: Accepted keyboard-interactive/pam for root from 10.1.5.153 port 36802 ssh2<br>Termination of the trusted path:<br>Jan 3 12:09:03 sshd[53492]: Received disconnect from 10.1.5.153 port 36802:11: disconnected by user<br>Failure of the trusted path:<br>Jan 3 12:09:36 sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '10.1.5.153' |
| FCS_SSHS_EXT.1 | Failure to establish an SSH session | Reason for failure | Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,ext-info-c |
| FIA_X509_EXT.1/Rev | Unsuccessful attempt to validate a certificate. Any addition, replacement or removal of trust anchors in the TOE's trust store. | Reason for failure of certificate validation. Identification of certificates added, replaced or removed as trust anchor in the TOE's trust store. | Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
| FIA_X509_EXT.2 | None | None | |
| FPT_TUD_EXT.2 | Failure of update | Reason for failure (including identifier of invalid certificate) | Dec 28 22:20:23 veriexec[9371]: cannot validate /packages/db/pkginst.9286/manifest.ecerts: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net |
| FMT_MOF.1/Functions | None | None | |
| FMT_MOF.1/Services | None | None | |
| FMT_MTD.1/CryptoKeys | None | None | |
| FIA_AFL.1 | Administrator lockout due to excessive authentication failures | None | Jan 3 08:13:59 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (2) reached by user 'test1' |
| FPT_STM_EXT.1 | Discontinuous changes to time, either Administrator actuated or changed via an automated process. (Note that no continuous changes to time need to be logged. See also the application note on FPT_STM_EXT.1.) | For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (e.g., IP address). | mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00'<br>mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled<br>nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed<br>Note: NTP is not claimed as part of the FPT_STM_EXT.1 SFR. However, the configuration guide uses activating and deactivating NTP services to validate MACsec tolerance and the MACsec key chain. |
| FPT_TST_EXT.1 | None | None | Power on or reboot the device to view the self-test output during startup.<br>Note: If there is a self-test error, you can recover the device via USB recovery. If the USB recovery fails, you can contact JTAC for support (https://support.juniper.net/support/). |
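The messages in Table 1 are what an audit server receives; the following added example (not Juniper's code or part of this guide) maps each message to the NDcPP requirement it evidences and extracts the user and origin host, so failures and lockouts can be counted per source and unclassified messages flagged for review. `RULES`, `classify`, `summarize` and `SAMPLE_LOG` are assumptions constructed for the example; the sample lines are copied from the table plus one constructed line that matches no rule.

```python
# Added example (not Juniper's code): map Table 1 syslog messages to the NDcPP
# requirement they evidence; RULES is this example's own mapping, SAMPLE_LOG is constructed.
import re
from collections import Counter

# (regex, requirement, event label); the first matching rule wins, so specific rules go first.
RULES = [
    (r"SSHD_LOGIN_ATTEMPTS_THRESHOLD: .*\((?P<n>\d+)\) reached by user '(?P<user>[^']+)'", "FIA_AFL.1", "lockout-threshold"),
    (r"SSHD_LOGIN_FAILED: Login failed for user '(?P<user>[^']+)' from host '(?P<host>[^']+)'", "FIA_UIA_EXT.1", "remote-login-failure"),
    (r"UI_LOGIN_EVENT: User '(?P<user>[^']+)' login, .*ssh-connection '(?P<host>\S+) ", "FIA_UIA_EXT.1", "remote-login-success"),
    (r"(?<!_)LOGIN_FAILED: Login failed for user (?P<user>\S+) from host (?P<host>\S+)", "FIA_UIA_EXT.1", "local-login-failure"),
    (r"LOGIN_INFORMATION: User (?P<user>\S+) logged in from host (?P<host>\S+)", "FIA_UIA_EXT.1", "local-login-success"),
    (r"UI_CLI_IDLE_TIMEOUT: Idle timeout for user '(?P<user>[^']+)'", "FTA_SSL_EXT.1", "idle-timeout"),
    (r"UI_LOGOUT_EVENT: User '(?P<user>[^']+)' logout", "FTA_SSL.4", "logout"),
    (r"sshd.*Accepted \S+ for (?P<user>\S+) from (?P<host>\S+) port", "FTP_TRP.1/Admin", "trusted-path-initiated"),
    (r"sshd.*Received disconnect from (?P<host>\S+) port", "FTP_TRP.1/Admin", "trusted-path-terminated"),
    (r"Unable to negotiate with (?P<host>\S+) port \d+: (?P<reason>.*)", "FCS_SSHS_EXT.1", "ssh-negotiation-failure"),
    (r"veriexec.*cannot validate (?P<path>\S+): (?P<reason>.*)", "FIA_X509_EXT.1/Rev", "cert-validation-failure"),
    (r"NSD_SYS_TIME_CHANGE", "FPT_STM_EXT.1", "time-changed"),
]

def classify(line):
    """Return {'requirement', 'event', ...captured fields} or None if no rule matches."""
    for pattern, requirement, event in RULES:
        m = re.search(pattern, line)
        if m:
            return {"requirement": requirement, "event": event, **m.groupdict()}
    return None

def summarize(lines):
    """Count events per (requirement, event); unmatched lines are returned for review."""
    counts, unmatched = Counter(), []
    for line in lines:
        hit = classify(line)
        if hit:
            counts[(hit["requirement"], hit["event"])] += 1
        else: unmatched.append(line)
    return counts, unmatched

# Constructed sample: lines copied from Table 1, plus one line that no rule covers.
SAMPLE_LOG = [
    "Jan 3 09:59:36 login[7637]: LOGIN_INFORMATION: User root logged in from host [unknown] on device ttyu0",
    "Jan 3 09:57:52 login[7637]: LOGIN_FAILED: Login failed for user root from host ttyu0",
    "Jan 3 09:32:07 mgd[47035]: UI_LOGIN_EVENT: User 'test1' login, class 'j-read-only' [47035], ssh-connection '10.1.5.153 36784 10.1.2.68 22', client-mode 'cli'",
    "Jan 3 09:26:56 sshd: SSHD_LOGIN_FAILED: Login failed for user 'test1' from host '10.1.5.153'",
    "Jan 3 08:13:59 sshd: SSHD_LOGIN_ATTEMPTS_THRESHOLD: Threshold for unsuccessful authentication attempts (2) reached by user 'test1'",
    "Dec 17 15:02:12 sshd[9842]: Unable to negotiate with 10.1.5.153 port 43836: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,ext-info-c",
    "Jan 3 12:00:00 mgd[1]: UI_SOMETHING_ELSE: constructed line with no rule",
]
```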